Trusts Across Firewalls

by Ed Fisher on 2008-04-15

in Security

Well, I had some fun today: virtual support over IM for a perfect stranger. Someone actually hit me up on my Plugoo and had a couple of questions about setting up trusts across a firewall so that accounts could be migrated from one domain to another. Here is the transcript, with only his/her alias changed to protect the anonymous ;-)
(1:58:33 PM) My Plugoo: [My Plugoo] [changed] Are you online by any chance?
(1:58:39 PM) ed fisher: hello
(1:58:43 PM) My Plugoo: [changed] changed name to [changed]
(1:58:46 PM) My Plugoo: [changed] wow, lucky me
(1:59:22 PM) ed fisher: who are you, and what can i do for you?
(1:59:26 PM) My Plugoo: [changed] if you have a few minutes, i would have a question regarding the creation of a trust between 2 distinct Win2003 Forests separated by a FW
(1:59:38 PM) ed fisher: shoot
(2:00:07 PM) My Plugoo: [changed] FW rules are tight and there are actually 2 FW controlled by 2 different companies
(2:00:13 PM) My Plugoo: [changed] 2FW face to face
(2:00:23 PM) ed fisher: first things first….is NAT in this situation?
(2:00:29 PM) My Plugoo: [changed] nope
(2:00:31 PM) My Plugoo: [changed] but
(2:00:33 PM) ed fisher: ok, then proceed
(2:00:48 PM) My Plugoo: [changed] we are getting ports opened according to the KB article from MS
(2:01:06 PM) My Plugoo: [changed] however, the ports are opened with DCs on the other side that are not the PDCe
(2:01:18 PM) My Plugoo: [changed] so basically, we can not get to the PDCe from our side
(2:01:28 PM) My Plugoo: [changed] can we establish a trust in those conditions?
(2:01:42 PM) ed fisher: no, trusts MUST be established between PDCe’s
(2:01:56 PM) ed fisher: unless you shift the fsmo role, they will have to adjust the firewall acls
(2:02:16 PM) ed fisher: remember that a trust at its basis is still a legacy, netbios relationship
(2:02:24 PM) My Plugoo: [changed] basically, our PDCe needs to have all those ports opened to their PDCe?
(2:02:34 PM) ed fisher: correct
(2:02:43 PM) My Plugoo: [changed] hmmm OK, we are in trouble…
(2:02:47 PM) ed fisher: and don’t forget the netbios name resolution
(2:02:57 PM) My Plugoo: [changed] it is a merger/acquisition situation
(2:02:57 PM) ed fisher: well, you could reassign the pdce fsmo role
(2:03:07 PM) ed fisher: oh yeah, i am in the middle of three of those myself
(2:03:10 PM) ed fisher: who do you work for?
(2:03:20 PM) My Plugoo: [changed] the PDCe role is on the network of the company selling the division
(2:03:33 PM) ed fisher: just want to make sure i am not talking to someone upstairs from me :-)
(2:03:49 PM) My Plugoo: [changed] and we have no access directly to that network
(2:03:53 PM) My Plugoo: [changed] I work for changed
(2:03:57 PM) My Plugoo: [changed] changed company
(2:04:11 PM) My Plugoo: [changed] integrating a division from another paper company
(2:04:11 PM) ed fisher: ok, no one involved with me…Doosan.
(2:04:42 PM) ed fisher: yeah, bottom line is PDCe HAS to communicate with PDCe; the rules have to change, or the roles have to change, no other way around that
(2:05:04 PM) My Plugoo: [changed] can we move the PDCe role to establish the trust and then move it back to its original owner in the network we can not access?
(2:05:11 PM) ed fisher: sure
(2:05:34 PM) My Plugoo: [changed] sorry i missed the answer…
(2:05:37 PM) My Plugoo: [changed] ah ok
(2:05:39 PM) My Plugoo: [changed] I see it
(2:05:41 PM) ed fisher: hang on
(2:05:46 PM) My Plugoo: [changed] so we only need it to establish the trust
(2:05:47 PM) ed fisher: will type out all steps
(2:07:06 PM) ed fisher: 1) reassign PDCe roles to the dc’s on each side that CAN communicate across all ports
2) verify all NetBIOS name resolution (suggest using LMHOSTS file)
3) verify AD convergence on both sides so that all DCs in each domain recognise the new PDCe
4) establish trust
5) migrate
6) break trust
7) move PDCe roles back to original DCs

(2:08:17 PM) My Plugoo: [changed] we need to keep the PDCe role on the DC for as long as we keep the trust then.
(2:08:40 PM) My Plugoo: [changed] thanks a lot
(2:08:47 PM) ed fisher: suggest these two tools to verify
port query tool can verify all ports for trusts
http://www.microsoft.com/downloads/details.aspx?FamilyID=8355E537-1EA6-4569-AABB-F248F4BD91D0&displaylang=en
lmhosts creator
http://support.microsoft.com/kb/314108

(2:09:10 PM) ed fisher: and yes, do not reassign roles until after migration is done and trust is broken
(2:09:15 PM) My Plugoo: [changed] that clears things up… I think they should write this little piece of information in some KB
(2:09:19 PM) ed fisher: break trust BEFORE moving PDCe roles back
(2:09:37 PM) ed fisher: well heck, what fun is that?
(2:10:00 PM) My Plugoo: [changed] well, simply to get an official answer from the vendor you know!?!
(2:10:10 PM) ed fisher: kidding, am sure it is in a technet post somewhere….they need a better way to find stuff….MS and Cisco sites are both full of good stuff, but almost impossible to find
(2:10:12 PM) My Plugoo: [changed] thanks a lot for your time
(2:10:18 PM) ed fisher: n/p good luck
(2:10:41 PM) My Plugoo: [INFO] Visitor [changed] has left the conversation.

So, an entire support call in the context of IM. You’ve got to love the technology. By the way, the KB article defining the ports required is http://support.microsoft.com/kb/179442, and in googling for that I just saw one of my own blog posts in the top three search results. Wow, I hope that http://retrohack.com/establishing-a-trust-across-a-firewall/ helps others… maybe my visitor found that first… I should have asked.
And remember, this sort of thing over Network Address Translation is NOT supported…why? Because NAT IS EVIL!
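The seven steps from the exchange above, written out as the commands an administrator would actually run on our side of the firewall. This is an added example, not part of the original post or the IM transcript. It assumes placeholder names: DC-A0 (our current PDCe), DC-A1 (the DC on our side the firewall rules reach), DC-B2 at 192.0.2.10 (their exposed PDCe), and the domains alpha.example (NetBIOS ALPHA) and beta.example (NetBIOS BETA). The port list is the TCP subset of what KB 179442 requires; UDP 137/138 and the dynamic RPC range cannot be checked with a TCP connect, so those still need PortQry or the firewall logs. Move-ADDirectoryServerOperationMasterRole needs the ActiveDirectory module (2008 R2 or later); on the 2003-era boxes in the chat, ntdsutil does the same role transfer.

```powershell
# Added example, not from the original post. All host names, domain names and the
# 192.0.2.10 address are placeholders for illustration.
Import-Module ActiveDirectory

$OurNewPdc   = 'DC-A1'          # DC on our side that the firewall rules actually reach
$OurOldPdc   = 'DC-A0'          # DC that holds our PDCe role today
$TheirPdc    = 'DC-B2'          # DC on their side that their rules expose (must hold their PDCe)
$TheirPdcIp  = '192.0.2.10'
$OurDomain   = 'alpha.example'
$TheirDomain = 'beta.example'

# TCP ports a trust needs between the two PDC emulators (TCP subset of KB 179442).
# UDP 137/138 (NetBIOS name/datagram) and the dynamic RPC range are not testable
# with a TCP connect; verify those with PortQry.
$TrustTcpPorts = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'
                    139 = 'NetBIOS session'; 389 = 'LDAP'; 445 = 'SMB'
                    636 = 'LDAPS'; 3268 = 'Global Catalog' }

# Returns the list of ports that did NOT answer; an empty list means all TCP ports are open.
function Test-TrustPorts {
    param([string]$RemoteHost)
    $blocked = @()
    foreach ($port in ($TrustTcpPorts.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $RemoteHost -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,5}/tcp {1,-22} {2}' -f $port, $TrustTcpPorts[$port], $state
        if (-not $r.TcpTestSucceeded) { $blocked += $port }
    }
    return $blocked
}

# Step 1: run the port check FROM the prospective PDCe, then move the role onto it.
$blocked = Test-TrustPorts -RemoteHost $TheirPdcIp
if ($blocked.Count -gt 0) {
    throw "Firewall still blocks TCP $($blocked -join ', ') toward $TheirPdc; fix the ACLs before moving roles."
}
Move-ADDirectoryServerOperationMasterRole -Identity $OurNewPdc -OperationMasterRole PDCEmulator -Confirm:$false

# Step 2: NetBIOS name resolution for their PDCe plus their domain's <1B> (PDC) entry via LMHOSTS.
# The quoted name is padded with spaces to exactly 15 characters before \0x1b (KB 314108 format).
$lmhosts = "$env:SystemRoot\System32\drivers\etc\lmhosts"
Add-Content -Path $lmhosts -Value "$TheirPdcIp $TheirPdc #PRE #DOM:BETA"
Add-Content -Path $lmhosts -Value ('{0} "{1,-15}\0x1b" #PRE' -f $TheirPdcIp, 'BETA')
nbtstat -R          # purge and reload the NetBIOS name cache from LMHOSTS
nbtstat -c          # the two #PRE entries should now show in the cache

# Step 3: let replication converge so every DC in our domain agrees on the new PDCe.
repadmin /syncall /AdeP
nltest "/dsgetdc:$OurDomain" /pdc     # should name $OurNewPdc

# Step 4: create the two-way trust (prompts for both sides' admin passwords), then verify it.
netdom trust $OurDomain "/d:$TheirDomain" /add /twoway "/UserD:BETA\Administrator" /PasswordD:* "/UserO:ALPHA\Administrator" /PasswordO:*
netdom trust $OurDomain "/d:$TheirDomain" /verify

# Step 5: migrate the accounts (ADMT or your tool of choice) while the trust is in place.

# Step 6: break the trust BEFORE touching roles again.
netdom trust $OurDomain "/d:$TheirDomain" /remove "/UserD:BETA\Administrator" /PasswordD:* "/UserO:ALPHA\Administrator" /PasswordO:*

# Step 7: only now move the PDCe role back to where it lived before.
Move-ADDirectoryServerOperationMasterRole -Identity $OurOldPdc -OperationMasterRole PDCEmulator -Confirm:$false
```

The ordering in steps 6 and 7 is the point of the whole exchange: the trust relationship is maintained by the PDC emulators, so the trust must be removed while the DCs that created it still hold the role, and only then can the role go back to the DC the firewall cannot reach.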
