Defining Standards for name resolution in AD Trusts

By jonfwiener
We want to implement some policies for external trusts. We have been using hosts and lmhosts files to assist with name resolution, but we want to make DNS resolution standard for all future trust relationships.

We have also been trying to make trusts work when the 2 domains are using NAT, and it causes problems. So NAT between domains will no longer be supported.

We want to set these 2 standards in place but want to technically back up the reasons why we are doing this. We also want to know if this is a bad idea for some reason or if we will have trouble implementing these changes on existing trusts.

I am looking for some reasons to support making these 2 things standards. Can anyone cite a few?

You can assume that the 2 members of the trust are running AD in separate external forests.


All Answers


by BFilmFan In reply to Defining Standards for na ...

You failed to mention if these trusts are to be established with Active Directory, NT or non-Microsoft based domains.

Note that if they are using anything other than AD, you will need to use WINS, which WILL expose your environment, as you will have to have ports open to pass the NetBIOS traffic information from WINS server to the clients.

Most trusts are not based on AD, as all domains within a single AD forest share a trust to the root forest and between each other automatically, as the security model is the forest and not the domain.

I think you need to better clarify what goals you are attempting to reach and what you have currently implemented as additional information, so that the peers here can formulate a more thorough reply.

AD Trusts mostly, Some NT4 no non-MSFT

by jonfwiener In reply to Trusts

Thanks BFilmFan,
Point taken and clarification request appreciated. These would all be AD or NT4 trusts. All these trusts are external to the main AD Forest. Think of them as a way to allow newly acquired, but separate companies and separate AD infrastructures to access resources and authenticate from the "new" company to "Parent" company and vice versa.

Again, all I am looking for are some solid reasons to support (back up) my decision to make the use of DNS for name resolution in all trusts a prerequisite.

Or are there valid reasons why I should not draw this line and should continue to allow the use of host files etc?

Are there other standards that I should be incorporating into our trust standards document?

We have allowed the use of NAT between trusted AD domains in the past. We also want to disallow that practice. I am also looking for reasons to support that decision and any concerns you think I may encounter in trying to enforce that standard on new and existing trusts.
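A defender-side check that goes with the two standards discussed in this thread, added here as an example that is not from the thread or from any of its posters: a PowerShell script that verifies a trusted domain's domain-controller SRV records resolve through DNS alone (no hosts file, no NetBIOS fallback), that the DCs DNS advertises are reachable on the ports trust traffic uses (which is where a NAT between the domains usually surfaces, since a DC registers its own address and the other side cannot route to it), and that lists the hosts/lmhosts entries a DNS-only standard would retire. The domain name `partner.example` and the function name are assumptions; the script needs the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 and later).

```powershell
# Added example, not code from the original thread.
# Checks whether a trusted domain can be located purely through DNS and whether
# the advertised domain controllers are reachable, then reports legacy
# hosts/lmhosts entries that a DNS-only trust standard would retire.
# 'partner.example' is a placeholder, not a real partner domain.
param(
    [string]$TrustedDomain = 'partner.example'
)

function Test-TrustDnsPrerequisites {
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{
        Domain        = $Domain
        SrvRecords    = @()
        Reachable     = @()
        Unreachable   = @()
        LegacyEntries = @()
    }

    # 1. The DC locator depends on these SRV records. -DnsOnly skips the hosts
    #    file and NetBIOS/LLMNR, so a failure here means the trust is currently
    #    being carried by hosts/lmhosts or WINS rather than DNS.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain"
    )
    foreach ($name in $srvNames) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            $result.SrvRecords += $srv
        } catch {
            Write-Warning "No SRV record for $name ($($_.Exception.Message))"
        }
    }

    # 2. Every DC that DNS advertises must be reachable on the ports a trust
    #    uses: Kerberos (88), LDAP (389) and SMB (445). A DC behind NAT
    #    registers its private address, so NAT shows up as unreachable targets.
    $ports = 88, 389, 445
    $targets = $result.SrvRecords | Select-Object -ExpandProperty NameTarget -Unique
    foreach ($dc in $targets) {
        foreach ($port in $ports) {
            $ok = Test-NetConnection -ComputerName $dc -Port $port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            if ($ok) { $result.Reachable   += "${dc}:$port" }
            else     { $result.Unreachable += "${dc}:$port" }
        }
    }

    # 3. Static entries mask DNS failures once the standard is enforced, so
    #    list them: hosts lines naming the domain, and lmhosts #DOM: lines,
    #    which are the NetBIOS domain-trust entries.
    $etc = Join-Path $env:SystemRoot 'System32\drivers\etc'
    $checks = @{ hosts = $Domain; lmhosts = '#DOM:' }
    foreach ($file in $checks.Keys) {
        $path = Join-Path $etc $file
        if (Test-Path $path) {
            Select-String -Path $path -Pattern $checks[$file] -SimpleMatch |
                Where-Object { $_.Line.Trim() -notmatch '^#' -or $file -eq 'lmhosts' } |
                ForEach-Object { $result.LegacyEntries += "${file}: $($_.Line.Trim())" }
        }
    }

    [pscustomobject]$result
}

# Run the check and show the findings; Unreachable or LegacyEntries entries
# are the items to fix before the trust is declared DNS-only and NAT-free.
Test-TrustDnsPrerequisites -Domain $TrustedDomain | Format-List
```

Run it from a member of the local forest against each partner domain before the standard takes effect: an empty `SrvRecords` list means the partner's DNS zone is not reachable from here (no conditional forwarder, stub zone or delegation), a non-empty `Unreachable` list with NAT in the path is the routing problem the thread describes, and `LegacyEntries` is the list of static records to remove once DNS resolution is confirmed.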

