Reaching out to the greater brain trust to see if I am on the right track.
I need to ask the question of whether there is a way to a make a NAT’d forest trust function reliably? It has been years since I looked into the question, and I have always said no when asked if it would be ok. Recently, leadership asked me if I would lie down on the tracks (effectively stopping numerous initiatives) and say absolutely no to NAT’d trusts, to which I responded with a firm Yes. Now that I have placed that target on my back, I want to do a brain check to validate that I have done my due diligence. The scenario is that we have an acquisition where more than one 2-way forest trusts will eventually be necessary between multiple forests on our side, and with the new company. Unfortunately there are many, many thousands of conflicting IP’s with the acquisition that cannot be resolved in a timely manner. This makes me think that we would need to create the trusts over a NAT.
In reading the passage below from Tom Moser’s Ask PFE post, that states “Commonly during mergers or acquisitions, both companies will have the same IP scheme, using 10.0.0.0/8 networks. There's no way to make this work without NAT as overlapping address space won't be routable (disclaimer: I'm not a networking expert). Since we don't support NAT your best option is probably to merge the networks or come up with some equally not-NAT-but-still-routable plan.”, it appears as if the not to NAT trusts position is still required. I think the official Microsoft position is that this is not a supported configuration. So I have a couple of questions: 1. Assuming that a NAT’d trust configuration still not recommended, is there an alternative that I am missing? 2. What behaviors are we likely to see should the trusts be established as is, other than a confused DC locator process? Leadership wants to know consequences, not just me saying no can do. Thanks for your help!
Gary G Gray, CISSP, CCSP, MCP
Sr. Advisor, Security Architecture - Active Directory
Mobile: (352) 585-4505 | Email: g3@xxxxxxxxxxxxxxxx