NAT Routers Disallow Setup of One-way Trusts Between Domains (186340)
The information in this article applies to:
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0
This article was previously published under Q186340
SYMPTOMS
You are unable to establish two one-way trusts between separate domains
when IP communication passes through a router that has Network Address
Translation (NAT) enabled.
CAUSE
A Windows NT trust relationship uses NetBIOS Datagram Services. To
successfully negotiate a trust relationship, the source IP address in the
NetBIOS datagram header must be correct. Most network devices implementing
NAT do not translate the IP addresses in the NetBIOS header.
Some routers enable Fast Packet Switching to increase performance by
analyzing only the IP header and not the NetBIOS datagram header, which is
where the source IP address is located.
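To confirm this cause in a packet capture, compare the source address in the IP header with the SOURCE_IP field carried inside the NetBIOS datagram. The following is an added example, not part of the original article; it assumes the RFC 1002 datagram header layout on UDP port 138, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct
from typing import Optional

# RFC 1002 section 4.4.1, first 10 bytes of every NetBIOS datagram (UDP/138):
# MSG_TYPE(1) FLAGS(1) DGM_ID(2) SOURCE_IP(4) SOURCE_PORT(2)
NBDGM_HEADER = struct.Struct("!BBH4sH")
MSG_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST",
             0x13: "ERROR", 0x14: "QUERY_REQUEST",
             0x15: "POSITIVE_QUERY_RESPONSE", 0x16: "NEGATIVE_QUERY_RESPONSE"}


def parse_nbdgm_header(payload: bytes) -> dict:
    """Parse the fixed NetBIOS datagram header from a UDP/138 payload."""
    if len(payload) < NBDGM_HEADER.size:
        raise ValueError("payload shorter than NetBIOS datagram header")
    msg_type, flags, dgm_id, src_ip, src_port = NBDGM_HEADER.unpack_from(payload)
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown MSG_TYPE 0x{msg_type:02x}")
    return {"msg_type": MSG_TYPES[msg_type], "flags": flags, "dgm_id": dgm_id,
            "source_ip": ipaddress.IPv4Address(src_ip), "source_port": src_port}


def check_nat_mismatch(ip_src: str, payload: bytes) -> Optional[str]:
    """Return a finding if the embedded SOURCE_IP differs from the IP header."""
    hdr = parse_nbdgm_header(payload)
    outer = ipaddress.IPv4Address(ip_src)
    if hdr["source_ip"] == outer:
        return None
    return (f"{hdr['msg_type']} dgm_id={hdr['dgm_id']}: IP header source {outer}, "
            f"NetBIOS SOURCE_IP {hdr['source_ip']} (not translated)")


def build_sample(inner_ip: str) -> bytes:
    """Constructed DIRECT_GROUP datagram header; name and data fields omitted."""
    return NBDGM_HEADER.pack(0x11, 0x02, 0x1A2B,
                             ipaddress.IPv4Address(inner_ip).packed, 138)


# Constructed captures as (IP header source as seen after NAT, UDP payload).
TRANSLATED = ("203.0.113.10", build_sample("203.0.113.10"))
UNTRANSLATED = ("203.0.113.10", build_sample("10.1.1.5"))

if __name__ == "__main__":
    for ip_src, payload in (TRANSLATED, UNTRANSLATED):
        print(check_nat_mismatch(ip_src, payload) or f"{ip_src}: header consistent")
```

A finding on traffic captured on the far side of the NAT device indicates that the device rewrote the IP header but left the NetBIOS datagram header untouched.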
RESOLUTION
To resolve this problem, disable 'Fast Packet Switching' on your Router.
MORE INFORMATION
In order for packets to pass between two domains separated by a router
running NAT, you should ensure that the Fast Packet Switching function of
the router/NAT software combination is disabled. Fast Packet Switching is
sometimes shipped with a default of ENABLED when installed. This provides
for faster throughput of packets but prevents the NAT device from
performing proper address translation on a per-packet basis.
Modification Type: Major
Last Reviewed: 8/9/2001
Keywords: kbprb KB186340