thanks for your input Willem - yes, I was also thinking about something like VPN, but maybe in a dual-homed manner => one of the legs for replication between DCs across NATed sites, another one for authentication in the respective site...  There's no way I can change all resources in the sites to new VPN address-scheme in a quick enough fashion. Would likely be a messy setup to maintain, but maybe a possible solution.
 
obviously dual-homing itself is not exactly a good story itself - until now I've been convincing people that dual-homing (e.g. for a productive + backup LAN) is rather difficult to maintain with DCs, since you can't control that a specific NIC wouldn't register in DDNS (ok, not an issue if I'm going to go static only). However, I've just learned that you can now control the NIC registration in Win2003. May not be my problem here.
 
anybody else think dual-homing would be a feasible solution for NATed networks?
 
Thanks,
Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willem Kasdorp
Sent: Saturday, 5 June 2004 20:42
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in NATed environments

I ran into this once. I managed to convince the customer that it was a really bad idea. You’re right of course, DDNS is a no-no, you need some smart conversion of DNS records. That is a big puzzle and a real administrative nightmare if you think it through. Some other technical hurdles you don’t mention are that DCs really like 2-way communication, so you need to take care to use a real NAT, not PAT (port address translation). Yet another issue is that not all IP protocols survive over a NAT. Those are protocols that have an IP address in their packet bodies, or have some form of encryption or signing. You need a NAT translator to make that work. That is probably the main reason MS will not support it. They won’t have verified that all their protocols (millions of RPCs!) survive over NAT.

Solutions… what about a VPN into the NAT? That way the DC could have a ‘normal’ (non-NATted) address.

--

    Regards, Willem


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, June 05, 2004 4:10 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD in NATed environments

last time I looked at replication of DCs in a NATed network, I was rather disappointed - basically this was a no-no. Simply due to name-resolution of the DCs (i.e. the IP address of a DC on one side of the NAT is not what it should be on the other side of the NAT etc.).

wondering how other folks work around this, if you just happen to fall into one of these environments...?  Trying to change the network is a major undertaking, which could take months or even years in larger companies - so mostly this is not an option. So do you

- not use DDNS and manually register DCs on DNS servers (differently per DNS server, depending on which side of NAT...)?

- use DDNS and work around the issues in other ways?

- set up special DNS zones in some magic way that solves all the issues?

- other ideas?

I heard this is not supported by MS anyways - but I'd be open to any solution...

Thanks,
Guido
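As an added example, not part of this thread or of any product: a small Python sketch of the per-site DNS record conversion Willem mentions and the "register DCs differently per DNS server" option listed above, plus a check that flags remote DCs whose DDNS registration leaked their untranslated address. Site names, hostnames, addresses and the NAT table are constructed.

```python
# Constructed inventory: DC hostname -> (home site, address on its own LAN).
# Two sites using the same RFC1918 range is exactly the case that forces NAT.
DCS = {
    "dc1.corp.example": ("berlin", "10.1.0.10"),
    "dc2.corp.example": ("munich", "10.1.0.20"),
    "dc3.corp.example": ("munich", "10.1.0.30"),  # deliberately has no NAT entry
}

# Constructed static 1:1 NAT tables: home-LAN address -> address as seen from
# the far side. Per-host static entries are required; PAT would not give the
# 2-way reachability a DC needs.
NAT = {
    "berlin": {"10.1.0.10": "172.16.1.10"},
    "munich": {"10.1.0.20": "172.16.2.20"},
}

def dns_view(site):
    """A records the DNS servers in `site` should hold for every DC.

    Local DCs keep their real address; remote DCs get their NATed address.
    Returns (records, unreachable): `unreachable` lists remote DCs with no
    static NAT entry, which could not be resolved usefully from this site.
    """
    records, unreachable = {}, []
    for host, (home, addr) in DCS.items():
        if home == site:
            records[host] = addr
            continue
        nat_addr = NAT.get(home, {}).get(addr)
        if nat_addr is None:
            unreachable.append(host)
        else:
            records[host] = nat_addr
    return records, unreachable

def ddns_leaks(site, registered):
    """Compare what was actually registered in `site` with the intended view.

    `registered` maps hostname -> address found in the site's zone. A remote DC
    that registered its real (untranslated) address via DDNS shows up here as
    hostname -> (registered address, expected address).
    """
    wanted, _ = dns_view(site)
    return {h: (a, wanted[h]) for h, a in registered.items()
            if h in wanted and a != wanted[h]}

if __name__ == "__main__":
    print(dns_view("berlin"))
    # Constructed zone dump: dc2 used DDNS and registered its real address.
    print(ddns_leaks("berlin", {"dc1.corp.example": "10.1.0.10",
                                "dc2.corp.example": "10.1.0.20"}))
```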
