I think you might want to investigate using a VPN to connect your DC to the other DCs.

http://infosecuritymag.techtarget.com/2003/mar/surgeongeneral.shtml
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx

A couple of words of caution. By default, AD replication and FRS operations are optimized for LAN-based operation, not WAN. There are no Control Panel applets for controlling AD replication and RPC behavior. The only tools you have are registry settings, KB articles and white papers (as well as the MS diagnostic tools, and third-party tools like AD Troubleshooter).

You also should be aware that AD replication traffic and Kerberos use UDP by default. I have encountered situations where all the ports are open and working, but trusts keep breaking and replication keeps failing. This is usually due to UDP traffic getting fragmented. If you encounter this, you will want to force Kerberos and AD to use TCP packets. I have spoken to the MS AD Firewall PM about this. MSFT seems to think registry modification is good enough in these situations. I am on them to change this in Longhorn. I would also like to see the replication protocol have some built-in diagnostics that throw more descriptive events when they encounter replication problems that are the result of firewall and RPC issues.

You might want to run this by MSFT before you implement it, to see what their support will cover, because when you encounter problems, they are going to be the only ones that will be able to really assist you.

Thanks,
Todd Myrick
MS MVP Directory Services

-----Original Message-----
From: Chris Gauch [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 27, 2005 7:14 PM
To: [email protected]
Subject: [ActiveDir] Win 2003 DC behind firewall

We currently run 4 Windows 2003 domain controllers on our network(s), all 4 of which are on different public networks (we own several IP blocks as we are an ISP).

We'd like to place one of the DCs behind our Sonicwall to serve as a DC/global catalog for all of the servers within the NAT'ed environment, as we've run into odd issues mapping drives, etc. with the servers behind the firewall (obviously this is caused by DNS issues). Additionally, we'd like this DC to act as an "internal" DNS server for the NAT'ed network behind the firewall. The problem we've faced with DNS is that our NAT'ed servers publish their private IP addresses on the public DCs; we'd like to set up a configuration where our NAT'ed servers publish ONLY to the internal/NAT'ed DC, and the public addresses that have been set up for IP forwarding (behind the firewall) are published to the public DCs (running DNS).

I guess I'm just looking for tips/advice for how to best go about running a single Windows 2003 domain across both public and private networks with regards to the situation above. Thanks in advance for any input.

- Chris
------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
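The registry-based change Todd's reply refers to (forcing Kerberos onto TCP and pinning the AD RPC endpoints so a firewall can be opened for them) written out as an added PowerShell example. This is not code from the thread or from Microsoft; the value names (Kerberos MaxPacketSize, NTDS "TCP/IP Port", Netlogon DCTcpipPort, NtFrs "RPC TCP/IP Port Assignment") are the documented ones, but the port numbers 50000-50002 are arbitrary choices for the example, and the script assumes it is run from an elevated prompt on each domain controller with PowerShell installed (a Windows 2003 DC would need it added).

```powershell
# Added example, not from the original thread: make Kerberos use TCP and
# give the AD, Netlogon and FRS RPC servers static ports so they can be
# permitted through a firewall instead of relying on the dynamic RPC range.
# Run elevated on each DC; the settings take effect after a reboot.
#
# Port numbers are assumptions chosen for this example. Pick unused ports
# from your own plan and open them (TCP) between the DCs on the firewall.

$ErrorActionPreference = 'Stop'

function Set-DwordValue {
    param(
        [string]$Path,
        [string]$Name,
        [int]$Value
    )
    # The Lsa\Kerberos\Parameters key often does not exist yet; create it.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    # Read the value back so a typo in the path or name fails loudly here,
    # not as a silently unchanged DC after the reboot.
    $readBack = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($readBack -ne $Value) { throw "Failed to set $Path\$Name" }
    Write-Host ("{0}\{1} = {2}" -f $Path, $Name, $readBack)
}

# Kerberos: MaxPacketSize = 1 sends every ticket request over TCP instead of
# UDP, so large tickets (users in many groups) are never fragmented and then
# dropped by a firewall that does not reassemble UDP.
Set-DwordValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' 'MaxPacketSize' 1

# AD replication (NTDS) RPC endpoint: replace the dynamic port with a static one.
Set-DwordValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'TCP/IP Port' 50000

# Netlogon RPC endpoint (secure channel and trust operations).
Set-DwordValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'DCTcpipPort' 50001

# FRS (SYSVOL replication on Windows 2003) RPC endpoint.
Set-DwordValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' 'RPC TCP/IP Port Assignment' 50002
```

After the reboot, the firewall between the DCs still has to pass the fixed services (TCP 88 for Kerberos, TCP 135 for the RPC endpoint mapper, LDAP/GC on 389, 636, 3268 and 3269, SMB on 445, DNS on 53) plus the three static ports above, and `repadmin /showrepl` on each DC is the quick check that replication is actually completing. As Todd says, confirm the exact port matrix and the registry approach with Microsoft support before rolling it out.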
