is that but?(nobody can answered me)


Mike

NAT------------DC1
|______Client,DC2

DC in segment A(192.168.0.x)
All client in segment B(192.168.1.X)

NAT is windows 2000 RRAS

1. Client can join the domain but can't add "domain users" to administrators
on the local computer

2. I can promote DC2 to domain controller and DC2 is DC1's additional
domain controller, but DC2 can't replicate to DC1


hope someone can help me, because I asked many many many~...............but
nobody answered

If it really can't replicate or join the domain through Windows 2000 NAT, is
there any workaround in this environment???


thanks thanks thanks so much hope someone can.........
 

Trond Hindenes

you shouldn't use NAT between two segments that belong to the same private
subnet (192.168.x.x)
if you use NAT, you need to publish your DC01 server to subnet B so that it
gets a 192.168.1.x address.

I would simply go with a router without NAT between your subnets.

best regards
Trond Hindenes
Consultant
Norway
 

Mike

No.....~

I think you mistook my meaning

the NAT has three NICs: one is public and two are private, thanks


public private
<====NAT-------------->DC1
|____________>DC2,all client
 

Trond Hindenes

okay. Assuming that you can ping DC01 from DC02 using IP addresses and vice
versa, this could be a DNS related issue.
For testing, I think I would install the DNS service on DC01, and point DC02
to use DC01 for DNS (in network config). If your NAT device is a firewall
with three NICs, you also need to make sure that all necessary ports are
open between your two subnets:

(from
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp)

To enable replication over dynamic RPC, configure your firewall to permit
the following:

Service                          Port/protocol
RPC endpoint mapper              135/tcp, 135/udp
NetBIOS name service             137/tcp, 137/udp
NetBIOS datagram service         138/udp
NetBIOS session service          139/tcp
RPC dynamic assignment           1024-65535/tcp
SMB over IP (Microsoft-DS)       445/tcp, 445/udp
LDAP                             389/tcp
LDAP over SSL                    636/tcp
Global catalog LDAP              3268/tcp
Global catalog LDAP over SSL     3269/tcp
Kerberos                         88/tcp, 88/udp
DNS                              53/tcp, 53/udp
WINS resolution (if required)    1512/tcp, 1512/udp
WINS replication (if required)   42/tcp, 42/udp
Network time protocol (NTP)      123/udp



best regards,

Trond Hindenes
Consultant
Norway
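
An added example, not part of the reply above or of the Microsoft article it quotes: a small Python audit that checks a firewall allow-list against the port table in that reply and reports which required entries are not permitted. The rule syntax (`port/proto` or `lo-hi/proto`) and the sample rule set are constructed for illustration, and the two "if required" WINS rows are left out.

```python
# Added example: audit an allow-list against the port table quoted above.
REQUIRED = """\
RPC endpoint mapper|135/tcp, 135/udp
NetBIOS name service|137/tcp, 137/udp
NetBIOS datagram service|138/udp
NetBIOS session service|139/tcp
RPC dynamic assignment|1024-65535/tcp
SMB over IP (Microsoft-DS)|445/tcp, 445/udp
LDAP|389/tcp
LDAP over SSL|636/tcp
Global catalog LDAP|3268/tcp
Global catalog LDAP over SSL|3269/tcp
Kerberos|88/tcp, 88/udp
DNS|53/tcp, 53/udp
Network time protocol (NTP)|123/udp
"""

def parse_spec(spec):
    """'1024-65535/tcp' -> ('tcp', 1024, 65535); '135/udp' -> ('udp', 135, 135)."""
    ports, proto = spec.strip().lower().split("/")
    lo, _, hi = ports.partition("-")
    return proto, int(lo), int(hi or lo)

def requirements(table=REQUIRED):
    """Yield (service, proto, lo, hi) for every port entry in the table."""
    for line in table.splitlines():
        service, specs = line.split("|")
        for spec in specs.split(","):
            yield (service, *parse_spec(spec))

def covered(req, rules):
    """True if a single allow rule spans the whole required range for that protocol."""
    _, proto, lo, hi = req
    return any(p == proto and rlo <= lo and hi <= rhi for p, rlo, rhi in rules)

def audit(allow_specs):
    """Return the required entries that no allow rule covers, in table order."""
    rules = [parse_spec(s) for s in allow_specs]
    return [r for r in requirements() if not covered(r, rules)]

# Constructed sample rule set (hypothetical): a tightened policy that forgot
# the RPC dynamic range and Kerberos over UDP.
SAMPLE_RULES = ["53/tcp", "53/udp", "88/tcp", "123/udp", "135/tcp", "135/udp",
                "137-139/tcp", "137-138/udp", "389/tcp", "445/tcp", "445/udp",
                "636/tcp", "3268-3269/tcp"]

if __name__ == "__main__":
    for service, proto, lo, hi in audit(SAMPLE_RULES):
        rng = str(lo) if lo == hi else f"{lo}-{hi}"
        print(f"NOT PERMITTED: {service:30} {rng}/{proto}")
```
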
 

Mike

thanks!

can you tell me how to map or permit these ports in Windows 2000
NAT????????
 

Trond Hindenes

I'm sorry, I'm no master in Windows 2000 NAT. Can't you just permit all IP
(both TCP and UDP) traffic between the two subnets just to get it working
first, and then look into tightening security when everything is working?

best regards,
Trond Hindenes
Consultant
Norway
 

Mike

sorry~I didn't catch you!

because by default it allows all IP traffic!

can you tell me more~~????

thanks
 

Trond Hindenes

if you already allow all IP traffic, then that's not the issue.

could you put both servers on same subnet and see if they replicate, just to
eliminate any network-related problems? I have a feeling that we are talking
past each other here...

best regards,
Trond Hindenes
Consultant
Norway
 
