ad over nat

ares

I have a DC in one site and a DC in another site with NAT in the middle. Can
I join the two DCs together?
I mean have AD replicated with a NAT in the middle (this is not a firewall
question).

dc1 10.1.1.2 ---------- 10.1.1.1 [nat] 192.168.0.1 ----- dc2 192.168.0.2


dc2 can see dc1 with an IP like 192.168.0.3, which is 10.1.1.2 NATted.


How can I make it work?

(NAT not firewall)

thanks
 
In theory you can do the following things:

You should set the port used for RPC replication (by default it is a
dynamic port) by modifying this registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port

At the end of this page:
http://www.microsoft.com/technet/pr...Ref/df20bd3e-9914-4a8d-bd5b-3b987c73a34d.mspx
you'll see a note with the ports used by AD replication. You must map these
ports in the NAT so that the first domain controller can hit the second DC.

Also you must put a static entry in the DNS zone on the first server so
that the second DC looks like it has the NAT server's IP address.

PS: also an interesting article:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_p63623.asp
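The two steps above (fixed replication port, static DNS entry for the far DC), plus a reachability check against the mapped ports, as an added PowerShell example that is not part of the thread. It assumes port 49152, a zone named corp.example and the address 192.168.0.3 that dc2 sees dc1 at in the diagram; run it elevated on dc2, and repeat on dc1 with its own view of dc2.

```powershell
# Added example, not from the thread: pin the NTDS RPC replication port,
# add the static DNS A record for the far DC, and check the mapped ports.
# Assumed values: port 49152, zone 'corp.example', record name 'dc1',
# NAT-side address 192.168.0.3 (the address dc2 sees dc1 at in the thread).

$ntdsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$replPort     = 49152            # fixed port to forward on the NAT device
$zoneName     = 'corp.example'   # hypothetical AD DNS zone
$farDcName    = 'dc1'
$farDcNatAddr = '192.168.0.3'

# 1. Replace the dynamic RPC port with a fixed one (REG_DWORD 'TCP/IP Port').
#    NTDS reads the value at start-up, so reboot the DC afterwards.
New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -PropertyType DWord `
                 -Value $replPort -Force | Out-Null
$current = (Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port').'TCP/IP Port'
if ($current -ne $replPort) { throw "Port value not written: $current" }

# 2. Static A record so this DC resolves the far DC to its NAT-side address.
Add-DnsServerResourceRecordA -ZoneName $zoneName -Name $farDcName `
                             -IPv4Address $farDcNatAddr -ErrorAction Stop

# 3. Check that the NAT device forwards the ports replication needs:
#    135 (RPC endpoint mapper) and the fixed port chosen above.
foreach ($port in 135, $replPort) {
    $ok = (Test-NetConnection -ComputerName $farDcNatAddr -Port $port `
           -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0}:{1} reachable through NAT: {2}" -f $farDcNatAddr, $port, $ok
}
```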
 
ares said:
I have a DC in one site and a DC in another site with NAT in the middle. Can
I join the two DCs together?
I mean have AD replicated with a NAT in the middle (this is not a firewall
question).

dc1 10.1.1.2 ---------- 10.1.1.1 [nat] 192.168.0.1 ----- dc2 192.168.0.2

It would be easier if you were to put a VPN through the
intervening network.

Then two simple routes would let the two DCs talk (freely)
as long as they talk through the VPN path.

The two routes go on each of the NAT/VPN routers.

In fact in that case, the VPN would not even be NATTED
(even though it travels over the NATed physical interface.)
 
Have you tried this?
Has anyone done it?
Do you have documentation?
I think that Microsoft should have some, but I can't find it.
Thanks
 
Andrei Ungureanu said:
I haven't tried this and I'm not going to do it.
Most probably in a scenario like this I would try Herb's solution with the
VPN.

The part that fools most people with the VPN is
that once the VPN "interface" is created in RRAS
it is treated JUST LIKE any other interface including
a real NIC:

You can NAT or NOT NAT it, filter it, route through
it -- including providing static routes that are specific
to the interface.
 