AD over NAT

Ares

Distinguished
Apr 27, 2004
Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have a DC in one site and a DC in another site with NAT in the middle. Can
I join the two DCs together?
I mean, have AD replicate with a NAT in the middle (this is not a firewall
question).

dc1 10.1.1.2 ---------- 10.1.1.1 [NAT] 192.168.0.1 ----- dc2 192.168.0.2


dc2 can see dc1 with an IP like 192.168.0.3, which is 10.1.1.2 NATted.


How can I make it work?

(NAT, not firewall)

Thanks
 
Guest

"ares" <aresblade@hotmail.com> wrote in message
news:eIVulADQFHA.4020@tk2msftngp13.phx.gbl...
> I have a DC in one site and a DC in another site with NAT in the middle.
> Can I join the two DCs together?
> I mean, have AD replicate with a NAT in the middle (this is not a firewall
> question).
>
> dc1 10.1.1.2 ---------- 10.1.1.1 [NAT] 192.168.0.1 ----- dc2 192.168.0.2

It would be easier if you were to put a VPN through the
intervening network.

Then two simple routes would let the two DCs talk (freely)
as long as they talk through the VPN path.

The two routes go on each of the NAT/VPN routers.

In fact, in that case the VPN traffic would not even be NATed
(even though it travels over the NATed physical interface).

> dc2 can see dc1 with an IP like 192.168.0.3, which is 10.1.1.2 NATted.
>
>
> How can I make it work?
>
> (NAT, not firewall)
>
> Thanks
>
>
 
Guest

In theory you can do the following things:

You should set a port used for RPC replication, because by default it is a
dynamic port, by modifying this registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port

At the end of this page:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/df20bd3e-9914-4a8d-bd5b-3b987c73a34d.mspx
you'll see a note with the ports used by AD replication. You must map these
ports in NAT so that the first domain controller can reach the second DC.

Also you must put a static entry in the DNS zone on the first server so
that the second DC looks like it has the NAT server's IP address.

PS: also an interesting article:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_p63623.asp


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/

"ares" <aresblade@hotmail.com> wrote in message
news:eIVulADQFHA.4020@tk2msftngp13.phx.gbl...
> I have a DC in one site and a DC in another site with NAT in the middle. Can
> I join the two DCs together?
> I mean, have AD replicate with a NAT in the middle (this is not a firewall
> question).
>
> dc1 10.1.1.2 ---------- 10.1.1.1 [NAT] 192.168.0.1 ----- dc2 192.168.0.2
>
>
> dc2 can see dc1 with an IP like 192.168.0.3, which is 10.1.1.2 NATted.
>
>
> How can I make it work?
>
> (NAT, not firewall)
>
> Thanks
>
>
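The three steps Andrei lists above (pin the replication RPC port, forward the AD ports through the NAT, override dc1's address in dc2's DNS) done in PowerShell, with the checks a practitioner would run before blaming the DCs. This is an added example and not code from the thread or from Microsoft; it assumes a current Windows Server DC with the DnsServer and NetTCPIP modules (Windows 2000/2003 would use regedit, dnscmd and a reboot instead), and the port 50000, the zone corp.example and the names dc1/dc2 with the addresses from Ares's diagram are hypothetical. The caveat on the DNS step is mine: a DC keeps registering its real address in an AD-integrated zone, so the static override only holds if that registration is disabled or dc2 serves a separate zone.

```powershell
# Added example, not code from the original newsgroup thread. Assumes a current
# Windows Server DC (DnsServer and NetTCPIP modules present). Hypothetical
# values: port 50000, zone corp.example, dc1 = 10.1.1.2 seen through the NAT
# from dc2's side as 192.168.0.3 (as in the thread's diagram).

$StaticRpcPort = 50000   # assumption: any free port above 1024 the NAT can forward
$NtdsParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. Pin the replication RPC endpoint to one port. Without this the DC takes a
#    dynamic port at each start, which no static NAT mapping can follow.
New-ItemProperty -Path $NtdsParams -Name 'TCP/IP Port' -PropertyType DWord `
    -Value $StaticRpcPort -Force | Out-Null

# Read the value back before restarting anything.
$pinned = (Get-ItemProperty -Path $NtdsParams -Name 'TCP/IP Port').'TCP/IP Port'
if ($pinned -ne $StaticRpcPort) {
    throw "TCP/IP Port is '$pinned', expected $StaticRpcPort"
}

# NTDS is a restartable service on Server 2008 and later; 2000/2003 need a reboot.
Restart-Service -Name NTDS -Force

# 2. Ports the NAT must forward to the DC. These are the well-known AD service
#    ports; compare them with the note on the TechNet page linked in the post.
$ReplicationPorts = @(
    [pscustomobject]@{ Port = 135;            Proto = 'TCP';     Service = 'RPC endpoint mapper' }
    [pscustomobject]@{ Port = $StaticRpcPort; Proto = 'TCP';     Service = 'AD replication RPC (pinned above)' }
    [pscustomobject]@{ Port = 389;            Proto = 'TCP/UDP'; Service = 'LDAP' }
    [pscustomobject]@{ Port = 636;            Proto = 'TCP';     Service = 'LDAP over SSL' }
    [pscustomobject]@{ Port = 3268;           Proto = 'TCP';     Service = 'Global catalog' }
    [pscustomobject]@{ Port = 88;             Proto = 'TCP/UDP'; Service = 'Kerberos' }
    [pscustomobject]@{ Port = 53;             Proto = 'TCP/UDP'; Service = 'DNS' }
    [pscustomobject]@{ Port = 445;            Proto = 'TCP';     Service = 'SMB (SYSVOL)' }
)
$ReplicationPorts | Format-Table -AutoSize

# 3. On dc2's DNS, make dc1's name resolve to its NATted address.
#    Caveat (editor's): if the zone is AD-integrated, dc1 keeps registering its
#    real 10.1.1.2 record and that record replicates to dc2 and competes with
#    this one; the override only sticks if dc1's self-registration is turned
#    off or dc2 serves a separate primary zone for these names.
Add-DnsServerResourceRecordA -ZoneName 'corp.example' -Name 'dc1' `
    -IPv4Address '192.168.0.3' -TimeToLive ([TimeSpan]::FromHours(1))

# 4. From dc2, check that the NAT really forwards the endpoint mapper and the
#    pinned port. A failure here is a NAT mapping problem, not a DC problem.
foreach ($p in 135, $StaticRpcPort) {
    $r = Test-NetConnection -ComputerName '192.168.0.3' -Port $p -WarningAction SilentlyContinue
    '{0,-6} {1}' -f $p, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 5. Only then let replication itself report on the link.
repadmin /showrepl
dcdiag /test:replications
```

Run steps 1 and 2 on both DCs (each side needs its own pinned port and its own NAT mapping), step 3 on whichever side sees the other DC through the NAT, and step 4 from that same side.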
 

Ares

Have you tried this?
Has someone done it?
Do you have documentation?
I think Microsoft should have some but I can't find it.
Thanks


"Andrei Ungureanu" <andreix at msn dot com> wrote in message
news:eX6kqxFQFHA.2748@TK2MSFTNGP09.phx.gbl...
> In theory you can do the following things:
>
> You should set a port used for RPC replication, because by default it is a
> dynamic port, by modifying this registry key:
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port
>
> At the end of this page:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/df20bd3e-9914-4a8d-bd5b-3b987c73a34d.mspx
> you'll see a note with the ports used by AD replication. You must map these
> ports in NAT so that the first domain controller can reach the second DC.
>
> Also you must put a static entry in the DNS zone on the first server so
> that the second DC looks like it has the NAT server's IP address.
>
> PS: also an interesting article:
> http://www.microsoft.com/serviceproviders/columns/config_ipsec_p63623.asp
>
>
> --
> Andrei Ungureanu
> www.eventid.net
> Free Windows event logs reports
> http://www.altairtech.ca/evlog/
>
> "ares" <aresblade@hotmail.com> wrote in message
> news:eIVulADQFHA.4020@tk2msftngp13.phx.gbl...
>> I have a DC in one site and a DC in another site with NAT in the middle.
>> Can I join the two DCs together?
>> I mean, have AD replicate with a NAT in the middle (this is not a
>> firewall question).
>>
>> dc1 10.1.1.2 ---------- 10.1.1.1 [NAT] 192.168.0.1 ----- dc2 192.168.0.2
>>
>>
>> dc2 can see dc1 with an IP like 192.168.0.3, which is 10.1.1.2 NATted.
>>
>>
>> How can I make it work?
>>
>> (NAT, not firewall)
>>
>> Thanks
>>
>>
>
>
 
Guest

I haven't tried this and I'm not going to.
Most probably in a scenario like this I would try Herb's solution with the
VPN.


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/



"ares" <aresblade@hotmail.com> wrote in message
news:OgUluSOQFHA.1528@TK2MSFTNGP09.phx.gbl...
> Have you tried this?
> Has someone done it?
> Do you have documentation?
> I think Microsoft should have some but I can't find it.
> Thanks
>
>
> "Andrei Ungureanu" <andreix at msn dot com> wrote in message
> news:eX6kqxFQFHA.2748@TK2MSFTNGP09.phx.gbl...
>> In theory you can do the following things:
>>
>> You should set a port used for RPC replication, because by default it is a
>> dynamic port, by modifying this registry key:
>>
>> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port
>>
>> At the end of this page:
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/df20bd3e-9914-4a8d-bd5b-3b987c73a34d.mspx
>> you'll see a note with the ports used by AD replication. You must map
>> these ports in NAT so that the first domain controller can reach the second
>> DC.
>>
>> Also you must put a static entry in the DNS zone on the first server so
>> that the second DC looks like it has the NAT server's IP address.
>>
>> PS: also an interesting article:
>> http://www.microsoft.com/serviceproviders/columns/config_ipsec_p63623.asp
>>
>>
>> --
>> Andrei Ungureanu
>> www.eventid.net
>> Free Windows event logs reports
>> http://www.altairtech.ca/evlog/
>>
>> "ares" <aresblade@hotmail.com> wrote in message
>> news:eIVulADQFHA.4020@tk2msftngp13.phx.gbl...
>>> I have a DC in one site and a DC in another site with NAT in the middle.
>>> Can I join the two DCs together?
>>> I mean, have AD replicate with a NAT in the middle (this is not a
>>> firewall question).
>>>
>>> dc1 10.1.1.2 ---------- 10.1.1.1 [NAT] 192.168.0.1 ----- dc2 192.168.0.2
>>>
>>>
>>> dc2 can see dc1 with an IP like 192.168.0.3, which is 10.1.1.2 NATted.
>>>
>>>
>>> How can I make it work?
>>>
>>> (NAT, not firewall)
>>>
>>> Thanks
>>>
>>>
>>
>>
>
>
 
Guest

"Andrei Ungureanu" <andreix at msn dot com> wrote in message
news:eqIeP#SQFHA.2680@TK2MSFTNGP09.phx.gbl...
> I haven't tried this and I'm not going to.
> Most probably in a scenario like this I would try Herb's solution with the
> VPN.

The part that fools most people with the VPN is
that once the VPN "interface" is created in RRAS,
it is treated JUST LIKE any other interface, including
a real NIC:

You can NAT or not NAT it, filter it, route through
it -- including providing static routes that are specific
to the interface.