NAT and Active Directory


Peter

Does anyone know of any issues using Active Directory (or with ADS
replication) if the child domains in the enterprise want to use NAT on their
edge routers to the other child domains?

Some here have said that this won't work, others say it will.
Some say issues were corrected in recent service packs, others say no.

I've never heard anyone say anything, and can't find anything about issues,
either with ADS or DNS or DHCP, etc.

TIA
 
Peter said:
Does anyone know of any issues using Active Directory (or with ADS
replication) if the child domains in the enterprise want to use NAT
on their edge routers to the other child domains?

Some here have said that this won't work, others say it will.
Some say issues were corrected in recent service packs, others say no.

I've never heard anyone say anything, and can't find anything about
issues, either with ADS or DNS or DHCP, etc.

TIA

Are you asking if it's ok to use a domain controller as a NAT device? If so,
I would suggest not. You would be exposing the machine on an untrusted
public network.

If the routers are performing NAT and you have other locations that are set up
the same and want to interconnect them, the best way is by the use of a VPN.
The router that is performing NAT for you can also be used for the VPN, if it
supports it. If not, you can go with a simple NetScreen device. Works like a
charm and is secure. Remember you want to set up a private tunnel between the
two NetScreens or routers. This way you can have an unabridged and secure
connection.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Peter said:
Does anyone know of any issues using Active Directory (or with ADS
replication) if the child domains in the enterprise want to use NAT
on their edge routers to the other child domains?

Some here have said that this won't work, others say it will.
Some say issues were corrected in recent service packs, others say no.

I've never heard anyone say anything, and can't find anything about
issues, either with ADS or DNS or DHCP, etc.

TIA

To add, as for DNS or DHCP, there wouldn't be a problem with them at all. I
assume you would have a DHCP server in each location, and would design DNS
to support your AD infrastructure at each location or using AD Integrated
zones or Primary/Secondary zones, depending on your AD design. This would
have nothing to do with NAT.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace is correct.

It isn't a particularly good idea to use a DC for the NAT/router (without
another firewall outside it), but it is technically feasible.

One issue not really related directly, but so common as to be worth
mentioning:
IF the NAT acquires a DHCP-assigned address on the outside NIC, and (as
is typical) receives a DNS server setting from there...
THEN you need to manually override that DNS setting with the correct
(INTERNAL) DNS server -- even if that is the same machine.

Do NOT allow the NAT to point its own "client" DNS at the ISP if it must
either be an "Internal DNS client" OR "register itself with INTERNAL DNS"
(as a DC must).
 
Sorry - I was obviously not clear enough.

NAT is being used for security on the Cisco routers in the child domains so
that there is translation between each of them. No Microsoft NAT is
involved. No RRAS.

Now, that being said, any issues
 
Peter said:
Sorry - I was obviously not clear enough.

NAT is being used for security on the Cisco routers in the child
domains so that there is translation between each of them. No
Microsoft NAT is involved. No RRAS.

Now, that being said, any issues

Then, no, there are not, except of course if the NAT router has multiple
internal private interfaces. If this is so, there may be LDAP communication
problems between the private subnets. The usual cause is H.323 support. This
is due to the way the packets are routed; the PDUs are chopped to 64k to
optimize video conferencing and other H.323 apps. You would have to read the
docs on the routers in order to find out how to disable that.

If you have multiple private subnets scattered across remote locations, then
it's best to create a VPN with a unit such as a NetScreen between the
private subnets, or do it with your routers (Tunnel Mode). LDAP, Kerberos
and RPC do not translate across NAT (port remapping services/ports, etc.),
and therefore this would be a MAJOR problem. VPN tunnels are the normal way
to make this work.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
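To make the "RPC does not translate across NAT" point concrete, here is an added Python model that is not part of the thread and not code from any of the posters. It simulates the failure mode Ace describes: the RPC endpoint mapper on a DC answers with an address and dynamic port carried inside the payload, and a header-only NAT with a static forward for port 135 never rewrites that embedded endpoint, so the follow-up bind fails. With a routed VPN tunnel between the child domains no translation happens and the same exchange succeeds. All addresses, ports, prefixes and the `drsuapi` interface name used as a lookup key are constructed for the example.

```python
# Added example, not from the newsgroup thread.  Toy model of why an RPC
# exchange that carries its endpoint inside the payload (AD replication via
# the endpoint mapper is the classic case) breaks across a header-only NAT,
# and why a routed VPN tunnel between the child domains avoids the problem.
# Every address, port and prefix below is constructed for illustration.

CHILD_B_NET = "10.2."            # private prefix of child domain B (constructed)
NAT_B_PUBLIC = "198.51.100.20"   # public side of child domain B's NAT router
DC_B_PRIVATE = "10.2.0.5"        # the DC in child B that child A must replicate from
EPM_PORT = 135                   # RPC endpoint mapper
DYNAMIC_RPC_PORT = 49152         # port the replication interface was assigned on DC_B

# Static forwards configured on child B's NAT: only the endpoint mapper is
# published ("just open 135").  Dynamic RPC ports are not, and cannot be
# known in advance by the router administrator.
NAT_B_FORWARDS = {EPM_PORT: (DC_B_PRIVATE, EPM_PORT)}


def dc_b_endpoint_mapper(interface):
    """Toy endpoint mapper on DC_B.  The real service answers in the same
    spirit: the endpoint lives inside the RPC payload, which a header-only
    NAT never inspects or rewrites."""
    if interface == "drsuapi":   # constructed lookup key for the replication interface
        return {"ip": DC_B_PRIVATE, "port": DYNAMIC_RPC_PORT}
    return None


def deliver(dst_ip, dst_port, tunnel):
    """Where does a packet sent from child A to dst_ip:dst_port actually land?
    Returns the private (ip, port) it reaches, or None if it is dropped.

    tunnel=False: child A only has Internet reachability to NAT_B_PUBLIC, and
                  the NAT applies its static forward table.
    tunnel=True:  a VPN tunnel routes child B's private prefix directly, so
                  there is no translation at all.
    """
    if tunnel and dst_ip.startswith(CHILD_B_NET):
        return (dst_ip, dst_port)
    if dst_ip == NAT_B_PUBLIC:
        return NAT_B_FORWARDS.get(dst_port)   # unlisted ports are dropped
    # A 10.2.x.x destination from the outside has no route (or collides with
    # child A's own private space): dropped.
    return None


def replicate_from_a(tunnel=False):
    """Run the two-step exchange a DC in child A performs against DC_B and
    report where it stops.  Returns "ok" on success."""
    # Step 1: reach the endpoint mapper.  Across the NAT we address the public
    # IP; across the tunnel we address the DC's real private address.
    epm_target = DC_B_PRIVATE if tunnel else NAT_B_PUBLIC
    if deliver(epm_target, EPM_PORT, tunnel) != (DC_B_PRIVATE, EPM_PORT):
        return "endpoint mapper unreachable"

    # Step 2: the mapper's answer names a private address and a dynamic port.
    ep = dc_b_endpoint_mapper("drsuapi")
    if deliver(ep["ip"], ep["port"], tunnel) != (DC_B_PRIVATE, DYNAMIC_RPC_PORT):
        return (f"RPC bind to {ep['ip']}:{ep['port']} failed: "
                "embedded endpoint was not translated by the NAT")
    return "ok"


if __name__ == "__main__":
    print("across NAT only :", replicate_from_a(tunnel=False))
    print("across VPN tunnel:", replicate_from_a(tunnel=True))
```

The model deliberately leaves out what a real NAT could add (an RPC-aware application layer gateway, or a fixed replication port published on the router) because the thread's advice is the simpler and more robust one: put a tunnel between the sites so directory traffic is routed, not translated. The same payload-embedded-address problem is what the reply attributes to LDAP referrals and Kerberos as well, so a tunnel fixes all three at once.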
 