Re: does active directory work behind a NAT router?



In news:1181029189.304240.97210@xxxxxxxxxxxxxxxxxxxxxxxxxxx,
leonardo <leonardo.canducci@xxxxxxxxx> typed:
Hi. I'm new here and not so skilled in active directory.
In short I have just one simple question. Does active directory work
behind a NAT router?
Routers are not used to provide Internet connectivity but to isolate
each lab from the rest of the network.

Scenario:
We are using active directory in our school labs to authenticate users
and provide them with their Documents and Settings folder wherever
they log in. Each lab has its own subnet (172.16.labx.pcy) and
everything is working fine now. We are planning to use routers to hide
and separate labs from each other, so that every lab could have its
192.168.0.0 network and a dedicated router to translate this address
with one of the same net the DC runs in (127.16.x.x). Is that
possible? Are there some problems we should be aware of? Are there
better solutions to provide the same security and flexibility?

Thanks for answering.
Leonardo

Basically if you have a private network for each lab behind a NAT and you do
not need AD communication across a NAT device (such as a Linksys router,
Pix, Watchguard, etc), then yes, AD can exist in its own private segment.
Remember to ONLY use the DC as the DNS server address in IP properties of
their own domain. Configure a forwarder for Internet resolution as explained
in the first article below.

However once you need AD communication across a NAT, such as a client is on
the other side of a NAT and the DC is inside, then no, this will not work.
This is because NAT cannot support AD communication protocols (RPC, LDAP,
Kerberos, etc). If you wanted to make such a scenario work, you would need
to VPN thru the NAT.


More info and reading for everyone:

323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003
(forwarding) :
http://support.microsoft.com/?id=323380

Posted 5/22/07
Do not configure the DNS client settings on the domain controllers to point
to your Internet Service Provider's (ISP's) DNS servers:
http://smtp25.blogspot.com/2007/05/do-not-configure-dns-client-settings-on_818.html

291382 - Frequently asked questions about Windows 2000 DNS and Windows
Server 2003 DNS
http://support.microsoft.com/?id=291382


300202 - HOW TO Configure DNS for Internet Access in Windows Server 2000
(forwarding) :
http://support.microsoft.com/?id=300202

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/?id=825036

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain (whether it was upgraded or not, this is full of useful information
relating to AD and DNS, among other info):
http://support.microsoft.com/?id=555040

Domain Controller's Domain Name System Suffix Does Not Match Domain Name:
http://support.microsoft.com/?id=257623

Clients cannot dynamically register DNS records in a single-label forward
lookup zone:
http://support.microsoft.com/?id=826743

300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names
http://support.microsoft.com/?id=300684

828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/?id=828263

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain
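As an added example (not from Ace's reply or the original thread), a PowerShell check a lab admin could run on a domain member to confirm that its DNS client points only at domain controllers and that the AD ports the reply names (RPC, LDAP, Kerberos) are actually reachable from that subnet. It assumes Windows 8 / Server 2012 or later for the DnsClient and NetTCPIP cmdlets and takes the domain name from $env:USERDNSDOMAIN.

```powershell
# Added example, not code from the original post. Assumes Windows 8/Server 2012+
# (Get-DnsClientServerAddress, Resolve-DnsName, Test-NetConnection) and a
# domain-joined machine so that $env:USERDNSDOMAIN is populated.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

# 1. Which DNS servers is this client configured with? Every one of them should be
#    a DC of the domain; an ISP or router address here breaks AD name resolution.
$configured = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique)

# 2. Resolve the DC locator SRV record. A DNS server that cannot answer this
#    query is not serving the AD zone and is unsuitable for domain members.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = @($srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget | Sort-Object -Unique)
$dcAddresses = foreach ($dc in $dcs) { (Resolve-DnsName -Name $dc -Type A).IPAddress }

foreach ($ip in $configured) {
    if ($dcAddresses -contains $ip) {
        Write-Host "OK   DNS server $ip is a domain controller"
    } else {
        Write-Warning "DNS server $ip is NOT a DC; remove it and use a forwarder on the DC for Internet names"
    }
}

# 3. Probe the fixed ports AD clients need on the first DC found. Across a NAT the
#    fixed ports may answer while the RPC endpoint mapper's dynamic ports still fail,
#    which is why a VPN rather than port forwarding is the usual answer.
$ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP'; 445='SMB'; 464='Kerberos kpasswd' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $dcs[0] -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Host ("{0,-22} tcp/{1,-4} {2}" -f $ports[$p], $p, $state)
}
```

Run it from a lab client before and after putting the router in place; a warning in step 1 or a BLOCKED line in step 3 points at exactly the DNS or NAT problem the reply describes.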





