Re: AD & NAT



Hello,

I guess you really can't avoid this NAT? Be prepared for the hard way..
- DC will register in DNS with a bad address
- IPsec doesn't like NAT, even NAT-T:
IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators
http://support.microsoft.com/default.aspx?scid=kb;en-us;885348

- You may have Kerberos error:
0x26 (KRB_AP_ERR_BADADDR) "Incorrect net address"
Session tickets include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid.

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"LCS AP-Certificate" <LCSAPCertificate@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:09701575-CCC3-4824-9C69-A7BDD6D733FC@xxxxxxxxxxxxxxxx
Hi,

We are working on a case where we need to implement an AD architecture using a
NATed IP for the DC.

Scenario / Business Requirement -

The client would use a parent and child AD domain architecture. The parent AD
domain would be World.com while the child domain would be Child.World.com.
World.com is an empty root forest while Child.World.com would contain all
resources and DCs worldwide.
The first domain controller for the root domain and the child domain would be
installed at the America datacentre, and an ADC for the root domain would be at
the APAC datacentre for redundancy, while domain controllers belonging to the
child domain are spread across locations in APAC, the Americas and Europe.
APAC, the Americas and Europe each have one datacentre. AD DCs in each
datacentre have a real IP of 10.x.x.x while they are NATed to 3.x.x.x on the
NAT device. The other server infrastructure such as e-mail, etc. also uses
10.x.x.x as the real IP and is NATed to 3.x.x.x on the NAT device.
The locations which are in APAC, America or Europe have their DC with a
3.x.x.x IP. There is no NAT configured for locations except the datacentres.
There are a total of 20 such locations that would have a DC with a 3.x.x.x IP
addressing range and without NAT.
Clients across the globe are on the 3.x.x.x IP addressing range. They are not
configured for NAT. There are no clients except servers in the datacentre.
The client would be using the NATed IP scenario for at least a year further.
The client has configured a secondary DNS zone having 3.x.x.x addresses in the
America datacentre, because of which locations in America can enroll
workstations to the domain.

Problem Scenario / Queries - Due to the NAT scenario, the following
issues exist:

Additional domain controllers can only be added at the America datacentre.
These ADCs cannot be added for other locations in the Americas.
DNS name resolution by clients at locations returns the real IP of 10.x.x.x.
The DHCP scope would be 3.x.x.x for clients at locations.
How to configure AD site replication between locations in APAC, the Americas
and Europe and between the three datacentres?

Kindly advise on the workaround that can be employed when DCs use NAT IPs
across the enterprise and, in this scenario, how to effect name resolution, AD
site replication from all locations across the enterprise and other essential
configurations such as DHCP, etc.

We need advisory assistance on implementing the above and how the problem
scenario can be addressed, or the workaround that can be employed, in
effectively deploying an AD infrastructure using NAT IPs across the
enterprise and also being able to perform DNS name resolution, DHCP, AD
replication, adding machines to the domain, installing additional domain
controllers, etc.

Regards,

Manish
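Added example (not code from either post in this thread) that checks offline the first point in the reply, a DC registering an address clients cannot use, against the name-resolution problem Manish describes. It parses DNS records of the kind a 3.x.x.x client receives, flags every domain controller whose SRV target resolves to an address outside the client ranges, and builds the A records a hand-maintained client-facing zone would need from a static NAT table. The record set, the hostnames dc1/dc2/dc3, the addresses and the NAT table are constructed for the example; only the 10.x.x.x/3.x.x.x ranges and the child.world.com name come from the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not from the thread). They stand for what a
# client on the 3.x.x.x range sees when it looks up the domain controllers
# of child.world.com: dc1 and dc2 are datacentre DCs that registered their
# real 10.x.x.x interface, dc3 sits at a location without NAT.
SAMPLE_RECORDS = """\
_ldap._tcp.dc._msdcs.child.world.com.     600 IN SRV 0 100 389 dc1.child.world.com.
_ldap._tcp.dc._msdcs.child.world.com.     600 IN SRV 0 100 389 dc2.child.world.com.
_ldap._tcp.dc._msdcs.child.world.com.     600 IN SRV 0 100 389 dc3.child.world.com.
_kerberos._tcp.dc._msdcs.child.world.com. 600 IN SRV 0 100 88  dc1.child.world.com.
_kerberos._tcp.dc._msdcs.child.world.com. 600 IN SRV 0 100 88  dc3.child.world.com.
dc1.child.world.com. 1200 IN A 10.1.1.5
dc2.child.world.com. 1200 IN A 10.2.1.5
dc3.child.world.com. 1200 IN A 3.20.5.10
"""

# Hypothetical static NAT table of the datacentre, real address -> translated
# address (constructed; dc2 is deliberately left out to show the gap it leaves).
SAMPLE_NAT_MAP = {"10.1.1.5": "3.1.1.5"}

# Address ranges the clients actually sit on (from the thread: 3.x.x.x).
CLIENT_NETWORKS = [ipaddress.ip_network("3.0.0.0/8")]


def parse_records(text):
    """Parse zone-file style lines into SRV targets and A records."""
    srv = []                       # (service name, target host)
    a_records = defaultdict(list)  # host -> [address, ...]
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, rtype = fields[0].rstrip(".").lower(), fields[3]
        if rtype == "SRV" and len(fields) >= 8:
            # SRV rdata: priority weight port target
            srv.append((name, fields[7].rstrip(".").lower()))
        elif rtype == "A":
            a_records[name].append(fields[4])
    return srv, a_records


def audit_dc_records(text, client_networks, nat_map):
    """Check every DC advertised by an SRV record for client reachability.

    Returns a list of (service, host, address, status, suggested_address):
      "ok"          - the registered address lies in a client network
      "unreachable" - the DC registered an address clients cannot route to
      "no-address"  - the SRV target has no A record in what clients see
    suggested_address is the NAT-side address to publish, when the table knows it.
    """
    srv, a_records = parse_records(text)
    findings = []
    for service, host in srv:
        addrs = a_records.get(host)
        if not addrs:
            findings.append((service, host, None, "no-address", None))
            continue
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in client_networks):
                findings.append((service, host, addr, "ok", None))
            else:
                findings.append((service, host, addr, "unreachable", nat_map.get(addr)))
    return findings


def client_facing_a_records(text, client_networks, nat_map):
    """Build the A records a hand-maintained client-facing zone should carry:
    the translated address for NATed DCs, the real one for DCs not behind NAT.
    Hosts whose translation is unknown are returned as unresolved."""
    records, hosts = {}, set()
    for _, host, addr, status, suggested in audit_dc_records(text, client_networks, nat_map):
        hosts.add(host)
        if status == "ok":
            records[host] = addr
        elif status == "unreachable" and suggested:
            records.setdefault(host, suggested)
    return records, sorted(hosts - records.keys())


if __name__ == "__main__":
    for finding in audit_dc_records(SAMPLE_RECORDS, CLIENT_NETWORKS, SAMPLE_NAT_MAP):
        print(finding)
    print(client_facing_a_records(SAMPLE_RECORDS, CLIENT_NETWORKS, SAMPLE_NAT_MAP))
```

Run as is, it reports dc1 and dc2 as unreachable on both the _ldap and _kerberos entries, proposes 3.1.1.5 for dc1 from the NAT table, and leaves dc2 unresolved because nothing says what its translated address is. Against a real environment, feed parse_records the records a client-side resolver returns rather than the DC-side zone; the _kerberos entries are included because the KDC lookup takes the same path as the LDAP one, and a wrong address there is where logon fails first.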
