Re: AD/DNS with NAT
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Thu, 24 Apr 2008 10:16:29 -0500
You don't do NAT for any of this. That is the last thing in the world you
would want.
Effectively you are just changing/adding subnets. Geography is totally
irrelevant... you handle Routing (*as* routing, not NAT) the same way as if
the subnets were all in the same room. Geography and Line Technology (like
MPLS) are completely irrelevant. Routing is still just routing.
I could offer more but lack too much information. Much of the details in your
post don't really matter as far as I can tell. Basically the Layer 1, 2, & 3
Topology and the Subnetting scheme are the only things that matter.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
"AnthonyE" <aeychenne@xxxxxxx> wrote in message
news:b1347c7a-9749-4b39-ab14-6923d11dba81@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Everyone,
I request some help from the community about a somewhat tricky
architecture design. Our client desires to change his network infrastructure
and he's asking my company to validate the system side and the potential
consequences to it.
CONTEXT:
Today, his entire network is based on a private range (10.x.x.x). Two
Datacenters host servers as Domain Controllers AD2003, DNS, Exchange
and other services for the whole company.
Users are separated into one big headquarters and 58 small offices.
Each small office hosts a member server for DHCP, DNS caching, file
sharing, etc. The users in these small offices are authenticating
directly to one of the 4 domain controllers located in the
Datacenters. All sites (HQ, Datacenters and small offices) are
interconnected by a MPLS network.
So far, so good, everything works fine.
But here we go: this company is part of a larger group and is
requested to be part of the WAN network of the Group to connect their
small offices to the Datacenters, in order to save cost, gain speed
and increase security. This means changing IP ranges; the small
offices will be migrated to the new range, but the headquarters is too
complicated to migrate, so it will keep its private IP range
(10.x.x.x) and NAT will be used to connect the Datacenters to the
Group WAN network. This way, the small offices will use new IP
addresses to access their business application, the IP translation
being done by Firewalls at the Datacenters. The private range 10.x.x.x
will be unknown for the small sites and non routable.
For info, we will try to recommend to the client to add Firewalls at
every small office to use NAT in order to keep the private IP range
on each site, but due to the cost of 58 FWs this will probably be
rejected. That would have resolved all our issues because the
migration to the new network would have been totally transparent for
the actual system infrastructure.
PROBLEM:
In this new situation, we know that business services like telnet and
Intranet (web) won't have any issue working through that NAT
environment. But our concerns are about the DNS / Active Directory
infrastructure now "hidden" behind the NAT.
All the servers in the Datacenters will have a corresponding and
unique "external address" on the new WAN cloud, known by the
firewall for IP translation. But how will services like DNS and AD
react behind the NAT?
Indeed, by default, DNS, when queried, will send a resolved answer
specifying the "private" IP address of the searched host, instead of
the external one necessary for the small offices. Some firewalls like
Cisco or apparently Checkpoint seem to offer functionalities such as DNS
Doctoring, translating the IP inside the DNS response, but I would like
to be sure this works in an AD/DNS environment. If not, what are the
other options to make this work?
Also, about Kerberos: once the small office desktops have the correct
external IP address of a DC in the Datacenter, will they still be able
to authenticate through the NAT? I didn't read anything saying No, but
haven't read anything saying Yes either :-)
So what do you think? Is there anyone with experience on such a case
involving AD/DNS in a NAT environment? What are your suggestions?
Thanks in advance.
Anthony E.
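The "DNS doctoring" Anthony asks about is a firewall feature that rewrites the addresses carried inside DNS answers as they pass through the NAT. The block below is an added example, not code from either poster or from any firewall vendor, that shows what such a rewrite does on the wire: it walks a DNS response, translates only A-record RDATA through a NAT table, and leaves SRV records (the records AD clients use to find domain controllers, which carry a target name rather than an address) untouched. The host names and addresses are constructed for the example and are not from the thread.

```python
"""Toy DNS doctoring: rewrite A-record answers through a NAT table.

Added example with constructed data; the names and addresses below are
hypothetical and not taken from the original post.
"""
import struct
import ipaddress

# Hypothetical NAT table: private datacenter address -> address the
# firewall presents on the Group WAN.
NAT_TABLE = {
    "10.1.1.10": "172.16.5.10",
    "10.1.1.11": "172.16.5.11",
}

A, SRV = 1, 33          # DNS record types used in this example
IN = 1                  # class IN


def encode_name(name):
    """Encode a dotted host name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_response(qname, qtype, records, txid=0x1234):
    """Build a minimal DNS response: one question plus `records` as (type, rdata).

    Each answer's owner name is a pointer (0xC00C) back to the question name,
    which always sits at offset 12, right after the 12-byte header.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, IN)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, IN, 300, len(rdata)) + rdata
        for rtype, rdata in records)
    return header + question + answers


def a_rdata(ip):
    """RDATA of an A record: the 4-byte address."""
    return ipaddress.IPv4Address(ip).packed


def srv_rdata(priority, weight, port, target):
    """RDATA of an SRV record: priority, weight, port, then a target *name*."""
    return struct.pack("!HHH", priority, weight, port) + encode_name(target)


def iter_records(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every resource record."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_a_records(msg, nat_table):
    """Return a copy of `msg` with A-record addresses translated via nat_table.

    Only type A / class IN records with 4-byte RDATA are rewritten, and only
    when the private address is in the table. SRV records pass through as-is:
    the client resolves the SRV target name in a second query, and that A
    answer is the one that gets translated.
    """
    out = bytearray(msg)
    for off, rtype, rclass, rdlen in iter_records(msg):
        if rtype == A and rclass == IN and rdlen == 4:
            private_ip = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if private_ip in nat_table:
                out[off:off + 4] = a_rdata(nat_table[private_ip])
    return bytes(out)


def answer_addresses(msg):
    """List the A-record addresses present in a response (used for checking)."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off, rtype, rclass, rdlen in iter_records(msg)
            if rtype == A and rclass == IN and rdlen == 4]


if __name__ == "__main__":
    resp = build_response("dc1.corp.example", A, [(A, a_rdata("10.1.1.10"))])
    print(answer_addresses(resp), "->", answer_addresses(doctor_a_records(resp, NAT_TABLE)))
```

The rewrite keeps the message length unchanged (a 4-byte address replaces a 4-byte address), so the UDP checksum is the only thing a real firewall would also have to recompute. Note what the example does not cover: any record type that embeds an address somewhere other than A RDATA, and any traffic where the address is carried inside the application payload rather than in DNS, is outside what DNS doctoring can fix.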