DC access with NAT and Public IP

Hello,

I have a situation where I need to configure a domain controller at a remote
site (site2) that uses NAT internally along with statically mapped outside
addresses. The host site (site1) has all public addresses and controls access
via a firewall. There is no VPN between the sites (will use IPSEC once this
works) and access is controlled via thier respective firewalls. I was able to
join the domain at site1 from site2 but replication does not work properly as
the new domain controller tries to respond with the NAT address instead of
the outside address. I'm sure this is not the first time this configuration
has been faced but I am unsure of how to solve this. Is there something I
need to setup in DNS, host file, or do I need to configure static routing on
the dc? Any help would be greatly appreciated.

-----------
Anyone who knows everything, leads a pretty boring life

In news:16025F8B-3F10-407F-9C2A-(E-Mail Removed),
UWide User <(E-Mail Removed)> typed:
> Hello,
>
> I have a situation where I need to configure a domain controller at a
> remote site (site2) that uses NAT internally along with statically
> mapped outside addresses. The host site (site1) has all public
> addresses and controls access via a firewall. There is no VPN
> between the sites (will use IPSEC once this works) and access is
> controlled via thier respective firewalls. I was able to join the
> domain at site1 from site2 but replication does not work properly as
> the new domain controller tries to respond with the NAT address
> instead of the outside address. I'm sure this is not the first time
> this configuration has been faced but I am unsure of how to solve
> this. Is there something I need to setup in DNS, host file, or do I
> need to configure static routing on the dc? Any help would be greatly
> appreciated.
>
> -----------
> Anyone who knows everything, leads a pretty boring life

It depends on how it is setup. If two true firewalls, yes it will work. But
with NAT, no, it will not. The only way to get it to work between two NATs
is a VPN IPSec based tunnel using the NAT devices as the endpoints, that is
if the NAT device supports configuring tunnels between themselves. Keep in
mind, domain communication and functionality, which requires RPC, Kerberos
and LDAP, do NOT work across a NAT because NAT cannot traverse the security
functions and hashes. If a pure firewall, there are 29 ports that need to be
open to allow domain communication. That is why a IPSec tunnel is your best
bet.

I usually implement two PIX boxes on each end in such a scenario - it just
works. Other vendors work nicely as well, but the point is the right
equipment will be needed. This way the internal subnets from each location
communicate with each other and do not get NAT'd.

Hosts files do not work with AD.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Hello,

Thanks for your post and thanks Ace for the detailed information he shared.
This is Neo and I will be assisting you in this post.

From your description, I understand that:

You have two sites in your AD environment. All computers at the first site
(let's call this site: site1) have public IP addresses and are located
behind firewall. All computers at the second site (let's call this site:
site2) have private IP addresses and are located behind NAT device. The
current issue is that the domain controller at site2 couldn't perform a DC
replication with the domain controller at site1.

If there is any misunderstanding, please let me know.

Analysis:
==============================

This should be an expected behavior.

Firstly, as we know, NAT gives us a more secure network because the
addresses of the private network are completely hidden from the Internet.
The connection shared computer, which uses NAT, does all of the translation
of Internet addresses to the private network, and vice versa. However,
please be aware that the NAT does not have the ability to translate all
payloads. This is because some applications use IP addresses in other
fields besides the standard TCP/IP header fields. For example, Kerberos
Protocol, which is required by domain communication, does not work with NAT.

On the other hand, domain clients who have private IP addresses are not
aware of NAT. When registering in DNS, the clients will send their private
IP addresses instead of the public IP address of NAT. This could be a
problem as it will cause collisions if there are multiple clients behind
the same NAT

Therefore, configuring domain controllers to communicate over a NAT is
strongly not recommended.

Suggestions:
==============================

It's not an easy project to implement another firewall at site2 and perform
DC replication between two public networks. Also, you might not have enough
public IP addresses assigned to clients at site two.

Therefore, under this scenario, I recommend you implement two NAT devices
with VPN feature supported at each site. And then build a Site to Site VPN
connection between site1 and site2. In this way, the internal subnets from
each location could communicate with each other through the VPN tunnel. I
agree with Ace 's suggestion that building one IPSec tunnel between two
sites is your best choice.

I hope this helps! Thanks!


Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.

Thank you so much for the reply! Do you happen to know where the full list of
firewall ports are documented for proper domain controller communication?

again thanks.
--
-----------
Anyone who knows everything, leads a pretty boring life


"Ace Fekay [MVP]" wrote:

> In news:16025F8B-3F10-407F-9C2A-(E-Mail Removed),
> UWide User <(E-Mail Removed)> typed:
> > Hello,
> >
> > I have a situation where I need to configure a domain controller at a
> > remote site (site2) that uses NAT internally along with statically
> > mapped outside addresses. The host site (site1) has all public
> > addresses and controls access via a firewall. There is no VPN
> > between the sites (will use IPSEC once this works) and access is
> > controlled via thier respective firewalls. I was able to join the
> > domain at site1 from site2 but replication does not work properly as
> > the new domain controller tries to respond with the NAT address
> > instead of the outside address. I'm sure this is not the first time
> > this configuration has been faced but I am unsure of how to solve
> > this. Is there something I need to setup in DNS, host file, or do I
> > need to configure static routing on the dc? Any help would be greatly
> > appreciated.
> >
> > -----------
> > Anyone who knows everything, leads a pretty boring life
>
> It depends on how it is setup. If two true firewalls, yes it will work. But
> with NAT, no, it will not. The only way to get it to work between two NATs
> is a VPN IPSec based tunnel using the NAT devices as the endpoints, that is
> if the NAT device supports configuring tunnels between themselves. Keep in
> mind, domain communication and functionality, which requires RPC, Kerberos
> and LDAP, do NOT work across a NAT because NAT cannot traverse the security
> functions and hashes. If a pure firewall, there are 29 ports that need to be
> open to allow domain communication. That is why a IPSec tunnel is your best
> bet.
>
> I usually implement two PIX boxes on each end in such a scenario - it just
> works. Other vendors work nicely as well, but the point is the right
> equipment will be needed. This way the internal subnets from each location
> communicate with each other and do not get NAT'd.
>
> Hosts files do not work with AD.
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> Infinite Diversities in Infinite Combinations
>
>
>

In news934BC64-2EE4-4E75-9606-(E-Mail Removed),
UWide User <(E-Mail Removed)> typed:
> Thank you so much for the reply! Do you happen to know where the full
> list of firewall ports are documented for proper domain controller
> communication?
>
> again thanks.

You are welcome. Here is a link with all the ports:
http://support.microsoft.com/kb/q179442/

Ace

Hello,

How's everything going?

I'm wondering if the suggestion has helped or if you have any further
questions.

Please feel free to respond to the newsgroups if I can assist further.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.