Domain controllers between NAT

 
 
maddhaze@gmail.com
      08-24-2005, 02:21 PM
I have DC's at two different sites (CA and NY). Both used to have
public addresses. Now I had to change the address on the server in CA
to a NAT address because we put in a firewall and everything needs to
be behind it. The server in CA does have a corresponding outside
address, however, because of AD the server in NY is seeing the
non-routable address of the CA server. This is causing replication to
blow up. I tried placing a host entry for the CA server on the NY
server but replication traffic is still trying to go over the NAT
address. Is there a way to fix this so the NY server and CA server can
talk properly? Over the outside addresses? Any ideas?

Thank you.

 
Yaytay
      08-24-2005, 02:31 PM
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
>I have DC's at two different sites (CA and NY). Both used to have
> public addresses. Now I had to change the address on the server in CA
> to a NAT address because we put in a firewall and everything needs to
> be behind it. The server in CA does have a corresponding outside
> address, however, because of AD the server in NY is seeing the
> non-routable address of the CA server. This is causing replication to
> blow up. I tried placing a host entry for the CA server on the NY
> server but replication traffic is still trying to go over the NAT
> address. Is there a way to fix this so the NY server and CA server can
> talk properly? Over the outside addresses? Any ideas?


What is the connectivity between the two sites?
Are/were you doing your synchronisation directly over the Internet?

I think you probably could reconfigure the firewalls in both sites to enable
replication; I think you should be looking at a VPN between them.
Once you have a VPN in place the two servers will be able to see the
internal networks of both sites (assuming it's suitably configured).
Is that the sort of thing you are after?

J.T.


 
Manny Borges
      08-24-2005, 02:56 PM
You have lots of options depending on how you are set up.

How many public IPs do you have on the outside of the NAT?

"(E-Mail Removed)" wrote:

> I have DC's at two different sites (CA and NY). Both used to have
> public addresses. Now I had to change the address on the server in CA
> to a NAT address because we put in a firewall and everything needs to
> be behind it. The server in CA does have a corresponding outside
> address, however, because of AD the server in NY is seeing the
> non-routable address of the CA server. This is causing replication to
> blow up. I tried placing a host entry for the CA server on the NY
> server but replication traffic is still trying to go over the NAT
> address. Is there a way to fix this so the NY server and CA server can
> talk properly? Over the outside addresses? Any ideas?
>
> Thank you.
>
>

 
maddhaze@gmail.com
      08-24-2005, 03:27 PM
I'm thinking VPN may be the answer (MS VPN). There is a T1 between the
sites and both have Cisco firewalls, but I have no more interfaces on
the CA pix or else I would just keep that box on a routable address.
Haven't had to set up the VPN before, is there a way to make it a
permanent link?

 
Yaytay
      08-24-2005, 03:50 PM

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> I'm thinking VPN may be the answer (MS VPN). There is a T1 between the
> sites and both have Cisco firewalls, but I have no more interfaces on
> the CA pix or else I would just keep that box on a routable address.
> Haven't had to set up the VPN before, is there a way to make it a
> permanent link?
>


My first consideration would be for a VPN between the pixes, rather than an
MS VPN.
For the MS VPN to work the pixes will have to be configured to allow that
VPN traffic through no matter where it is from, whereas a pix to pix VPN can
be guaranteed to come from the appropriate box - it just keeps the decision
a bit further away from the servers.

J.T.


 
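The contrast drawn in the last reply, written out as firewall configuration for the CA side. This is an added example, not part of the original thread: it assumes PIX OS 6.3 syntax and that "MS VPN" means PPTP. Every address, ACL name, crypto map name and the key are constructed placeholders (CA inside LAN 10.1.1.0/24, NY inside LAN 10.2.2.0/24, RFC 5737 documentation addresses on the outside).

```cisco
! Constructed example, PIX OS 6.3 syntax assumed. All values are placeholders.
! CA PIX outside 192.0.2.1, CA server inside 10.1.1.10 / outside 192.0.2.10
! NY PIX outside 198.51.100.1

! --- Option A: MS VPN (PPTP assumed) terminating on the CA server ---
! The PIX has to pass the VPN protocol inbound to the server itself.
! Source is "any", so the server decides who may connect.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.10 eq 1723
access-list outside_in permit gre any host 192.0.2.10
access-group outside_in in interface outside

! --- Option B: PIX-to-PIX IPsec tunnel ---
! Traffic between the two inside LANs is encrypted and exempt from NAT,
! so each DC reaches the other on its inside address.
access-list vpn_ny permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list vpn_ny
sysopt connection permit-ipsec

crypto ipsec transform-set ts_ny esp-aes-256 esp-sha-hmac
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn_ny
! Only this peer can be the other end of the tunnel.
crypto map site2site 10 set peer 198.51.100.1
crypto map site2site 10 set transform-set ts_ny
crypto map site2site interface outside

isakmp enable outside
! The pre-shared key is bound to the NY PIX address only.
isakmp key <pre-shared-key> address 198.51.100.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
```

With option B the NY PIX carries the mirror-image configuration, and no inbound rule toward the CA server is needed on the outside interface. The tunnel is negotiated whenever traffic matches the `vpn_ny` access list, so replication traffic brings it up on its own.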
 
 
 