#1
Do Windows shares work through NAT?

Here's the situation: I came to administer a network that was set up on public IPs. After adding a few workstations and printers, that scope is nearly full. There's no reason for most of the workstations to be on the public network (they're firewalled such that they're not accessible). So I'd like to NAT them to private class C's, but still access the shares in my AD infrastructure.

The issue is that with every NAT solution I try, the shares drop during large file transfers. Although I can't find a clear "yes" or "no", I'm led to believe Windows shares don't work through NAT.

I realize I could move everything to the private class C then use port forwarding to bring the existing web, mail, and DNS services back online, but I'm not comfortable enough with my networking skills to move my entire AD infrastructure overnight and have my network and all services working correctly for the next working day. "NATting off" a few workstations seems to be a far easier solution.

mpitcavage
#2
"mpitcavage" wrote:

> Do windows shares work through NAT?

No. You need to move all the machines into a private IP range. Do it over the weekend, do it all at once.

> I realize I could move everything to the private class C then use port
> forwarding to bring the existing web, mail, and DNS services back
> online,

I know the SOHO market uses the term "port forwarding", but there is no such thing. It is just a term the SOHO market "made up" that doesn't mean anything. The ports aren't being "forwarded", the ports are "going" anywhere. The correct term is Static NAT.

You then use Static NAT to make the Mail and Web Server accessible from the outside, but not the DNS. Your ISP's DNS is supposed to handle the public stuff and your DNS is only supposed to handle the Active Directory stuff. Your DNS will simply use the ISP's DNS as a forwarder in the Forwarders list within the DNS Service config. All machines on your LAN will use your DNS and none other.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
#3
If the AD server has two NICs, is it possible to dual home it on the main network and the private range?

I actually have a little bit more complex setup than previously indicated: we have a few devices doing RADIUS authentication to the AD, and some Linux services tightly tied to our AD. Linux shares some directories containing live websites to certain Windows clients (based on AD groups), Linux builds some MySQL databases from Windows FoxPro apps, and we do mail and DNS for multiple domains. So I'd really like to fully research all my options before moving the whole infrastructure.

Seems like there must be an easier way to gain 5 to 10 IPs without reconfiguring the entire network.

Someone even suggested the novel method of creating a VPN into my network from my network. I'm checking that out as well.
#4
"mpitcavage" wrote:

> If the AD server has two NICs, is it possible to dual home it on the
> main network and the private range?

Dual-homed DCs are a disaster. SBS Servers are really the only exception and they have Installation Wizards to keep everything in balance. Try configuring an SBS box manually and you'll see what I mean. However, it is possible to do, but whether that actually helps your situation is another story.

272294 - Active Directory Communication Fails on Multihomed Domain Controllers
http://support.microsoft.com/default...b;en-us;272294

191611 - Symptoms of Multihomed Browsers
http://support.microsoft.com/default...b;EN-US;191611

Microsoft Windows XP - Multihoming Considerations
http://www.microsoft.com/resources/d..._tcp_qpzj.asp?

> I actually have a little bit more complex setup than previously
> indicated, we have a few devices doing radius authentication to the
> AD, and some Linux services tightly tied to our AD, Linux shares some
> directories containing live websites to certain windows clients (based
> on AD groups), Linux builds some MySQL databases from Windows foxpro
> apps, and we do mail and DNS for multiple domains. So I'd really like
> to fully research all my options before moving the whole
> infrastructure.

That is why the way your network is designed is never supposed to be done that way. It is going to take a *ton* of planning, and it will never be a smooth transition. To me, it is so bad that if I knew a company's network was like that before I went to work for them... I probably would not go work there.

> Someone even suggested the novel method of creating a VPN into my
> network from my network. I'm checking that out as well.

Don't dig yourself into an even deeper hole by making a complex situation even more complex.

The new segment on private IP#s will not be able to get to the Internet without a NAT or proxy device, yet at the same time you cannot place one of those between the two segments and maintain functionality... yet the VPN tunnel would negate such devices and would create the same negative effect of just not having a NAT or proxy device in the first place.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------

"mpitcavage" wrote:

> If the AD server has two NICs, is it possible to dual home it on the
> main network and the private range?
>
> I actually have a little bit more complex setup than previously
> indicated, we have a few devices doing radius authentication to the
> AD, and some Linux services tightly tied to our AD, Linux shares some
> directories containing live websites to certain windows clients (based
> on AD groups), Linux builds some MySQL databases from Windows foxpro
> apps, and we do mail and DNS for multiple domains. So I'd really like
> to fully research all my options before moving the whole
> infrastructure.
>
> Seems like there must be an easier way to gain 5 to 10 ips without
> reconfiguring the entire network.
>
> Someone even suggested the novel method of creating a VPN into my
> network from my network. I'm checking that out as well.