
Subject: RE: [ActiveDir] "Resending" - Putting a DC Across a Firewall which is doing NAT
Author: Ravi.Sabharanjak@barclaysglobal.com
Posted: 09/08/2008 3:59 PM
My first thought when I read about this was that it's going to be
problematic. I wouldn't do this if there was another way.

Kerberos does not work across a NAT.
(http://windowsitpro.com/article/articleid/96709/using-kerberos-in-nat-and-dhcp-environments.html)

If you need these DCs to communicate, you would need to maintain their
NATted addresses in DNS (in the _msdcs, _sites etc. zones). The DCs
would not register the NAT addresses; they would try to register their
true addresses.

Overall, the setup is going to be hard to maintain; I would recommend
going back to the drawing board.

________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Keith Smith
Sent: Thursday, August 21, 2008 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "Resending" - Putting a DC Across a Firewall which is doing NAT

(I didn't see this post come back to me in email, so I'm resending. My
apologies if this is a duplicate.)

Thanks in advance for any input you have.

I'm in the process of figuring out how to do something and would
appreciate any specific references/guidance on the topic.

I have 2 different 'untrusted' networks from a security perspective. The
IPs between them are NAT'ed, so they don't see the real IP addresses
across the FW. My goal is to add a domain controller to an existing
domain (which wouldn't really see the .

Scenario:
network 1 has
DC1OnNet1 (existing DC in domain.com)
with IP 192.168.0.10
which (via NAT) shows to the other DC as 192.168.1.10

network 2 has
DC2OnNet2 (new DC)
with IP 192.168.4.10
which (via NAT) shows to the other DC as 192.168.5.10

Each network has its own DNS/WINS infrastructure, so I'm thinking that
each side would have its own set of pointers to the NAT addresses. I
just don't know specifically what entries need to occur.

Can anyone fill in all the pieces that I haven't thought of?
:)

- k

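The DNS point in the reply above (the DCs register their real addresses, so the zone on the far side of the NAT has to carry the translated ones) as an added check that is not code from the thread: it parses a constructed excerpt of the domain.com zone as network 2's DNS might hold it, using the addresses from the scenario in the original post, and reports every _msdcs/_sites SRV target whose A record is a real, untranslated address that network 2 cannot reach, or that has no A record at all. The NAT mapping and the site name Site1 are assumptions taken from or added to that scenario.

```python
# Added example (not from the thread): audit the zone one side of the NAT
# serves. A correct zone only fixes name resolution; the Kerberos-over-NAT
# problem mentioned in the reply is not addressed by this check.
from collections import defaultdict

# Constructed from the scenario in the post: seen from network 2, DC1's real
# address 192.168.0.10 is only reachable as 192.168.1.10.
NAT_VIEW_FROM_NET2 = {"192.168.0.10": "192.168.1.10"}

# Constructed excerpt of network 2's domain.com zone after the DCs registered
# themselves with their real addresses (hypothetical site name Site1).
ZONE_NET2 = """\
_ldap._tcp.dc._msdcs.domain.com. SRV 0 100 389 dc1onnet1.domain.com.
_kerberos._tcp.dc._msdcs.domain.com. SRV 0 100 88 dc1onnet1.domain.com.
_ldap._tcp.Site1._sites.dc._msdcs.domain.com. SRV 0 100 389 dc1onnet1.domain.com.
_ldap._tcp.dc._msdcs.domain.com. SRV 0 100 389 dc2onnet2.domain.com.
dc1onnet1.domain.com. A 192.168.0.10
dc2onnet2.domain.com. A 192.168.4.10
"""

def parse_zone(text):
    """Return ({srv_name: [targets]}, {host: [addresses]}) from a zone excerpt."""
    srv, a = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[1] == "SRV":      # name SRV prio weight port target
            srv[f[0].lower()].append(f[5].lower())
        elif len(f) == 3 and f[1] == "A":      # name A address
            a[f[0].lower()].append(f[2])
    return srv, a

def audit(zone_text, nat_map):
    """(srv_record, target, address_found, address_needed) for each SRV target
    whose A record this side cannot reach: untranslated, or missing entirely."""
    srv, a = parse_zone(zone_text)
    findings = []
    for name, targets in srv.items():
        for target in targets:
            if target not in a:
                findings.append((name, target, None, "<A record missing>"))
            for addr in a.get(target, []):
                if addr in nat_map:            # real address leaked into this zone
                    findings.append((name, target, addr, nat_map[addr]))
    return findings

if __name__ == "__main__":
    for finding in audit(ZONE_NET2, NAT_VIEW_FROM_NET2):
        print("%s -> %s has %s, this side needs %s" % finding)
```

Running it against the constructed zone flags the three SRV records that point at dc1onnet1's real address, while the dc2onnet2 entry (a local address on network 2) passes.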

Copyright 2008 ActiveDir.org