Active directory replication with nat

Forum: Networking/Security Forums Index -> Exchange 2000 // 2003 // 2007 & Active Directory
stingray2004 (Just Arrived; joined 18 Sep 2004)
Posted: Sat Sep 18, 2004 1:55 am    Subject: Active directory replication with nat

Hi,
I would like to know if AD replication with a NAT in the middle works, and if I need special configurations (like DNS ...).
Thanks
MattA (Trusted SF Member; joined 13 Jun 2003; Location: Eastbourne + London)
Posted: Sat Sep 18, 2004 7:15 pm

Actually it works very well ;)
You need to configure a router-to-router VPN though, so the traffic knows how to get to the other address.
Mine works like so.

All one domain. Site #1:
10.1.0.0 mask 255.255.0.0

Site #2:
10.2.0.0 mask 255.255.0.0

SonicWall firewall on both LANs; the SonicWalls open a VPN to the 'other side'.
Replication works fine.
http://www.microsoft.com/technet/community/columns/cableguy/cg1001.mspx
stingray2004 (Just Arrived; joined 18 Sep 2004)
Posted: Wed Sep 22, 2004 11:03 am

Yes, but what if I don't have a VPN in the middle?

Mine is NAT inside, between two private networks, like:

adserver1 10.1.1.2 ---------------- 10.1.1.1 NAT device 192.168.0.1 -------------------- 192.168.0.2 adserver2

Does this work?
I can't find articles about AD replication with NAT, without VPN, IPsec, etc.

Thanks
MattA (Trusted SF Member; joined 13 Jun 2003; Location: Eastbourne + London)
Posted: Wed Sep 22, 2004 2:12 pm

Do you have routers in between? Is this going over the Internet or in a test lab?

If it's over the Internet it won't work without a router-to-router VPN or a demand-dial VPN.
Remember, backbone routers don't route to private IP addresses; that's why we can use NAT in the first place.
stingray2004 (Just Arrived; joined 18 Sep 2004)
Posted: Thu Sep 23, 2004 1:15 am

It's all private!
MattA (Trusted SF Member; joined 13 Jun 2003; Location: Eastbourne + London)
Posted: Thu Sep 23, 2004 9:51 pm

Then it'll work; NAT isn't routed only over backbone routers.
stingray2004 (Just Arrived; joined 18 Sep 2004)
Posted: Fri Sep 24, 2004 6:50 pm

Hi, I'm doing some testing with Active Directory replication and NAT.

This is the lab configuration:

dc01 192.168.0.2 ----------------- 192.168.0.1 NAT device 10.1.1.1 ------- 10.1.1.2 dc02

I need to have this configuration working: two DCs, with a server (2003) with Routing and Remote Access in the middle acting as the NAT device (NO VPN OR IPSEC).

I did dcpromo on dc01, and OK!
I did dcpromo on the second DC, which has the IP 10.1.1.2 but on the other side is 192.168.0.3, and OK!

Now in the DNS on dc01 I have that dc02 is 10.1.1.2, so I get some replication errors, especially with RPC!

But if I add users or OUs on dc01, I see them replicated on dc02.

Can I modify the DNS records to reflect the NATted IP?

Does this work?

Thanks
MattA (Trusted SF Member; joined 13 Jun 2003; Location: Eastbourne + London)
Posted: Fri Sep 24, 2004 11:33 pm

Yes, you can modify DNS records to the NAT'd addresses.
Did you configure the servers to be in the same site or in different sites?
When you go to Sites and Services, what type of connections are there between the servers?
stingray2004 (Just Arrived; joined 18 Sep 2004)
Posted: Sat Sep 25, 2004 6:26 pm

I had no connections, so I created them manually. Then when I tried to replicate manually it didn't work, and if from dc01 I tried to reach dc02 with
\\dc02, it didn't work because on dc01 the DNS said that dc02 was 10.1.1.2. So I changed the DNS, and now dc02 has the NATted IP in the DNS, and it seems to work: they replicate with each other (tested with replmon).

So two ADs with a NAT in the middle, even Microsoft's own (Routing and Remote Access), work!!!!

But the Microsoft book says that it doesn't work?!?!?!?!?!?!

This is what is in the book:
"Because Active Directory directory service uses Kerberos version 5 protocol, domain
controllers cannot replicate through a NAT server. Microsoft Proxy Server can be used
in place of NAT where applications not supported by NAT need to be implemented."

What do you think?
Thanks
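The check the last two posts boil down to (does dc01 resolve dc02 to the address that is reachable through the NAT, does RPC get through to that address, and what did the last replication attempt return), written up as an added PowerShell example. This is not code from the thread, from the posters, or from Microsoft. It assumes a DC running the ActiveDirectory and DnsClient modules (Windows Server 2012 or later, not the 2003 lab above), and the 'dc02' to 192.168.0.3 mapping is an assumption copied from the lab diagram, to be replaced with your own:

```powershell
<#
Added example (not from the original thread). Run on the DC whose view of DNS you are checking
(dc01 in the lab above). For every inbound replication partner it reports: the address the partner's
DNS name resolves to from here, whether that is the address expected on this side of the NAT,
whether the RPC endpoint mapper (TCP 135) answers there, and the last replication result.
#>
param(
    # Short host name -> address the partner must resolve to from THIS side of the NAT.
    # Assumed lab values taken from the diagram in the thread; replace with your own.
    [hashtable]$ExpectedAddress = @{ 'dc02' = '192.168.0.3' },
    [string]$Target = $env:COMPUTERNAME
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-ReplicationPartner {
    param([Parameter(Mandatory)]$Partner)

    # Replication does not use the plain host name: it addresses the partner by its DSA GUID name
    # (<guid>._msdcs.<forest>), which is a CNAME to the host's A record. Resolve the whole chain,
    # because both the CNAME target and the final A record have to end up at the NAT'd address.
    $records  = Resolve-DnsName -Name $Partner.PartnerAddress -ErrorAction SilentlyContinue
    $cname    = $records | Where-Object Type -eq 'CNAME' | Select-Object -First 1
    $aRecord  = $records | Where-Object Type -eq 'A'     | Select-Object -First 1
    $hostName = if ($cname) { $cname.NameHost } else { $Partner.PartnerAddress }
    $short    = ($hostName -split '\.')[0].ToLower()
    $resolved = if ($aRecord) { $aRecord.IPAddress } else { $null }
    $expected = $ExpectedAddress[$short]

    # The endpoint mapper is the first hop of DRS RPC; if 135 is closed the NAT is not forwarding it.
    $rpcOpen = $false
    if ($resolved) {
        $rpcOpen = (Test-NetConnection -ComputerName $resolved -Port 135 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        Partner       = $hostName
        ResolvedAs    = $resolved
        ExpectedOnNat = $expected
        DnsMatches    = ($null -ne $expected -and $resolved -eq $expected)
        Rpc135Open    = $rpcOpen
        LastResult    = $Partner.LastReplicationResult   # 0 = success; 1722 = RPC server unavailable
        LastSuccess   = $Partner.LastReplicationSuccess
    }
}

$report = Get-ADReplicationPartnerMetadata -Target $Target -PartnerType Inbound |
          ForEach-Object { Test-ReplicationPartner -Partner $_ }

$report | Format-Table -AutoSize

# Fail loudly if any partner still resolves to the un-NATted (unreachable) address or 135 is closed.
if ($report | Where-Object { -not $_.DnsMatches -or -not $_.Rpc135Open }) {
    Write-Warning "At least one partner is not reachable through the NAT. Fix its A record (and the CNAME chain) as seen from this DC before forcing replication with 'repadmin /syncall'."
    exit 1
}
exit 0
```

Three caveats for anyone reproducing the lab. First, the manual DNS change from the last post is fragile: dc02's Netlogon and DNS client re-register its own records with its real interface address, and with an AD-integrated zone both DCs share one copy of the zone, so the override on dc01 gets overwritten unless dc02 stops registering that record (the connection's "Register this connection's addresses in DNS" setting, or the Netlogon DnsAvoidRegisterRecords policy) or each side serves its own zone. Second, after the endpoint mapper on TCP 135, DRS replication moves to a dynamic RPC port; pinning it with the "TCP/IP Port" DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters lets the NAT device forward exactly two ports. Third, on the book's Kerberos argument: Windows does not put client addresses into tickets by default, which is why Kerberos itself usually survives NAT in a test like this; Microsoft's support-boundary guidance for Active Directory over NAT still does not support DC-to-DC replication through NAT, so treat the working lab as a lab, not a production design.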
All times are GMT + 2 Hours