http://blogs.technet.com/b/ad/archive/2009/04/22/dcs-and-network-address-translation.aspxA lot of planning goes into the features and capabilities of each Windows release. Over the years I&rsquo;ve noticed that there is not a great deal of awareness out in the general public for just how much work and labor goes into a new version of Windowsen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/ad/archive/2009/04/22/dcs-and-network-address-translation.aspx#3544901Wed, 09 Jan 2013 12:29:13 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3544901Herbert Mauerer [MSFT]<p>this blog does not warn sufficiently about DCs and NAT. The MS support statement is:</p> <p>978772 Description of support boundaries for Active Directory over NAT</p> <p><a rel="nofollow" target="_new" href="http://support.microsoft.com/kb/978772/EN-US">support.microsoft.com/.../EN-US</a></p> <p>Cheers</p> <p>Herbert Mauerer</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3544901" width="1" height="1">http://blogs.technet.com/b/ad/archive/2009/04/22/dcs-and-network-address-translation.aspx#3326153Mon, 19 Apr 2010 14:16:03 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3326153dsammich<p>Tim,</p> <p>I have been working with this for a couple of days. &nbsp;I have site-to-site IPSEC tunnel built and can ping everything with no issues. &nbsp;The DNS piece you menioned with reg hack doesn't seem to be working and would like more information on the key and how DNS publishes.</p> <p>I am in a hosted environment and have to hide networks all of the time to prevent subnet overlapping. &nbsp;I am able to translate the addresses properly to the outside, essentially masking the &quot;real&quot; ip of the domain controllers.</p> <p>When I attempt to connect to a DC from a box that I am trying to run DCPROMO on, the existing DC (that has your reg hack), is returning the &quot;real&quot; IP, not the NAT'd IP?</p> <p>Thoughts?</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3326153" width="1" height="1">http://blogs.technet.com/b/ad/archive/2009/04/22/dcs-and-network-address-translation.aspx#3280606Fri, 11 Sep 2009 18:52:15 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3280606Tim Springston [MS]<p>Kerberos should not have problems with the NATted solution as long as the appropriate ports (UDP and TCP 88) are open.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3280606" width="1" height="1">http://blogs.technet.com/b/ad/archive/2009/04/22/dcs-and-network-address-translation.aspx#3269067Wed, 29 Jul 2009 16:09:40 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3269067msbrianp<p>Does this potentially pose problems with Kerberos authentication through the NAT device to the DC in the NATed segment? &nbsp; Good artical- thanks. &nbsp;</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3269067" width="1" height="1">http://blogs.technet.com/b/ad/archive/2009/04/22/dcs-and-network-address-translation.aspx#3232295Wed, 29 Apr 2009 07:31:16 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3232295jansenet<p>I had a client with that same issue about 3 years ago. &nbsp;They ended up re-arranging the network and did an IP cutover, going away from using NAT'ing to fix the issues. &nbsp;I have to say that this is the best breakdown of this specific issue that I have seen to date. &nbsp;Keep up the good articles!</p> <p>Eric Jansen</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3232295" width="1" height="1">http://blogs.technet.com/b/ad/archive/2009/04/22/dcs-and-network-address-translation.aspx#3229221Wed, 22 Apr 2009 17:11:33 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3229221wilfman<p>Tim.</p> <p>Great article. &nbsp;Will remember this for next time we come across this issue.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3229221" width="1" height="1">