
I have a VPN setup between multiple locations. Between each location and the central point (me), there is a trust between our domain controllers. It all works great.

A new location wants to join, but their AD controller is using an IP address that is already in use by another AD in a separate location.

Neither location can change its IP addresses, but apparently there is a NAT rule that could be used to allow communication between each AD controller? The central site has a Cisco 5510 firewall which could perform the NAT, but I am unsure of the logic behind the NAT rule.

Is anyone able to explain or help out? Thanks.

1 Answer


I think you're going to need to do some re-addressing.

Think through things - even if you could put in place a NAT rule to help route things between these two DCs, they're still going to look up each other's address in DNS. When they do this, DNS will respond with the real IP of the remote server, not the NATed address. Then the server will try to, well, talk with itself which is counter-productive.

– EEAA
  • Actually, the AD controllers do not speak to each other, only to the central point. So with that in mind, is it workable? – Mr. Mister Mar 01 '11 at 00:21
  • Same issue applies there. The central point will look up the DNS name of one of the servers and will get an IP address back, but you have no way of ensuring which one it'll contact. – EEAA Mar 01 '11 at 00:24
  • What if there is a NAT rule at both ends? Since it is all routed over VPN and using private IP addresses, I could use a DNS record for one of the locations that is false and route that over the VPN tunnel for that location. Then the firewall at the other end could translate it back? – Mr. Mister Mar 01 '11 at 00:45
  • You're getting very close to an unmaintainable hack. Might it work? Perhaps, but it'll be ugly. It will be well worth the pain of re-addressing. – EEAA Mar 01 '11 at 00:48