DNS resolution issue with DNS IP is NATTED
Dear All,

Here is my scenario. My internal network IP range is 192.168.10.0/24 and the external IP range for client desktops is 10.10.10.0/24.

Internal Network (192.168.10.0/24) --> Firewall --> Router (NATTING DONE HERE) --> External desktops (10.10.10.0/24)

I have done the NATTING on the router like this:

DNS Server and Active Directory server IP 192.168.10.50 --> 10.10.10.50

Now when I try to join any desktop from the external network, it gives me an error like "domain does not available". I am able to join desktops to the domain within the same network range, i.e. 192.168.10.x.

Please let me know the way out of this problem.

Thanks and Regards,
Suhag Desai.
July 16th, 2012 9:19am

Hi Suhag,

NAT is not a supported configuration in Active Directory.

http://support.microsoft.com/kb/978772

The issue with using NAT is that all the records on the DNS will be registered with the physical IP of the DC. In your case, all the records for your DC will resolve to 192.168.10.50.

Although you have configured your DNS server as 10.10.10.50 on your client side, when you try to join it to the domain, the client will try to resolve the SRV records of the DC, and the DNS will resolve them to the physical IP and not the NAT IP. Since the client does not have the routing information for the physical IP, you will get the error that the domain is not available.

If you can somehow get your NAT device to reverse translate the IP addresses to their NAT IP, then it can work. But in this case you can have DCs at a single location only.

Thanks and Regards,
Mukesh.

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Please VOTE as HELPFUL if the post helps you and remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 16th, 2012 9:36am
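
The failure described in the reply above, modelled offline as an added example that is not part of the thread. The addresses come from the question; the names `corp.example` and `dc1.corp.example`, and the reading of "reverse translate" as rewriting addresses inside DNS replies, are assumptions.

```python
import ipaddress

# From the thread: the DC/DNS server's real address and the address the router NATs it to.
NAT_MAP = {"192.168.10.50": "10.10.10.50"}
# From the thread: the only network the external desktops can route to.
CLIENT_NETWORKS = [ipaddress.ip_network("10.10.10.0/24")]

# Constructed zone data; the domain and host names are placeholders, not from the thread.
SRV_RECORDS = {"_ldap._tcp.dc._msdcs.corp.example": [("dc1.corp.example", 389)]}
A_RECORDS = {"dc1.corp.example": ["192.168.10.50"]}


def client_can_route(address):
    """True if the address lies in a network the external desktop can reach."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in CLIENT_NETWORKS)


def locate_dc(srv_name, rewrite_answers=False):
    """Resolve SRV -> A the way a joining client does and check each answer.

    rewrite_answers=True models a NAT device that also translates addresses
    inside DNS replies (assumed meaning of "reverse translate" in the reply).
    """
    findings = []
    for target, port in SRV_RECORDS.get(srv_name, []):
        for address in A_RECORDS.get(target, []):
            seen = NAT_MAP.get(address, address) if rewrite_answers else address
            findings.append({
                "target": target,
                "port": port,
                "answer": seen,
                "routable": client_can_route(seen),
            })
    return findings


def domain_available(srv_name, rewrite_answers=False):
    """The join can proceed only if at least one located DC address is routable."""
    return any(f["routable"] for f in locate_dc(srv_name, rewrite_answers))


if __name__ == "__main__":
    name = "_ldap._tcp.dc._msdcs.corp.example"
    for mode in (False, True):
        print("DNS answers rewritten by NAT:", mode)
        for f in locate_dc(name, mode):
            print("  {target}:{port} -> {answer} routable={routable}".format(**f))
        print("  domain available:", domain_available(name, mode))
```
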

Thanks Mukesh for providing the information about the technical limitation of DNS functionality over NAT, but I am wondering whether my router supports reverse NATTING. Is there any other workaround for this problem?

Thanks once again,
Suhag Desai.
July 17th, 2012 12:39am

Hi,

You may consider using VPN for the remote clients. For the VPN client, make sure to use only the internal domain DNS server on the NIC and nothing else. For more detailed information, you may refer to the following articles.

How to Join or Access an Internal Domain from an External Client Using ISA Server and VPN
http://support.microsoft.com/kb/303503

Joining a computer to a domain over a client VPN connection
http://msmvps.com/blogs/acefekay/archive/2012/01/18/joining-a-computer-to-a-domain-over-a-client-vpn-connection.aspx

Best Regards,
Aiden

Aiden Cao
TechNet Community Support
July 19th, 2012 10:11pm

Thanks Aiden for your suggestion, but in my scenario there is no VPN. I have a firewall in between the internal network, where DNS is residing, and the external network, where the desktops are residing. I want to take all desktops into the domain.

Regards,
Suhag Desai.
July 24th, 2012 7:36am

Try adding local host entries for the domain controller with the natted IP on the machines. Or, you can even try adding persistent routes on the PCs.

Don't be a prick! Be reasonable and provide your feedback. Say something whether the suggestion was helpful or not, mark a reply as answer or click on to vote helpful if any suggestion really helps you, don't leave that choice to moderators, let the credit go to a contributor who has invested his precious time on your questions. Please be informed that moderators are also humans and they also make mistakes ;-) Last but not least, Unmark as answer if any post doesn't answer your question/s!
July 24th, 2012 7:46am

Yes, I already thought about this, but there are more than 500+ desktops to be taken into the domain. Hence it is not feasible to add multiple entries on each desktop.
July 24th, 2012 7:50am

"Yes, I already thought about this, but there are more than 500+ desktops to be taken into the domain. Hence it is not feasible to add multiple entries on each desktop."

I understand your situation; however, sorry to say this, I can't think of any option other than static routes or local DNS entries. You need to figure out a way to accomplish this task by creating some script which can be published on all machines.
July 24th, 2012 7:54am


This topic is archived. No further replies will be accepted.
