Channel: Directory Services forum

Communicating with DCs on their NAT address

Hi,

I've recently been asked to manage a small 2003 domain, called “school-dom”. The DCs are on a 192.168.2.xx address and hosted at the HQ site. Several satellite sites have PCs which remotely connect in. These PCs are all on 10.216.xx addresses. NAT is used to communicate with the DCs, which has been done by configuring NAT at the firewall and adding AD DNS A records for both DCs with their 10.216.xxx NAT addresses.

An issue was discovered whereby the DCs deleted these DC NAT A records from DNS, so the previous admin decided to perform a deny system on the DC’s 10.216.xx A records to get around the auto delete. This setup used to work, but we've recently hit an issue whereby when a new PC is put on the 10.216.xx network and an admin tries to add it to the domain, the PC fails to join the domain. Pinging the domain name and doing an nslookup against the domain returns the correct internal IP of the DCs on their 192.168.xx addresses, but the PCs on the 10.216.xx network can’t communicate with the DCs on 192.168.xx addresses. Why this worked before and not now, nobody knows. If a host record is added on the client mapping the school-dom domain to the NAT IPs of the DCs, then domain join works. The clients can ping and tracert to the DCs on the NAT address, but not the internal 192.168.xx addresses. Domain ports are open from the client to the DCs (TCP 123, 135, 3268, 389, 445, 53; UDP 53, 88, 123, 135, 3268, 389, 445).

I've been asked to come up with a solution of resolving this without making client side changes (e.g. hosts file). I’m thinking of:

1. Checking with networks to see if it’s possible to route traffic rather than NAT. If doable, then get rid of the DC NAT addresses.
2. Introducing a new 2008 R2 DC and configuring proper sites and assign the DC with a 10.216.xx address.
3. Making the registry change in the article above (least preferred).

Some advice on resolving this would be appreciated.
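A small diagnostic that models the failure described in the post: the addresses a satellite client's resolver gets back for the domain, set against the prefixes that site can actually route to. This is an added example, not code from the original post; the routable prefix (10.216.0.0/16) and the sample DC addresses are constructed, and the TCP port list is the post's own.

```python
"""Reachability check for the DC addresses a client learns from DNS.

Added example, not from the original post. Assumes the client sits at a
satellite site that can route to 10.216.0.0/16 (assumption) but not to
the DCs' 192.168.2.x subnet, as the post describes. Sample addresses are
constructed."""
import ipaddress
import socket

# TCP ports the post says are open from clients to the DCs.
DC_TCP_PORTS = (53, 123, 135, 389, 445, 3268)


def classify_dc_addresses(answers, routable_prefixes):
    """Split DNS A-record answers into addresses the site can route to and ones it cannot."""
    nets = [ipaddress.ip_network(p) for p in routable_prefixes]
    reachable, unreachable = [], []
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        (reachable if any(ip in n for n in nets) else unreachable).append(addr)
    return reachable, unreachable


def join_can_reach_a_dc(answers, routable_prefixes):
    """The join only works if at least one resolved DC address is routable from the site."""
    reachable, _ = classify_dc_addresses(answers, routable_prefixes)
    return bool(reachable)


def probe_tcp(host, port, timeout=2.0):
    """Live follow-up check: can this client open the DC port on the given address?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed: answers for the domain name after the NAT A records were deleted,
    # and again once the NAT records are present alongside the internal ones.
    routable = ["10.216.0.0/16"]
    nat_records_deleted = ["192.168.2.10", "192.168.2.11"]
    nat_records_present = nat_records_deleted + ["10.216.5.10", "10.216.5.11"]
    for label, answers in (("deleted", nat_records_deleted), ("present", nat_records_present)):
        ok, bad = classify_dc_addresses(answers, routable)
        print(f"NAT records {label}: reachable={ok} unreachable={bad} "
              f"join_can_reach_dc={join_can_reach_a_dc(answers, routable)}")
```

Run it from a satellite-site client with the real nslookup answers in place of the constructed ones; `probe_tcp` can then be pointed at each reachable address and port from `DC_TCP_PORTS` to confirm the firewall rules the post lists.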
