My organization is in the process of setting up a new network at a hosting provider for a very large application project. Since the whole system uses Active Directory, we are planning on using a pair of Domain Controllers there that replicate to our headquarters over VPN. These DCs would also serve as a backup for our existing system, so we could lose connectivity or power entirely at our headquarters and the remote system could stay up and still let people log in.
Our hosting provider has set up 10.180.87.0/24 as our subnet to use with them. But because our internal IPs are 192.168.1.0/24 and they already have that range in use, they require us to NAT over to 192.168.50.0/24. This part wasn't a big issue and was easily set up with our Watchguard firewall appliance.
The first sign of trouble was when I put the two servers on the domain and they couldn't connect to or find the domain at all. I ended up putting the post-NAT address for DOMAIN.LAN into the hosts file on both servers. They were then able to locate and join the domain.
Making them domain controllers, however, has been a problem. They get all the way through setup and then fail with an error when they try to set up all the replication: "RPC server is not available". I know the domain is prepped correctly; last week I did all the prep work to promote a new server to DC to replace an older machine, and that went through fine.
I suspect the NAT is the issue and the servers are trying to set themselves up with pre-NAT addresses. Our provider wants us to remap our IP scheme to fit their network, and I'm not exactly thrilled with the idea. One option we are considering is creating a server and network on 192.168.50.0/24 and using intersite replication to go from 10.180.87.0/24 to 192.168.50.0/24 to 192.168.1.0/24 (although that is probably going to be messy to figure out, network-config-wise). But I'm not completely convinced that would solve the issue. A DMZ is another option, but I need to look into it more before I try to get our provider to set that up.
Has anybody had experience with a similar setup, or alternatives for getting a DC set up over a remote connection?
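As an added diagnostic, not part of the original post: the hosts-file entry only fixes the bare domain name, while DC promotion and replication locate partners through the SRV and A records the existing DCs register themselves (their 192.168.1.x addresses), and then connect to the RPC endpoint mapper on TCP 135 plus a dynamic high port. Microsoft's support-boundary documentation lists Active Directory replication across NAT as unsupported for exactly this reason. The script below, run on one of the servers at the hosting site, shows what the locator actually hands back and which ports are reachable through the translated addresses. The domain name, the pre-NAT and post-NAT prefixes, and the 1:1 `192.168.1.x -> 192.168.50.x` mapping are assumptions taken from the post and must match the real firewall rule.

```powershell
# Added example, not from the original post. Shows which DC addresses DNS advertises to a
# host at the remote (post-NAT) site and whether the RPC/LDAP/SMB/Kerberos ports are reachable.
# Assumptions (not in the original): domain name, HQ range, NAT range, 1:1 address mapping.
param(
    [string]$Domain        = 'DOMAIN.LAN',
    [string]$PreNatPrefix  = '192.168.1.',          # HQ range as the DCs register it in DNS
    [string]$PostNatPrefix = '192.168.50.',         # what the hosting side must use instead
    [int[]] $Ports         = @(135, 389, 445, 88)   # RPC endpoint mapper, LDAP, SMB, Kerberos
)

function Convert-ToPostNat {
    # Hypothetical 1:1 mapping 192.168.1.x -> 192.168.50.x; adjust to the actual NAT rule.
    param([string]$Ip)
    if ($Ip.StartsWith($PreNatPrefix)) { return $Ip.Replace($PreNatPrefix, $PostNatPrefix) }
    return $Ip
}

# 1. What DNS says the DCs are. The promotion wizard and replication use these records,
#    not the hosts-file entry for the bare domain name.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

foreach ($rec in $srv) {
    $dc = $rec.NameTarget
    $aRecords = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }

    foreach ($addr in $aRecords) {
        $ip   = $addr.IPAddress
        $flag = if ($ip.StartsWith($PreNatPrefix)) { 'PRE-NAT address: not routable from the hosted subnet' } else { 'ok' }
        Write-Host ("{0,-30} {1,-16} {2}" -f $dc, $ip, $flag)

        # 2. Reachability of the DC ports through the translated address. TCP 135 open but
        #    the dynamic RPC range (49152-65535 on Server 2008 and later) blocked still
        #    produces "RPC server is not available".
        $target = Convert-ToPostNat $ip
        foreach ($p in $Ports) {
            $r = Test-NetConnection -ComputerName $target -Port $p -WarningAction SilentlyContinue
            $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
            Write-Host ("    {0}:{1,-5} TCP {2}" -f $target, $p, $state)
        }
    }
}

# 3. Independent of the DNS view above: which DC the locator actually selects for this host.
nltest /dsgetdc:$Domain /force
```

If every DC name resolves to a 192.168.1.x address from the hosted server, the servers are doing what the post suspects: promoting against pre-NAT addresses that only the hosts-file shortcut made reachable for the domain join.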