Article ID: 263293 - Last Review: March 1, 2007 - Revision: 3.2
Windows 2000 NAT Does Not Translate Netlogon Traffic
This article was previously published under Q263293
SYMPTOMS
When you try to log on to a domain from a computer that is running Microsoft Windows NT 4.0, Microsoft Windows 95, or Microsoft Windows 98, and is located behind a Windows 2000-based server that is performing network address translation (NAT) or Internet connection sharing (ICS), you receive the following error message:
A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.
Note that the error messages or conditions may differ from those described in this article, but it is always Netlogon communications that do not work. If you are using a Windows 2000-based client behind a NAT server and you are using Windows 2000-based domain controllers, you can log on to the domain because Windows 2000 does not use Netlogon for domain logons.
CAUSE
A Windows 2000-based NAT server does not edit the client IP address that is contained in the NetBIOS over TCP/IP header.
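The condition described under CAUSE, as an added diagnostic example that is not part of the original article. It assumes the header in question is the NetBIOS datagram service header defined in RFC 1002 (UDP port 138), which carries the sender's IP address inside the payload. The function names and all addresses are constructed for illustration.

```python
import ipaddress
import struct

# RFC 1002, section 4.4.1: fixed header of a NetBIOS datagram.
# MSG_TYPE(1) FLAGS(1) DGM_ID(2) SOURCE_IP(4) SOURCE_PORT(2)
# DGM_LENGTH(2) PACKET_OFFSET(2)
NBDS_HEADER = struct.Struct("!BBH4sHHH")
# Direct-unique, direct-group and broadcast datagrams share this layout.
DATA_TYPES = {0x10, 0x11, 0x12}


def parse_nbds_header(payload: bytes) -> dict:
    """Parse the fixed NetBIOS datagram header from a UDP payload."""
    if len(payload) < NBDS_HEADER.size:
        raise ValueError("payload shorter than NetBIOS datagram header")
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, offset = (
        NBDS_HEADER.unpack_from(payload)
    )
    if msg_type not in DATA_TYPES:
        raise ValueError(f"not a data datagram (MSG_TYPE 0x{msg_type:02x})")
    return {
        "msg_type": msg_type,
        "dgm_id": dgm_id,
        "source_ip": str(ipaddress.IPv4Address(src_ip)),
        "source_port": src_port,
    }


def nat_mismatch(outer_src_ip: str, payload: bytes) -> bool:
    """True when the address embedded in the NetBIOS header differs from
    the IP-layer source, i.e. the NAT rewrote only the outer header."""
    embedded = ipaddress.IPv4Address(parse_nbds_header(payload)["source_ip"])
    return embedded != ipaddress.IPv4Address(outer_src_ip)


# Constructed sample: a client at 192.168.0.10 sends a direct-group
# datagram; the body after the header is placeholder bytes.
SAMPLE = NBDS_HEADER.pack(
    0x11, 0x02, 0x1234, ipaddress.IPv4Address("192.168.0.10").packed,
    138, 16, 0,
) + b"\x00" * 16

if __name__ == "__main__":
    # As captured on the inside of the NAT: outer and embedded addresses agree.
    print("inside :", nat_mismatch("192.168.0.10", SAMPLE))
    # As captured on the outside: outer source is the NAT's address
    # (203.0.113.5, constructed), embedded address is unchanged.
    print("outside:", nat_mismatch("203.0.113.5", SAMPLE))
```

Run against UDP payloads captured on the domain controller's side of the NAT, a `True` result identifies datagrams whose embedded source address still points at the private client address.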
RESOLUTION
Windows 2000 NAT does not support Netlogon and translate Kerberos.
If you have clients that are located behind a Windows 2000-based NAT server and need access to domain resources, consider creating a Routing and Remote Access virtual private network (VPN) tunnel for Netlogon traffic, or upgrade the clients to Windows 2000.
