Domain Controller (DC)-to-DC communication and Client-to-DC communication over a NAT is a scenario that customers frequently encounter in merger and acquisition scenarios. One required service when connecting the networks of the two companies is the authentication, authorization and directory services offered by Active Directory.
There is no evidence to indicate that a NAT cross-forest configuration inherently breaks DC-to-DC communications, or Client-to-DC communications. Microsoft has not tested this scenario with Active Directory, and other technologies that are related with Active Directory. Examples of other technologies include the Kerberos protocol or DFS.
- Active Directory over NAT has not been tested by Microsoft.
- We do not recommend Active Directory over NAT.
- Support for issues related to Active Directory over NAT will be very limited and will reach the bounds of commercially reasonable efforts very quickly.
If you are tasked with configuring a network with NAT and you plan to run any Microsoft Server solution (including Active Directory) across the NAT, please contact Microsoft customer technical support using your preferred approach or visit:
There is no explicit or implied guarantee that following any provided guidance will work in any given scenario because it is untested. The support teams will work on issues that arise from using the provided guidance to the limits of commercially reasonable effort.
The only configuration with NAT that was tested by Microsoft is running client on the private side of a NAT and have all servers located on the public side of the NAT. The NAT would also function as a DNS server.
Article ID: 978772 - Last Review: Mar 29, 2017 - Revision: 4