Description of support boundaries for Active Directory over NAT


Network Address Translation (NAT) is a selection of network techniques which alter the address information of network traffic while in transit so as to remove details about the originating network. This is most often done by network devices, and is intended to simply enable the easy use of private network address schemes, and sometimes as a less than ideal security measure.

Domain Controller (DC)-to-DC communication and Client-to-DC communication over a NAT is a scenario that customers frequently encounter in merger and acquisition scenarios. One required service when connecting the networks of the two companies is the authentication, authorization and directory services offered by Active Directory.

There is no evidence to indicate that a NAT cross-forest configuration inherently breaks DC-to-DC communications, or Client-to-DC communications. Microsoft has not tested this scenario with Active Directory, and other technologies that are related with Active Directory. Examples of other technologies include the Kerberos protocol or DFS.

More Information

The Microsoft statement regarding Active Directory over NAT is:
  • Active Directory over NAT has not been tested by Microsoft.
  • We do not recommend Active Directory over NAT.
  • Support for issues related to Active Directory over NAT will be very limited and will reach the bounds of commercially reasonable efforts very quickly.

If you are tasked with configuring a network with NAT and you plan to run any Microsoft Server solution (including Active Directory) across the NAT, please contact Microsoft customer technical support using your preferred approach or visit:Additionally, you can contact Microsoft Consulting Sevices.

There is no explicit or implied guarantee that following any provided guidance will work in any given scenario because it is untested. The support teams will work on issues that arise from using the provided guidance to the limits of commercially reasonable effort.

The only configuration with NAT that was tested by Microsoft is running client on the private side of a NAT and have all servers located on the public side of the NAT. The NAT would also function as a DNS server.

文書番号:978772 - 最終更新日: 2014/04/10 - リビジョン: 1