I'm trying to set up a remote domain controller, but I haven't found a clear way of establishing a secure method to perform replication through our firewalls and network address translation.
Opening ports for RPC is too much of a security risk.
SMTP replication does not allow data replication (GPO, scripts).
IPsec (as far as I know) does not work with NAT in Windows 2000 because the altered address will fail the checksums. Microsoft released a client-side NAT-T patch to allow clients with NAT to connect to Windows 2000 via L2TP/IPSec, but there is no server-side update. "Server-side NAT-T functionality is a new feature in Windows Server 2003 Routing and Remote Access only. NAT-T server-side support will not be added to Windows 2000 Routing and Remote Access."
Having this said, what are the common setups that people have for intersite replication of Active Directory? Active Directory intersite replication is a common issue, but I've yet to find any information online for my situation.
I'm thinking I must deploy a Windows 2003 domain controller to act as a bridgehead for the intersite replication. Any other suggestions would be greatly appreciated.