Microsoft small business knowledge base

Article ID: 978772 - Last Review: April 10, 2014 - Revision: 5.0


Network Address Translation (NAT) is a selection of network techniques which alter the address information of network traffic while in transit so as to remove details about the originating network. This is most often done by network devices, and is intended to simply enable the easy use of private network address schemes, and sometimes as a less than ideal security measure.

Domain Controller (DC)-to-DC communication and Client-to-DC communication over a NAT is a scenario that customers frequently encounter in merger and acquisition scenarios. One required service when connecting the networks of the two companies is the authentication, authorization and directory services offered by Active Directory.

There is no evidence to indicate that a NAT cross-forest configuration inherently breaks DC-to-DC communications, or Client-to-DC communications. Microsoft has not tested this scenario with Active Directory, and other technologies that are related with Active Directory. Examples of other technologies include the Kerberos protocol or DFS.

More information

The Microsoft statement regarding Active Directory over NAT is:
  • Active Directory over NAT has not been tested by Microsoft.
  • We do not recommend Active Directory over NAT.
  • Support for issues related to Active Directory over NAT will be very limited and will reach the bounds of commercially reasonable efforts very quickly.

If you are tasked with configuring a network with NAT and you plan to run any Microsoft Server solution (including Active Directory) across the NAT, please contact Microsoft customer technical support using your preferred approach or visit: (
Additionally, you can contact Microsoft Consulting Sevices.

There is no explicit or implied guarantee that following any provided guidance will work in any given scenario because it is untested. The support teams will work on issues that arise from using the provided guidance to the limits of commercially reasonable effort.

The only configuration with NAT that was tested by Microsoft is running client on the private side of a NAT and have all servers located on the public side of the NAT. The NAT would also function as a DNS server.

Applies to
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Windows Server 2012 R2 Datacenter
  • Windows Server 2012 R2 Essentials
  • Windows Server 2012 R2 Foundation
  • Windows Server 2012 R2 Standard
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation
  • Windows Server 2012 Standard
kbsurveynew kbexpertiseinter kbexpertiseadvanced kbhowto KB978772
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support