The alternative, as you mentioned, is to encapsulate domain authentication traffic by using a virtual private network. Either PPTP or IPsec/L2TP VPNs can be used. For this option, you will need to open the ports for the VPN protocol you choose.
So what you need now is information about your specific firewall and how to open the necessary ports, and specific info, should you choose to go that route, on creating Windows 2000 VPNs. An excellent article on this issue and how to deal with it is Active Directory in Networks Segmented by Firewalls. The white paper discusses the ports necessary, offers information on selecting a VPN protocol and setting things up and has links to other VPN resources. In addition, should you later decide that hosting a DC at a remote site is part of your plan, it details the issues of doing DC replication over firewalls.
Dig deeper on Windows mobile device management
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.