Solved

Unable to browse WAN over IPSEC tunnel, same domain different subnets

Posted on 2003-03-10
533 Views
Last Modified: 2008-03-04
Hi all,
I am administering an inherited network with two geographic locations.  Both locations are running a win 2k server and various windows clients.  The domain name at either location is the same  e.g. mydomain.com, but the IP ranges are on different subnets.  I have recently connected the two locations over an IPSEC tunnel through firewall hardware on either end.  After creating the tunnel, I installed WINS on either end and set up push/pull replication.  Currently I can ping names and IPs on both sides of the tunnel, but I cannot browse computers through "my network places".  In the WINS console, I can "find by owner" all of the computers from both sides of the tunnel. How can I get all of the computers to show up in My Network Places?  Is this a problem because of different subnets?...because of the Domain Controller on either end? ...DNS?  Any help on how to troubleshoot this would be greatly appreciated.
Regards,
NewbieAdmin
Question by:NewbieAdmin
29 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8104660
0
 

Author Comment

by:NewbieAdmin
ID: 8104742
Thanks, I will look at those to see if they solve the problem.  Can only one DC act as master browser?  If so, what is affected on the other side of the tunnel when I change one or the other to the master browser?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8104770
There should be one master browser per subnet. Check the server logs at each site for messages regarding browser elections and who thinks they won.
0
 
LVL 2

Accepted Solution

by: mdnewell (earned 1200 total points)
ID: 8105496
Hey newbieAdmin,
You state that the domains have the same name in each site, but are they the same domain, or are they two different domains that have the same name?

It sounds like WINS is working correctly if you can ping by name on the other side of your tunnel. I believe if they are two domains with the same name, the computers will not show up in Network Neighborhood in a different domain unless there's a trust between them. I'm not sure of the problems you may have if you set up a trust between two domains with the same name, but it should be OK, just confusing to the users.

Remember, to Windows a domain is a SID, not a name.


Are these NT 4.0 or 2K domains?

Let me know,
Mike.
0
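An added diagnostic, not code from this thread, that checks the two points raised above (the domain is identified by its SID, not its name; and each server's log shows who is winning browser elections). It assumes Windows PowerShell on a host that can reach both DCs, and the DC names are placeholders.

```powershell
# Added example (not from the thread). Placeholder DC names: replace with yours.
$dcs = @('dc-site1.mydomain.com', 'dc-site2.mydomain.com')

function Get-DomainSidFromDc {
    param([string]$Dc)
    # Binding to LDAP://<server> with no DN lands on that server's default
    # naming context, i.e. the domain object of the domain it serves.
    $domain = [adsi]"LDAP://$Dc"
    $sid = New-Object System.Security.Principal.SecurityIdentifier(
        [byte[]]$domain.objectSid.Value, 0)
    [pscustomobject]@{
        DC   = $Dc
        Name = [string]$domain.name
        DN   = [string]$domain.distinguishedName
        SID  = $sid.Value
    }
}

$ids = $dcs | ForEach-Object { Get-DomainSidFromDc $_ }
$ids | Format-Table -AutoSize

# Same NetBIOS/DNS name on both ends proves nothing; the SID decides.
if (@($ids.SID | Select-Object -Unique).Count -eq 1) {
    'Same domain SID on both DCs: one domain, so the browse problem is elsewhere.'
} else {
    'Different domain SIDs: two distinct domains that merely share a name.'
}

# Browser election chatter on each server. Only hosts still running the
# Computer Browser service (source "BROWSER") write these events; newer
# Windows versions no longer ship the service, so the query may return nothing.
foreach ($dc in $dcs) {
    "--- Browser events on $dc ---"
    Get-EventLog -ComputerName $dc -LogName System -Source BROWSER -Newest 200 `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'election|master browser' } |
        Select-Object TimeGenerated, EventID,
            @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -AutoSize -Wrap
}
```

Run it from a machine that has the tunnel up; if the SIDs differ, the same-name trust attempt later in the thread is exactly the case that fails.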
 

Author Comment

by:NewbieAdmin
ID: 8105569
They were set up separately with the same domain name.  I guess that is what I mean by they are the same domain.  You are probably correct in that they are different domains with the same domain name.  I am a little new at this; I'm assuming SID is the security identifier?  Is it impossible to join them into the same domain by name and SID?    Also, I am running 2k domains.  I think you may have hit the nail on the head here because I noticed an error in the event log referring to the SID being incorrect.  How would I go about resolving this issue?  
Thanks,
NewbieAdmin
0
 
LVL 2

Expert Comment

by:mdnewell
ID: 8105957
Hey,
Yes, I mean the SID is the security identifier. Windows sees those as separate domains.

You may want to look into the Domain Migration utility from MS. You can migrate the users and computers from one domain to another, and with SID history if you are in native mode. But do some reading; this is relatively straightforward with the migration utility, but it's still some work and some chances for bad things to happen.

Is the plan to have the two sites as one domain with the VPN connection permanently between them?
0
 
LVL 1

Expert Comment

by:Baddog
ID: 8106123
Since you have two subnets, you must be using some type of router to make both networks communicate. In this case, although I am not 100 percent sure, I do not think that you can use My Network Places, as it works on broadcast signals and these get filtered out by the router.  

Ping.exe sends an IP packet with an echo request and therefore goes through.


BDog
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8106149
Baddog,
The WINS server handles the NetBIOS name resolution and browser lists for sites across a WAN. See the first link in my initial post, How Browsing Works Across a WAN.
0
 

Author Comment

by:NewbieAdmin
ID: 8106200
Mike,
Yes, the plan is to have two sites with one domain and a permanent VPN connection between them.  I'll look into the domain migration utility.  I don't know what difficulties there may be since some users will be duplicated on each server.  Would it be easier to change the domain on one end of the tunnel?
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 800 total points
ID: 8106232
I think you'll be much happier if you go ahead and change the domain name on one end and create a trust relationship between them.
0
 
LVL 1

Expert Comment

by:Baddog
ID: 8106268
lrmoore,
     Got it...this makes for some good reading. Thnx.
0
 
LVL 2

Expert Comment

by:mdnewell
ID: 8106344
I don't believe you can easily rename a domain unless you upgrade to Windows 2003, so you'll still need to go through some type of migration or footwork to get your domain renamed. I believe there's some info on the MS site regarding renaming a domain, but I don't have any links handy. Sorry.

It all depends on what you want to accomplish. I don't mean to be that vague but each setup has advantages and disadvantages to them.

Can you tell me a little more about what you need to do between the two places?
0
 
 

Author Comment

by:NewbieAdmin
ID: 8106438
Mike,
Initially, what I need to accomplish is very simple compared to the capabilities that are there.  We currently are just doing FTP file sharing between the two sites, which really limits the search capabilities.  I would like to join everything to improve on the usability of the file sharing.  I also want to be able to print to the network printers on the other side of the tunnel.  At least at first, that is all that needs to be accomplished.  However, I don't want anything that I do now to limit what I can do in the future.  Although I have not looked into it very much, eventually I would like to be able to do roaming profiles and remote user VPN.  In short, for now I just want to be able to browse the opposite end of the tunnel in the same manner that I browse the side I am located on.  
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8106491
0
 

Author Comment

by:NewbieAdmin
ID: 8106597
lrmoore,
Although that info tells you how to change the domain that a win2k computer logs on to, I don't think it works the same as changing the entire domain, i.e. it does not rename the domain used by a domain controller.
0
 
LVL 2

Expert Comment

by:mdnewell
ID: 8106635
lrmoore,
This is an article on how to change a local system to join an existing domain. Not how to rename a domain.


NewbieAdmin,
How large are the domains in question? Have they been around a while and have users and shares that will need to be addressed?

Again,
Renaming a domain on pre-2003 domains is no easy project by any means. Remember, there's a lot associated with a domain.

I still think the domain migration wizard will help here.

 
0
 

Author Comment

by:NewbieAdmin
ID: 8106705
Mike,
I looked at the domain migration article, but it only mentioned native mode, and I think I am in mixed mode.  I need to look around a little more on this, so let me know if you see an applicable article.  The domains are relatively small (10-30 computers varying from win95 to winXPpro) but have been around for a few years.  
0
 
LVL 2

Expert Comment

by:mdnewell
ID: 8106787
Ya, the wizard that's free from MS only supports native mode domains because of the use of SID history. NetIQ has a domain wizard that you can use on non-native domains, but it's a lot less work if you're in native mode and use the SID history. You should probably look into going into native mode; you'll like it.

I'll look around and post if I find anything, but you may consider creating a trust between the two domains with the same name. Theoretically, it should work; it would just be confusing to your users, but it may be a quick fix for what you need.

You could train your users that the first domain listed in network neighborhood is their domain and the second is the remote office, or something like that. You would just see this

domainname
domainname

in network neighborhood.
0
 
 

Author Comment

by:NewbieAdmin
ID: 8106986
Mike,

I tried to create the trust relationship, but it did not take.  As mentioned before, I am a little new at this so I may be doing something wrong, but this is what I did:

Administrative Tools>Active Directory Domains and Trusts

Right click mydomain.com, select properties, then select the trusts tab...

Click add and add mydomain.com to trusted domains
click add and add mydomain.com to trust this domain

I did the same thing on the server at the other end of the tunnel, but it doesn't work.  I think each domain tries to establish a trust relationship with itself and fails to connect.  

If I were to use the migration wizard and switch to native mode, what exactly does that mean?  What is the difference between native and mixed mode?  Are there any significant changes there?  I noticed that it is a permanent change, so that if there are problems I am out of luck.  
0
 
LVL 2

Expert Comment

by:mdnewell
ID: 8107212
Sorry to hear that the trust didn't work but it was worth a shot. Did you get an error when you established the trusts?
 

Native mode means you don't have any 4.0 BDCs for that domain and yes, it's a permanent change. But it's not a big deal if you're SURE (read SURE) there are no 4.0 BDCs. It allows you to bring the users from the old domain to the new domain, retaining their old domain user SID, allowing them to still have access to the original domain while you're migrating. It also allows the use of Universal groups, something else you will want to read about.

In any case, you should read about it; there's plenty of stuff regarding mixed mode vs. native mode on the MS site.
0
 

Author Comment

by:NewbieAdmin
ID: 8107723
I did get an error saying that the domain could not be verified.  I think I will try to use the migration utility or possibly try to rename one of the domains.  I have switched both servers to native mode and will be reading up on the migration utility.  I will also read up on how to rename a domain.  I think that lrmoore is correct in that this would be more intuitive to the users.  Hopefully that will close out this question.  Sorry to drag it all out, but I'm learning as I go, (sometimes the hard way).  Thanks everyone for all of the help.  I'll post when I have tried one of these options.  
Thanks all.
0
 
LVL 2

Expert Comment

by:mdnewell
ID: 8107815
Cool. I'd be interested in how the domain migration or re-name goes. Keep us posted.

Good luck,
Mike
0
 

Author Comment

by:NewbieAdmin
ID: 9011247
Hi guys.  Sorry for the long delay in this, but I was waiting for the opportunity to travel to the other geographic location, since it has a much smaller network.  I will be trying the domain change tomorrow (Sunday).  I have brought up another server by itself with a new domain name:  place1.here.mydomain.com.  I am probably going to try the domain migration tool to change over to this new domain.  If that does not work, then I will just bring up the old server again.  I have posted another question regarding the naming of the domains on either end, and how to access them.  You guys may be able to help on that, and I have jumped the points up a little.  I will probably bump up the points on this question to 400 and split it between mdnewell and lrmoore.  I'll post one last time when I am finished to let you guys know how it goes.  Thanks for all the help.
0
 

Author Comment

by:NewbieAdmin
ID: 9023526
I have increased the points here a little more and I have a follow-up question.  I think I will have to bring both DCs up from scratch.  When I do that, can I call them "here.mydomain.internal" and "there.mydomain.internal" without "mydomain.internal" existing yet, and what is necessary in Windows 2000 to be able to browse from one to the other?  Is it as simple as creating the trusts between them?  The VPN connects between the IP subnets, but I'm not sure if I need to create subnets in Windows 2000.  Please let me know what you think on this.  Thanks.  As I mentioned, I will be splitting 400 points for the questions that have already been answered, and then another 100 will go to whoever can give me a detailed explanation on this part.  
0
 
LVL 2

Expert Comment

by:mdnewell
ID: 9032549
Seems a little overkill to have two domains set up like that, but I don't know your needs. I would consider having those offices in the same domain and creating sites in AD. Much easier administratively.

Why the two domain model?

0
 

Author Comment

by:NewbieAdmin
ID: 9037427
I thought based on lrmoore's comment that it would be more intuitive to the user.  I would like them to both be able to see all computers in My Network Places, but I also want them to know which computers are located where.  My plan was to create two trees in the same forest.  I'm not particularly familiar with how to set up sites and what that means as far as the user is concerned.  With the two trees model, they would each see two locations in My Network Places> "here" and "there" respectively.  Would sites accomplish the same thing?
0
 

Author Comment

by:NewbieAdmin
ID: 9103350
Hi guys,
I split the points in what I thought was a fair manner.  Thank you both for the help.  I still have not completed the tunnel to my satisfaction, but it will be done as soon as I can bring up the server again on my end of the tunnel.  At this point I still have to decide whether to use the same domain name or two separate ones.  I think I will probably stick with the original plan as suggested by lrmoore, and make them separate, but I will look into AD sites to see what the advantages/disadvantages are.  I did not try the domain migration because I did not think either end of the tunnel was set up correctly, and I wanted to start each side with a fresh install.  Anyway, thanks again guys.
0