Joining a security domain over a WAN

Posted on 2003-10-26
Medium Priority
Last Modified: 2010-04-14
I am in the process of setting up a new Windows 2000 domain. The domain consists of PCs in two separate buildings, on two separate subnets, connected by Cisco routers, and only one Domain Controller located in the main building.

The problem is that I am trying to figure out why the PCs in the remote building (they are running Windows 2000) cannot join the Windows 2000 domain. I get the message that the "Domain could not be contacted." The PCs in the building with the Domain Controller are having no problem connecting to the domain. The two buildings are on different subnets, and are connected by Cisco routers. I at first thought it was a Cisco routing problem, but I could ping the PCs on the other subnet, and the trace route went the correct route. Then when I tried to ping using the PC's name, it would not resolve the machine name to the IP address. I have set up DNS on the server, and it is working properly. The PCs have the DNS address of the Domain Controller listed as the primary DNS server.

The thing that adds the complexity is the fact that they are on a mixed Novell and MS network and they get their DHCP addresses from the Novell servers (this is their first MS server). Because of this they do not update the DNS server with their IP address.
Question by: brakofanon
LVL 51

Expert Comment

ID: 9624269
I suspect the offices are running private addressing?

Is the pipe between the Ciscos your Frame Relay or is it just the Internet?

If you are using private addressing and expect the clients to find your DNS server over the Internet, then it's not going to work unless you have your ISP register your DNS (which is likely not what we want here).

You'll need to create a static route to your DNS server so that DNS resolution gets forwarded to the other office. I think you can use the other router's IP as the DNS to forward to and set up a forwarder on that router to your DNS server. Make sure you create access lists so that intruders can't do the same. A better solution would be to build a small server and join the domain. Have DNS set up on it and make it AD integrated. Take that over to the other office.

I would also do the following:

1) Create an OU for each location - place user and computer objects in the correct OU.
2) Set up Sites - one for each location.
3) Create subnets and associate each to the correct Site.
4) Place a server in each site (both physically and in Active Directory).
5) Configure replication schedules on the links between sites.

You should have no issues if set up correctly.

Author Comment

ID: 9626303
Yes, the pipe runs through their own frame, not over the Internet.

How do I create a static route to point to the DNS server properly? I am not a Cisco person, but I have set them up successfully before. I would just need the proper syntax.

Again, I think it is working at least partially, as the pings work, and the trace route goes straight from the PC, through the router, to the server, and vice versa.

I doubt that they will want to pony up the money for another server before they have this one fully functional first. I need to have this set up by Tuesday.
LVL 51

Expert Comment

ID: 9626918
route add [network ID of subnet with DNS server] mask [mask of same] [gateway - router interface]

(Windows 2000 requires the literal keyword "mask" between the network ID and the netmask; without it the command is rejected.)

Try this on one PC first.


LVL 51

Expert Comment

ID: 9627002
I've put up a flag for you for a Cisco person to join us in the event you need to tweak your routers.


Accepted Solution

NicBrey earned 2000 total points
ID: 9627438
DNS queries are UDP broadcasts, and routers do not by default forward broadcasts over WAN links. On the router of the problem PCs you need to add the line under the Ethernet interface configuration mode that will allow the router to forward the DNS queries to the DNS server.

router(config-if)#ip helper-address <ip address of DNS server>

That should do it...
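
An added example, not part of the original thread, showing on the wire what a Windows 2000 client does when it tries to find a domain controller. The DC locator asks the client's configured DNS server for the SRV record _ldap._tcp.dc._msdcs.<domain>, and that query is a unicast UDP datagram to port 53 of that server (the configured DNS address, here the DC itself), so what the WAN path has to do is route it and its reply without filtering. The script builds that exact query, parses the reply, and includes a constructed reply so it runs offline; the domain name example.local, the host dc1.example.local and the address 192.168.1.10 are made up for the example.

```python
"""Build and parse the DNS SRV lookup a Windows 2000 DC locator performs.

Added example; not code from the thread above. The query goes as a unicast
UDP datagram to the client's configured DNS server on port 53. Domain name,
DC host name, address and the response bytes are constructed for this example.
"""
import socket
import struct

DC_LOCATOR_PREFIX = "_ldap._tcp.dc._msdcs."   # DC locator SRV record prefix
QTYPE_SRV = 33
QTYPE_A = 1
QCLASS_IN = 1
TXID = 0x1234                                  # fixed transaction id for the example


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_srv_query(domain: str, txid: int = TXID) -> bytes:
    """Wire-format SRV query for _ldap._tcp.dc._msdcs.<domain>.

    Flags 0x0100 = standard query with recursion desired; one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(DC_LOCATOR_PREFIX + domain) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    return header + question


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg: bytes, expected_txid: int = TXID):
    """Return rcode, SRV targets and A records from a DNS response message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    result = {"rcode": flags & 0x000F, "srv": [], "a": {}}
    offset = 12
    for _ in range(qd):                                # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    for _ in range(an + ns + ar):                      # walk every resource record
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = decode_name(msg, offset + 6)
            result["srv"].append({"priority": prio, "weight": weight, "port": port, "target": target})
        elif rtype == QTYPE_A:
            result["a"][name] = socket.inet_ntoa(rdata)
        offset += rdlen
    return result


def build_sample_response(domain: str, dc_host: str, dc_ip: str, txid: int = TXID) -> bytes:
    """Constructed reply an AD-integrated DNS server would give: one SRV answer
    (LDAP on port 389 at dc_host) plus the A record for dc_host as a glue record."""
    qname = encode_name(DC_LOCATOR_PREFIX + domain)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)    # response, RD, RA
    question = qname + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    target = encode_name(dc_host)
    srv_rdata = struct.pack("!HHH", 0, 100, 389) + target
    answer = qname + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, len(srv_rdata)) + srv_rdata
    a_rdata = socket.inet_aton(dc_ip)
    glue = target + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 600, len(a_rdata)) + a_rdata
    return header + question + answer + glue


def locate_dc(domain: str, dns_server: str, timeout: float = 3.0):
    """Live version: unicast the query to dns_server:53 and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(domain), (dns_server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    reply = build_sample_response("example.local", "dc1.example.local", "192.168.1.10")
    print(parse_response(reply))
```

Run from a PC on the remote subnet, `locate_dc("<your domain>", "<DC address>")` exercises the same path a domain join uses: if a ping to the DC address succeeds but this call times out, port 53 to the DC is being dropped somewhere between the two routers or the client is not actually using the DC as its resolver; if it returns rcode 3 (NXDOMAIN) or an empty "srv" list, the DC's DNS zone is missing the _msdcs records and the problem is on the server rather than on the WAN. Only the offline parse is exercised by the tests below; `locate_dc` does real network I/O.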

Author Comment

ID: 9630251
What about the response going the other way? I cannot ping the machines on the remote site by name either. It sounds like this thread is going in the right direction; I just want to be sure before I go back out there.

Would I need to add a helper statement going the other way? If so, where do I point it to?

Expert Comment

ID: 9633299
No, you only need to add the helper statement on the local router interface of the PCs that can't resolve the names (the building without the domain controller). The replies from the server would be returned without any further configuration.
The machines on the side of the DNS server should be able to get the names from the server.
I think once the Active Directory accounts are created and the DNS entries are made, you should be able to ping the remote hostnames from the side of the domain controller.


Author Comment

ID: 9633583
That would be the E0 interface if I am correct. I will try that this afternoon. Thank you very much.
LVL 51

Expert Comment

ID: 9678556
Glad we could help!
