Joining a security domain over a WAN

I am in the process of setting up a new Windows 2000 domain. The domain consists of PC's in two seperate buildings, on two seperate subnets, connected by Cisco routers and only one Domain Controller located in the main building.

The problem is that I am trying to figure out why the PC's in the remote building, they are running windows 2000, cannot join the windows 2000 domain. I get the message that the "Domain could not be contacted." The PC's in the building with the Domain Controller are having no problem connecting to the domain. The two buildings are on different subnets, and are connected by Cisco routers. I at first thought it was a Cisco routing problem, but i could ping the PC's on the other subnet, and the trace route went the correct route. Then when i tried to ping using the PC's name, it would not resolve the machine name to the IP address. I have set up DNS on the sever, and it is working properly. The PC's have the DNS address of the Domain Controller listed as the primary DNS server.

The thing that adds the complexity is the fact that they are on a mixed Novell and MS network and they get their DHCP addresses from the Novell Servers(this is their first MS server). Because of this they do not update the DNS server with their IP address.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I suspect the offices are running private addressing?

Is the pipe between the Cisco's your Frame Relay or is it just the Internet?

If you are using private addressing and expect the clients to find your DNS server over the Internet, then it's not going to work unless you have your ISP register your DNS (which is likely not what we want here).

You'll need to create a static route to your DNS server so that DNS resolution gets forwarded to the other office.  I think you can use the other router's IP as the DNS to forward to and setup a forwarder on that router to your DNS server. Make sure you create access lists so that intruders can't do the same.  A better solution would be to build a small server and join the domain.  Have DNS setup on it and make it AD integrated.  Take that over to the other office.

I would also do the following:

1) Create an OU for each location - place user and computer objects in the correct OU.
2) Setup Sites - one for each location.
3) Create subnets and associate each to the correct Site.
4) Place a server in each site (both physically and in Active Directory).
5) Configure replication schedules on the links between sites.

You should have no issues is setup correctly.
brakofanonAuthor Commented:
Yes, the pipe runs through their own frame, not over the internet.

How do i create a static route to point to the DNS Server properly? i am not a Cisco person, but i have set them up successfully before. I would just need the proper syntax.

Again, i think it is working at least partially, as the pings work, and the trace route goes straight from the pc, through the router, to the server, and vice versa.

I doubt that they will want to pony up the money for another server before they have this one fully functional first. I need to have this set up by Tuesday.
route add [network ID of subnet with DNS server] [mask of same] [gateway - router interface]

Try this on one PC first.


IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

I've put up a flag for you for a Cisco person to join us in the event you need to tweak your routers.

DNS queries are UDP broadcasts, and router do not by default forward broadcasts over WAN links. On the router of the problem PC's you need to add the line under the ethernet interface configuration mode that will allow the router to forward the DNS queries
to the DNS server.

router(config-if)#ip helper-address  <ip address of DNS server>

That should do it...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
brakofanonAuthor Commented:
What about the response going the other way? I cannot ping the machines on the remote site by name either. It sounds like this thread is going in the right direction, i just want to be sure before i go back out there.

Would i need to add a helper statement going the other way? if so, where do i point it to?
No, you only need to add the helper statement on the local router interface of the PC's that can't resolve the names. (the building without the domain controller). The replies from the server would be returned without any further configuration.
The machines on the side of the DNS server should be able to get the names from the server.
I think once the Active Directory accounts are created and the DNS entries are made, you should be able to ping the remote hostnames from the side of the domain controller.

brakofanonAuthor Commented:
That would be the E0 interface if i am correct. I will try that this afternoon. Thank you very much.
Glad we could help!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.