Joining a security domain over a WAN

Posted on 2003-10-26
Last Modified: 2010-04-14
I am in the process of setting up a new Windows 2000 domain. The domain consists of PC's in two seperate buildings, on two seperate subnets, connected by Cisco routers and only one Domain Controller located in the main building.

The problem is that I am trying to figure out why the PC's in the remote building, they are running windows 2000, cannot join the windows 2000 domain. I get the message that the "Domain could not be contacted." The PC's in the building with the Domain Controller are having no problem connecting to the domain. The two buildings are on different subnets, and are connected by Cisco routers. I at first thought it was a Cisco routing problem, but i could ping the PC's on the other subnet, and the trace route went the correct route. Then when i tried to ping using the PC's name, it would not resolve the machine name to the IP address. I have set up DNS on the sever, and it is working properly. The PC's have the DNS address of the Domain Controller listed as the primary DNS server.

The thing that adds the complexity is the fact that they are on a mixed Novell and MS network and they get their DHCP addresses from the Novell Servers(this is their first MS server). Because of this they do not update the DNS server with their IP address.
Question by:brakofanon
  • 4
  • 3
  • 2
LVL 51

Expert Comment

ID: 9624269
I suspect the offices are running private addressing?

Is the pipe between the Cisco's your Frame Relay or is it just the Internet?

If you are using private addressing and expect the clients to find your DNS server over the Internet, then it's not going to work unless you have your ISP register your DNS (which is likely not what we want here).

You'll need to create a static route to your DNS server so that DNS resolution gets forwarded to the other office.  I think you can use the other router's IP as the DNS to forward to and setup a forwarder on that router to your DNS server. Make sure you create access lists so that intruders can't do the same.  A better solution would be to build a small server and join the domain.  Have DNS setup on it and make it AD integrated.  Take that over to the other office.

I would also do the following:

1) Create an OU for each location - place user and computer objects in the correct OU.
2) Setup Sites - one for each location.
3) Create subnets and associate each to the correct Site.
4) Place a server in each site (both physically and in Active Directory).
5) Configure replication schedules on the links between sites.

You should have no issues is setup correctly.

Author Comment

ID: 9626303
Yes, the pipe runs through their own frame, not over the internet.

How do i create a static route to point to the DNS Server properly? i am not a Cisco person, but i have set them up successfully before. I would just need the proper syntax.

Again, i think it is working at least partially, as the pings work, and the trace route goes straight from the pc, through the router, to the server, and vice versa.

I doubt that they will want to pony up the money for another server before they have this one fully functional first. I need to have this set up by Tuesday.
LVL 51

Expert Comment

ID: 9626918
route add [network ID of subnet with DNS server] [mask of same] [gateway - router interface]

Try this on one PC first.


LVL 51

Expert Comment

ID: 9627002
I've put up a flag for you for a Cisco person to join us in the event you need to tweak your routers.

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.


Accepted Solution

NicBrey earned 500 total points
ID: 9627438
DNS queries are UDP broadcasts, and router do not by default forward broadcasts over WAN links. On the router of the problem PC's you need to add the line under the ethernet interface configuration mode that will allow the router to forward the DNS queries
to the DNS server.

router(config-if)#ip helper-address  <ip address of DNS server>

That should do it...

Author Comment

ID: 9630251
What about the response going the other way? I cannot ping the machines on the remote site by name either. It sounds like this thread is going in the right direction, i just want to be sure before i go back out there.

Would i need to add a helper statement going the other way? if so, where do i point it to?

Expert Comment

ID: 9633299
No, you only need to add the helper statement on the local router interface of the PC's that can't resolve the names. (the building without the domain controller). The replies from the server would be returned without any further configuration.
The machines on the side of the DNS server should be able to get the names from the server.
I think once the Active Directory accounts are created and the DNS entries are made, you should be able to ping the remote hostnames from the side of the domain controller.


Author Comment

ID: 9633583
That would be the E0 interface if i am correct. I will try that this afternoon. Thank you very much.
LVL 51

Expert Comment

ID: 9678556
Glad we could help!

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Visual C++ Runtime Error on Windows 2000 Server 2 1,484
HP ML 110: This System is not supported platform 1 506
website 1 303
Windows  Active Directory  Quesiton 8 117
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
When we talk about DevOps toolchains, I sometimes wonder how many people really get what we’re talking about. I don’t know if it’s just semantics or tone or something else, but sometimes I think it just sounds like buzzword sausage. So it’s always …
Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now