• Status: Solved
Joining a security domain over a WAN

I am in the process of setting up a new Windows 2000 domain. The domain consists of PCs in two separate buildings, on two separate subnets, connected by Cisco routers, and only one Domain Controller, located in the main building.

The problem is that I am trying to figure out why the PCs in the remote building (they are running Windows 2000) cannot join the Windows 2000 domain. I get the message that the "Domain could not be contacted." The PCs in the building with the Domain Controller are having no problem connecting to the domain. The two buildings are on different subnets, and are connected by Cisco routers. I at first thought it was a Cisco routing problem, but I could ping the PCs on the other subnet, and the trace route went the correct route. Then when I tried to ping using the PC's name, it would not resolve the machine name to the IP address. I have set up DNS on the server, and it is working properly. The PCs have the DNS address of the Domain Controller listed as the primary DNS server.

The thing that adds the complexity is the fact that they are on a mixed Novell and MS network and they get their DHCP addresses from the Novell servers (this is their first MS server). Because of this they do not update the DNS server with their IP address.
1 Solution
Netman66 commented:
I suspect the offices are running private addressing?

Is the pipe between the Ciscos your Frame Relay or is it just the Internet?

If you are using private addressing and expect the clients to find your DNS server over the Internet, then it's not going to work unless you have your ISP register your DNS (which is likely not what we want here).

You'll need to create a static route to your DNS server so that DNS resolution gets forwarded to the other office. I think you can use the other router's IP as the DNS to forward to and set up a forwarder on that router to your DNS server. Make sure you create access lists so that intruders can't do the same. A better solution would be to build a small server and join the domain. Have DNS set up on it and make it AD integrated. Take that over to the other office.

I would also do the following:

1) Create an OU for each location - place user and computer objects in the correct OU.
2) Setup Sites - one for each location.
3) Create subnets and associate each to the correct Site.
4) Place a server in each site (both physically and in Active Directory).
5) Configure replication schedules on the links between sites.

You should have no issues if set up correctly.
brakofanon (Author) commented:
Yes, the pipe runs through their own frame, not over the internet.

How do I create a static route to point to the DNS server properly? I am not a Cisco person, but I have set them up successfully before. I would just need the proper syntax.

Again, I think it is working at least partially, as the pings work, and the trace route goes straight from the PC, through the router, to the server, and vice versa.

I doubt that they will want to pony up the money for another server before they have this one fully functional first. I need to have this set up by Tuesday.
Netman66 commented:
route add [network ID of subnet with DNS server] mask [mask of same] [gateway - router interface]

Try this on one PC first.

Advise.

Netman66 commented:
I've put up a flag for you for a Cisco person to join us in the event you need to tweak your routers.

NicBrey commented:
DNS queries are UDP broadcasts, and routers do not by default forward broadcasts over WAN links. On the router of the problem PCs you need to add the line under the Ethernet interface configuration mode that will allow the router to forward the DNS queries to the DNS server.


router(config-if)#ip helper-address  <ip address of DNS server>

That should do it...
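To see concretely what a Windows 2000 client sends when it tries to join or log on to the domain, here is an added example (it is not code from any poster in this thread). It builds the DC-locator SRV query for `_ldap._tcp.dc._msdcs.<domain>`, which the client sends as a unicast UDP datagram to port 53 of the DNS server configured in its TCP/IP settings, and parses the reply to find the domain controller's host name and LDAP port. The domain name `corp.example`, the DNS server address `10.1.0.10` and the host `dc1.corp.example` are assumed values; the reply is constructed inline so the script runs offline, and `query_dc()` sends the same query on a real network so you can confirm from the remote subnet that the configured server answers and that the answer points at the DC.

```python
import socket
import struct

# Assumed values for the demonstration (not taken from the thread):
DOMAIN = "corp.example"
DNS_SERVER = "10.1.0.10"   # the DC's address, on the other side of the routers
SRV_TYPE = 33              # DNS RR type SRV
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted host name into DNS label format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(domain: str, txn_id: int = 0x1234) -> bytes:
    """Build the SRV query the DC locator issues: _ldap._tcp.dc._msdcs.<domain>."""
    name = f"_ldap._tcp.dc._msdcs.{domain}"
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_srv_response(msg: bytes):
    """Return sorted (priority, weight, port, target) tuples from the answer section."""
    _txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                                  # RCODE != 0: NXDOMAIN, SERVFAIL, ...
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):                                 # skip echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = decode_name(msg, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    return sorted(records)


def build_sample_response(query: bytes, target: str, port: int = 389) -> bytes:
    """Construct the reply a DC-hosted DNS server would give (offline demonstration only)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, one answer
    question = query[12:]
    rdata = struct.pack("!HHH", 0, 100, port) + encode_name(target)
    # Answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, CLASS_IN, 600, len(rdata)) + rdata
    return header + question + answer


def query_dc(domain: str, server: str, timeout: float = 2.0):
    """Send the SRV query as unicast UDP to the configured server and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(domain), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data)


if __name__ == "__main__":
    q = build_srv_query(DOMAIN)
    print(parse_srv_response(build_sample_response(q, f"dc1.{DOMAIN}")))
    # On a real client: print(query_dc(DOMAIN, DNS_SERVER))
```

If `query_dc()` times out from the remote building while the same call works beside the DC, the client's packets to UDP port 53 of the DNS server are not getting across the routers (routing or an access list), which is a different problem from the Novell DHCP clients not registering their own names. An RCODE 3 (NXDOMAIN) instead means the server is reachable but does not hold the domain's SRV records.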
brakofanon (Author) commented:
What about the response going the other way? I cannot ping the machines on the remote site by name either. It sounds like this thread is going in the right direction, I just want to be sure before I go back out there.

Would I need to add a helper statement going the other way? If so, where do I point it to?
NicBrey commented:
No, you only need to add the helper statement on the local router interface of the PCs that can't resolve the names (the building without the domain controller). The replies from the server would be returned without any further configuration.
The machines on the side of the DNS server should be able to get the names from the server.
I think once the Active Directory accounts are created and the DNS entries are made, you should be able to ping the remote hostnames from the side of the domain controller.
brakofanon (Author) commented:
That would be the E0 interface if I am correct. I will try that this afternoon. Thank you very much.
Netman66 commented:
Glad we could help!