Joining a security domain over a WAN

Posted on 2003-10-26
Last Modified: 2010-04-14
I am in the process of setting up a new Windows 2000 domain. The domain consists of PCs in two separate buildings, on two separate subnets, connected by Cisco routers, with only one Domain Controller, located in the main building.

The problem is that I am trying to figure out why the PCs in the remote building, which are running Windows 2000, cannot join the Windows 2000 domain. I get the message that the "Domain could not be contacted." The PCs in the building with the Domain Controller are having no problem connecting to the domain. The two buildings are on different subnets, and are connected by Cisco routers. I at first thought it was a Cisco routing problem, but I could ping the PCs on the other subnet, and the trace route went the correct route. Then when I tried to ping using the PC's name, it would not resolve the machine name to the IP address. I have set up DNS on the server, and it is working properly. The PCs have the DNS address of the Domain Controller listed as the primary DNS server.

The thing that adds the complexity is the fact that they are on a mixed Novell and MS network and they get their DHCP addresses from the Novell servers (this is their first MS server). Because of this they do not update the DNS server with their IP address.

Question by: brakofanon
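As an added example (not part of the thread), a stand-alone stub-resolver check that a client in the remote building could run against the DC's DNS address: it asks for the domain's DC locator record, _ldap._tcp.dc._msdcs.<domain>, the SRV record a Windows 2000 client looks up to find a domain controller. A socket timeout shows UDP/53 never got across the WAN link, an NXDOMAIN shows the DC has not registered its locator records, and a list of targets shows name resolution is not the problem. The domain name and DNS server address are placeholders the caller supplies; only the standard library is used.

```python
import socket
import struct
SRV = 33  # record type of the _msdcs DC locator entries a DC registers in DNS

def build_query(name, qtype, txid=0x1234):
    """Single-question DNS query with RD=1, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_srv_response(msg):
    """Return [(priority, weight, port, target)] for each SRV answer."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:                               # RCODE 3: record not registered
        raise ValueError(f"DNS error, RCODE {flags & 0xF}")
    off, answers = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4          # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            answers.append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return answers

def locate_dcs(domain, dns_server, timeout=3.0):
    """Ask dns_server for the DC locator; a timeout means UDP/53 never arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(f"_ldap._tcp.dc._msdcs.{domain}", SRV), (dns_server, 53))
        return parse_srv_response(s.recv(4096))
```

Run `locate_dcs("corp.example", "10.0.0.1")` from a remote-subnet PC with the real domain and DC address substituted; the same call from the DC's own subnet gives the comparison the thread is after.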

Expert Comment

ID: 9624269
I suspect the offices are running private addressing?

Is the pipe between the Ciscos your Frame Relay or is it just the Internet?

If you are using private addressing and expect the clients to find your DNS server over the Internet, then it's not going to work unless you have your ISP register your DNS (which is likely not what we want here).

You'll need to create a static route to your DNS server so that DNS resolution gets forwarded to the other office. I think you can use the other router's IP as the DNS to forward to and set up a forwarder on that router to your DNS server. Make sure you create access lists so that intruders can't do the same. A better solution would be to build a small server and join the domain. Have DNS set up on it and make it AD integrated. Take that over to the other office.

I would also do the following:

1) Create an OU for each location - place user and computer objects in the correct OU.
2) Set up Sites - one for each location.
3) Create subnets and associate each to the correct Site.
4) Place a server in each site (both physically and in Active Directory).
5) Configure replication schedules on the links between sites.

You should have no issues if set up correctly.

Author Comment

ID: 9626303
Yes, the pipe runs through their own frame, not over the Internet.

How do I create a static route to point to the DNS server properly? I am not a Cisco person, but I have set them up successfully before. I would just need the proper syntax.

Again, I think it is working at least partially, as the pings work, and the trace route goes straight from the PC, through the router, to the server, and vice versa.

I doubt that they will want to pony up the money for another server before they have this one fully functional first. I need to have this set up by Tuesday.

Expert Comment

ID: 9626918
route add [network ID of subnet with DNS server] mask [mask of same] [gateway - router interface]

Try this on one PC first.

Expert Comment

ID: 9627002
I've put up a flag for you for a Cisco person to join us in the event you need to tweak your routers.


Accepted Solution

NicBrey earned 500 total points
ID: 9627438
DNS queries are UDP broadcasts, and routers do not by default forward broadcasts over WAN links. On the router of the problem PCs you need to add the line under the Ethernet interface configuration mode that will allow the router to forward the DNS queries to the DNS server.

router(config-if)#ip helper-address <ip address of DNS server>

That should do it...

Author Comment

ID: 9630251
What about the response going the other way? I cannot ping the machines on the remote site by name either. It sounds like this thread is going in the right direction, I just want to be sure before I go back out there.

Would I need to add a helper statement going the other way? If so, where do I point it to?

Expert Comment

ID: 9633299
No, you only need to add the helper statement on the local router interface of the PCs that can't resolve the names (the building without the domain controller). The replies from the server would be returned without any further configuration.
The machines on the side of the DNS server should be able to get the names from the server.
I think once the Active Directory accounts are created and the DNS entries are made, you should be able to ping the remote hostnames from the side of the domain controller.


Author Comment

ID: 9633583
That would be the E0 interface if I am correct. I will try that this afternoon. Thank you very much.

Expert Comment

ID: 9678556
Glad we could help!
