Log in to a Windows domain controller over a router?

GSI Guy (asker, Canada):

Hi all,

     Wonder if you could help me with a situation. I think there's a way to do this, but I've forgotten.

I'm dealing with a client-server network with a couple of domain controllers, in one city. There is a Windows 2000 domain controller and a Windows 2003 server (which I have yet to make a domain controller, but I will). This network is connected to a peer-to-peer network in another city, over a Cisco router-to-router IPSec VPN.

The peer-to-peer network has been using terminal services up to now, but we would like to get rid of terminal services. The VPN connection is high speed and reliable now, and we would like to have those computers log into the domain controller in the other city, over the VPN.

When I try to set a workstation to join the domain, it cannot find the domain controller. And then I seem to remember that there is something you have to setup. Is there some kind of domain controller relay that you have to set up? Does anyone know how to do this? Obviously we don't want to put another server in the other city. The network is small, and the whole reason for having it log in over the VPN is to avoid putting in another server. Can anyone help with this?

This is fairly urgent, just because we've gotten started. But I'll try to be patient, 'cause I could use the help. It's only the users that would get on my back!

thanks!
Jay_Jay70 (Australia):

Hi gs-rho,

First, look at DNS and the connection.

Are you able to ping the remote DC by name and IP?

Cheers!
GSI Guy (asker):
Sorry, had a delay here. Get back to you very soon.
GSI Guy (asker):
Seems to me it was a DNS thing. And I played with different scenarios. The only way it seemed to work reliably is if I put in static DNS, in this order:

1 - (primary) domain controller
2 - router IP
3 - (secondary) domain controller
4 - external DNS 1
5 - external DNS 2

The last 2 are really just in case the link goes down and they still have Internet. But honestly, I don't really understand why item 2 helps it work. All I know is that it does. If anyone wants to take any time to help explain it, well, I got some points here that really aren't going anywhere yet, although I think Jay_Jay70 deserves some for trying to help.
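As an added example (it is not from the thread or either participant), the PowerShell below applies the DNS order listed above to a remote workstation and then checks, server by server, which of them can actually locate a domain controller. All values are assumptions: domain corp.example.com, domain controllers 192.168.1.10 and 192.168.1.11 (dc1 and dc2), remote router 192.168.2.1, ISP resolvers 203.0.113.53 and 203.0.113.54, NIC alias "Ethernet". The DnsClient and NetTCPIP cmdlets need Windows 8 / Server 2012 or later; on the Windows 2000/XP clients of the original thread, `ipconfig /all`, `nslookup -type=SRV` and `nltest` give the same information.

```powershell
# Added example, not code from the original thread.
# Assumed lab values (change to match your domain):
$Domain   = 'corp.example.com'
$DnsOrder = @('192.168.1.10',   # 1 - primary domain controller (AD-integrated DNS)
              '192.168.2.1',    # 2 - remote office router
              '192.168.1.11',   # 3 - secondary domain controller
              '203.0.113.53',   # 4 - external DNS 1
              '203.0.113.54')   # 5 - external DNS 2
$Nic      = 'Ethernet'

# 1. Set the static DNS server list in exactly this order and drop any cached negative answers.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DnsOrder
Clear-DnsClientCache

# 2. Ask every server in the list for the AD domain controller locator record.
#    Only DNS servers that host the AD zone (the DCs) can answer it; the router and the
#    ISP resolvers are expected to fail, which shows why they must sit below the DC.
$locator = "_ldap._tcp.dc._msdcs.$Domain"
foreach ($server in $DnsOrder) {
    try {
        $srv = Resolve-DnsName -Name $locator -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $targets = ($srv | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port }) -join ', '
        '{0,-15} answers {1} -> {2}' -f $server, $locator, $targets
    } catch {
        '{0,-15} cannot locate a DC: {1}' -f $server, $_.Exception.Message
    }
}

# 3. Let the Netlogon DC locator do its own lookup; this is the path the domain-join wizard uses,
#    so a failure here is the "cannot find the domain controller" error from the question.
nltest /dsgetdc:$Domain /force

# 4. Jay_Jay70's first question, by name and by port: LDAP and SMB must both cross the VPN
#    for a domain join to succeed.
foreach ($port in 389, 445) {
    Test-NetConnection -ComputerName "dc1.$Domain" -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

Why the first entry is the one that matters: the Windows resolver sends the query to the first server on the list and accepts whatever it answers, including "name does not exist" for the _msdcs records; it only falls through to the next server when the first one does not respond at all. A router or ISP resolver in slot 1 therefore breaks DC location even with the DC listed further down, whereas the same entries below the DC are harmless and only serve Internet names when the tunnel is down.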
Jay_Jay70:

That's OK my friend, if you fixed this yourself then you don't need to pass out points.

However, I think we need to look at why that router IP makes a difference. Does your router handle DHCP?
ASKER CERTIFIED SOLUTION
GranMod
GSI Guy (asker):
Yes, the router does handle DHCP... however, it looks like the moderators have whipped the carpet out from under this one...(?)
Jay_Jay70:

Ah well, let's see if we can fix it anyway.

In a domain environment your router should never handle DHCP; it's just asking for trouble. You need to set up DHCP on your domain controller and disable it completely on your router, set your scope options to point to the server for DNS, add the ISP DNS servers as forwarders in your DNS properties, and watch everything work!
GSI Guy (asker):
Well, if you don't mind continuing to discuss this (it's up to you, just for fun), I should clarify...
- remember, this is a router-to-router VPN situation...

the router on the main network...
- has the servers (domain controllers) on its LAN
- does not handle DHCP (- that is actually handled by the servers)

the router on the remote network...
- does not have any servers
- does handle DHCP, for that network only

Do you think that the servers on the main network should handle DHCP for the remote network? Is that necessary? Ideal? If so, I would need some kind of relay agent, wouldn't I?
Really, I think the remote router is handling DHCP for the remote network so that if the connection goes down and leases expire, they can still get Internet. That is an important consideration anyway. Do you have any thoughts about this?
GSI Guy (asker):
One more comment... I don't remember... does a DHCP relay agent have to be on a Windows server? Can it be on a Windows workstation? Because if it's on a Windows server, the cost savings are defeated, and you might as well do the whole domain thing on the remote network.
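As an added example (not from the thread or its participants), here is what serving the remote subnet from the main-office Windows DHCP server looks like, with the relay question answered on the router rather than on any Windows box. All values are assumptions: remote subnet 192.168.2.0/24 behind router 192.168.2.1, DCs 192.168.1.10 and 192.168.1.11 with the DHCP role on 192.168.1.10, ISP resolvers 203.0.113.53 and 203.0.113.54, domain corp.example.com. The DhcpServer cmdlets ship with Windows Server 2012 or later; on Windows 2003 the same scope and options are created in the DHCP MMC or with `netsh dhcp`.

```powershell
# Added example, not code from the original thread. Run on the main-office DHCP server.
# Assumed lab values (change to match your network):
$Scope      = '192.168.2.0'
$RemoteGw   = '192.168.2.1'
$DnsServers = '192.168.1.10', '192.168.2.1', '192.168.1.11', '203.0.113.53', '203.0.113.54'
$DnsDomain  = 'corp.example.com'

# A scope for the remote office. The long lease is the answer to the asker's outage concern:
# an address issued for 30 days does not expire during a VPN outage of hours or days, so the
# clients keep their IP, their gateway and their DNS list and still reach the Internet.
Add-DhcpServerv4Scope -Name 'Remote office' `
    -StartRange 192.168.2.100 -EndRange 192.168.2.200 -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 30)

# Scope options: the remote router stays the default gateway, but DNS is handed out in the
# DC-first order the asker settled on, so every client is pointed at the domain automatically.
Set-DhcpServerv4OptionValue -ScopeId $Scope -Router $RemoteGw `
    -DnsServer $DnsServers -DnsDomain $DnsDomain

# The relay agent does not have to be a Windows server or workstation at all: the remote Cisco
# router can do it. On its LAN interface,
#     ip helper-address 192.168.1.10
# turns the clients' DHCP broadcasts into unicast to the server through the tunnel, and the
# relay address the router inserts (giaddr, 192.168.2.1) is what makes the server pick this
# scope instead of the main-office one. The router's own DHCP pool is then removed.
Get-DhcpServerv4Scope -ScopeId $Scope | Format-List ScopeId, Name, SubnetMask, LeaseDuration, State
Get-DhcpServerv4OptionValue -ScopeId $Scope | Format-Table OptionId, Name, Value
```

The trade-off stands as the asker describes it: with this design, a client that first boots while the tunnel is down gets no address, so the lease length and the second DNS entry (the local router) are what keep an outage from also taking away Internet access.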
Jay_Jay70:

Ah, I see, I understand what you are getting at then.

With your remote location, can you ping your 2003 server by name and IP at the moment?
GSI Guy (asker):
Yup. As I said, the above configuration allows me to set up domain-joined PCs in the remote network that log in over the router-to-router VPN. It needs to be set up this way, though. I find it's also necessary even if I want to allow non-domain PCs to access the Exchange server - but that makes it work.
Jay_Jay70:

Sorry mate, I am still here, just a bit busy atm!
GSI Guy (asker):
No problem. We're jus' chattin' now. However, it is helpful.
Jay_Jay70:

Actually, thinking on this, I think I remember another case where, even though there was full resolution, the MTU size was causing grief and not allowing domain joining.
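As an added example (not from the thread or its participants), the following PowerShell probes for the MTU problem Jay_Jay70 describes: it finds the largest ICMP payload that crosses the IPsec tunnel with Don't Fragment set, from which the usable path MTU follows. The DC address 192.168.1.10 and the bounds are assumptions; `ping.exe` and its `-f` / `-l` switches exist on every Windows version in the thread, so only the wrapper needs PowerShell.

```powershell
# Added example, not code from the original thread. Run on a remote-office workstation.
function Find-PathMtu {
    param(
        [string]$Target = '192.168.1.10',   # assumed: the domain controller across the VPN
        [int]$Low  = 1200,                  # payload assumed to always pass
        [int]$High = 1472                   # 1500-byte Ethernet MTU minus 20 (IPv4) minus 8 (ICMP)
    )
    # Binary search on the ICMP payload size. ping.exe -f sets Don't Fragment, -l is the payload
    # size, -n 1 sends one probe, -w 1000 waits at most a second. A probe that fits prints a
    # reply line containing "TTL="; one that does not prints "Packet needs to be fragmented but
    # DF set." (or times out), neither of which contains "TTL=".
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        $out = & ping.exe -n 1 -w 1000 -f -l $mid $Target 2>&1 | Out-String
        if ($out -match 'TTL=') { $Low = $mid } else { $High = $mid - 1 }
    }
    [pscustomobject]@{ Target = $Target; MaxPayload = $Low; PathMtu = $Low + 28 }
}

$result = Find-PathMtu
$result
if ($result.PathMtu -lt 1500) {
    "Path MTU to $($result.Target) is $($result.PathMtu): IPsec overhead is eating into the 1500-byte LAN MTU."
    "Either lower the client NIC MTU to $($result.PathMtu), or clamp TCP MSS on the routers"
    "(for example 'ip tcp adjust-mss 1360' on the Cisco tunnel interface; the value is illustrative) before retrying the join."
}
```

Domain joins and Kerberos/SMB traffic use large packets that a plain ping does not, which is why a site can resolve every name and still fail to join: the oversized packets are silently dropped inside the tunnel when fragmentation is not allowed or path MTU discovery is being filtered.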