Cannot join 2003 domain from XP Pro

whdev1 asked:

Hi, I have a machine running XP Pro, SP2 that I am trying to connect to a remote Windows Server 2003 (SP1).

Details:
I set up the client's DNS to point to the server's IP address.
The server is a domain controller (the only DC)
I can ping the server's IP from the client
I can ping the client's IP from the server

In the past I was able to connect to the same domain from a different machine (as a test) and it worked fine. So it seems like the server setting is not an issue; most likely it's how the client XP is configured.

How I attempt to do it:
Classic way - Computer Properties, join a domain, type the domain name. The domain name is set to abcd.local -- I typed it both ways on the client machine (abcd and abcd.local - neither worked).

Not sure what other details are needed...

Thank you so much for your help!
Rob Williams:

A couple of thoughts:
Make sure on the connecting XP machine that the TCP/IP properties are pointing to your internal DNS server, and only that DNS server, i.e. not the ISP, even as an alternate.
Also if there are multiple network adapters, or a wired and wireless, disable the un-necessary ones until you have joined the domain.
Agreed... it sounds like a DNS issue.

Can you ping by computer name from the server to the client and the client to the server?
whdev1 (asker):

Yes, I can ping both ways.
Currently the static IP of the ISP is the same as the server's IP. If what you're saying is true, why would I be able to connect to the domain from another computer?

There are no other ethernet cards, just that one, hence only one local area connection.
"Currently the static IP of the ISP is the same as the server's IP"

You should have another device between you and the ISP.  By allowing the server to get an IP from the ISP you are effectively making this server public.

Either use 2 NICs (one for the ISP, one for the LAN) or place a router between the server and the ISP's modem.  Either way, your server should have a private IP and be set as a static address.

whdev1 (asker):

Netman, sorry if I miscommunicated. Yes, of course there is a router. What I was saying is that the server's external (public) IP is the same as the router's. The router has port forwarding which allows me to open various ports such as http, pcAnywhere, etc. The server computer has an internal IP address of 10.0.1.38

Here's a bit more info on settings:
SERVER TCP/IP settings:
IP address: 10.0.1.38
subnet mask: 255.255.0.0
gateway: 10.0.0.1
DNS: primary 127.0.0.1, secondary is set to the DNS server provided to me by my ISP
NETBIOS setting is set to "Enable Netbios over TCP/IP"

REMOTE CLIENT SETTINGS:
IP: set to DHCP (tried also setting manually)
DNS: the public address of the server as primary, secondary is set to the DNS provided by the client ISP
NETBIOS setting is set to "Enable Netbios over TCP/IP"

Thanks again
Here's some food for thought:

If this computer belongs to a group with Group Policy enabled on the Primary DNS suffix of this computer, the string specified in Group Policy is used as the primary DNS suffix. The local setting is used only if Group Policy is disabled or unspecified. When the computer is joined to a domain that defines such a policy, you must restart the computer twice for the policy setting to take effect. After the computer is restarted the first time, the policy settings are copied to the computer from the domain. When the computer is restarted the second time, the policy settings take effect.
>>"DNS: primary 127.0.0.1, secondary is set to the DNS server provided to me by my ISP"
>>"DNS: the public address of the server as primary, secondary is set to the DNS provided by the client ISP"

As mentioned earlier this is wrong.
Server and workstation should only point to the server itself for DNS (internal IP) and the ISP's DNS should be added as a forwarder.
As Rob already stated, set the client's DNS to the INTERNAL nic of the server.  This then assumes that DNS is servicing the internal NIC - check this from DNSMGMT.msc (properties of the server).
Also, the binding order should have the internal NIC at the top.

You also want to remove the Gateway on the server's internal NIC.  

Have you setup RRAS or are you using ISA on this server?

whdev1 (asker):

Sorry if I ask for clarifications. I am not a network admin and I am really new to this.

So if I understood you correctly, the client should have the server's internal IP as its DNS server (10.0.1.38). So here's what I had in my earlier message. Would you mind telling me exactly what I need to change? Here's a bit more info on settings:
SERVER TCP/IP settings:
IP address: 10.0.1.38
subnet mask: 255.255.0.0
gateway: 10.0.0.1   *** you're saying get rid of this? ***
DNS: primary 127.0.0.1, secondary is set to the DNS server provided to me by my ISP   *** you're saying put 10.0.1.38 as primary ***
NETBIOS setting is set to "Enable Netbios over TCP/IP"

REMOTE CLIENT SETTINGS:
IP: set to DHCP (tried also setting manually)   *** leave as is? ***
DNS: the public address of the server as primary, secondary is set to the DNS provided by the client ISP
*** you're saying put 10.0.1.38 as primary ***
NETBIOS setting is set to "Enable Netbios over TCP/IP"


you're dealing with a total newbie here ;)
Let’s start fresh.

If by any chance you are running Small Business Server, ignore the following and please advise.
I am assuming you have completed the server installation, installed Active Directory and DNS.

If you have 1 network adapter see the following. I assume you have 2. If so skip to next section:
 Configure the server’s network adapter as follows:
 IP address 10.0.1.38
 Subnet mask 255.255.255.0
 Default gateway (router’s IP) 10.0.1.1  
    (must be in the same subnet as the adapter, i.e both 10.0.1.x, or change server IP to 10.0.0.38)
 Primary DNS 10.0.1.33
 Alternate DNS <empty>
Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or, if configured with static addresses: a static IP in the same subnet as the server (10.0.1.x), same subnet mask as the server (255.255.255.0), the gateway pointing to your router's LAN IP (10.0.0.1), Primary DNS the server's LAN IP (10.0.1.38), and the Alternate DNS empty. Again, do not put an ISP's DNS server here.

If 2 network adapters configure as follows:
 Server’s LAN/internal adapter connected to clients:
 IP address 10.0.1.38
 Subnet mask 255.255.255.0
 Default gateway <empty>  
 Primary DNS 10.0.1.33
 Alternate DNS empty

 Servers WAN/external adapter connected to the Internet
 IP address 10.0.0.2
 Subnet mask 255.255.255.0
 Default gateway (router’s IP) 10.0.0.1  
 Primary DNS <empty> or 10.0.1.33
 Alternate DNS <empty>
Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or, if configured with static addresses: a static IP in the same subnet as the server (10.0.1.x), same subnet mask as the server (255.255.255.0), the gateway pointing to your server's LAN IP (10.0.1.38), Primary DNS the server's LAN IP (10.0.1.38), and the alternate DNS empty. Again, do not put an ISP's DNS server here.

Following applies to both 1 and 2 network adapters:
-In the DNS management console under Administrative tools, right click on the server name and choose properties. On the Forwarders tab add your ISP's DNS servers
-If the workstations are using DHCP, open the DHCP management console on the server under Administrative tools and click on the server name to expand it, click on the scope to expand it, right click on scope options and choose configure options. On the general tab add the Internet router's IP in #003 router, the server's IP in #006 DNS Servers, and the domain name and suffix under #015 such as mydomain.local
-If DHCP is enabled on the router, rather than the server, it should really be disabled on the router and configured on the server. Enabling DHCP on the server assists with dynamic updates to DNS for older clients, allows for central management, and far more scope options.
-The DHCP client service should be running on servers and workstations even where you are not using DHCP assignments. The DHCP client service controls the dynamic DNS updates
 
If you have been having DNS problems, on the workstations that have been having problems you should clear the DNS cache by entering at a command line
  ipconfig /flushdns
and then
  ipconfig /registerdns
Sorry, I noticed a typo above; "Primary DNS 10.0.1.33" should read in each case "Primary DNS 10.0.1.38"
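The rules in the walk-through above (gateway inside the adapter's subnet, the DC pointing only at its own LAN IP for DNS, workstations pointing only at the DC, ISP resolvers kept for the Forwarders tab) can be checked mechanically. The following is an added example, not code from the thread: it encodes those rules for the single-NIC layout and runs them over the settings posted earlier. The ISP resolver, public IP and client addresses are constructed stand-ins; only static clients are checked.

```python
"""Check XP client / 2003 DC TCP/IP settings against the thread's DNS and gateway advice."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional


@dataclass
class NicConfig:
    """One adapter's TCP/IP settings, as typed into the Windows dialog."""
    ip: str
    mask: str
    gateway: Optional[str]                        # None means "<empty>"
    dns: List[str] = field(default_factory=list)  # primary first, then alternate


def check_server(srv: NicConfig) -> List[str]:
    """Problems with a single-NIC DC; an empty list means it follows the advice."""
    iface = IPv4Interface(f"{srv.ip}/{srv.mask}")
    problems = []
    if not iface.ip.is_private:
        problems.append("server IP is public; the DC must have a private LAN address")
    if srv.gateway is not None and IPv4Address(srv.gateway) not in iface.network:
        problems.append(f"gateway {srv.gateway} is not in the adapter's subnet {iface.network}")
    if not srv.dns or srv.dns[0] != srv.ip:
        problems.append(f"primary DNS should be the server's own LAN IP {srv.ip}")
    if len(srv.dns) > 1:
        problems.append("alternate DNS must be empty; add the ISP's DNS as a forwarder instead")
    return problems


def check_workstation(ws: NicConfig, srv: NicConfig, router_lan_ip: str) -> List[str]:
    """Problems with a statically configured XP client relative to the DC."""
    ws_if = IPv4Interface(f"{ws.ip}/{ws.mask}")
    srv_if = IPv4Interface(f"{srv.ip}/{srv.mask}")
    problems = []
    if ws_if.network != srv_if.network:
        problems.append(f"client subnet {ws_if.network} differs from the server's "
                        f"{srv_if.network}; a remote client needs a VPN to reach the LAN")
    elif ws.gateway != router_lan_ip:
        problems.append(f"gateway should be the router's LAN IP {router_lan_ip}")
    if ws.dns != [srv.ip]:
        problems.append(f"DNS must be exactly the server's LAN IP {srv.ip}, nothing else")
    return problems


# Constructed stand-ins (documentation ranges), not the real addresses.
ISP_DNS = "203.0.113.53"
SERVER_PUBLIC_IP = "198.51.100.7"
ROUTER_LAN_IP = "10.0.0.1"

# The settings as first posted: DC with loopback + ISP DNS, remote client on its own ISP.
ASKER_SERVER = NicConfig("10.0.1.38", "255.255.0.0", ROUTER_LAN_IP, ["127.0.0.1", ISP_DNS])
ASKER_REMOTE_CLIENT = NicConfig("192.168.1.20", "255.255.255.0", "192.168.1.1",
                                [SERVER_PUBLIC_IP, ISP_DNS])
# Walk-through values taken literally: a /24 mask with the router at 10.0.0.1 is not
# in the adapter's subnet (the note in the walk-through points this out).
WALKTHROUGH_SERVER = NicConfig("10.0.1.38", "255.255.255.0", ROUTER_LAN_IP, ["10.0.1.38"])
# Corrected layout keeping the original /16 mask so the gateway stays on-subnet.
FIXED_SERVER = NicConfig("10.0.1.38", "255.255.0.0", ROUTER_LAN_IP, ["10.0.1.38"])
FIXED_LAN_CLIENT = NicConfig("10.0.1.50", "255.255.0.0", ROUTER_LAN_IP, ["10.0.1.38"])


if __name__ == "__main__":
    for label, probs in [
        ("asker server", check_server(ASKER_SERVER)),
        ("asker remote client", check_workstation(ASKER_REMOTE_CLIENT, ASKER_SERVER, ROUTER_LAN_IP)),
        ("walk-through server", check_server(WALKTHROUGH_SERVER)),
        ("fixed server", check_server(FIXED_SERVER)),
        ("fixed LAN client", check_workstation(FIXED_LAN_CLIENT, FIXED_SERVER, ROUTER_LAN_IP)),
    ]:
        print(f"{label}: {probs or 'OK'}")
```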
whdev1 (asker):

Rob thank you for your detailed walk-through. I will try this today at night.

FYI, we are running Windows 2003 SBS as the server and client computers are all XP Pro
Don't know if that changes anything. I appreciate your response.
Very welcome.

>>"we are running Windows 2003 SBS "
Very important !!! The configuration above is still the same but the way you implement it is very different. Do not set any of the above manually. This may explain why your system is not working. SBS has many interrelated services, so it is absolutely necessary to use the wizards.

Set the server IP/s by going to:
Server management | Internet and E-mail | Change server IP address

The server needs to run DHCP. If it is enabled on the router, disable it there, and see the following regarding configuring it on an existing SBS:
http://www.microsoft.com/technet/prodtechnol/sbs/2003/plan/gsg/appx_c.mspx#EXG

Configure the networking components by going to:
Server management | Internet and E-mail | Connect to the Internet

You can run these wizards as often as you like, it will not harm to re-run and can often "fix things".

whdev1 (asker):

I see.
Ok, this will be a long and sleepless night for me trying this. Hopefully it will all work in the morning; will let you know. Thanks again
Good luck with it. I'm sure your first time it will take a while, but when you get used to the wizards, it will take about 15 minutes.
--Rob
whdev1 (asker):

RobWill, one more thing..

Some of the clients will need to be on the same domain from remote locations/other ISPs. By configuring clients' DNS with the server's local IP (e.g. 10.0.1.38), they will be able to join the domain. Won't they need to point to the public IP address so they can access it from a different ISP ?
Are they connecting with a VPN? I assume so if they need domain access.
If so, set them up pointing to your DNS server as well. They will still do DNS queries through your DNS server. I know this sounds like it would be slow but I doubt they will even notice. Keep in mind when you do any DNS query it is passed to one DNS server (the ISP) and then forwarded to another higher up and then a root server. Then the reply is sent back.
The catch is when the VPN is down, they are out of luck. The solution to this is to add a DNS server to the remote site, which replicates the DNS information. However, this is not always possible.
I'll let you run with this Rob - I'll monitor things if you need me.

I'll do my best, but don't go far :-)
You are the master Netman66 with Win configs.
--Rob
whdev1 (asker):

Rob, I haven't looked into VPN and if possible would like to avoid it simply because it's horribly slow from my experience. Do I absolutely have to have VPN enabled to do that?
I thought I could point DNS of the remote client to the public IP of the server. I did that once before and it worked, but worked only on one computer (my personal laptop).
Why do you want your remote PCs to be members of the domain ?
If they need access to resources you need a VPN. If not, they do not need to be members of the domain.
VPNs are not that slow; they are compared to a LAN connection, but anything accessed over the Internet is only very slightly slower due to encryption and decryption.
whdev1 (asker):

To make a long story short, we're installing SAP across all those client machines. SAP clients (as I was told) are slow over VPN, so we were recommended to go with the "domain" route. I honestly don't know much about the reasoning behind what they're saying..

The other reason is I thought that VPN requires your server to have two LAN connections on the server. We only have one.

Other than that, I would honestly prefer to have VPN since it's so much less messy.

Forgive me for being so offensively far from all IT and networking. Hopefully soon we will hire a dedicated IT support specialist. Netman66, I appreciate your help. I'm increasing points to 350.
We all have our fields of expertise. I'm not quite sure yet what mine is, but it's not SAP  :-)
I am not sure of what the requirements are for SAP. As a rule VPNs are a good, secure method for remote access to resources, but they are not the only option. Folks that say they are slow are usually referring to opening a document locally versus over a VPN. Hardware VPNs are usually more secure and offer slightly better performance, should you want to go that way, but there is nothing wrong with Windows' built-in VPN solutions.
For the record there is no need to have 2 network adapters, and although that is a quite acceptable solution, I almost never use 2.
I'm not going too far.  It gets a little noisy when too many people start throwing out ideas.

Rob's wise in stating we all have our own specialties - together we should be able to help.

A few things I've noted so far.

1)  You have SBS in a single NIC configuration - this can be problematic at best since there isn't a clear procedure (at least to me) in using the Wizard to configure your server's network.

2)  If you are running SAP from remote workstations, then you might want to look at another 2003 server to use as a Terminal Server and remote to that from the client to run SAP. This way the traffic stays on the local network and not through the router.  You still need a secure method of connecting to the office from the Internet and that's where a small, inexpensive box like a Netscreen or SonicWall VPN appliance is best used.  You sure can use the SBS box as a VPN endpoint, but you'll need another NIC and you should also install ISA (if you have SBS premium) or RRAS if not - and this method requires a hole in the edge protection to get to the endpoint.

Other than that, a single NIC on the SBS server needs a little TLC to get working properly without the wizard.  At all costs it needs to be a private address.  Any inbound allowed traffic should be port-forwarded if you have no other choice.

Keep up the great support Rob.

NM
whdev1 (asker):

Thank you both. Ok, sold on VPN.

I re-enabled "Routing and Remote Access" and chose the "Custom VPN" option since standard VPN would not start (it said it required 2 network cards). The server's router has both port 1723 and port 47 open and pointing to the server. Now I am trying to connect through VPN again; it's timing out on "Verifying username and password".. (using administrator's login and password)

Server is set to "Windows Authentication" (not RADIUS), "IP routing" and "IP-based remote access" are both enabled, multi-link connections and LCP are enabled.

Now there's a bunch of log files that I can look at under c:\windows\tracing (tapi32.log, RTM.log, router.log, rastapi.log, rasman.log, IpRoutermanager.log, KMDDSP.log); not sure what they all mean, but I can paste some of their log entries in response to my VPN connection attempt.
It's not Port 47, it's protocol 47 (or GRE).

Netman66, I have never had a problem configuring SBS with a single NIC using the wizard, even for VPN. However, I have to agree there are advantages to 2 NICs, such as more security/control, and it is the default SBS design.

whdev1, wizards, wizards, wizards  <G>
Always use the wizards with SBS. If you can't find one chances are you missed it, have another look <G>
To configure the VPN on SBS run the wizard located:
Server management | Internet and E-mail | Configure remote access
For the connecting client machines, if you want name resolution to work properly, you should also use the "Create Remote Connection Disk" option on the same page.
This will configure the VPN, routing, and Windows Firewall. If you have UPnP enabled on your router it will even configure that. However, there are security risks with UPnP, so I don't recommend that.
http://www.grc.com/unpnp/unpnp.htm

If you have a connection but cannot complete it is likely a GRE error. Do you get a 721 error? As Netman66 said "protocol 47". This is not done with forwarding, but rather with "PPTP (or VPN) pass through" option, or specific commands on commercial routers.
whdev1 (asker):

When I ran the configure remote access wizard, it asked for either VPN server name or IP address. I put the IP address in there.

Yes, it's Error 721. Have never seen pass through options on that router, will try to dig in.

*sigh*
What router do you have?
IP address is your WAN/external/public IP, or a registered domain name and server name such as VPN1.MyDomain.com. If you don't know the public IP you can find it by going to http://www.canyouseeme.org from the SBS. It will be displayed. While there test for port 1723, to verify the forwarding is correct. This will not test GRE.

What make and model is the router ? Perhaps we can help.
When configuring the forwarding, some routers, such as Netgear, allow you to forward a port, or a known service. If PPTP is one of the services forwarding it will also enable GRE. On those same routers forwarding port 1723 allows no way of enabling GRE, so you need to use the service.
:-)  you are faster than I ?
For the record whdev1, using a VPN router will give you better security and a little better performance. No chance your router has VPN capabilities is there ?
Adding ISA to your SBS, as Netman66 mentioned earlier,  is another option. Do you have premium version ?  Second network adapter is absolutely necessary for that.
whdev1 (asker):

I have the service running on 1723 so it looks fine. The router is a 2Wire HomePortal 1800HG; no VPN capabilities to my knowledge...

Port 1723 is pointing to the server machine. I think the server sees that the client is trying to connect because the log files in c:\windows\tracing are getting updated to the second.
Are you still getting the 721 error ?
I know a while back we verified at least one of the 2Wire units did not support GRE. Some do not. I couldn't find anything on this unit.
whdev1 (asker):

Yes sir, still 721. Tried a minute ago... This router is supposedly their best router (at least it was 2 years ago). Here's what I found: http://www.dsldepot.com/dslmodem.asp?modem=238

I can try to call their support and see what they say
Does the client have permissions to VPN in?  It's on the Properties of the account in AD.

You could try calling them but I find you seldom get an informed answer.
Below is a GRE test from an earlier post of mine, but there is no real need to do so; the 721 error pretty well guarantees that is the problem.

Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

The following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
whdev1 (asker):

I think we're getting somewhere now. So I found and downloaded both pptpclnt and pptpsrv and ran them. At first I sent the info to the server's public IP.

Connectivity test to TCP Port 1723 was successful!!!
Closing down socket...
=================================
Creating a socket to test GRE protocol traffic...
Total GRE packets sent = 1
Total GRE packets sent = 2
Total GRE packets sent = 3
Total GRE packets sent = 4
Total GRE packets sent = 5

The server however did not respond. So what I did next was run pptpclnt again, but this time against the server's LOCAL IP 10.0.1.38; after about 20-25 seconds (it took that long), the server responded. Here's the server's output:

E:\Docs\Install Apps\Misc>pptpsrv
Error 10048 binding Socket:
WSAEADDRINUSE: Address already in use
Created socket for GRE protocol test
Listening on PROTOCOL 47 for incoming GRE packets...
Total GRE packets received = 1
Total GRE packets received = 2
Total GRE packets received = 3
Total GRE packets received = 4
Total GRE packets received = 5
======================================
GRE protocol test was successful!
======================================
Closing socket
Goodbye!

The first line (socket error) was interesting.

So right after that I went back into my client's VPN connection and changed the server's IP to the local 10.0.1.38 address. This time I got a different error:

"Cannot retrieve protocol information. Error 668: The connection was terminated" (it happened right after the "Registering your computer on the network" appeared).
whdev1 (asker):

Not to celebrate this early, but I think I got this mofo working !
There were a few things I had to play with to get VPN connected. The main problem stemmed from the fact that the server is not set up to be the DHCP server; due to that, the server was simply not able to assign IP addresses to the clients. After much head-banging, I disabled DHCP in RRAS and assigned a pool of 10 addresses, 10.0.1.200 through 10.0.1.210, and the next time I attempted to connect from the client, it worked.

Another problem was incorrect authentication parameters. I have no clue what MSCHAP means, but common sense told me that they have to be identical on both ends.

It's pretty slow though and I still need to play around more with it to understand how it works. If any of you guys have suggestions on how to make it faster, I'd appreciate it.

Otherwise, I can give points to you and split it however you'd like.
ASKER CERTIFIED SOLUTION by Rob Williams (content available only to Experts Exchange members)

SOLUTION (content available only to Experts Exchange members)
whdev1 (asker):

The only caveat is I can connect from my personal laptop and ping the server by its internal IP (not by name), e.g. 10.0.1.200.
For some reason I cannot do the same from another PC, i.e. I can connect through VPN, but I cannot ping the server by name or by internal IP address.
I read somewhere that you have to open port 72 to enable name resolution inside VPN; still no luck.

So what would be your suggestion? To keep things as-is? Or to reconfigure by putting DHCP on the server? My worry with the latter is that sometimes I have to reboot the server and the entire office's internet may sink while it's rebooting.

Any suggestions on improving VPN's speed?

How would you like me to distribute points among you?
If you are using the MS DUN connectoid for VPN, there should be an option for "Use gateway on remote network".

This will make sure all queries go to your DNS server rather than the ISP's.
whdev1 (asker):

Well, thank you for your time and help. If you know anyone in Chicago looking for a network administrator or an IT job, please feel free to forward to me: simon@argotea.com

cheers!
Thanks whdev1.
Sorry, tied up the last few days.

As Netman66 stated you really should set up DHCP on the server, and with SBS it is actually necessary for some services to work properly.
RRAS on its own will actually work without it, by using APIPA addresses, but this comes with numerous limitations. Rebooting the server will not throw clients off the network because of DHCP. That would only happen if a lease were to be renewed at the exact time you rebooted the server. However, if the server is your only DNS server it will make them lose Internet access and likely most resources. In an SBS network, the entire network is usually pretty useless without it anyway.

As for connectivity and name resolution, you need to use the wizards to configure with SBS. Doing so should also configure proper routing and name resolution. The "configure remote access" wizard will not function properly without DHCP on the SBS.