Use W2K3 as LAN router

At our school we have a remote building linked by a wireless bridge. Performance was poor, so I added a local DC to serve this building. The wireless bridge requires that both ends be in the same subnet. Some things still get serviced from the main servers across the slow link occasionally. I need to separate the building into a separate subnet. I have installed a 2nd NIC in the server.  The NIC pointing at the bridge is and the one to the LAN is
The local DHCP allocates addresses in with default gateway as itself, From the server, I can ping the main site, and connect to the internet via the main site gateway. I can also connect to the local PCs.  I turned on RRAS and added gateway to the bridge interface, and gw to the LAN interface. The local PCs can see the local server, but not the main network. What am I doing wrong? The router just isn't routing! How do I break down the problem to test it? Are there test programs to run?
Who is Participating?
Henrik JohanssonConnect With a Mentor Systems engineerCommented:
I re-read question, and don't see why you nead server with 2NICs.

You already have the wireless bridge and separate subnets.
Add DC to remote site, but skip the extra NIC.
Configure the separate subnets as different sites by using dssite.msc and ensure that the DCs are located in correct AD-site. The clients in each site will automatically prefer their local DC.
Configure both DCs as GC (servername\NTDS-settings -> right-click -> Properties -> Global Catalog) by using dssite.msc
Henrik JohanssonSystems engineerCommented:
NIC with no gw
NIC with gw=<ip of other end of bridge> (
Client-LAN gw=

Multihomed DCs are a headache and should be avoided.
To avoid problems with authentication, do not use the bridge server as DC because the clients might try to reach the far interface instead of the nearest. It would be better to put the extra NIC in a second member server.
kmaynardAuthor Commented:
The scale of our operation makes that unrealistic unfortunately. I make the PCs in the remote location members of a group, and use that to apply GPOs to ensure the local DC is used to provide local services to restrict traffic across the slow link.  There's a DHCP server at the main site, and one with a disjoint set of addresses at the remote building.The only thing I can't seem to stop is that the DHCPs sometimes serve PCs on the wrong side of the link. That's why I wanted a separate subnet - unless there's another way of constraining which DHCP gets used? I really don't want to have to allocate IP addresses manually.
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

kmaynardAuthor Commented:
What about putting an old PC with 2 NICs in series with the wireless link? Set the IProutingenable (or whatever it is) registry key, then use IP filtering. Would this work?  If so, what protocol would need filtering out?
Rob WilliamsConnect With a Mentor Commented:
I am assuming your configuration is something like:

     Wireless Bridge
         2nd DC

Nothing wrong with your concept. I would agree with henjoh09's comment about multihomed DC's, in that they can be a little problematic, but that is not to say you can't make it work. The issue is mostly making sure DNS is working properly. For starters work with IP's, both pinging and connecting to sites such as Google http// to make sure DNS is not coming into play.

-One of the key issues I see is " with default gateway as itself". The 2nd DC's LAN NIC should have no gateway at all.
-Within RRAS you should only have to enable it and enable LAN routing, nothing else. Were the server knows the two adjoining subnets it should be able to automatically handle the routing.
-The other thing you are missing is the return route. On the router above should have a route added (based on above example):
route add mask
Alternatively rather than adding the static route on both the router and in RRAS you can enable RIP v2 dynamic routing.

-As for DHCP issues. On the second DC make sure DHCP is only bound to the LAN adapter [DHCP management console | right click on server and choose properties | advanced | bindings]
-Similarly I would do the same for DNS [DNS management console | right click on server and choose properties | Interfaces | only the following IP addresses -just the LAN IP]
-DHCP should be assigning the 2nd DC's LAN IP for DNS as the primary DNS server for client machines, and the 1st DC as the alternate/second DNS. It should also be handing out (per example) as their gateway address.

If having problems with DNS, Active Directory, or replication let us know as that can be addressed once pinging works.

kmaynardAuthor Commented:
Thanks for the suggestions. In fact, I am not going to be able to play with this stuff for some time, so I will split points. Hope that's OK. Note to other readers: I haven't actually proved this yet, but both suggestions are worthy.

Currently, the only problems arise if the wrong DHCP server awards an address. Our net is stable, so I have increased the lease to 90 days, and checked that any new clients get the right address when I add them. It seems that 'lease renew' is preferred to getting a new address, so most of the problem has gone away.

Replication, WSUS, Symantec slave AV server all working OK, so I'm inclined to leave well alone for now!
kmaynardAuthor Commented:
Thanks very much for your help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.