Solved

Use W2K3 as LAN router

Posted on 2008-10-07
7
809 Views
Last Modified: 2012-06-21
At our school we have a remote building linked by a wireless bridge. Performance was poor, so I added a local DC to serve this building. The wireless bridge requires that both ends be in the same subnet. Some things still get serviced from the main servers across the slow link occasionally. I need to separate the building into a separate subnet. I have installed a 2nd NIC in the server.  The NIC pointing at the bridge is 10.66.16.21/24 and the one to the LAN is 10.66.18.2/24.
The local DHCP allocates addresses in 10.66.18.0/24 with default gateway as itself, 10.66.18.2. From the server, I can ping the main site, and connect to the internet via the main site gateway. I can also connect to the local PCs.  I turned on RRAS and added 0.0.0.0/0 gateway 10.66.16.21 to the bridge interface, and 10.66.18.0/24 gw 10.66.18.2 to the LAN interface. The local PCs can see the local server, but not the main network. What am I doing wrong? The router just isn't routing! How do I break down the problem to test it? Are there test programs to run?
0
Comment
Question by:kmaynard
7 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22670426
NIC with 10.66.18.2: no gw
NIC with 10.66.16.21: gw=<ip of other end of bridge> (10.66.16.2?)
Client-LAN 10.66.18.0/24: gw=10.66.18.2

Multihomed DCs are a headache and should be avoided.
To avoid problems with authentication, do not use the bridge server as DC because the clients might try to reach the far interface instead of the nearest. It would be better to put the extra NIC in a second member server.
0
 

Author Comment

by:kmaynard
ID: 22676961
The scale of our operation makes that unrealistic unfortunately. I make the PCs in the remote location members of a group, and use that to apply GPOs to ensure the local DC is used to provide local services to restrict traffic across the slow link. There's a DHCP server at the main site, and one with a disjoint set of addresses at the remote building. The only thing I can't seem to stop is that the DHCPs sometimes serve PCs on the wrong side of the link. That's why I wanted a separate subnet - unless there's another way of constraining which DHCP gets used? I really don't want to have to allocate IP addresses manually.
0
 

Author Comment

by:kmaynard
ID: 22681797
What about putting an old PC with 2 NICs in series with the wireless link? Set the IProutingenable (or whatever it is) registry key, then use IP filtering. Would this work?  If so, what protocol would need filtering out?
0

 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 250 total points
ID: 22691907
I re-read the question, and don't see why you need a server with 2 NICs.

You already have the wireless bridge and separate subnets.
Add DC to remote site, but skip the extra NIC.
Configure the separate subnets as different sites by using dssite.msc and ensure that the DCs are located in the correct AD site. The clients in each site will automatically prefer their local DC.
Configure both DCs as GC (servername\NTDS-settings -> right-click -> Properties -> Global Catalog) by using dssite.msc
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 250 total points
ID: 22692039
I am assuming your configuration is something like:

        Internet
             ||
  Router(10.66.16.254)
             ||
     (10.66.16.253)
     Wireless Bridge
     (10.66.16.252)
             ||
     (10.66.16.100)
         2nd DC
     (10.66.18.100)
             ||
           PC's

Nothing wrong with your concept. I would agree with henjoh09's comment about multihomed DC's, in that they can be a little problematic, but that is not to say you can't make it work. The issue is mostly making sure DNS is working properly. For starters work with IP's, both pinging and connecting to sites such as Google http//64.233.187.99/ to make sure DNS is not coming into play.

-One of the key issues I see is "10.66.1.0/24 with default gateway as itself". The 2nd DC's LAN NIC should have no gateway at all.
-Within RRAS you should only have to enable it and enable LAN routing, nothing else. Where the server knows the two adjoining subnets it should be able to automatically handle the routing.
-The other thing you are missing is the return route. On the router 10.66.16.254 above should have a route added (based on above example):
route add 10.66.18.0 mask 255.255.255.0 10.66.16.100
Alternatively rather than adding the static route on both the router and in RRAS you can enable RIP v2 dynamic routing.

-As for DHCP issues. On the second DC make sure DHCP is only bound to the LAN adapter [DHCP management console | right click on server and choose properties | advanced | bindings]
-Similarly I would do the same for DNS [DNS management console | right click on server and choose properties | Interfaces | only the following IP addresses -just the LAN IP]
-DHCP should be assigning the 2nd DC's LAN IP for DNS as the primary DNS server for client machines, and the 1st DC as the alternate/second DNS. It should also be handing out 10.66.18.100 (per example) as their gateway address.

If having problems with DNS, Active Directory, or replication let us know as that can be addressed once pinging works.

--Rob
0
 

Author Comment

by:kmaynard
ID: 22745711
Thanks for the suggestions. In fact, I am not going to be able to play with this stuff for some time, so I will split points. Hope that's OK. Note to other readers: I haven't actually proved this yet, but both suggestions are worthy.

Currently, the only problems arise if the wrong DHCP server awards an address. Our net is stable, so I have increased the lease to 90 days, and checked that any new clients get the right address when I add them. It seems that 'lease renew' is preferred to getting a new address, so most of the problem has gone away.

Replication, WSUS, Symantec slave AV server all working OK, so I'm inclined to leave well alone for now!
0
 

Author Closing Comment

by:kmaynard
ID: 31504058
Thanks very much for your help.
0
