Solved

Use W2K3 as LAN router

Posted on 2008-10-07
7
764 Views
Last Modified: 2012-06-21
At our school we have a remote building linked by a wireless bridge. Performance was poor, so I added a local DC to serve this building. The wireless bridge requires that both ends be in the same subnet. Some things still get serviced from the main servers across the slow link occasionally. I need to separate the building into a separate subnet. I have installed a 2nd NIC in the server.  The NIC pointing at the bridge is 10.66.16.21/24 and the one to the LAN is 10.66.18.2/24.
The local DHCP allocates addresses in 10.66.18.0/24 with default gateway as itself, 10.66.18.2. From the server, I can ping the main site, and connect to the internet via the main site gateway. I can also connect to the local PCs.  I turned on RRAS and added 0.0.0.0/0 gateway 10.66.16.21 to the bridge interface, and 10.66.18.0/24 gw 10.66.18.2 to the LAN interface. The local PCs can see the local server, but not the main network. What am I doing wrong? The router just isn't routing! How do I break down the problem to test it? Are there test programs to run?
0
Comment
Question by:kmaynard
  • 4
  • 2
7 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22670426
NIC with 10.66.18.2: no gw
NIC with 10.66.16.21: gw=<ip of other end of bridge> (10.66.16.2?)
Client-LAN 10.66.18.0/24: gw=10.66.18.2

Multihomed DCs are a headache and should be avoided.
To avoid problems with authentication, do not use the bridge server as DC because the clients might try to reach the far interface instead of the nearest. It would be better to put the extra NIC in a second member server.
0
 

Author Comment

by:kmaynard
ID: 22676961
The scale of our operation makes that unrealistic unfortunately. I make the PCs in the remote location members of a group, and use that to apply GPOs to ensure the local DC is used to provide local services to restrict traffic across the slow link.  There's a DHCP server at the main site, and one with a disjoint set of addresses at the remote building.The only thing I can't seem to stop is that the DHCPs sometimes serve PCs on the wrong side of the link. That's why I wanted a separate subnet - unless there's another way of constraining which DHCP gets used? I really don't want to have to allocate IP addresses manually.
0
 

Author Comment

by:kmaynard
ID: 22681797
What about putting an old PC with 2 NICs in series with the wireless link? Set the IProutingenable (or whatever it is) registry key, then use IP filtering. Would this work?  If so, what protocol would need filtering out?
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 250 total points
ID: 22691907
I re-read question, and don't see why you nead server with 2NICs.

You already have the wireless bridge and separate subnets.
Add DC to remote site, but skip the extra NIC.
Configure the separate subnets as different sites by using dssite.msc and ensure that the DCs are located in correct AD-site. The clients in each site will automatically prefer their local DC.
Configure both DCs as GC (servername\NTDS-settings -> right-click -> Properties -> Global Catalog) by using dssite.msc
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 250 total points
ID: 22692039
I am assuming your configuration is something like:

        Internet
             ||
  Router(10.66.16.254)
             ||
     (10.66.16.253)
     Wireless Bridge
     (10.66.16.252)
             ||
     (10.66.16.100)
         2nd DC
     (10.66.18.100)
             ||
           PC's

Nothing wrong with your concept. I would agree with henjoh09's comment about multihomed DC's, in that they can be a little problematic, but that is not to say you can't make it work. The issue is mostly making sure DNS is working properly. For starters work with IP's, both pinging and connecting to sites such as Google http//64.233.187.99/ to make sure DNS is not coming into play.

-One of the key issues I see is "10.66.1.0/24 with default gateway as itself". The 2nd DC's LAN NIC should have no gateway at all.
-Within RRAS you should only have to enable it and enable LAN routing, nothing else. Were the server knows the two adjoining subnets it should be able to automatically handle the routing.
-The other thing you are missing is the return route. On the router 10.66.16.254 above should have a route added (based on above example):
route add 10.66.18.0 mask 255.255.255.0 10.66.16.100
Alternatively rather than adding the static route on both the router and in RRAS you can enable RIP v2 dynamic routing.

-As for DHCP issues. On the second DC make sure DHCP is only bound to the LAN adapter [DHCP management console | right click on server and choose properties | advanced | bindings]
-Similarly I would do the same for DNS [DNS management console | right click on server and choose properties | Interfaces | only the following IP addresses -just the LAN IP]
-DHCP should be assigning the 2nd DC's LAN IP for DNS as the primary DNS server for client machines, and the 1st DC as the alternate/second DNS. It should also be handing out 10.66.18.100 (per example) as their gateway address.

If having problems with DNS, Active Directory, or replication let us know as that can be addressed once pinging works.

--Rob
0
 

Author Comment

by:kmaynard
ID: 22745711
Thanks for the suggestions. In fact, I am not going to be able to play with this stuff for some time, so I will split points. Hope that's OK. Note to other readers: I haven't actually proved this yet, but both suggestions are worthy.

Currently, the only problems arise if the wrong DHCP server awards an address. Our net is stable, so I have increased the lease to 90 days, and checked that any new clients get the right address when I add them. It seems that 'lease renew' is preferred to getting a new address, so most of the problem has gone away.

Replication, WSUS, Symantec slave AV server all working OK, so I'm inclined to leave well alone for now!
0
 

Author Closing Comment

by:kmaynard
ID: 31504058
Thanks very much for your help.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Enterprise networks where VoIP phones have been deployed frequently use port configurations that allow both a computer and an IP phone to be plugged into the same switch port but use different VLANs. On Cisco equipment I'm referring to the "native V…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now