Solved

My remote network clients cannot access a domain controller behind a Netgear dual-WAN router

Posted on 2009-02-22
1,768 Views
Last Modified: 2012-05-06
I have a W2K3 server behind a Netgear dual-WAN router. The server was once on a Verizon static DSL connection and it worked perfectly. (Yes, we are running a domain on a public namespace. I know, I know, but it worked for our needs. Again, this was working before we changed ISP; the new ISP uses the Netgear router, and this is a bonded DSL setup.) After we made the switch to the Netgear, the server now has a static public IP address on the NAT subnet. We changed ISP, so our IP address is different, and all ports are forwarded to the server IP.

Now my remote computers cannot see the domain at all. They log on from cache but receive no group policy, no AD, nothing. I noticed in my DNS, which is also hosted on this server, that the host A record for the server is pointing to the NAT IP address and not my "outside" IP address, but I cannot seem to change it. Any ideas that will make my domain available again? I am unsure whether this is a DNS issue, something with RPC, or MSDCS. I'm at wits' end with this problem. Any help would be great!
Question by:jesseja
15 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23709460

Can you show us a diagram of how clients connect to the server and which IP addresses are assigned where?

Are clients supposed to access the Domain Controller on its NATed address? And which address do you have registered for both "server.yourdomain.com" and "yourdomain.com"? NSLookup will do to test the latter.

Chris
 
LVL 4

Expert Comment

by:mgpremkumar
ID: 23710221
I believe that previously, when you had Verizon, there was no NAT being used, and hence your DC had a public IP address, and so did the host A record for the domain controller; thus everything was working fine.

First of all, a domain controller behind NAT is not recommended, and NAT breaks Kerberos. Also, you have mentioned:

"I noticed in my DNS, which is also hosted on this server, that the host A record for the server is pointing to the NAT IP address and not my "outside" IP address, but I cannot seem to change it."

This is another issue that you will run into. The reason you are seeing this is that the records for a domain controller are registered by the Netlogon service, and all the records would be registered using the IP addresses configured locally on the domain controller. Check the netlogon.dns file.

If you still need to get this working, bring up another DNS server which would map the records of the DC to the public IP address.
 
LVL 9

Expert Comment

by:Press2Esc
ID: 23710644
You have multiple (public) static IPs? What are the make/model of the DSL and Netgear routers?
 
LVL 3

Author Comment

by:jesseja
ID: 23711813
OK, everyone, thanks for the info. I will try to respond to everyone's questions:

Chris,

Each remote computer is on its own DSL connection and router, so the IPs of those remote computers are assigned by the DHCP in its router and not by the DC. I have 8 remote clients and they are all at different locations; they were simply joined to the domain like you would join on a local network. Setup was very simple, and it worked reliably.

The clients are to look to the .com, which is looking to the IP assigned to the NAT. Since the DC is behind the NAT, we forwarded all ports to the DC NAT address (which is now the DC public address) in an attempt to make the NAT transparent.

When I do nslookup for server.mydomain.com I get the NAT address 192.168.1.2 (I assume this to be the problem). mydomain.com resolves fine, as there is a web server running on this server that works fine.

mgpremkumar,

You are correct: when it was set up before, the public IP was the statically assigned address from Verizon. There was no NAT.

I would prefer not to use the NAT device, but I run 2 DSL connections that get aggregated to give better upload bandwidth, which I need, at a price the company can afford. A T1 would be great, but there is no room in the technology budget for it. I was assured by my ISP that this setup would work.

I had a hunch that a separate DNS would be the answer, but I am unsure how to accomplish that. Can I run another DNS server on the same box?

And finally...

Press2Esc:

I have 3 static IPs; two get used by the 2 DSL modems I have needed to establish my connection, the third is unused at the moment.

The router is a Netgear ProSafe FVS124G, and the DSL modems are Zhone model 1611-A2-200 ADSL2+ bridge/routers.

They are in bridge mode.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23711874

I guess it would do no good to attempt to get you to move away from that setup? ;)

Disable Dynamic Updates (on the Forward Lookup Zone) and manually maintain the records within the Forward Lookup Zone for the domain.

The server itself might get a bit upset about that, because it will prefer to be able to see itself on the correct IP; I suggest you add the internal address to the Hosts file to counteract that, e.g.

192.168.1.2  yourserver
192.168.1.2  yourserver.yourdomain.com
192.168.1.2  yourdomain.com

You only have a single DC I take it?

Chris
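The two points raised above (mgpremkumar: Netlogon registers the DC's records with its locally configured, NAT-side address, see netlogon.dns; Chris: disable dynamic updates and hand-maintain the zone) can be turned into a check. The following is an added example, not code from anyone in this thread. It parses zone lines in the format Netlogon writes to %SystemRoot%\System32\config\netlogon.dns, flags every A and SRV record that a remote client could never use because it resolves to an RFC 1918 address, and produces the hand-maintained copy of the records with the public address substituted. The record set, the hostnames and the address 203.0.113.10 (a documentation-range stand-in for the real public IP) are constructed for the example.

```python
"""Check which addresses a DC's Netlogon-registered DNS records advertise.

Added example (not code from the thread). Parses netlogon.dns-style lines,
flags records that resolve to an RFC 1918 (NAT-side) address, and rewrites
the A records to the public address for a hand-maintained zone.
"""
import ipaddress

# Constructed sample. mydomain.com, server and 192.168.1.2 follow the thread;
# the record set is an abbreviated, hypothetical netlogon.dns.
SAMPLE_NETLOGON_DNS = """\
mydomain.com. 600 IN A 192.168.1.2
server.mydomain.com. 600 IN A 192.168.1.2
gc._msdcs.mydomain.com. 600 IN A 192.168.1.2
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 server.mydomain.com.
_kerberos._tcp.mydomain.com. 600 IN SRV 0 100 88 server.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com. 600 IN SRV 0 100 389 server.mydomain.com.
_gc._tcp.mydomain.com. 600 IN SRV 0 100 3268 server.mydomain.com.
"""

# Explicit RFC 1918 ranges; ipaddress.is_private also covers documentation
# and other special-purpose ranges, which is not what we want to flag here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for an IPv4 address inside one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_records(text):
    """Return (owner, rtype, rdata_fields) for each '<owner> <ttl> IN <type> <rdata>' line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line, comment, or a shape we do not handle
        owner, rtype, rdata = parts[0], parts[3], parts[4:]
        records.append((owner.rstrip(".").lower(), rtype, rdata))
    return records


def find_unreachable(records):
    """Records a remote client cannot use: A records carrying an RFC 1918 address,
    and SRV records whose target host (resolved within this record set) has only
    RFC 1918 addresses. Each finding is (owner, rtype, target_host, address)."""
    hosts = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            hosts.setdefault(owner, []).append(rdata[0])
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "A" and is_rfc1918(rdata[0]):
            findings.append((owner, "A", owner, rdata[0]))
        elif rtype == "SRV":
            target = rdata[3].rstrip(".").lower()  # SRV rdata: priority weight port target
            addrs = hosts.get(target, [])
            if addrs and all(is_rfc1918(a) for a in addrs):
                findings.append((owner, "SRV", target, addrs[0]))
    return findings


def rewrite_addresses(text, mapping):
    """Return the zone text with A-record addresses replaced per `mapping`
    (NAT address -> public address). SRV lines are left alone: they name a
    host, not an address, so they are correct once the host's A record is."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2:4] == ["IN", "A"] and parts[4] in mapping:
            parts[4] = mapping[parts[4]]
            line = " ".join(parts)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = parse_records(SAMPLE_NETLOGON_DNS)
    for owner, rtype, target, addr in find_unreachable(recs):
        print(f"{rtype:3} {owner} -> {target} = {addr} (RFC 1918, unreachable from outside)")
    # 203.0.113.10 stands in for the real public address (documentation range).
    print(rewrite_addresses(SAMPLE_NETLOGON_DNS, {"192.168.1.2": "203.0.113.10"}))
```

On the sample every record is flagged, which is the symptom the question describes: the A records carry the NAT address, and every _ldap, _kerberos and _gc SRV record points at a host that only resolves to it. The rewritten text is what you would hold in the zone by hand once dynamic updates are off; it has to be revisited whenever the DC's records change, and the DC itself still needs the Hosts entries above so that it resolves its own name to the internal address. From a remote client, `nslookup -type=SRV _ldap._tcp.dc._msdcs.mydomain.com` followed by an A lookup of the returned target shows whether the public address is now being served.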
 
LVL 3

Author Comment

by:jesseja
ID: 23712267
Well, I have a second server that I wanted to put up at a different location as a BDC, but with the domain inaccessible I was unable to join it.

I would love to get something else, but the guy who pays the bills says no.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23712552

Have you considered Routing and Remote Access? A site-to-site VPN for the DCs, and dial-in (VPN Client) for connecting clients? Or is it not your choice?

I wouldn't choose to run Routing and Remote Access on a DC myself, but I consider it far less evil than trying to get AD to work over a public network / over NAT. I have serious concerns about the security of your network.

The cost of supporting this kind of configuration (with multiple DCs) in the long run far exceeds the cost of a box to act as a VPN gateway in my opinion.

Chris
 
LVL 3

Author Comment

by:jesseja
ID: 23713030
I know this is a dreaded thing in the IT world, but I have yet to hear a good reason as to why it is so bad; we have run a configuration like this for years with no trouble at all. We ran into major issues with VPN. This server is used to transfer sales information from 8 retail locations back to our corporate headquarters; when we tried to use VPN, it created all sorts of gateway issues with our credit card processing system. So a publicly accessible domain seemed to do the trick. The servers we already own, the connections are there; I just need to get everything talking again :)
 
LVL 3

Expert Comment

by:MiamiCo
ID: 23713252
Try: tracert [domain_ip] ... and you will see where it loops, stops, etc., so you can see at which point the problem is.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 23713552

I'm sorry, but I want no further part in the set-up for this. In all honesty I find this combination extremely worrying and don't want to be seen to advocate it:

> we have run a configuration like this for years with no trouble at all
> This server is used to transfer sales information from 8 retail locations back to our corp headquarters
> credit card processing system

The advice I will leave is that you secure this with site to site (or client to site) VPN tunnels and work out the problems with the credit card processing system.

I hope you manage to get it sorted out.

Chris
 
LVL 3

Author Comment

by:jesseja
ID: 23714115
Well Chris, thank you. I understand your concerns; rest assured that no sensitive data passes over the network, just our internal numbers that would not mean anything to anyone. Customer information is kept securely at the store level; it's just our inventory and things like that. I will take your advice, though, and look further into VPN. BUT WHY IS THIS SO WRONG !!!!??? ANYONE?
 
LVL 4

Expert Comment

by:mgpremkumar
ID: 23714468
Setting up DNS on the same machine is not possible; you will need to set up DNS on another machine, and this machine should be on the internet and not behind the NAT device. Once DNS is installed on the new machine, create a secondary zone so that you transfer all the records from the current DNS server, then convert the zone to primary, modify the IP addresses as required, and then put it on the internet.

As Chris mentioned, you are on your own, as this is not at all a recommended solution. Wish you all the best.
 
LVL 3

Author Comment

by:jesseja
ID: 23714771
OK guys, recommend me a solution; I really need something to work. Does VPN perform the same way as being joined to the domain? Can you configure VPN without network address translation?
 
LVL 71

Accepted Solution

by:Chris Dent (earned 2000 total points)
ID: 23715308

> BUT WHY IS THIS SO WRONG !!!!??? ANYONE?

For the same reason that we need to perform backups. You never miss it until you need it, and then it's far too late. Absence of security, or absence of backups represent an unnecessary risk.

On the network security side we are taught to trust no one. Sometimes we have to learn that the hard way, but it all becomes clear after you've seen a few systems compromised.

With this configuration you are, by implication, trusting every person who might be able to access your network traffic between the store and your HQ. That's before you even start on those capable of pretending to be someone else purely to gain access to your network.

Because of the above, you do have to remember that in addition to your inventory data you're potentially passing authentication (user names and passwords) and any other data associated with your AD domain.

> Does VPN perform the same way as being joined to the domain?

Not quite the right layer.

A VPN tunnel will act as if you had a direct network connection between the networks.

For a site-to-site VPN that normally means you have private IP addresses routing down the VPN tunnel. That can be a fully (privately) routed address space, meaning these issues with providing public IPs to clients go away.

The same applies to clients connecting. They're given an IP address on a private network range that is allowed to chat to your internal network.

> Can you configure VPN without network address translation?

Yes, that's how it would normally be set up, in that the tunnel itself would be invisible; clients would just see it as a direct connection between the sites (you'll see that if you run a tracert down the connection).

What do you have acting as a Firewall at the moment? Most modern firewalls are capable of establishing VPN tunnels on some level. As an example, the router / firewall I have under my TV for this connection is and that's sold as a home / very small business ADSL router.

Chris
 
LVL 3

Author Closing Comment

by:jesseja
ID: 31549930
Thanks Chris, We are looking into VPN.
