My remote network clients cannot access domain controller behind netgear dual wan router

I have a W2K3 server behind a Netgear dual-WAN router. The server was once on a Verizon static DSL connection and it worked perfectly (yes, we are running a domain on a public namespace; I know, I know, but it worked for our needs. Again, this was working before we changed ISP; the new ISP uses the Netgear router, and this is a bonded DSL setup). After we made the switch to the Netgear, the server now has a static public IP address on the NAT subnet. We changed ISP, so our IP address is different, and all ports are forwarded to the server IP. Now my remote computers cannot see the domain at all: they log on from cache but receive no Group Policy, no AD, nothing. I noticed in my DNS, which is also hosted on this server, that the host A record for the server is pointing to the NAT IP address and not my "outside" IP address, but I cannot seem to change it. Any ideas that will make my domain available again? I am unsure if this is a DNS issue or something with RPC or _msdcs. I'm at wits' end with this problem. Any help would be great!
Chris Dent:

Can you show us a diagram of how clients connect to the server and which IP addresses are assigned where?

Are clients supposed to access the Domain Controller on its NATed address? And which address do you have registered for both "server.yourdomain.com" and "yourdomain.com"? NSLookup will do to test the latter.

Chris
mgpremkumar:

I believe that previously, when you had Verizon, there was no NAT being used, and hence your DC had a public IP address, and so did the host A record for the domain controller, and thus everything was working fine.

First of all, a domain controller behind NAT is not recommended, and NAT breaks Kerberos. Also, you have mentioned:

"I noticed in my DNS, which is also hosted on this server, that the host A record for the server is pointing to the NAT IP address and not my "outside" IP address, but I cannot seem to change it."

This is another issue that you will run into. The reason you are seeing this is that the records for a domain controller are registered by the Netlogon service, and all the records are registered using the IP addresses configured locally on the domain controller. Check the netlogon.dns file.

If you still need to get this working, bring up another DNS server which would map the records of the DC to the public IP address.
Press2Esc:

You have multiple (public) static IPs? What are the make/model of the DSL & Netgear routers?
jesseja (asker):

OK, everyone, thanks for the info. I will try to respond to everyone's questions:

Chris,

Each remote computer is on its own DSL connection and router, so the IPs of those remote computers are assigned by the DHCP in its router and not the DC. I have 8 remote clients and they are all at different locations; they were simply joined to the domain like you would join on a local network. Setup was very simple, and it worked reliably.

The clients are to look to the .com, which is looking to the IP assigned to the NAT, since the DC is behind the NAT. We forwarded all ports to the DC NAT address (which is now the DC public address) in an attempt to make the NAT transparent.

When I do nslookup for server.mydomain.com I get the NAT address 192.168.1.2 (I assume this to be the problem). mydomain.com resolves fine, as there is a web server running on this server that works fine.

mgpremkumar,

You are correct; when it was set up before, the public IP was the statically assigned address from Verizon. There was no NAT.

I would prefer not to use the NAT device, but I run 2 DSL connections that get aggregated to give better upload bandwidth, which I need, at a price the company can afford. A T1 would be great, but there is no room in the technology budget for it. I was assured by my ISP that this setup would work.

I had a hunch that a separate DNS would be the answer, but I am unsure how to accomplish that. Can I run another DNS server on the same box?

And finally...

Press2Esc:

I have 3 static IPs; two get used by the 2 DSL modems I have needed to establish my connection, and the third is unused at the moment.

The router is a Netgear ProSafe FVS124G, and the DSL modems are Zhone model 1611-A2-200 ADSL2+ bridge/routers.

They are in bridge mode.

Chris Dent:

I guess it would do no good to attempt to get you to move away from that setup? ;)

Disable Dynamic Updates (on the Forward Lookup Zone) and manually maintain the records within the Forward Lookup Zone for the domain.

The server itself might get a bit upset about that, because it will prefer to be able to see itself on the correct IP. I suggest you add the internal address into the Hosts file to counteract that, e.g.:

192.168.1.2  yourserver
192.168.1.2  yourserver.yourdomain.com
192.168.1.2  yourdomain.com

You only have a single DC I take it?

Chris
jesseja (asker):

Well, I have a second server that I wanted to put up at a different location as a BDC, but with the domain inaccessible I was unable to join it.

I would love to get something else, but the guy who pays the bills says no.

Chris Dent:

Have you considered Routing and Remote Access? A site-to-site VPN for the DCs, and dial-in (VPN client) for connecting clients? Or is it not your choice?

I wouldn't choose to run Routing and Remote Access on a DC myself, but I consider it far less evil than trying to get AD to work over a public network / over NAT. I have serious concerns about the security of your network.

The cost of supporting this kind of configuration (with multiple DCs) in the long run far exceeds the cost of a box to act as a VPN gateway, in my opinion.

Chris
jesseja (asker):

I know this is a dreaded thing in the IT world, but I have yet to hear a good reason as to why it is so bad; we have run a configuration like this for years with no trouble at all. We ran into major issues with VPN. This server is used to transfer sales information from 8 retail locations back to our corporate headquarters; when we tried to use VPN it created all sorts of gateway issues with our credit card processing system, so a publicly accessible domain seemed to do the trick. The servers we already own, the connections are there; I just need to get everything talking again :)
Member_2_3586344:

Try: tracert [domain_ip] ... and you will see where it loops, stops, etc. So you can see where the problem is (at which point).

Chris Dent:

I'm sorry, but I want no further part in the setup for this. In all honesty I find this combination extremely worrying and don't want to be seen to advocate it:

> we have run a configuration like this for years with no trouble at all
> This server is used to transfer sales information from 8 retail locations back to our corp headquarters
> credit card processing system

The advice I will leave is that you secure this with site to site (or client to site) VPN tunnels and work out the problems with the credit card processing system.

I hope you manage to get it sorted out.

Chris
jesseja (asker):

Well, Chris, thank you. I understand your concerns; rest assured that no sensitive data passes over the network, just our internal numbers that would not mean anything to anyone. Customer information is kept securely at the store level; it's just our inventory and things like that. I will take your advice, though, and look further into VPN. BUT WHY IS THIS SO WRONG!!!??? ANYONE?
Setting up a second DNS server on the same machine is not possible; you will need to set up DNS on another machine, and this machine should be on the internet and not behind the NAT device. Once DNS is installed on the new machine, create a secondary zone so that you transfer all the records from the current DNS server, then convert the zone to primary, modify the IP addresses as required, and then put it on the internet.

As Chris mentioned, you are on your own, as this is not at all a recommended solution. Wish you all the best.
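As an added example, not code from the thread or from any of the posters: a small Python script that parses a netlogon.dns file of the layout Windows Server 2003 writes (owner, TTL, IN, type, rdata, one record per line) and produces the records a separate, public-facing primary zone would carry once the NAT address is swapped for the public one. That is the "modify the IP addresses as required" step in the post above, and it also shows the Netlogon registration behaviour mgpremkumar describes earlier (every A record the service writes carries the DC's locally configured address). The zone name mydomain.com, the host name server.mydomain.com, the NAT address 192.168.1.2 from the question and the public address 203.0.113.10 are assumptions, and the sample file contents are constructed. The script also lists the ports the SRV records advertise, since those are exactly the services such a zone tells every client on the internet to connect to.

```python
"""Rewrite the address-bearing records of a netlogon.dns file for a
public-facing zone.

Added example; not code from the original thread. Assumes the
Windows Server 2003 netlogon.dns layout (one record per line:
owner TTL IN TYPE rdata) and that the A records Netlogon registers
carry the DC's private NAT address.
"""
import re

# Constructed sample of a netlogon.dns file. Names and addresses are
# assumptions; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_NETLOGON_DNS = """\
; The DC's own host record (server.mydomain.com) is registered by the
; DNS Client service, not by Netlogon, so it does not appear here.
mydomain.com. 600 IN A 192.168.1.2
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 server.mydomain.com.
_kerberos._tcp.mydomain.com. 600 IN SRV 0 100 88 server.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com. 600 IN SRV 0 100 389 server.mydomain.com.
gc._msdcs.mydomain.com. 600 IN A 192.168.1.2
_gc._tcp.mydomain.com. 600 IN SRV 0 100 3268 server.mydomain.com.
"""

# owner  ttl  IN  type  rdata   (only A and SRV occur in netlogon.dns)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|SRV)\s+(.+)$")


def parse_netlogon_dns(text):
    """Return a list of (owner, ttl, rtype, rdata) tuples.

    Blank lines and ';' comments are skipped; any other unparseable
    line is an error rather than silently dropped, so a zone built from
    the output is never missing a record the file actually contained.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("unrecognised netlogon.dns line: %r" % line)
        owner, ttl, rtype, rdata = m.groups()
        records.append((owner, int(ttl), rtype, rdata))
    return records


def rewrite_addresses(records, address_map):
    """Replace A-record addresses listed in address_map.

    SRV records are left alone: they point at a host name, and it is that
    host's own A record (not in this file) that carries the address.
    """
    out = []
    for owner, ttl, rtype, rdata in records:
        if rtype == "A" and rdata in address_map:
            rdata = address_map[rdata]
        out.append((owner, ttl, rtype, rdata))
    return out


def format_zone(records):
    """Render records back into the one-record-per-line zone layout."""
    return "\n".join("%s %d IN %s %s" % r for r in records) + "\n"


def public_view(text, nat_address, public_address):
    """Parse, rewrite NAT -> public, and report how many records changed."""
    records = parse_netlogon_dns(text)
    rewritten = rewrite_addresses(records, {nat_address: public_address})
    changed = sum(1 for a, b in zip(records, rewritten) if a != b)
    return rewritten, changed


def srv_ports(records):
    """Sorted set of ports the SRV records advertise.

    With a public-facing zone, each of these is a service every client
    on the internet is directed to, so each one must be forwarded through
    the NAT device and is exposed to everyone else as well.
    """
    ports = set()
    for _owner, _ttl, rtype, rdata in records:
        if rtype == "SRV":
            _priority, _weight, port, _target = rdata.split()
            ports.add(int(port))
    return sorted(ports)


if __name__ == "__main__":
    recs, n = public_view(SAMPLE_NETLOGON_DNS, "192.168.1.2", "203.0.113.10")
    print(format_zone(recs))
    print("records rewritten:", n)
    print("ports advertised by SRV records:", srv_ports(recs))
```

To run it against a real file, read it from the DC (on Windows Server 2003 it normally lives under %SystemRoot%\System32\config\netlogon.dns) and pass the text to `public_view` with the real NAT and public addresses; the DC's own host A record still has to be added to the public zone by hand, because Netlogon never writes it. The SRV port list (LDAP 389, Kerberos 88 and global catalog 3268 in the sample) is the concrete form of the exposure Chris warns about: a public-namespace zone hands every internet client the DC's directory and authentication ports.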
jesseja (asker):

OK guys, recommend me a solution; I really need something to work. Does VPN perform the same way as being joined to the domain? Can you configure VPN without network address translation?
ASKER CERTIFIED SOLUTION (Chris Dent)
jesseja (asker):

Thanks Chris, We are looking into VPN.