Odd issues with XP on a VPN

I was having issues logging onto the domain from a remote machine via VPN, so I opened up port 139 on the DC side and I could logon to the domain.

Now when I try to add a domain account to the local admin group, the domain is not an option, and when I try to remotely add the name I get an access denied error.

What is preventing this? And are there any other ports other than 139 I should have open on either end?
Nathaniel_ScrivNET asked:
Rob Williams commented:
You will need all File and Print Sharing ports:
TCP 139 & 445
UDP 137 & 138
As well as DNS:
TCP 53
However, where is the firewall? As a rule all ports are open with a VPN. Make sure none of the above are open to the Internet.
Rob Williams commented:
If joining a PC to the domain it must also be configured to ONLY point to your internal DNS server's IP for DNS, and the domain suffix added to the advanced TCP/IP properties of the virtual adapter's DNS tab.
Nathaniel_ScrivNET (author) commented:
The setup is (at both locations) a modem and a Netgear Prosafe. The Prosafe blocks all incoming by default.
Nathaniel_ScrivNET (author) commented:
So...I look at the router and see: Thu, 2009-05-28 10:36:45 - UDP packet - Source: 192.168.1.2 - Destination: 192.168.254.2 - [Service access request successful Src 137 Dst 137 from WAN] That is my attempt to log onto the domain, but I get an error that says the domain is not available.

So all ports are open as you said...but no logon?
Nathaniel_ScrivNET (author) commented:
I enabled slow link on the GPO, and I can login to the domain, but the machine now says it has lost the trust relationship with the domain. I have removed and added the machine to the domain multiple times.
Rob Williams commented:
So the VPN is an IPSec VPN between two Netgear routers? If so there are no ports that you need to open on the router. However, is the VPN configuration between the two IPs 192.168.1.2 - 192.168.254.2 or the two subnets 192.168.1.0 - 192.168.254.0? It should be the latter or you will not be able to contact the other devices at the remote site such as the server.
Nathaniel_ScrivNET (author) commented:
I can contact the remote machines. I can ping them, I can put the machine on the domain, I can login to the domain, I can browse the shares, but I cannot add domain users to the local computer group accounts.

I get the error "it has lost the trust relationship with the domain".
Rob Williams commented:
If the trust is actually lost you will need to remove the PC from the domain, delete the computer account on the server, rename the PC, and rejoin the domain. Please advise if the server is Small Business Server.

However it is possible it may just not be able to access the server. The routers will not block any ports between the two sites when using a VPN, however if there is a software firewall enabled on the server or PC it can block the traffic. As a rule on a software firewall, the ports are open when file and print sharing is enabled, but only for access from the local subnets. Remote subnets have to be added port by port to the firewall exception scope. The easiest test if a software firewall is present is to disable it and try the connections.
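The software-firewall "exception scope" problem Rob describes above, shown as an added example that is not part of this thread: on Windows XP SP2 / Server 2003 the File and Printer Sharing exception defaults to the local subnet only, so packets that arrive through the IPSec tunnel from the other site are dropped even though the routers pass them. The subnets (192.168.254.0/24 local, 192.168.1.0/24 remote VPN site), the server address 192.168.254.2 and the domain name example.local are constructed placeholders, not values from the thread.

```batch
@echo off
rem Added example, not from the thread. Run on the host that carries the
rem software firewall (server or client). Assumed, constructed values:
rem   local LAN        192.168.254.0/24
rem   remote VPN site  192.168.1.0/24
rem   SBS server       192.168.254.2
rem   AD domain        example.local  (placeholder)

rem 1. Inspect the current state. In the "Service configuration" section the
rem    Scope of "File and Printer Sharing" is what matters: "Subnet" means
rem    only local-subnet hosts can reach TCP 139/445 and UDP 137/138.
netsh firewall show config

rem 2. WEAK (default) setting: exception limited to the local subnet. Traffic
rem    from the VPN subnet is silently dropped, which surfaces as "domain not
rem    available" or RPC/access denied errors even though ping works.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

rem 3. CORRECTED setting: keep the local subnet and add only the remote VPN
rem    subnet. Avoid scope=ALL, which would expose the same ports to any
rem    address that can reach the host.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=LocalSubnet,192.168.1.0/255.255.255.0 profile=ALL

rem 4. Verify the scope now lists both LocalSubnet and 192.168.1.0/255.255.255.0.
netsh firewall show service

rem 5. Checks to run from the remote XP client once the scope is fixed.
rem    The DC locator SRV record must be answered by the internal server;
rem    if only the ISP resolver answers, the VPN adapter's DNS is wrong.
nslookup -type=SRV _ldap._tcp.dc._msdcs.example.local 192.168.254.2
rem    NetBIOS name table over UDP 137, then SMB over TCP 445/139.
nbtstat -A 192.168.254.2
net view \\192.168.254.2
```

The scope change is the point of the example: disabling the firewall, as suggested in the thread, is a valid test, but re-enabling it with the remote subnet in the exception scope keeps the exposure limited to the two sites that the tunnel actually joins.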
Nathaniel_ScrivNET (author) commented:
I have done the first step multiple times.

I have disabled the firewall on the remote side, and the server is off by default since the ICS service is disabled.

Yes, it is SBS 2003.
Rob Williams commented:
>>"I have done the first step multiple times. "
Do you mean you can rejoin the domain, but not add domain users? Very odd.

The reason I ask if it is SBS is there are several other necessary steps when rejoining the domain. See TechSoEasy's excellent guide:
http://techsoeasy.spaces.live.com/blog/cns!AB2725BC5698FCB8!278.entry
Rob Williams commented:
Though I doubt it is related to your problem have you added the remote site and subnet in Active Directory Sites and Services of the SBS?
Nathaniel_ScrivNET (author) commented:
Once I added the VPN option onto the computer object it seems to enable me to add users to the local groups through remote management...I still can't see the domain when I choose an object from the permissions screen locally though.
Rob Williams commented:
Sorry I had missed your last post notification. I just received the one regarding closing the question.
I am not sure what is blocking the RPC traffic. No ports should need to be opened in the VPN configuration, however if the traffic is filtered by a software firewall the ports mentioned earlier will have to be configured to allow traffic. I would also make sure the client machine points ONLY to the server for DNS, the domain suffix is added to the client's DNS configuration, and there is only one network adapter enabled on the client.
Good luck with it, and sorry we couldn't be more help.
Cheers!
--Rob