Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.
COURSE of the MONTH
8 days, 17 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Windows 7 Server 2003 join domain via Cisco 5.x client ASA 5505 8.2.2 client vpn
Posted on 2011-03-08
Cisco 5.x VPN client. ASA 5505 8.2.2 Server 2003 STD SP2
Can touch any resource on the remote side I choose, except joining the domain.
I can try to join and mis-spell the domain name and get an expected answer which tells me I'm on the right track.
Enter the domain creds and "the domain could not be contacted"
Can hit the DC via ping, SMB, RDP, map drives/printers, etc. DNS surely points to the DC.
Logged into the local machine with a faux 'admin' acct, toggled the firewall, this n that.
Even went so far to pre-create the computer acct in ADUC just for googles.
What am I missing? I can touch EVERY resource on the other side via my client VPN except joining the fkin DOMAIN.
How can I join a Win7pro machine to a 2003 domain via Cisco 5.x client VPN?
Short Story:
Cisco ASA 5505 8.2.2
No fancy NATS or blocks on the ASA
Can touch anything I want via the VPN
2003 SP2 Standard
Win 7 Pro
Why can't I join that domain??
TIA!!
Can touch any resource on the remote side I choose, except joining the domain.
I can try to join and mis-spell the domain name and get an expected answer which tells me I'm on the right track.
Enter the domain creds and "the domain could not be contacted"
Can hit the DC via ping, SMB, RDP, map drives/printers, etc. DNS surely points to the DC.
Logged into the local machine with a faux 'admin' acct, toggled the firewall, this n that.
Even went so far to pre-create the computer acct in ADUC just for googles.
What am I missing? I can touch EVERY resource on the other side via my client VPN except joining the fkin DOMAIN.
How can I join a Win7pro machine to a 2003 domain via Cisco 5.x client VPN?
Short Story:
Cisco ASA 5505 8.2.2
No fancy NATS or blocks on the ASA
Can touch anything I want via the VPN
2003 SP2 Standard
Win 7 Pro
Why can't I join that domain??
TIA!!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
2
- +2
6 Comments
is there any anti virus software installed, if that is installed uninstall then try joing with domain, the only reasaon can be that,
if the anti virus is installed can post what anti virus software is?
if the anti virus is installed can post what anti virus software is?
This is taked from a Microsoft Document "Active Directory in Networks Segmented by Firewalls"
Simply, you must be able to have communication on these ports via your firewall. Make sure that your firewall will pass these ports to your VPN side.
---
Operational Building Blocks
Each network scenario can be broken down into a set of operations that a particular client is trying to achieve. These operations are the building blocks for other network scenarios. This section describes each operation individually; you can use these descriptions to create customized scenarios that are not covered in this paper. For a list of commonly used ports referenced in the following operations, see Appendix C.
User Login and Authentication
A user network logon across a firewall uses the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• Lightweight Directory Access Protocol (LDAP) ping (389/udp)
• Domain Name System (DNS) (53/tcp, 53/udp)
Computer Login and Authentication
A computer logon to a domain controller uses the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• LDAP ping (389/udp)
• DNS (53/tcp, 53/udp)
Establishing an Explicit Trust Between Domains
When establishing a trust between domain controllers in different domains, the domain controllers communicate with each other by means of the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• LDAP (389/tcp) or 636/tcp if using Secure Sockets Layer (SSL))
• LDAP ping (389/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• DNS (53/tcp, 53/udp)
Validating and Authenticating a Trust
Trust validation between two domain controllers in different domains uses the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• LDAP (389/tcp or 636/tcp if using SSL)
• LDAP ping (389/udp)
• Kerberos (88/tcp, 88/udp)
• DNS (53/tcp, 53/udp)
• Net Logon service
Because the Net Logon service cannot be locked down to a single RPC port, the RPC endpoint mapper (135/tcp and 135/udp) needs to be open, as does a small range of dynamic RPC ports for the mapper to use. For information about how to limit the range of dynamic RPC ports, see Appendix E.
Access File Resource
File access uses SMB over IP (445/tcp, 445/udp).
Perform a DNS Lookup
To perform a DNS lookup across a firewall ports 53/tcp and 53/udp must be open. DNS is used for name resolution and supports other services such as the domain controller locator.
Perform Active Directory Replication
The type of network traffic that is required for replication differs based on whether the replication is between domain controllers of one or more domains. Both types of replication require the following:
• Directory service RPC traffic (configurable directory service RPC port)
• LDAP (389/tcp or 636/tcp if using SSL)
• LDAP ping (389/udp)
• Kerberos (88/tcp, 88/udp)
• DNS (53/tcp, 53/udp)
• SMB over IP traffic (445/tcp, 445/udp)
Replication within a domain also requires File Replication service (FRS) using a dynamic RPC port. Replication traffic and configuration is further described in “Domain Controller Replication Across a Firewall” later in this paper. For instructions for configuring a static directory service RPC port, see Appendix D. For the procedure to limit the range of dynamic RPC ports, see Appendix E.
Simply, you must be able to have communication on these ports via your firewall. Make sure that your firewall will pass these ports to your VPN side.
---
Operational Building Blocks
Each network scenario can be broken down into a set of operations that a particular client is trying to achieve. These operations are the building blocks for other network scenarios. This section describes each operation individually; you can use these descriptions to create customized scenarios that are not covered in this paper. For a list of commonly used ports referenced in the following operations, see Appendix C.
User Login and Authentication
A user network logon across a firewall uses the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• Lightweight Directory Access Protocol (LDAP) ping (389/udp)
• Domain Name System (DNS) (53/tcp, 53/udp)
Computer Login and Authentication
A computer logon to a domain controller uses the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• LDAP ping (389/udp)
• DNS (53/tcp, 53/udp)
Establishing an Explicit Trust Between Domains
When establishing a trust between domain controllers in different domains, the domain controllers communicate with each other by means of the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• LDAP (389/tcp) or 636/tcp if using Secure Sockets Layer (SSL))
• LDAP ping (389/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• DNS (53/tcp, 53/udp)
Validating and Authenticating a Trust
Trust validation between two domain controllers in different domains uses the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• LDAP (389/tcp or 636/tcp if using SSL)
• LDAP ping (389/udp)
• Kerberos (88/tcp, 88/udp)
• DNS (53/tcp, 53/udp)
• Net Logon service
Because the Net Logon service cannot be locked down to a single RPC port, the RPC endpoint mapper (135/tcp and 135/udp) needs to be open, as does a small range of dynamic RPC ports for the mapper to use. For information about how to limit the range of dynamic RPC ports, see Appendix E.
Access File Resource
File access uses SMB over IP (445/tcp, 445/udp).
Perform a DNS Lookup
To perform a DNS lookup across a firewall ports 53/tcp and 53/udp must be open. DNS is used for name resolution and supports other services such as the domain controller locator.
Perform Active Directory Replication
The type of network traffic that is required for replication differs based on whether the replication is between domain controllers of one or more domains. Both types of replication require the following:
• Directory service RPC traffic (configurable directory service RPC port)
• LDAP (389/tcp or 636/tcp if using SSL)
• LDAP ping (389/udp)
• Kerberos (88/tcp, 88/udp)
• DNS (53/tcp, 53/udp)
• SMB over IP traffic (445/tcp, 445/udp)
Replication within a domain also requires File Replication service (FRS) using a dynamic RPC port. Replication traffic and configuration is further described in “Domain Controller Replication Across a Firewall” later in this paper. For instructions for configuring a static directory service RPC port, see Appendix D. For the procedure to limit the range of dynamic RPC ports, see Appendix E.
You use any ACL on ASA to firewall traffic from remote VPN users? In this case you need to allow DNS, LDAP, Kerberos to add computer to domain. But I think this could be also a MTU issue. If MTU on client side has default value (1500) you have to put this number to lower one. You can chech the value with ping set with DF (don't fragment) flag in packet. Use command line on some tool :
ping -f -l "value" {DC IP address}
"value" - size in bytes. Start at 1400 and then go lower until the packet successfully returns from Domain controller.
Then you have to put MTU "value" to network adapter via regedit.
ping -f -l "value" {DC IP address}
"value" - size in bytes. Start at 1400 and then go lower until the packet successfully returns from Domain controller.
Then you have to put MTU "value" to network adapter via regedit.
Thanks, Kendzast. I never thought about MTU. Using your example I found that my MTU has to be 1270 or lower for the packet not to fragment. Does that sound somewhat normal?
I will try to limit my MTU soon and report back.
I will try to limit my MTU soon and report back.
Featured Post
WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses
Course of the Month8 days, 17 hours left to enroll
764 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.