Solved

Connecting a Windows 2008 R2 server to a domain controller through a VPN

Posted on 2014-11-01
212 Views
Last Modified: 2014-11-14
I have a VPN tunnel with a domain controller on one side and another server that has Remote Desktop Services running on the other side. I want to add that server to the domain and use other services on the side that has the domain controller. Currently I can ping the IPs of the other servers but I cannot connect to the domain controller. What is the most reliable and stable setup?
Question by:aks17
22 Comments
 
LVL 6

Expert Comment

by:Thomas Wheeler
ID: 40417246
Is this a router-to-router VPN? The best setup is to have the VPN on the routers and add the routes for the two subnets. At that point you can access the servers as if they were on the same physical network.
0
 

Author Comment

by:aks17
ID: 40417252
Yes there is a VPN tunnel between two routers. I can ping the servers from either side but UNC doesn't resolve.
0
 
LVL 6

Expert Comment

by:Thomas Wheeler
ID: 40417286
Are you pinging by name? What does a tracert say?
0
 

Author Comment

by:aks17
ID: 40417317
I ping the static IP address of the server and I get replies. I ping by name and it says the host cannot be found. Running tracert by IP shows 1 hop.
0
 

Author Comment

by:aks17
ID: 40417319
It also shows the name that I was trying to ping.
0
 
LVL 6

Expert Comment

by:Thomas Wheeler
ID: 40417385
What DNS servers are you using, the DC? Also, when you browse to the server via UNC, are you using the IP? Does it work with the IP?
0
 

Author Comment

by:aks17
ID: 40417393
The DNS servers are the DC and a secondary DC on one side of the VPN. I can browse to the server on the other side using the IP. I tried setting up the DNS server on the server I'm trying to connect to the DC and it could not resolve. I made a manual entry on the DC for the other server and it was no help.
0
 
LVL 6

Expert Comment

by:Thomas Wheeler
ID: 40417414
What type of routers do you have? Is there any firewalling happening? What happens if you do an nslookup against the server on the other side?
nslookup google.com <server-ip>
0
 

Author Comment

by:aks17
ID: 40417525
I get "server unknown" and the IP address of the server I'm searching from. The same for google.com.
The routers are Cisco ASA 5510s. The VPN tunnel should not be blocking any inside traffic.
0
 
LVL 6

Expert Comment

by:Thomas Wheeler
ID: 40417543
Can you RDP to the DC from the RDS server?
0
 
LVL 6

Expert Comment

by:Thomas Wheeler
ID: 40417567
We need a little network info. Attached is a Visio document showing what I think your setup looks like. From the RDS server you can ping the DC, correct? From the DC you can ping the RDS, right? If you do a tracert from RDS to DC it completes, and if you do a tracert from DC to RDS it completes? Please post an ipconfig /all from both servers. Also, on the ASA, did you use the VPN wizard to set the VPN up? If so, post the info for the setup.
Facke-network.vsd
0

Author Comment

by:aks17
ID: 40418252
The Visio document is correct. I can ping and run a tracert from either location. I can also RDP from either location to the servers. Below is the ipconfig /all for both servers.

Location 1
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : TS1FS
   Primary Dns Suffix  . . . . . . . : test.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.org
Ethernet adapter Local Area Connection 2:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network Connection #2
   Physical Address. . . . . . . . . : 00-1D-15-EA-C6-4D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-13-17-ED-C8-6C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ec14:24a7:58a5:c1fd%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.121(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 234886423
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-F5-D2-10-00-15-17-EA-C4-8C
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   Primary WINS Server . . . . . . . : 192.168.1.126
   NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{B07CC62E-98A5-4FF7-95F0-CCFD726FFB31}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{DF9E069E-EDB0-4FBF-A6C4-D117D5753FBF}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
C:\Users\Administrator>

Location 2
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Users\Administrator>ipconfig /all

Windows IP Configuration
   Host Name . . . . . . . . . . . . : TS2FS
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 2:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1D-37-47-B4-FD
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1C-68-35-B4-FC
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::25c5:97af:514e:48b3%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.254
   DHCPv6 IAID . . . . . . . . . . . : 234888807
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-8F-33-EA-00-1D-47-47-A4-FC
   DNS Servers . . . . . . . . . . . : 192.168.2.101
                                       192.168.2.100
                                       192.168.1.121
   Primary WINS Server . . . . . . . : 192.168.2.101
   NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{8AA06BD2-D225-4AD7-8C01-0B9975BEA8EC}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{0E4D5960-6F5B-4526-9641-42D188803B32}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d15:4abd:ce:1ba0:1f55:fd9a(Preferred)
   Link-local IPv6 Address . . . . . : fe80::cb:1ac0:3e53:fd9a%18(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
C:\Users\Administrator>

For the ASA, it's the site-to-site wizard that was used.
0
 
LVL 19

Accepted Solution

by:
compdigit44 earned 500 total points
ID: 40418269
On the RDS server (the server you want to add to the domain), have you checked to see if the Windows firewall is enabled?

I assume your router/VPN is allowing the following ports, which are needed to add a workstation to the domain:

UDP port 88 for Kerberos authentication
UDP and TCP port 135 for domain controller-to-domain controller and client-to-domain controller operations
TCP port 139 and UDP port 138 for File Replication Service between domain controllers
UDP port 389 for LDAP to handle normal queries from client computers to the domain controllers
TCP and UDP port 445 for File Replication Service
TCP and UDP port 464 for Kerberos password change
TCP ports 3268 and 3269 for Global Catalog from client to domain controller
TCP and UDP port 53 for DNS from client to domain controller and domain controller to domain controller
0
 
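The nslookup test suggested earlier in the thread and the port list in the accepted answer can be run as one pre-join check from the server that is to be joined. The script below is an added example, not code from the thread or from any of its participants. Its assumptions are: the AD DNS domain is test.org (the primary DNS suffix shown in the TS1FS ipconfig), the default DC/DNS address 192.168.1.121 is TS1FS's address and is only a placeholder for whichever host is really the DC, and the joining server is Windows 2008 R2 with PowerShell 2.0, so it uses nslookup and .NET sockets instead of Resolve-DnsName and Test-NetConnection, which do not exist there. Only the TCP side of each listed port is probed; the UDP ports in the answer (53, 88, 389 over UDP) cannot be checked with a connect() and are left to a packet capture.

```powershell
# Added example (not from the original thread): pre-join connectivity check for a
# Windows 2008 R2 server talking to a DC across a site-to-site VPN.
# ASSUMED values, not stated in the thread: domain test.org (TS1FS suffix),
# DC/DNS address 192.168.1.121 (TS1FS's address; substitute the real DC).
param(
    [string]$Domain    = 'test.org',
    [string]$DnsServer = '192.168.1.121',
    [int]$TimeoutMs    = 3000
)

# 1. SRV lookup: a domain join needs _ldap._tcp.dc._msdcs.<domain> to resolve
#    from the DNS server the client actually uses. nslookup is used because
#    Resolve-DnsName is not available on 2008 R2.
function Get-DcSrvTargets {
    param([string]$Domain, [string]$DnsServer)
    $q   = "_ldap._tcp.dc._msdcs.$Domain"
    $out = & nslookup -type=SRV $q $DnsServer 2>&1 | Out-String
    # nslookup prints one "svr hostname = <dc fqdn>" line per SRV record
    $targets = [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') |
               ForEach-Object { $_.Groups[1].Value }
    if (-not $targets) { Write-Warning "No SRV records for $q returned by $DnsServer" }
    return $targets
}

# 2. TCP connect with a timeout via a raw socket (Test-NetConnection is 2012+).
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) { return $true }
        return $false
    } catch { return $false }
    finally { $client.Close() }
}

# TCP ports a member needs on a DC, taken from the accepted answer's list.
$tcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog (SSL)'
}

# 3. Local Windows Firewall state, the first thing the accepted answer asks about.
Write-Host "Local firewall profiles:"
& netsh advfirewall show allprofiles state

$dcs = Get-DcSrvTargets -Domain $Domain -DnsServer $DnsServer
if (-not $dcs) { $dcs = @($DnsServer) }   # no SRV answer: probe the given address directly

foreach ($dc in $dcs) {
    Write-Host "`nProbing $dc"
    foreach ($p in ($tcpPorts.Keys | Sort-Object)) {
        $ok    = Test-TcpPort -Target $dc -Port $p -TimeoutMs $TimeoutMs
        $state = if ($ok) { 'open' } else { 'CLOSED/filtered' }
        Write-Host ("  {0,5}/tcp {1,-26} {2}" -f $p, $tcpPorts[$p], $state)
    }
}
```

The TS2FS ipconfig lists three DNS servers (192.168.2.101, 192.168.2.100 and 192.168.1.121); running the script once with -DnsServer set to each shows which of them can actually answer the SRV query for the domain, which is the part of the join that a plain ping by IP never exercises. After the join, `nltest /dsgetdc:test.org` on the member confirms that DC location works over the tunnel by name rather than only by \\IP.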

Author Comment

by:aks17
ID: 40430339
I checked the router VPN traffic and verified that the requests for the ports are going from one side to the other when testing from the server that we want to connect to the domain. But the domain controller does not respond back to the requests.
0
 

Author Comment

by:aks17
ID: 40430343
Should I connect through the VPN to the domain controller using the IP address and then try to run the join-domain process?
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40430530
The fact that you are not getting any return traffic is a problem. Have you checked both routers' firewall rules?

Are you able to monitor traffic live on both the source and destination routers?
0
 

Author Comment

by:aks17
ID: 40430692
Yes, I am able to monitor traffic live at both destinations. I can see the requests come through and then no answer in return.
I also checked the rules on the firewall. I think it's the server not responding to the IP address that's allowed through the VPN but not in the same pool.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40431317
What do you mean by "not in the same pool"?

Have you tried running Network Monitor on the target server to see if traffic is reaching the server and, if it is, whether it makes any attempt to respond?
0
 
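The situation described above (requests visible on both routers, nothing coming back from the DC) is exactly what a host firewall drop on the DC looks like from the wire. Rather than a packet capture, the DC's own firewall log answers it directly. The script below is an added example, not code from the thread or from any participant: it enables dropped-packet logging on every Windows Firewall profile and summarises drops sourced from the far side of the tunnel by destination port. Assumptions not in the thread: the remote subnet is 192.168.2.0/24 (from the TS2FS ipconfig), the log is at the Windows default path, and the sample log lines embedded for offline testing are constructed, not captured from anyone's DC.

```powershell
# Added example, not part of the original thread. Run in an elevated prompt ON THE DC.
# ASSUMED (not from the thread): remote subnet 192.168.2.0/24 from the TS2FS ipconfig,
# default pfirewall.log location, and the constructed sample lines below.
$LogPath      = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$RemotePrefix = '192.168.2.'

# Turn on logging of dropped connections for all profiles (harmless if already on).
& netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
& netsh advfirewall set allprofiles logging filename $LogPath | Out-Null

# W3C log fields: date time action protocol src-ip dst-ip src-port dst-port size
# tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-RemoteDrops {
    param([string[]]$Lines, [string]$FromPrefix)
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            # keep DROP rows from the remote subnet with a numeric destination port
            if ($f.Count -ge 8 -and $f[2] -eq 'DROP' -and
                $f[4].StartsWith($FromPrefix) -and $f[7] -match '^\d+$') {
                New-Object PSObject -Property @{
                    Time    = "$($f[0]) $($f[1])"
                    Proto   = $f[3]
                    Src     = $f[4]
                    DstPort = [int]$f[7]
                }
            }
        } |
        Group-Object Proto, DstPort |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'LastSeen'; e = { ($_.Group | Select-Object -Last 1).Time } }
}

# Constructed sample lines in pfirewall.log format, used only if the real log is
# absent so the summariser can be tried anywhere.
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2014-11-01 10:15:02 DROP TCP 192.168.2.101 192.168.1.121 49233 389 52 S 1234567 0 8192 - - - RECEIVE',
    '2014-11-01 10:15:02 DROP UDP 192.168.2.101 192.168.1.121 53741 53 61 - - - - - - - RECEIVE',
    '2014-11-01 10:15:05 DROP TCP 192.168.2.101 192.168.1.121 49234 445 52 S 1234568 0 8192 - - - RECEIVE',
    '2014-11-01 10:15:05 DROP TCP 192.168.2.101 192.168.1.121 49235 389 52 S 1234569 0 8192 - - - RECEIVE',
    '2014-11-01 10:15:09 ALLOW TCP 192.168.1.50 192.168.1.121 50001 3389 0 - 0 0 0 - - - RECEIVE'
)

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
Get-RemoteDrops -Lines $lines -FromPrefix $RemotePrefix | Format-Table -AutoSize
```

Repeated DROP rows for TCP 389 or 445 from 192.168.2.x mean the DC's host firewall, not the ASA tunnel, is discarding the join traffic; the default Domain/Private rules for AD services only allow the DC's own local subnet in some profiles, so the fix is a rule that scopes those services to the remote subnet as well. No DROP rows at all while the routers still show the requests arriving points back at the ASA or at routing on the DC's side.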

Assisted Solution

by:aks17
aks17 earned 0 total points
ID: 40431342
By "not in the same pool" I meant one side is 192.168.1.x and the other is 192.168.2.x. I ran Wireshark to capture the port request traffic and did see the requests but no response.

Also, I did finally get the server to join the domain. The only problem is I'm not sure whether it was everything that was done before, the final step, or all of the above.

The last step, when I was finally able to connect, was that I opened the Run command, typed \\192.168.1.126 (the DC) and clicked Run. It opened Windows Explorer with the file folders from the DC. Then I proceeded to follow the join-domain process and it connected. I restarted and everything is as expected.

Thanks for everyone's help.
0
 

Author Comment

by:aks17
ID: 40431347
The last step is the point that everything worked as expected.
0
 

Author Closing Comment

by:aks17
ID: 40442224
The last step, when I was finally able to connect, was that I opened the Run command, typed \\192.168.1.126 (the DC) and clicked Run. It opened Windows Explorer with the file folders from the DC. Then I proceeded to follow the join-domain process and it connected. I restarted and everything is as expected.
0
