domain controller cannot be found

Had a VPN between two sites, one with a DC and things worked fine. Changed public IP addresses on the site having the DC and reconfigured the vpn/firewall. You can ping back and forth just fine but it will no longer authenticate from the off-site computers and I cannot add a computer to the domain from the off-site location.
shorne_tech Asked:
shorne_tech (Author) Commented:
FYI I am using the Untangle NG Firewall with OpenVPN built-in
Anthony Garcia (Devops Staff) Commented:
Do you see authentication failures on the DC? You can try looking in the event viewer on that machine to see if the requests are actually coming through to it.

What is the error that you see on the client machines when they fail to authenticate? Usually it tells you if it is a problem where it cannot communicate with the DC or if it is something else.
shorne_tech (Author) Commented:
On the client machines it says that a DC cannot be found when I try to add a computer to the domain from the off-site location.
Will Szymkowski (Senior Solution Architect) Commented:
On your VPN you need to make sure that you are not blocking any ports that relate to authentication for Active Directory. You will be able to see this very easily on your firewall.

Below is a link with all of the required ports.
https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Will.
Lee W, MVP (Technology and Business Process Advisor) Commented:
I use the free untangle for several VPNs and have not needed to make any special adjustments.

Check your DNS config.  Ideally, post the results of IPCONFIG /ALL from a machine that's having trouble joining the domain AND from the server.

Where are your systems getting DHCP from at the remote site?  Untangle?  What DNS server is provided via DHCP?  When you try joining the domain, are you trying to connect to DOMAIN or DOMAIN.SOMETHING?
shorne_tech (Author) Commented:
Main site uses DHCP from DC, remote site uses Untangle as DHCP (different IP scheme)
Main site uses 192.168.20.xxx and remote site uses 192.168.21.xxx
I can ping back and forth using IP Addresses but not names

Random Remote computer:
IPCONFIG /all shows
Primary DNS Suffix................calvary.local
....
DNS Suffix Search List..........calvary.local

IPAddress..............................192.168.21.xxx
Subnet Mask.........................255.255.255.0
Default Gateway...................192.168.21.21
DNS Server............................192.168.21.21
Lee W, MVP (Technology and Business Process Advisor) Commented:
As I stated, your problem is Untangle DHCP is not configured properly - your clients MUST use the DC for DNS, NOT the Untangle gateway.  Either specify DNS manually or adjust the Untangle DHCP scope to provide the DC as your clients' DNS server (and the ONLY DNS server the clients know about).
Active Directory relies HEAVILY on DNS - if you don't have the DNS infrastructure configured properly, you could have many different types of errors at varying times.
Lee W, MVP (Technology and Business Process Advisor) Commented:
Config -> Networking -> Advanced -> DHCP & DNS

The line you want to add is as follows:

dhcp-option=6,x.x.x.x,y.y.y.y,z.z.z.z

You don't have to have three addresses there, it's just option number, ip1, ip2, ip3, etc.

(The above quoted from http://forums.untangle.com/networking/29614-configure-dhcp-give-out-other-dns-server.html)
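The DNS requirement Lee W describes (remote clients must resolve the domain through the DC, not the Untangle gateway) and the dhcp-option change above can be verified from a remote client with the following PowerShell check. This is an added example, not code from the thread; it assumes the domain name calvary.local from the posted ipconfig output and uses a placeholder for the DC address, which is not given on the page.

```powershell
# Added example (not from the thread): for every DNS server a Windows client
# has configured, check whether it answers the DC-locator SRV query that
# domain join and logon depend on.  A resolver that cannot return this
# record is what produces "a domain controller could not be found".
param(
    [string]$Domain     = 'calvary.local',   # assumption: domain from the posted ipconfig output
    [string]$ExpectedDc = 'DC_IP_PLACEHOLDER' # placeholder: the DC's address on the 192.168.20.x site
)

# Windows locates a DC by asking for this SRV record under _msdcs.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"

$adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($adapter in $adapters) {
    foreach ($dns in $adapter.ServerAddresses) {
        # Flag any resolver that is not the DC (e.g. the Untangle gateway 192.168.21.21).
        $role = if ($dns -eq $ExpectedDc) { 'is the DC' } else { 'is NOT the DC' }
        Write-Host "[$($adapter.InterfaceAlias)] DNS server $dns $role"
        try {
            $records = Resolve-DnsName -Name $srvName -Type SRV -Server $dns -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
            if (-not $records) { throw "no SRV records returned" }
            foreach ($r in $records) {
                Write-Host "    OK  $srvName -> $($r.NameTarget):$($r.Port) (priority $($r.Priority))"
            }
        } catch {
            # This is the failing case when clients point at a non-AD resolver.
            Write-Host "    FAIL $dns cannot resolve $srvName : $($_.Exception.Message)"
        }
    }
}
```

Run it once before and once after changing the Untangle DHCP scope; the FAIL line should disappear once the client receives the DC as its only DNS server.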
shorne_tech (Author) Commented:
Ended up being something quite weird... Apparently the remote site was using OpenVPN on Untangle Version 9 and it is not compatible with OpenVPN on version 10 (which is the version at the main site)... Oddly enough as soon as I went to version 11 at the main site everything started working just fine! So apparently Untangle version 9 and 10 OpenVPN do not play well together but Untangle version 9 and 11 OpenVPN seem to work ok... anyway it is working for the moment. I will upgrade all to version 11 in the near future but for now it is working...

Lee W, MVP (Technology and Business Process Advisor) Commented:
That does not negate the AD requirement that DNS ONLY points to the AD DCs.  Other DCs don't know where your domain's services are.
shorne_tech (Author) Commented:
Kept digging until we found the answer...