Joining Domain across WAN
  • Joining Domain across WAN

    I have a 2003 server set up as a DC for my domain. I have 8 sites, all connected with 100Mbps fiber provided by the local telco; we are set up on our own VLAN on their equipment. Each site has a Mikrotik router. I am trying to join a 2008 server at each site to the domain and promote it to DC, but I'm having trouble. I took one of the servers to the physical site where the 2003 DC is hosted and joined it without any problem, but when I returned it to the remote site it could not see the domain.

    Each router is set up with the following IP scheme.

    The external interface has an IP in the 10.125.5.x network; the internal IP is 10.y.1.1, where y ranges from 1-8. The servers are set up as 10.y.200.1 at each site. I can ping each way, and tracert shows that it hits the local router, the remote router, then the remote machine, with no additional hops either way. I have the DC set as the primary DNS and can ping the DC by name. When I try to join the domain it gives me the following:

    The domain name "domain" might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.

    If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

    DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "domain":

    The query was for the SRV record for _ldap._tcp.dc._msdcs.domain

    The following domain controllers were identified by the query:
    my-dc.domain

    However no domain controllers could be contacted.

    Common causes of this error include:

    - Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

    - Domain controllers registered in DNS are not connected to the network or are not running.

    I have tried to use PortQry to check ports and have been unable to find anything blocked. Any suggestions?

  • #2
    Re: Joining Domain across WAN

    Have spent quite some time trying to maintain a group of laptops which were built locally, then joined to a domain which was only available thru a VPN tunnel, with the client itself being the local endpoint. While it eventually works, it's never been 100% right.

    One thing I've found to help things along but not solve all the issues is to ping the distant DC (all of them), one after the other from the client wishing to join. If you immediately go thru the join process, it'll work much faster but it still won't be 100%. Subsequent applications of Group Policy will fail because the DC isn't found, or some such. HOSTS file entries or LMHOSTS entries haven't helped.

    Never found the final answer, but I'm guessing there's a layer-2 protocol associated with GP enforcement which has issues across WAN links, esp. for non-local subnets. Theoretically, allowing NetBIOS over TCP/IP ought to allow the kind of traffic we're talking about, but I've never had the time to find the absolute answer.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

    • #3
      Re: Joining Domain across WAN

      With the traffic I've watched going across the routers it doesn't appear to send any information except the DNS request. Would I have to have a VPN set up to make this work? I could do that if I had to, but I don't see any reason why I should. Pinging the DC didn't do any good, I even tried pinging the DC from the new server and the new server from the DC.

      • #4
        Re: Joining Domain across WAN

        Layer 2 traffic doesn't cross routed boundaries by itself. If you're looking at the traffic between routers, yes, you'll see DNS because it's Layer 3 IP traffic. But any traffic generated by the client which is NOT routable won't be seen between them. You should look at traffic between the server wanting to join and the router it talks to as its gateway. Any broadcast or NetBIOS traffic without IP addressing isn't going to go any further than that first router. If there is such traffic being stopped by the first router (by design!) then your domain join won't work.

        You may need to include 'ip helper' address settings in your router setups. If any device is in the same subnet as a DC, then domain joins, bootp or image deployment traffic (WDS) works without assistance. However, if you want these to function where user subnets are separate from server subnets, you have to include statements which tell the router where to find the help it may need to feed client traffic.

        Assume servers are on VLAN23 (192.168.23.0/24) and clients are on VLAN41 (192.168.41.0/24), and one Cisco device holds the SVIs for both VLANs. Also assume your DC has an address of 192.168.23.14 in Vlan 23. You should see something like the 2 example interface statements in the running config:

        !
        interface Vlan23
        description *** Gateway for traffic into/out of Vlan 23 ***
        ip address 192.168.23.1 255.255.255.0
        !
        interface Vlan41
        description *** Gateway for traffic into/out of Vlan 41 ***
        ip address 192.168.41.1 255.255.255.0
        ip helper-address 192.168.23.14
        !

        We have such settings in our Cisco kit, and use WDS deployment for our client PCs. We have 2 DCs and a WDS server, so we have those 3 ip helper addresses on each SVI gateway interface, across multiple Layer 3 switches in multiple buildings. Without the WDS server address, WDS clients can't find the server. Deployed images join the domain automatically and flawlessly, but we don't span through WAN links, just inter-building fiber running at 1Gig. I just read up on the specifics of that command again, and it works for NetBIOS packets. See if such can be used with your routers, since you proved that local domain joins work; just routed traffic doesn't.

        PS: if this helps, don't forget to award rep points!!
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **
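An added example (not from the thread or its posters) that audits a Cisco-style running config for the helper coverage described above: every routed SVI should carry an ip helper-address for each DC and WDS server that does not sit in that SVI's own subnet. The config text reuses the thread's Vlan23/Vlan41 stanzas plus a constructed Vlan42; the DC at 192.168.23.14 is from the thread, the WDS address 192.168.23.20 is an assumption.

```python
import ipaddress
import re

# Constructed sample config: the thread's two SVIs plus a client VLAN that
# someone forgot to give any helper addresses.
SAMPLE_CONFIG = """\
!
interface Vlan23
 description *** Gateway for traffic into/out of Vlan 23 ***
 ip address 192.168.23.1 255.255.255.0
!
interface Vlan41
 description *** Gateway for traffic into/out of Vlan 41 ***
 ip address 192.168.41.1 255.255.255.0
 ip helper-address 192.168.23.14
!
interface Vlan42
 ip address 192.168.42.1 255.255.255.0
!
"""

# DC address from the thread; the WDS address is an assumed/constructed value.
REQUIRED_HELPERS = {"192.168.23.14", "192.168.23.20"}


def parse_interfaces(config):
    """Return {iface_name: {"ip": "a.b.c.d/mask" or None, "helpers": set()}}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":                      # stanza terminator
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"ip": None, "helpers": set()}
        elif current is not None:
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                interfaces[current]["ip"] = f"{m.group(1)}/{m.group(2)}"
            elif m := re.match(r"ip helper-address (\S+)$", line):
                interfaces[current]["helpers"].add(m.group(1))
    return interfaces


def missing_helpers(config, required):
    """Map each routed SVI to the sorted list of required helpers it lacks.

    A server inside the SVI's own subnet needs no helper there: broadcasts
    from that VLAN already reach it without being relayed.
    """
    report = {}
    for name, iface in parse_interfaces(config).items():
        if iface["ip"] is None:
            continue
        net = ipaddress.ip_interface(iface["ip"]).network
        needed = {h for h in required if ipaddress.ip_address(h) not in net}
        report[name] = sorted(needed - iface["helpers"])
    return report
```

Run it over a real `show running-config` dump and any non-empty list flags a VLAN whose domain joins and WDS boots will fail for the reason the post describes.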
