Help with VPN, two domains & Server 2003

Discussion in 'Computer Support' started by Bababooey, Oct 11, 2005.

  1. Bababooey

    Bababooey Guest

    Hi - need some help with the following from all the network pros out
    there.

    Here is the situation:

    Two offices we will call location A and location B.

    Location A - Server 2003 - running Active Directory, DNS and DHCP with
    regular domain setup as "locationa.local". Internal subnet is
    192.168.2.0.

    Location B - Server 2003 - running Active Directory, DNS and DHCP with
    regular domain setup as "locationb.local". Internal subnet is
    192.168.1.0.

    Each office has a broadband connection through a Linksys BEFSX41 (VPN
    Endpoint).

    Have established a VPN connection between the two routers /
    offices with no problem.

    From any computer at location A, can ping computers in location B with
    no problems - yet when going to Network Neighborhood can only see
    the local domain and not the remote domain at location B.

    I figure that I need to somehow get the two subnets and domains to
    talk to each other directly - but not quite sure what to do.

    Please help - and thank you in advance.
     
    Bababooey, Oct 11, 2005
    #1

  2. why?

    why? Guest

    Oh so big a <groan>, this has been mentioned several times.

    You will notice the lack of '?'s below, that's because I am busy on
    something else, so here are some thoughts.
    How do you know.

    What tests, can you only see the far away router. Can you go across the
    router/vpn at the far end and see other devices, if so how.

    What's different between that test / result and how Network
    Neighborhood works.
    Do you ping by hostnames or IP.

    The answer will be IP, it may be different there is a lack of detail in
    several places.
    This isn't the same as a ping. Although on an MS network it can be messy: a
    ping from the cmd prompt on a mapped drive looks for a file called
    'ping' in the path before it really runs the command you entered.
    Another MS issue is name lookups can be via DNS then WINS for the same
    thing only a minute later and it might work or fail, it's messy.

    So it's 2 domains as well, an additional issue. The domain controllers
    can't see each other.

    OTOH what's blocked by your FW, what traffic do you allow across the
    VPN.

    What do you have for name resolution - WINS, DNS ?
    Have you ever heard of WINS server, proxy WINS server per subnet,
    broadcasts, broadcasts not crossing routers , maybe the Linksys boxes
    are so cheap that's not an issue.

    Read up on SMB
    Run a packet sniffer, when you try to connect to the far end you will
    see the lookup requests, what device they are aimed at and either no
    reply or a failed reply.


    Me
     
    why?, Oct 11, 2005
    #2

  3. joe.gauthier

    joe.gauthier Guest

    I'll be short and sweet.

    Trusting your VPN is up, then the domains need to be forced to see
    each other. I WOULD NOT SET UP WINS. WINS is old and going to be
    supported less and less. I would set up either one domain or two
    trusted forests. With AD, DNS is king.

    I would look up more about AD trust relationships. Don't waste your
    time with SMB or a packet sniffer. If you are using Linksys equipment
    (not passing judgement, we all have our budgets) don't waste too much
    time figuring out how it works. AD was set up to handle this. I still
    think that you need to set up one domain and then multiple sites in the
    AD.
     
    joe.gauthier, Oct 11, 2005
    #3
  4. Bababooey

    Bababooey Guest

    why? wrote:

    > Oh so big a <groan>, this has been mentioned several times.
    >
    > You will notice the lack of '?'s below, that's because I am busy on
    > something else, so here are some thoughts.
    > How do you know.
    >
    > What tests, can you only see the far away router. Can you go across
    > the router/vpn at the far end and see other devices, if so how.
    >
    > What's different between that test / result and how Network
    > Neighborhood works.
    > Do you ping by hostnames or IP.
    >
    > The answer will be IP, it may be different there is a lack of detail
    > in several places.
    > This isn't the same as a ping. Although on an MS network it can be messy:
    > a ping from the cmd prompt on a mapped drive looks for a file called
    > 'ping' in the path before it really runs the command you entered.
    > Another MS issue is name lookups can be via DNS then WINS for the
    > same thing only a minute later and it might work or fail, it's messy.
    >
    > So it's 2 domains as well, an additional issue. The domain
    > controllers can't see each other.
    >
    > OTOH what's blocked by your FW, what traffic do you allow across the
    > VPN.
    >
    > What do you have for name resolution - WINS, DNS?
    > Have you ever heard of WINS server, proxy WINS server per subnet,
    > broadcasts, broadcasts not crossing routers, maybe the Linksys boxes
    > are so cheap that's not an issue.
    >
    > Read up on SMB
    > Run a packet sniffer, when you try to connect to the far end you will
    > see the lookup requests, what device they are aimed at and either no
    > reply or a failed reply.
    >
    > Me


    Ok, in regards to how we determined if the VPN was functioning
    properly:

    1. In the Linksys BEFSX41, the VPN log showed the connection between
    two routers/subnets as successful.

    2. We tested connection between the computers by going to an XP
    workstation at Location A and opening up Windows Explorer. We did
    SEARCH FOR COMPUTERS and typed in the IP address of a computer at
    location B. We were asked for a password to access the computer (we
    typed in a domain user that had access at location B) and we then had
    access to all the network shares on that system. We then transferred
    some files between the systems with no problem.

    3. When we pinged, we pinged the IP address of one of the
    workstations at the remote location.

    4. Both domains use the DNS server for name resolution (server 2003).

    Looking forward to your reply.

    Thanks again!!
     
    Bababooey, Oct 11, 2005
    #4
  5. why?

    why? Guest

    On 11 Oct 2005 14:07:31 -0700, wrote:

    Please include some of the post you are replying to.
    I don't have a VPN, maybe you meant to reply to someone else?
    It's still easier than beginners AD.

    <snip>

    Me
     
    why?, Oct 11, 2005
    #5
  6. why?

    why? Guest

    That's still the edge devices, it doesn't mean the rest works :)
    Even if it's 2 domains and why, the DNS is common isn't it, 1 site is a
    backup of the other?

    So it's DNS domains you mean "locationa.local" and "locationb.local" or
    have you gone for an AD split.

    As it's VPN, why isn't 1 office simply an extension of the 1 domain? Okay,
    so if the VPN goes the DNS/AD/Domain goes, so make a primary/secondary
    at each location, the secondaries are backups of the other site. This
    means all AD/domain/DNS info is present on both sites.

    AD at both sites, but a single forest containing the 2 domains?

    If the PCs are below Win 2000, NetBIOS is still the primary source for
    lookups, domain logins. If Win 2000 and above always use DNS.

    Can you put a 2003 box in the site that fails, configured as much as
    possible like a workstation and see if that's okay.
    Fine, that's very different from NN.
    DNS you verified it's working from each site. Each site can do fwd and
    reverse lookups to the other.

    From A and B do local and remote

    nbtstat -a <ip address>
    nbtstat -a <netbiosname>

    Do you get the answers you expect?


    Skipping over trusts and forests, it's hard enough in the books / on paper
    and impossible like this.

    These are the things you need to check.
    Don't get too carried away, these issues can be tricky or easy to see
    when on site with some diagnostic tools handy.

    I usually rely on the packet sniffer method, and then tell the (at work,
    of course) WINS / AD manager that a name lookup is wrong or keeps
    failing.
    I just wish our place was so simple, 50 odd NT domains, WINS everywhere
    replicating into a central bucket, which nicely replicates out errors,
    trusts all over multiple sites, depending on what site worked with which
    other site or not, or maybe 5 people did but the rest of 500 people
    didn't but they wouldn't be able to access across trusts, 50 odd local
    DNS, central DNS, 60 something DNS domains, 1 DNS domain that accepts
    entries into the DNS manager, but then moves hosts in the AD.

    :)


    Right, I just missed the battle scene / end of Macross Plus Ep4. So a
    bit of reverse play on the DVD is in order.

    Me
     
    why?, Oct 11, 2005
    #6
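The nbtstat -a check suggested above is a NetBIOS Name Service (RFC 1002) node status query on UDP/137; the block below is an added example (not code from this thread) that builds that query and parses a constructed reply, so you can see the name/suffix records a sniffer would show crossing the VPN. The host and domain names in the reply are constructed for illustration.

```python
import struct

NBSTAT, CLASS_IN = 0x0021, 0x0001     # RR type for node status, class IN

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    # First-level encoding: 16-byte name (15 chars + suffix), each byte split into
    # nibbles and each nibble added to 'A'. The '*' wildcard is NUL-padded ("CKAAAA...").
    pad = b'\x00' if name == '*' else b' '
    raw = name.upper().encode('ascii').ljust(15, pad)[:15] + bytes([suffix])
    body = b''.join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([len(body)]) + body + b'\x00'

def build_node_status_request(txid: int = 0x1234) -> bytes:
    # Header: id, flags 0 (query, no recursion), QDCOUNT=1, AN=NS=AR=0.
    header = struct.pack('>6H', txid, 0, 1, 0, 0, 0)
    return header + encode_netbios_name('*') + struct.pack('>HH', NBSTAT, CLASS_IN)

def parse_node_status_response(data: bytes) -> list:
    # Returns [(name, suffix, is_group)] from the NBSTAT answer record.
    txid, flags, qd, an, _, _ = struct.unpack('>6H', data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError('not a response carrying an answer record')
    pos = 12
    while data[pos]:                      # skip the RR name (labels end at 0x00)
        pos += data[pos] + 1
    pos += 1
    rtype, rclass, ttl, rdlen = struct.unpack('>HHIH', data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError('unexpected RR type 0x%04x' % rtype)
    count, pos = data[pos], pos + 1
    names = []
    for _ in range(count):                # 15-byte name, suffix byte, 2 flag bytes
        raw, sfx, nflags = struct.unpack('>15sBH', data[pos:pos + 18])
        names.append((raw.decode('ascii').rstrip(' \x00'), sfx, bool(nflags & 0x8000)))
        pos += 18
    return names

def constructed_response(txid: int = 0x1234) -> bytes:
    # Constructed reply from a hypothetical locationb workstation: machine name <00>,
    # domain group <00>, domain controllers group <1C>. Flags 0x8400 group+active.
    entries = [('WORKSTN01', 0x00, 0x0400), ('LOCATIONB', 0x00, 0x8400),
               ('LOCATIONB', 0x1C, 0x8400)]
    rdata = bytes([len(entries)]) + b''.join(
        struct.pack('>15sBH', n.ljust(15).encode('ascii'), s, f) for n, s, f in entries)
    rdata += bytes(46)                    # statistics block (MAC, counters) zeroed
    header = struct.pack('>6H', txid, 0x8400, 0, 1, 0, 0)    # response, authoritative
    rr = struct.pack('>HHIH', NBSTAT, CLASS_IN, 0, len(rdata)) + rdata
    return header + encode_netbios_name('*') + rr
```

Sending build_node_status_request() with a UDP socket to port 137 of a remote host and feeding the reply to the parser is the directed (unicast) form of the lookup, which crosses the routed VPN where NetBIOS broadcasts do not; a missing <1C> entry for the remote domain is the kind of gap the thread is chasing.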
  7. Bababooey

    Bababooey Guest

    Ok, maybe I wasn't as clear as some of you wanted. I will try to
    explain exactly where we are at.

    Location A
    One Server running Server 2003 w/DNS/DHCP/AD
    Broadband connection through modem to Linksys BEFSX41
    domain - locationa.local - not associated in any way with any other
    domain or office
    internal subnet 192.168.2.0
    40 workstations running XP Pro
    VPN has been established with Location B via BEFSX41 Router

    Location B
    One Server running Server 2003 w/DNS/DHCP/AD
    Broadband connection through modem to Linksys BEFSX41
    domain - locationb.local - not associated in any way with any other
    domain or office
    internal subnet 192.168.1.0
    40 workstations running XP Pro
    VPN has been established with Location B via BEFSX41 Router

    From Location A
    From either server or workstation when going to Network
    Neighborhood/Entire Network/Microsoft Network we only see the
    locationa domain and when clicking on that all workstations and
    server are visible. Pull up windows explorer and type in known IP
    address of another workstation at location b (when doing search for
    computers) that workstation is able to be viewed and files
    transferred back and forth. When going into command prompt and
    pinging any known ip's for workstations at location b, ping is
    successful.

    On server at location A, attempted to open Active Directory Trusts,
    right clicked on domain locationa.local and selected Properties, then
    Trust, and attempted to add locationb.local domain and message said
    that domain could not be found.

    At this point, all that we would like to do (with what we have as
    stated in the setup above) is that when a user at either location A
    or B goes into Network Neighborhood, they will be able to view the
    other domain and access the systems (granted they have the correct
    username/password/permissions).

    Thanks again
     
    Bababooey, Oct 12, 2005
    #7
  8. why?

    why? Guest

    It still appears that your AD/DHCP/DNS at each site is for its own site
    and not a primary / backup for and of the other, so both sites have
    copies of each other's info.

    If you can't find a domain, check the records for each domain / servers
    exist in each AD/DNS , part of that is the nbtstat mentioned earlier,
    this displays record types/values.

    At work 1 person couldn't logon to a remote domain, everything tested
    okay until an ipconfig didn't renew, but the date time changed every
    boot. Checked WINS/AD all okay, ip and netbios data checked. Web
    browsing other stuff okay. Still couldn't find the domain (master
    browser) fix was ipconfig/flushdns (a Win 2000 client).

    Other times login failures due to corrupt entries for the DC/ADs, some
    plonkers were removing static entries for DC's / servers, and wanted
    those auto detected. Making sure WINS/AD all had static DC/login server
    entries as static cured issues.

    <snip>

    Me
     
    why?, Oct 12, 2005
    #8
  9. Bababooey

    Bababooey Guest

    You are correct..

    Location A and location B are completely separate and in no way
    associated with each other in Active Directory, etc.

    When opening up AD & Trusts, you will only see locationa.local or
    locationb.local on those servers.

    So the ? is I assume I need to set up a trust (server 2003 style)
    between the domains.

    I right click on the domain in AD Trusts and enter in the other
    domain. From there, what should I select??

    Thanks
     
    Bababooey, Oct 12, 2005
    #9
  10. why?

    why? Guest

    Who you are not replying to replies, you are replying to your own post
    and over snipping, leaving none of the message or op intact.
    Because you set it up that way.
    http://www.google.com/search?q=2003+ad+domain+trust

    There are several ways to go, you need to do some heavy AD reading and
    see what way is suitable for you. You have given some details on the
    size of the offices, however the configuration you have may not be
    reversible or some method I suggest may not be for you.
    Try a book, manual, www.google.com, MS Technet, MS articles, help
    files on AD. Anyway my 2003 box has been scrubbed for Vista and I can't
    remember the very grim details.
    Me
     
    why?, Oct 12, 2005
    #10
  11. Bababooey

    Bababooey Guest

    Alright now - a few updates and a few more questions

    Using the NetBIOS function on the Linksys BEFSX41, we are now able to
    browse computers on the remote domain (and they can browse us as
    well) using Network Neighborhood - provided they have the proper
    username and password for the other domain.

    Also was able to set up a trust between the domains sort-of that
    allowed users that had the same username and password on one domain
    to be authenticated on the other if they were the same there. But
    for some reason I am not sure that is 100% the thing to do.

    Going back to the NetBIOS thing with Linksys - there has to be a
    better way. Now looking for a way to have the DNS in location A able
    to add the lookup zones from location B - but for some reason the two
    DNS servers will not talk to each other. Any ideas on this?
    Figuring if the DNS server has some records from the other domain,
    things might be smoother.

    Thanks for any advice anyone might have about this.
     
    Bababooey, Oct 13, 2005
    #11
  12. why?

    why? Guest

    On Thu, 13 Oct 2005 15:14:24 GMT, Bababooey wrote:

    You really like not replying to the post your answers are in and
    removing all previous bits of the discussion.
    Hence the previous mentions about WINS, SMB, a ping is different from
    the way browse works, (WINS is still on the way out but it isn't dead
    yet, neither sadly is NetBIOS, and name resolution / caching is still
    confusing) which is needed for the often default name resolution, hence
    the also do some reading.
    It's really a domain - domain trust, that way you don't need the same
    account at each end. For example at work I have several domain admin
    accounts, but a few plain user accounts that don't exist on each domain.
    But I can still use resources on other domains because a domain - domain
    trust is set up, and either myself or another admin sets the correct
    permissions on the file / print resources.
    Not by that description and not knowing how you set anything up. Then
    again with AD that shouldn't be an issue if locationa is the primary
    AD/DNS and locationb is the backup. The same info is stored at both
    ends.

    If you pay attention to the MS documentation AD is meant to make things
    much easier.
    Normally the way we do this is have a central DNS and local sites have a
    caching only nameserver, in case of WAN outage. The caching only box
    simply gets zone transfers from the central.

    2003/AD/DNS/DHCP will deal correctly with DHCP across subnets, DNS zones
    and everything will replicate.
    My suggestion, some deep reading at www.microsoft.com starting with
    http://www.microsoft.com/windowsserver2003/default.mspx
    either paper or electronic version of
    http://www.amazon.com/exec/obidos/tg/detail/-/0735614717/002-6755875-8884060?v=glance
    there are also deployment guides
    http://www.amazon.com/exec/obidos/t...5/002-6755875-8884060?_encoding=UTF8&v=glance

    AD/DNS etc., isn't something you want to mess with, you really need to
    decide how you want to set it up and follow a plan. It can be a big
    problem trying to change it later to fit.

    Me
     
    why?, Oct 13, 2005
    #12