Difficulty joining domain across site to site VPN

  • Thread starter Thread starter Scott Johnson
  • Start date Start date
S

Scott Johnson

I'm not very knowledgeable about Active Directory, so I appeal to the
collective wisdom of this group.


I am trying (unsuccessfully) to join my company's (Win2k) domain across
a router-based site-to-site VPN. The home PC is running Windows XP Pro.
The home network is running on a separate IP subnet.

This is the error I get when attempting to join the domain:


"The domain name XYZ might be a NetBIOS domain name. If this is the
case, verify that the domain name is properly registered with WINS.
If you are certain that the name is not a NetBIOS domain name, then the
following information can help you troubleshoot your DNS configuration.
DNS was successfully queried for the service location (SRV) resource
record used to locate a domain controller for domain XYZ:
The query was for the SRV record for _ldap._tcp.dc._msdcs.XYZ
The following domain controllers were identified by the query:
xyz-test.xyz
xyz-2k.
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP
addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network
or are not running."


The remote workstation is able to resolve names using the domain DNS
server on the 192.168.4 network without problem. I can also access file
shares on the 192.168.4 network without problem.

Do I need to add some configuration to the domain controller to allow
separate networks?

The IP setup is as follows:

Company Network
IP : 192.168.4.0
subnet : 255.255.255.0

Remote Network:
IP : 10.4.1.0
subnet: 255.255.255.0

Thanks in advance,
Scott Johnson
 
Scott Johnson said:
I'm not very knowledgeable about Active Directory, so I appeal to the
collective wisdom of this group.
I am trying (unsuccessfully) to join my company's (Win2k) domain across a
router-based site-to-site VPN. The home PC is running Windows XP Pro. The
home network is running on a separate IP subnet.

Usually this will be due to setting up the DNS incorrectly (probably the
CLIENT NIC->IP->DNS server setting). But see below due to your
specific errors.

It can also be a routing or firewall filtering issue.
This is the error I get when attempting to join the domain:
"The domain name XYZ might be a NetBIOS domain name. If this is the case,
verify that the domain name is properly registered with WINS.

What is the domain DNS name? And the NetBIOS name?
If you are dependent on NetBIOS across the Internet then the
client machine will also need to have the WINS server set correctly,
but this is still likely to cause problems (after joining) due to wrong DNS.
If you are certain that the name is not a NetBIOS domain name, then the
following information can help you troubleshoot your DNS configuration.
DNS was successfully queried for the service location (SRV) resource
record used to locate a domain controller for domain XYZ:
The query was for the SRV record for _ldap._tcp.dc._msdcs.XYZ
The following domain controllers were identified by the query:
xyz-test.xyz
xyz-2k.
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP
addresses are missing or contain incorrect addresses.

This implies the DNS problem is actually with the SERVER side.

Every DCs should be able to pass a complete (/C) DCDiag with NO
FAIL or WARN errors.
- Domain controllers registered in DNS are not connected to the network or
are not running."

And the client must be able to ROUTE to any of the DCs it resolves in
DNS.

Can you ping end to end? Do you have filters setup on the routers/VPN
gateway such that only some protocols can penetrate?
The remote workstation is able to resolve names using the domain DNS
server on the 192.168.4 network without problem. I can also access file
shares on the 192.168.4 network without problem.

This tends to imply that routing (and at least some of) DNS is working.

Is your DNS domain name perhaps a SINGLE LABEL name? (e.g.,
Domain, rather than Domain.com or something longer)?

DNS domain names for AD NEED to be two-labels or more. They
can be made to work if single label but it requires special care and you
will likely never be fully happy.
Do I need to add some configuration to the domain controller to allow
separate networks?

Not just for remote clients, since the VPN should effectively "transport"
the client machine to the same network as the VPN server.
The IP setup is as follows:

Company Network
IP : 192.168.4.0
subnet : 255.255.255.0

Remote Network:
IP : 10.4.1.0
subnet: 255.255.255.0

Check the DCDiag first.

If single label name, then search for that on Google:

[ "active directory" Single label dns name site:microsoft.com ]
 
Herb said:
Usually this will be due to setting up the DNS incorrectly (probably the
CLIENT NIC->IP->DNS server setting). But see below due to your
specific errors.

It can also be a routing or firewall filtering issue.

The DNS on the client is pointing to the DNS server/domain controller
VHP-2K, and it seems to have no problem resolving VHP-2K.vhp.
And the client must be able to ROUTE to any of the DCs it resolves in
DNS.

Can you ping end to end? Do you have filters setup on the routers/VPN
gateway such that only some protocols can penetrate?

I can ping end to end, and there are no filters. I don't think there is
an issue with the actual connectivity.
What is the domain DNS name? And the NetBIOS name?
If you are dependent on NetBIOS across the Internet then the
client machine will also need to have the WINS server set correctly,
but this is still likely to cause problems (after joining) due to wrong DNS.

This implies the DNS problem is actually with the SERVER side.

Every DCs should be able to pass a complete (/C) DCDiag with NO
FAIL or WARN errors.

dcdiag /c /testdomain:VHP is returning the following errors:

Starting test: Services
SMTPSVC Service is stopped on [VHP-2K]
......................... VHP-2K failed test Services
Starting test: OutboundSecureChannels
Could not Check secure channel from VHP-2K to VHP: The
specified domain either does not exist or could not be contacted.
Could not Query Trusted Domain :The system cannot find the
file specified.
Could not Query Trusted Domain :The system cannot find the
file specified.

Any idea on what is going on there?

This tends to imply that routing (and at least some of) DNS is working.

Is your DNS domain name perhaps a SINGLE LABEL name? (e.g.,
Domain, rather than Domain.com or something longer)?

DNS domain names for AD NEED to be two-labels or more. They
can be made to work if single label but it requires special care and you
will likely never be fully happy.

If single label name, then search for that on Google:

[ "active directory" Single label dns name site:microsoft.com ]

Yes, the domain name is simply VHP. I'll look into this.



Thanks for your help!
Scott Johnson
 
Scott Johnson said:
Herb said:
Usually this will be due to setting up the DNS incorrectly (probably the
CLIENT NIC->IP->DNS server setting). But see below due to your
specific errors.

It can also be a routing or firewall filtering issue.

The DNS on the client is pointing to the DNS server/domain controller
VHP-2K, and it seems to have no problem resolving VHP-2K.vhp.
This implies the DNS problem is actually with the SERVER side.

Every DCs should be able to pass a complete (/C) DCDiag with NO
FAIL or WARN errors.

dcdiag /c /testdomain:VHP is returning the following errors:

Starting test: Services
SMTPSVC Service is stopped on [VHP-2K]
......................... VHP-2K failed test Services
Starting test: OutboundSecureChannels
Could not Check secure channel from VHP-2K to VHP: The specified
domain either does not exist or could not be contacted.
Could not Query Trusted Domain :The system cannot find the file
specified.
Could not Query Trusted Domain :The system cannot find the file
specified.

Any idea on what is going on there?

Yes, the DC is not registered properly in DNS. Or the client is using
the wrong DNS (but you say the latter is not so.)

Single label domain names can cause this.
This tends to imply that routing (and at least some of) DNS is working.

Is your DNS domain name perhaps a SINGLE LABEL name? (e.g.,
Domain, rather than Domain.com or something longer)?

DNS domain names for AD NEED to be two-labels or more. They
can be made to work if single label but it requires special care and you
will likely never be fully happy.

If single label name, then search for that on Google:

[ "active directory" Single label dns name site:microsoft.com ]

Yes, the domain name is simply VHP. I'll look into this.

You have the single label DNS problem which prevents some forms
of dynamic registration.
 
Back
Top