Difficulty joining domain across site to site VPN

  • Thread starter Thread starter Scott Johnson
  • Start date Start date
S

Scott Johnson

I'm not very knowledgeable about Active Directory, so I appeal to the
collective wisdom of this group.


I am trying (unsuccessfully) to join my company's (Win2k) domain across
a router-based site-to-site VPN. The home PC is running Windows XP Pro.
The home network is running on a separate IP subnet.

This is the error I get when attempting to join the domain:


"The domain name XYZ might be a NetBIOS domain name. If this is the
case, verify that the domain name is properly registered with WINS.
If you are certain that the name is not a NetBIOS domain name, then the
following information can help you troubleshoot your DNS configuration.
DNS was successfully queried for the service location (SRV) resource
record used to locate a domain controller for domain XYZ:
The query was for the SRV record for _ldap._tcp.dc._msdcs.XYZ
The following domain controllers were identified by the query:
xyz-test.xyz
xyz-2k.
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP
addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network
or are not running."


The remote workstation is able to resolve names using the domain DNS
server on the 192.168.4 network without problem. I can also access file
shares on the 192.168.4 network without problem.

Do I need to add some configuration to the domain controller to allow
separate networks?

The IP setup is as follows:

Company Network
IP : 192.168.4.0
subnet : 255.255.255.0

Remote Network:
IP : 10.4.1.0
subnet: 255.255.255.0

Thanks in advance,
Scott Johnson Difficulty joining domain across site to site VPN
 
If the VPN itself functions properly and you know that the routing works
properly then you need to follow this pattern. This is the same pattern even if
you don't have a VPN,...the VPN, more or less, is irrelevant really.

Every single machine uses the AD/DNS for the DNS and *none* other.
The AD/DNS includes the ISP's DNS in the Forwarders List within the Config of
the DNS service and the machine must be allowed by the firewall device to make
outbound DNS queires to the ISP's DNS. The firewall device should deny DNS
queries from any other device/machine so that it provides a way to "weed out"
any machines with "rogue" or incorrect DNS settings.

Anytime there are subnets involved,...and their is with VPN,...an WINS server
should be used. I usually run that on the DC along with the DNS. Every machine
on the system (*every*) needs to use the same WINS Server(s). You will likely
have Netbios resolution issues and Network Browsing (Network Places) issues
otherwise.

Generally speaking it is a bad idea to have hosts in one remote segment over a
WAN link with all the DCs in a different one. The proper way to do this is to
have a DC at each location and then create/use the AD Sites Object to maintain
the replication over the slow WAN link between the two DCs. Then if the WAN
links goes down less functionality is lost.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------
 
Back
Top