DNS and Domain problem


Natasha

Hello, I'm having a little problem with a test domain I've
just built, but the problem could simply be with firewall
access that wasn't set up correctly. Here is what I can
and cannot do.

I have a domain with three W2000 servers. Had no problems
setting up the first DC. Set up DNS fine, only one server
hosting AD Integrated for secure updates and replication
and zone info stored within AD.
I added the other two servers to the domain without
problems and they added themselves into DNS. All these are
on the same subnet.

On another subnet I have a W2000, on a different VLAN
and separated by a firewall. IP routing and port UDP 53 are
open and available. I'm able to ping from this server to
all servers on the other subnet. I can even do nslookups
from this separate server and it returns the result of the
DNS server's IP and domain name. I specified this on the
NIC's DNS entry.
Though I can see and ping the DC and the other servers on the
other subnet, I can't add this server to the domain.

I get the error that this could be a DNS problem, or there
could be a problem with DNS lookup.

Have I missed something out on the firewall access...?

Please advise if you know.... I guess there could be a
misconfig on the firewall.

Thanks

Nat
 
Hi Nat,

You did everything perfectly. The issue is the firewall. There are about 30
ports that need to be allowed through. Read the articles below, which
describe what ports need to be opened. However, on another note, if you can
possibly create a Tunnel Mode VPN between the subnets, that would be your
better bet, since opening all these ports for AD communication can lead to
security issues.

Active Directory Replication over Firewalls - Microsoft Service Providers:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

Download details Active Directory in Networks Segmented by Firewalls:
http://www.microsoft.com/downloads/...familyid=c2ef3846-43f0-4caf-9767-a9166368434e

Q289241 - A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q289241&

Restricting Active Directory Replication Traffic to a Specific Port
(Q224196):
http://support.microsoft.com/?id=224196


My take on it is to use a VPN so as to allow all traffic between the VPN
endpoints (each router between the VPNs). Much more secure.

I hope this helps.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Thanks Ace,

That makes a lot of sense. I will go for the VPN... does
that require a lot of work, costs..?
 
Depends on whether your routers can handle it or the IOS version installed (such
as a Cisco router). Most routers do. If not, maybe invest in something along
the lines of Netscreen units (which I think are better than SonicWall). These
units offer NAT capabilities along with VPN capabilities. So it depends on
your scenario, such as using NAT, how many public IPs you were given, etc.

--
Regards,
Ace

 
Ace,
Would you know which ports would allow me to join the
domain and map network drives from one subnet to the
other...?

I will consider VPN, but if there's only one/two ports then
maybe we can open them.

UDP port 137 NetBIOS name service and 138 NetBIOS datagram
spring to mind.

Please help
 
You have to keep in mind, there's authentication and domain communication
traffic before the drive is allowed to be mapped (Kerberos, RPC, LDAP,
which constitutes a handful of ports; see the articles), besides the
NetBIOS ports. Also there are the SMB ports, since W2K and newer use SMB direct
host connections (445). Kerberos needs a few as well. RPC is 135. LDAP is
389, but you also need its secure port (can't remember which) opened as well.
Then you need the GC, 3268, etc..... Sorry, it is not as clear cut as one
would like.

Sorry, you'll have to experiment opening up different ports until you get to
your end goal.

--
Regards,
Ace

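As an added example (not code from the thread), the following Python script turns the port list Ace gives above into a gap check: it takes the firewall's allow-list for traffic from Nat's isolated subnet toward the DC and reports which services needed for domain join and drive mapping are still blocked. The rule set in the script is constructed to match Nat's description (only UDP 53 open); the Kerberos (88) and LDAP-over-SSL (636) values are the standard ones the thread leaves unnamed, and the `tcp_reachable` helper is an assumed live-probe addition, not something the thread describes.

```python
# Gap check between a firewall allow-list and the AD ports named in the thread.
import socket
from typing import List, NamedTuple, Set, Tuple


class Service(NamedTuple):
    name: str
    proto: str  # "tcp" or "udp"
    port: int


# Services Ace lists for join / drive mapping, plus two standard values
# (assumption: Kerberos 88 and LDAPS 636) that the thread does not spell out.
# Note: RPC also uses a dynamic port above the 135 endpoint mapper unless it is
# pinned as described in the Q224196 article linked in the thread.
REQUIRED: List[Service] = [
    Service("DNS (SRV record lookups)", "udp", 53),
    Service("DNS over TCP (large answers)", "tcp", 53),
    Service("Kerberos", "tcp", 88),              # assumed standard port
    Service("Kerberos", "udp", 88),              # assumed standard port
    Service("RPC endpoint mapper", "tcp", 135),
    Service("NetBIOS name service", "udp", 137),
    Service("NetBIOS datagram", "udp", 138),
    Service("LDAP", "tcp", 389),
    Service("SMB direct host", "tcp", 445),
    Service("LDAP over SSL", "tcp", 636),        # assumed: the "secure port"
    Service("Global Catalog", "tcp", 3268),
]


def blocked_services(allowed: Set[Tuple[str, int]]) -> List[Service]:
    """Return every required service that the allow-list does not cover."""
    return [s for s in REQUIRED if (s.proto, s.port) not in allowed]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live TCP connect test from the isolated subnet (assumed helper).
    UDP services are better verified by a real query, e.g. nslookup."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed rule set matching Nat's firewall: only UDP 53 is allowed.
    nat_rules = {("udp", 53)}
    for svc in blocked_services(nat_rules):
        print(f"blocked: {svc.proto}/{svc.port:<5} {svc.name}")
```

Pass the real rule set (for example, after adding TCP 445) to see what a "just open one or two ports" approach still leaves blocked.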
 