NAT probably blocking netlogon traffic

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I am in the process of migrating from winows 2000 to 2003. I am setting up a
testlab to test this upgrade prior to do it live.
I configured 5 domains, with a few member servers. There qre 3 subnets.
I also configured a standaolne windows 2000 server with RRAS and three NIC's

I configured NAT and i can ping and connect everthing on my LAN, and browse
the internet.
But tools like Replication monitor, and active directory domain a trust are
not working. The error i get in replication monitor is:
"The source domain controller (SERVERNAME) is not reachable by Active
Directory Replication Monitor. This may be the result of a network problem."

If i disable are delete NAT, those tools do work, but then i cannot connect
to the internet.
I came across the following article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;172227 and
http://www.microsoft.com/technet/pr...chnologies/activedirectory/plan/bpaddsgn.mspx.

How can i install RRAS so that i can browse the internet, and not have any
netlogon problem.
Thanx
 
The most common problem is DNS. AD depends on DNS for its operation, so
all AD machines need to use your local DNS. Set all machines to use the
local DNS server and configure this local server to forward to a public DNS
server. Disable the option in RRAS to act as a DNS proxy.

The second problem is DHCP. Do not use the DHCP-type allocator in NAT.
(ie do not give it a pool of addresses). Use DHCP on server to hand out the
config for machines which are not configured manually.
 
Thanx for replying Bill. I am not a TCP/IP goeroe.
Maybe your suggestion is the solution, but for now this won't work.
My Forest:
I have 3 domain, 1 root level and 2 childdomains.
3 subnets:

Amsterdam 10.128.0.0/16 GW 10.128.10.5
London 10.192.0.0/16 GW 10.192.10.1
NewYork 10.32.0.0/16 GW 10.32.10.1
(GW=gateway)
I have a standalone server wit 4 NIC's, one for each subnet and one for the
internet acces.
Internet is an ADSL connection: 10.0.0.0/8 GW 10.0.0.138
Every Domain controller is it's own DNS server. the childdomains have the
rootdomain as there forwarder. The rootdomain does not have any forwarder. I
though this was the DNS server from the ADSL connection.(10.0.0.138)
but i can not even ping it.
Is the problem maybe the subnetmask of the ADSL connection. I don't know.
I don't use the DHCP-type allocator in NAT

In my Live enviroment i have a ISA server as forwarder for the root level
domain, so i thougt in my testlab the forwarder would be the RRAS server.

I deleted all the interfaces from NAT except the internet interface.
I can not ping 10.0.0.138. So adding a Public DNS won't work.
Adding for example Amsterdam to NAT resolved the routing problem for
amsterdam, but then i have problems with the tools i mentioned earlier.

Configuring RRAS, do i have to select the option "Internet Connection
Server" are "Network Router".
I selected the first option. I think that's the correct one.

Thanx
 
Tools like that won't work across NAT. You should not need NAT to get
from one site to the other. They are all on private addresses.

In the real world, the DNS server in each domain would be set up to
forward to a public DNS server. There is no reason why you can't do that in
your setup. Trying to use the RRAS server as a DNS proxy would not be a good
idea.

You really need to get the routing working, then look at the name
resolution. You will need IP routing enabled on the RRAS server. You do not
need it to do NAT because the public NIC is still a private IP address.
Obviously the DSL device at 10.0.0.138 is doing NAT for you. Basically all
you need the RRAS machine to do is IP routing.

If the three sites are in their own subnet and use the RRAS server as
their default gateway, they should be able to route OK from site to site.
From a machine in one site, check that you can ping a machine in another
site by its IP address. Then check if you can ping the gateway at 10.0.0.138
.. If you can, try pinging a public address by its IP address.

With the addressing scheme you are using, everything should work with
only IP routing enabled on the RRAS server. All traffic from any site will
come to the RRAS server. Traffic destined to another local site will be
routed by the RRAS server (which has an interface in each site). Remaining
traffic will go to the RRAS server's default gateway which is the DSL
router. Everything from there on should be using the DSL router's public
IP.

Return traffic coming in from the Internet will be translated back to
its private IP address by NAT. Since the "public" IP of the RRRAS router is
in the 10.0.0.0/8 subnet, it should receive this traffic and route it on the
the correct internal subnet.

For DNS, I would set the DNS server in each domain to forward to a
public DNS service. Each will resolve all local names itself but forward
"foreign" requests to a public DNS service.

How do you cope with DNS requests for a machine which is in your forest
but in a different domain?
 
Back
Top