PC Review



DNS and Domain problem

 
 
Natasha
 
      3rd Apr 2004


Hello, I'm having a little problem with a test domain I've
just built, but the problem could simply be with firewall
access that wasn't set up correctly, but here is what I can
and cannot do.

I have a domain with three W2000 servers. Had no problems
setting up the first DC. Set up DNS fine, only one server
hosting AD Integrated for secure updates and replication
and zone info stored within AD.
I added the other two servers to the domain without
problems and they added themselves into DNS. All these are
on the same subnet.

On another subnet I have a W2000, on a different VLAN
and separated by a firewall. IP routing and UDP port 53 are
open and available. I'm able to ping from this server to
all servers on the other subnet. I can even do nslookups
from this separate server and it returns the result of the
DNS server's IP and domain name. I specified this on the
NIC's DNS entry.
Though I can see and ping the DC and the other servers on the
other subnet, I can't add this server to the domain.

I get the error that this could be a DNS problem, or there
could be a problem with DNS lookup.

Have I missed something out on the firewall access...?

Please advise if you know....I guess there could be a
misconfiguration on the firewall

thanks

Nat
 
Ace Fekay [MVP]
 
      3rd Apr 2004
In news:14fc601c419a2$992ff5b0$(E-Mail Removed),
Natasha <(E-Mail Removed)> posted their thoughts, then I
offered mine
> Hello, I'm having a little problem with a test domain I've
> just built, but the problem could simply be with firewall
> access that wasn't set up correctly, but here is what I can
> and cannot do.
>
> I have a domain with three W2000 servers. Had no problems
> setting up the first DC. Set up DNS fine, only one server
> hosting AD Integrated for secure updates and replication
> and zone info stored within AD.
> I added the other two servers to the domain without
> problems and they added themselves into DNS. All these are
> on the same subnet.
>
> On another subnet I have a W2000, on a different VLAN
> and separated by a firewall. IP routing and UDP port 53 are
> open and available. I'm able to ping from this server to
> all servers on the other subnet. I can even do nslookups
> from this separate server and it returns the result of the
> DNS server's IP and domain name. I specified this on the
> NIC's DNS entry.
> Though I can see and ping the DC and the other servers on the
> other subnet, I can't add this server to the domain.
>
> I get the error that this could be a DNS problem, or there
> could be a problem with DNS lookup.
>
> Have I missed something out on the firewall access...?
>
> Please advise if you know....I guess there could be a
> misconfiguration on the firewall
>
> thanks
>
> Nat


Hi Nat,

You did everything perfectly. The issue is the firewall. There are about 30
ports that need to be allowed through. Read the articles below; they
describe which ports need to be opened. However, on another note, if you can
possibly create a tunnel-mode VPN between the subnets, that would be your
better bet, since opening all these ports for AD communication can lead to
security issues.

Active Directory Replication over Firewalls - Microsoft Service Providers:
http://www.microsoft.com/serviceprov...sec_P63623.asp

Download details Active Directory in Networks Segmented by Firewalls:
http://www.microsoft.com/downloads/d...7-a9166368434e

Q289241 - A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/default...EN-US;Q289241&

Restricting Active Directory Replication Traffic to a Specific Port
(Q224196):
http://support.microsoft.com/?id=224196


My take on it is to use a VPN so as to allow all traffic between the VPN
endpoints (each router between the VPNs). Much more secure.

I hope this helps.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--


Nat
 
      3rd Apr 2004


Thanks Ace,

That makes a lot of sense. I will go for the VPN. Does
that require a lot of work, costs?


Ace Fekay [MVP]
 
      3rd Apr 2004
In news:1819801c419ab$6b8aff70$(E-Mail Removed),
Nat <(E-Mail Removed)> posted their thoughts, then I
offered mine
> Thanks Ace,
>
> That makes a lot of sense. I will go for the VPN. Does
> that require a lot of work, costs?


Depends on whether your routers can handle it, or on the IOS version installed
(on a Cisco router, for example). Most routers do. If not, maybe invest in
something along the lines of Netscreen units (which I think are better than
SonicWall). These units offer NAT capabilities along with VPN capabilities. So
it depends on your scenario, such as using NAT, how many public IPs you were
given, etc.

--
Regards,
Ace


Nat again
 
      3rd Apr 2004


Ace,
Would you know which ports would allow me to join the
domain and map network drives from one subnet to the
other?


I will consider VPN but if there's only one/two ports then
maybe we can open them.

UDP port 137 NetBIOS name service and 138 NetBIOS datagram
spring to mind

Please help
 
Ace Fekay [MVP]
 
      3rd Apr 2004
In news:181d401c419b3$844fd000$(E-Mail Removed),
Nat again <(E-Mail Removed)> posted their thoughts, then
I offered mine
> Ace,
> Would you know which ports would allow me to join the
> domain and map network drives from one subnet to the
> other?
>
>
> I will consider VPN but if there's only one/two ports then
> maybe we can open them.
>
> UDP port 137 NetBIOS name service and 138 NetBIOS datagram
> spring to mind
>
> Please help



You have to keep in mind there's authentication and domain communication
traffic before the drive is allowed to be mapped (Kerberos, RPC, LDAP,
which constitute a handful of ports; see the articles), besides the
NetBIOS ports. There are also SMB ports, since W2K and newer use SMB direct
host connections (445). Kerberos needs a few as well. RPC is 135. LDAP is
389, but its secure port (can't remember which) needs to be opened as well.
Then you need the GC, 3268, etc. Sorry it is not as clear cut as one
would like.

Sorry, you'll have to experiment opening up different ports until you get to
your end goal.

--
Regards,
Ace
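
A pre-flight check for the situation in this thread (only UDP 53 open, so nslookup works but the domain join fails), added here as an example; it is not code from the thread, from Microsoft, or from any of the linked articles. It assumes the caller passes the DC's IP and the AD DNS domain name, and its port table is the standard Windows 2000 DC list (Q289241): Kerberos 88, RPC endpoint mapper 135, NetBIOS 137/138/139, LDAP 389 and LDAP over SSL 636, SMB 445, Kerberos password change 464, Global Catalog 3268. It completes a TCP handshake to each TCP port and sends a real SRV query for _ldap._tcp.dc._msdcs.<domain>, the record Netlogon uses to locate a DC, so it reports exactly which of the ports Ace lists the firewall still blocks instead of opening them one at a time. Two caveats a practitioner should keep in mind: 135 is only the endpoint mapper, and Netlogon/SAMR then move to dynamic high ports that the firewall must also pass (Q224196 covers pinning the replication port); and UDP ports other than 53 cannot be verified by a blind probe, so they are reported as unverified rather than open.

```python
"""Pre-flight check for joining a Windows domain across a firewall.

Added example (not from the thread). Assumptions: the caller supplies the
DC's IP and the AD DNS domain; the port table is the Windows 2000 DC set
from Q289241. TCP ports are probed with a connect(); UDP 53 is exercised
with a real SRV query, because domain join starts with the DC locator
looking up _ldap._tcp.dc._msdcs.<domain>. Other UDP ports cannot be
verified by a blind probe and are reported as unverified.
"""
import socket
import struct

# Ports a Windows 2000 member needs to locate a DC, join and authenticate.
REQUIRED_TCP = {
    53: "DNS (TCP fallback for large replies)",
    88: "Kerberos",
    135: "RPC endpoint mapper (Netlogon/SAMR then use dynamic high ports)",
    139: "NetBIOS session (SMB over NetBIOS)",
    389: "LDAP",
    445: "SMB direct host",
    464: "Kerberos password change",
    636: "LDAP over SSL",
    3268: "Global Catalog",
}
REQUIRED_UDP = {
    53: "DNS",
    88: "Kerberos",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    389: "CLDAP (DC locator ping)",
    464: "Kerberos password change",
}


def missing_ports(open_tcp, open_udp):
    """List (proto, port, service) entries that are not in the open sets."""
    missing = [("tcp", p, s) for p, s in REQUIRED_TCP.items() if p not in open_tcp]
    missing += [("udp", p, s) for p, s in REQUIRED_UDP.items() if p not in open_udp]
    return sorted(missing)


def build_srv_query(name, txid):
    """Encode a DNS query for an SRV record (type 33, class IN) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 33, 1)


def parse_dns_header(resp, txid):
    """Return (rcode, answer_count) from a reply to the query with id txid."""
    if len(resp) < 12:
        raise ValueError("short DNS reply")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # id must match and QR bit must be set
        raise ValueError("not a reply to our query")
    return flags & 0x000F, ancount


def dc_locator_lookup(dns_server, domain, timeout=2.0):
    """Ask dns_server for the DC locator SRV record; return (rcode, answer_count)."""
    txid = 0x4E41
    query = build_srv_query(f"_ldap._tcp.dc._msdcs.{domain}", txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (dns_server, 53))
        resp, _ = s.recvfrom(4096)
    return parse_dns_header(resp, txid)


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes (the firewall passes it)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(dc_ip, domain):
    """Probe the DC and report what the firewall is still blocking."""
    open_tcp = {p for p in REQUIRED_TCP if tcp_reachable(dc_ip, p)}
    try:
        rcode, answers = dc_locator_lookup(dc_ip, domain)
        srv_ok = rcode == 0 and answers > 0
    except (OSError, ValueError):
        srv_ok = False
    missing = missing_ports(open_tcp, {53} if srv_ok else set())
    return {
        "dc_locator_srv_ok": srv_ok,
        "blocked_tcp": [m for m in missing if m[0] == "tcp"],
        "blocked_udp53": not srv_ok,
        "unverified_udp": [m for m in missing if m[0] == "udp" and m[1] != 53],
    }


if __name__ == "__main__":
    import sys
    report = check_dc(sys.argv[1], sys.argv[2])  # e.g. 10.0.0.10 test.local (hypothetical)
    print("DC locator SRV lookup OK:", report["dc_locator_srv_ok"])
    for proto, port, service in report["blocked_tcp"]:
        print(f"BLOCKED {proto}/{port}: {service}")
```

Run it from the server on the far side of the firewall with the DC's IP and the AD domain name; a clean result is an SRV answer plus an empty blocked list. If `dc_locator_srv_ok` is false while plain `nslookup` of the DC's A record works, the zone is missing the `_msdcs` SRV records (dynamic registration failed) rather than the firewall being at fault.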