Active Directory Server on different network

Netmasker

I would like my Windows 2000 Active Directory Server to be on a different
network from the workstations' network, provided that the workstations'
default gateway can communicate (via routing) with the AD Server.

e.g:
AD Server IP: 192.168.1.10
Workstations IPs: 192.168.2.0 network (with this DNS Server: 192.168.1.10)

The first problem that I noticed when I tried this configuration concerns
the Group Policy:
- I assigned the new workstations' IPs (with a DHCP server)
- I noticed that the last Group Policy settings that I had made were applied
successfully, but when
- I made changes to the Group Policy I noticed that they were not applied to
the workstations!!

Is this configuration right, and what problems can it cause?

Thanks in advance.
Steven L Umbach

It does not matter if the DC is on a different subnet as long as the networking
configuration is correct. I would run netdiag and dcdiag on the domain controller
first and then netdiag on one of the domain members, looking for any failed tests.
Also check ipconfig /all on one of the domain members to see that the IP, DNS
server, and gateway are correct. --- Steve

Craig Mercer (MCT)

OK, a couple of issues to address here.

1. Check the speed of the links between clients and the DC. If the link
speed is slow, (DC runs an algorithm to check speed) then
only a subset of GP settings will apply over the slow link.

2. Are the clients able to communicate with the DC that the GPs were created
on over the routed network? (Or are they logging on to another DC?)
You may have to wait until the DC's have replicated before the GP's are
available.

3. OS running on the client machines. Some W2k GP settings don't work
correctly on legacy/non-MS OSs.

4. Did you refresh the GPs on the clients after making changes? If not,
you may have to reboot the client machines, or have users log off/log on,
(depending on whether they are user or machine GPs) before they will apply.
You can look these up on the M/S site (sorry, I haven't got the KB article
numbers for you). Also look up the 2154 courseware (assuming you have done
the course); there is some valuable info in there.

Hope that helps.

Craig Mercer (MCT)
Ace Fekay [MVP]

Netmasker said:
I would like my Windows 2000 Active Directory Server to be on a
different network from the workstations' network provided that the
workstations default gateway can communicate (via routing) with the
AD Server

e.g:
AD Server IP: 192.168.1.10
Workstations IPs: 192.168.2.0 network (with this DNS Server:
192.168.1.10)

The first problem that I noticed when I tried this configuration
concerns the Group Policy:
- I assigned the new workstations' IPs (with a DHCP server)
- I noticed that the last Group Policy settings that I had made were
applied successfully, but when
- I made changes to the Group Policy I noticed that they were not
applied to the workstations!!

Is this configuration right and what problems it can cause??

Thanks in advance.

I have one question here, what OS is performing the NAT?

If it's W2k or W2k3, with 3 interfaces, one external and two internal with
private subnets, then there is an issue with these internal interfaces
routing to each other in regards to LDAP communication being blocked. GPO
won't apply, can't access domain, etc.

If this is true (W2k being the NAT machine), there's an article showing how
to fix it on a W2k server (applies to W2k3 too) and I will be glad to post
back with it. If not W2k, then I would consult the documentation on the
router/NAT you are using in regards to default MTU alterations and/or
removing H.323 support.

If this doesn't apply, can you ping the server from the workstation's
subnet?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
Kurt L

Probably you are getting cached logons on the workstations. Old policy is
still there, but new policy can't be distributed. Check your settings, make
sure the DC has a route back to the other subnet (ping both ways). NetBIOS
will not broadcast across the router, so DNS must be properly configured, and
access to the DNS server must be available from both subnets. For any
downlevel clients you will have to have WINS or LMHOSTS.

....kurt
Netmasker

The OS that performs the NAT is another Windows 2000 Server with two
interface cards (one for each private subnet) with ISA Server installed on
it. That is because I want my workstations to use this ISA firewall and
proxy to access the internet.
The problem is that the Domain Controller must belong to the other subnet!

From the workstations I can successfully ping the DC Server and the ISA
Server of course, but from the DC Server I cannot ping the workstations
because they belong to the other subnet.

Does it mean that the DC cannot send the Group Policy settings and other
information to the WSs?
How can I make a route back from the DC to the other subnet?

This is my network configuration:
--------------------------------------------
Win2k Active Directory and DNS Server:
IP address: 192.168.1.10
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1 (my router)
DNS Server: 192.168.1.10 (with external DNS Servers forwarders)

Win2k ISA Server and DHCP Server serving the Workstations (two interfaces):
IP address 1: 192.168.1.11 (as the external interface)
IP address 2: 192.168.2.11 (the 192.168.2.0 subnet belongs to the ISA Server LAT)
Subnet mask for both interfaces: 255.255.255.0
Default gateway: 192.168.1.1
DNS Server: 192.168.1.10

Win2k Workstations (they take IPs from the DHCP Server):
IPs: 192.168.2.0 network
Subnet mask: 255.255.255.0
Default gateway: 192.168.2.11 (the ISA Server internal interface)
DNS Server: 192.168.1.10

What if I run the DNS Service on my ISA and DHCP Server?
Ace Fekay [MVP]

Netmasker said:
The OS that performs the NAT is an other Windows 2000 Server with two
interface cards (one for each private subnet) with ISA Server
installed on it. That is, because I want my workstations to use this
ISA firewall and proxy to access the internet.
The problem is that the Domain Controler must belong to the other
subnet!

From the workstations I can successfully ping the DC Server and the
ISA Server of course but
from the DC Server I can not ping the workstations because they
belong to the other subnet.

Does it mean that the DC can not send the Group Policy settings and
other information to the WS's?
How can I make a route back from the DC to the other subnet ??

That's my network configuration:
--------------------------------------------
Win2k Active Directory and DNS Server:
IP address: 192.168.1.10
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1 (my router)
DNS Server: 192.168.1.10 (with external DNS Servers forwarders)

Win2k ISA Server and DHCP Server serving the Workstations (two
interfaces): IP address 1: 192.168.1.11 (as the external interface)
IP address 2: 192.168.2.11 (the 192.168.2.0 subnet belongs to the ISA
Server LAT)
Subnet mask for both interfaces: 255.255.255.0
Default gateway: 192.168.1.1
DNS Server: 192.168.1.10

Win2k Workstations (they take IPs from the DHCP Server):
IPs: 192.168.2.0 network
Subnet mask: 255.255.255.0
Default gateway: 192.168.2.11 (the ISA Server internal interface)
DNS Server: 192.168.1.10

What if I run the DNS Service on my ISA and DHCP Server ???

I see. So the NAT is a Windows/ISA machine with only two interfaces.
Obviously, the pings are being blocked by ISA, which is default. If it is
also performing NAT, that will thwart domain communication because NAT does
not support LDAP, Kerberos or RPC, which are essential for domain
communication (which includes GPOs, logons, replication and anything else
domain communication based).

Suggest not to NAT and use routing between the two subnets. If you want to
be able to ping, this article should help you out:

274568 - How to Enable Internet Control Message Protocol Proxy PING
Requests:
http://support.microsoft.com/?id=274568


--
Regards,
Ace
Kurt L

You didn't mention the NAT part. Why are you NATing between two private
subnets? I understand NAT for the Internet connections, but not for internal
routing. Why not just route without NAT internally and NAT only on the
outbound interface to the internet? The NAT between your DC and your clients
is the problem. You cannot route backward through a NAT. If you route your
internal subnets without the NAT you'll have no problem.
Netmasker

In fact I do not use NAT, sorry for the misunderstanding. I am using
routing between the two interfaces of the ISA Server.
The problem is the communication between the DC Server and the
Workstations.
Workstations can successfully "see" the DC Server but not vice versa.

So I need to create on the DC a route to the subnet of the
Workstations.
How can I do this? Must I use the "route add" command?

Thanks again.
Kurt L

Yes, you will need a route back to the other subnet, but if no route exists,
you shouldn't be able to get a reply when pinging from client to server.
Still, you can add a route. I've forgotten the subnets, but if the
workstations are on 192.168.1.0 and the DC is on 192.168.2.0, then let's say
the router between the subnets has 192.168.2.1 on the DC side. You would add
the route:

route add 192.168.1.0 mask 255.255.255.0 192.168.2.1

This should instruct the DC to send packets destined for that network to the
correct router. The default route (0.0.0.0) should still point to the
internet gateway router. If this is going to be a permanent setup, you
should configure this as a startup script so the route is automatically
added when the server is rebooted.

....kurt
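As an added illustration (not code from this thread) of the asymmetric-route problem Netmasker described in his configuration post and of the fix Kurt gives above, this Python model applies longest-prefix-match lookup to the addresses posted earlier; it assumes the Internet router 192.168.1.1 has no route back to 192.168.2.0/24, and the return route it adds (192.168.2.0/24 via 192.168.1.11) is Kurt's `route add` applied to those addresses rather than his swapped placeholder subnets.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of the poster's network (assumption, not from the thread's code):
# DC 192.168.1.10, ISA/DHCP box 192.168.1.11 + 192.168.2.11, Internet router
# 192.168.1.1, and a sample workstation 192.168.2.50 with gateway 192.168.2.11.
Route = Tuple[str, Optional[str]]  # (prefix, gateway) with None meaning on-link

class Host:
    def __init__(self, name: str, addrs: List[str], routes: List[Route]):
        self.name, self.addrs = name, addrs
        self.routes = [(ipaddress.ip_network(p), gw) for p, gw in routes]

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest-prefix match, as the Windows route table does; None = on-link."""
        ip = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if ip in r[0]), key=lambda r: r[0].prefixlen)
        return best[1]

def path(hosts: List[Host], src: str, dst: str) -> List[str]:
    """Forward a packet hop by hop and return the hosts it crosses, ending with
    'delivered' or the gateway at which it left the modelled network."""
    by_addr = {a: h for h in hosts for a in h.addrs}
    hop, trail = by_addr[src], []
    for _ in range(8):                       # bound against routing loops
        trail.append(hop.name)
        gw = hop.next_hop(dst)
        if gw is None:                       # destination subnet is attached here
            return trail + ["delivered"]
        if gw not in by_addr:                # e.g. handed to the ISP and dropped
            return trail + [f"lost via {gw}"]
        hop = by_addr[gw]
    return trail + ["loop"]

def build(dc_has_return_route: bool) -> List[Host]:
    """DC table with or without: route add 192.168.2.0 mask 255.255.255.0 192.168.1.11"""
    dc_routes: List[Route] = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]
    if dc_has_return_route:
        dc_routes.append(("192.168.2.0/24", "192.168.1.11"))
    return [
        Host("ws", ["192.168.2.50"], [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.11")]),
        Host("isa", ["192.168.1.11", "192.168.2.11"],
             [("192.168.1.0/24", None), ("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
        Host("router", ["192.168.1.1"], [("192.168.1.0/24", None), ("0.0.0.0/0", "isp")]),
        Host("dc", ["192.168.1.10"], dc_routes),
    ]

if __name__ == "__main__":
    for fixed in (False, True):
        print("return route on DC:", fixed)
        print("  ws -> dc:", path(build(fixed), "192.168.2.50", "192.168.1.10"))
        print("  dc -> ws:", path(build(fixed), "192.168.1.10", "192.168.2.50"))
```

Without the static route the DC's reply to a workstation follows its default route to the Internet router and never reaches 192.168.2.0/24, which is exactly the one-way reachability Netmasker reported; a persistent route on the DC (or the same entry on the Internet router) removes the asymmetry.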
Ace Fekay [MVP]

Netmasker said:
In fact I do not use NAT, sorry for the misunderstanding. I am using
routing between the two interfaces of the ISA Server.
The problem is the communication between the DC Server and the
Workstations.
Workstations can successfully "see" the DC Server but not vise versa.

So I need to create on the DC a route to the subnet of the
Workstations.
How can I do this? Must I use the "route add" command ??

Thanks again.

This then seems to point closer to that H.323 issue I previously mentioned.

Try this to turn it off:
netsh routing ip nat delete h323

Since this is an ISA server running on Windows, I would suggest trying that
netsh command with those switches to turn off H.323. This seems to stop LDAP
when enabled (which it is by default, whether it's Windows or ISA installed
on Windows).

Quote:
The root cause of these error messages is that the LDAP proxy that is
incorporated into NAT has a hard-coded limit of 64 KB on the LDAP protocol
data unit (PDU) size. When domain-related LDAP traffic (which is often 300
KB or more in size) exceeds this limit, the H.323/LDAP proxy resets the
connection.
/Quote

Look at it this way, if it doesn't work, re-enable it.

This turns it back on:
netsh routing ip nat add h323

Read more about it here:
261203 - Error Messages When Windows 2000 Client in Windows 2000 Domain
Attempts to Open Active Directory Snap-in [NAT, H.323, PDU size, Netsh and
LDAP issues with multi NAT'ed NICs]:
http://support.microsoft.com/?id=261203

:)


--
Regards,
Ace