Cannot add workstation to domain when negotiating ISL on Cisco routers.

[Scott]

I am having a problem joining workstations to a new child
domain when the traffic has to negotiate a Cisco router
with ISL trunking configured.

I have successfully joined a workstation to the domain by
plugging it directly into the switch where the DC's are so
I assume this has to be down to ISL.

Does anybody know if there is anything that can be done on
the Windows 2000 side to sort this out? (I have joined a
windows 2000 workstation to the old NT 4.0 doimain over
the current network without any issues, so I assume this
is down to the differences between NT 4.0 and Win2k)

 

[Robert Greene [MSFT]]

First, make sure that any End station ports are configured for Port Fast
and NOT SPANNING TREE on the switches.


If this is correct, on the workstation at a command prompt type the
following:

ping <Remote DC Name> -f -l 1492

it does not ping the more then likely your router is fragmenting packets.
Kerberos Packets by default use UDP. You can keep lowering the -l
parameter until you find where the pings start succeeding then use the
following article to configure Kerberos Over TCP to be used after packets
get so big:


244474 How to force Kerberos to use TCP instead of UDP
http://support.microsoft.com/?id=244474


Also Verify that the following Ports are allowed through the Router:

179442 How to Configure a Firewall for Domains and Trusts
http://support.microsoft.com/?id=179442



Best regards:

(e-mail address removed)

This posting is provided "AS IS"
with no warranties, and confers no rights