netlogon to domain for clients at branch office w/o DC

Guest

We have a Windows 2000-based domain. We are trying to deploy a small branch
office that will not have a DC on site. There is a T1 VPN connection between
the main office and the branch. I have added the subnet of the branch to AD
and associated it with the Main office site.
We have configured the clients (2000 and XP Pro) to be part of the domain and
would like to have users authenticate back to the DC in the main office.
The only way I have found to successfully make that happen was to add DNS
to DependOnService under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon
This has made the user logon process work well, but now the Netlogon service
will not start, which prevents those clients from connecting to peer machines
at the branch office.
Has anyone found a solution to this?
Thanks.
Ric

Doug Sherman [MVP]

DNS is the service name for the DNS server service. Obviously, this will
prevent the netlogon service from starting unless the machine is a DNS
server. If you want Netlogon to depend on the DNS client service, the
service name is Dnscache.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
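The service-name point above, as an added example that is not part of the thread: a PowerShell script that reads Netlogon's DependOnService value, checks that every name it lists is actually an installed service, and offers to swap a 'DNS' (DNS Server service) entry for 'Dnscache' (DNS Client service). It assumes a current Windows client with PowerShell, run elevated (the thread's Windows 2000/XP machines predate PowerShell, but the registry path and the two service names are the ones from the thread).

```powershell
# Added example (not from the thread). Audit Netlogon's DependOnService list on a
# branch-office client and confirm every entry is an installed service.
# 'DNS'      = DNS Server service (only present on a DNS server)
# 'Dnscache' = DNS Client service (present on every workstation)
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'

function Get-NetlogonDependencies {
    # DependOnService is REG_MULTI_SZ, so it comes back as a string array.
    $props = Get-ItemProperty -Path $netlogonKey -Name DependOnService -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    return @($props.DependOnService)
}

function Test-NetlogonDependencies {
    foreach ($name in Get-NetlogonDependencies) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # The SCM refuses to start a service whose dependency does not exist.
            Write-Warning "Netlogon depends on '$name', but no such service is installed; Netlogon cannot start."
        } else {
            Write-Host ("{0,-16} {1,-40} {2}" -f $name, $svc.DisplayName, $svc.Status)
        }
    }
}

function Repair-NetlogonDependencies {
    # Replaces a 'DNS' entry with 'Dnscache' when this machine is not a DNS server.
    # Supports -WhatIf so the change can be previewed before the registry is touched.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $deps = Get-NetlogonDependencies
    if ($deps -contains 'DNS' -and -not (Get-Service -Name 'DNS' -ErrorAction SilentlyContinue)) {
        $fixed = @($deps | ForEach-Object { if ($_ -eq 'DNS') { 'Dnscache' } else { $_ } } | Select-Object -Unique)
        if ($PSCmdlet.ShouldProcess($netlogonKey, "Set DependOnService to: $($fixed -join ', ')")) {
            Set-ItemProperty -Path $netlogonKey -Name DependOnService -Value ([string[]]$fixed) -Type MultiString
        }
    } else {
        Write-Host "No bogus 'DNS' dependency found; nothing to change."
    }
}

Test-NetlogonDependencies
Repair-NetlogonDependencies -WhatIf    # drop -WhatIf to apply, then restart Netlogon
# Cross-check what the Service Control Manager actually sees (DEPENDENCIES line):
sc.exe qc Netlogon
```

Run it once with -WhatIf to see the proposed value, then without it; a reboot or `Restart-Service Netlogon` is needed before the SCM re-reads the dependency list. Keep in mind that the thread itself shows the Dnscache dependency did not cure the slow logons, so treat this as a way to undo the broken 'DNS' entry rather than as the fix for the branch-office problem.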

Guest

Thanks, Doug. I tried this on two clients. The first, an XP machine, worked
fine on the first login. Netlogon started and communication to domain
resources seemed to work fine. The next login on the same machine took over
30 minutes.
I then tried on a 2000 workstation and the login took over 30 minutes, at
which point I pulled the network connection so the "loading personal settings"
would proceed.
The Netlogon service does start, but connecting to the XP machine or domain
resources, including the DC, is not working.

Doug Sherman [MVP]

Yuck, sounds like we're going backwards. Most likely problems:

1. Remove any manually added dependencies for the netlogon service on a
branch office machine.

2. Routing - make sure the branch machine can ping the IP address of the
DC. Make sure the DC can ping the IP address of the branch machine.

3. Firewall - If there is a firewall between the VPN end point and the DC,
you may need to open additional ports - e.g. UDP 53, because the branch
machine needs to use the DC for primary DNS.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

Guest

I have done all that. Yes, there is a firewall, but there are no restrictions
on either end.
All machines can ping the DC/AD/DNS server and it can ping back. Name
resolution works. The client machines all have the DC as their primary DNS. I
did also try removing the manual dependency changes to Netlogon, and no luck.

Doug Sherman [MVP]

Hmmm. This configuration should be simple over a T1/VPN.

Make sure whatever VPN hardware/software you are using does not have
built-in filters or firewalls.

If you can actually log onto the domain with the XP machine (even if it
takes 30 min.), check the Site status. You can do this with the nltest
utility available in the Support Tools:

http://www.microsoft.com/downloads/...f3-b835-4847-b810-bb6539362473&DisplayLang=en

Run "nltest /dsgetsite". I'm thinking there may be a problem with the Site
configuration.

Also, on the XP machine, disable offline files and drive mappings, and check
Event Viewer for errors.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
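The checks Doug lists in his last two replies (can the client reach the DC, is UDP 53 to the DC open, which site does the client think it is in, what is Netlogon logging), gathered into one added PowerShell example that is not part of the thread. It assumes a domain-joined Windows 10/11 client, run as an administrator, using the DnsClient and NetTCPIP modules that ship with Windows and the in-box nltest.exe (on Windows 2000 nltest came from the Support Tools, as Doug says). The DC address is a placeholder parameter; substitute the main-office DC's IP.

```powershell
# Added example (not from the thread). Branch-office client-side checks for
# DC reachability, DNS via the DC, site membership and Netlogon errors.
param(
    [string]$DcAddress = '10.0.0.10',          # placeholder: main-office DC IP
    [string]$Domain    = $env:USERDNSDOMAIN    # DNS name of the AD domain
)

function Test-DcReachability {
    # ICMP plus the TCP ports a domain client needs toward its DC.
    param([Parameter(Mandatory)][string]$DcAddress)
    $r = [ordered]@{ ICMP = (Test-Connection -ComputerName $DcAddress -Count 2 -Quiet) }
    foreach ($port in 88, 135, 389, 445) {       # Kerberos, RPC mapper, LDAP, SMB
        $t = Test-NetConnection -ComputerName $DcAddress -Port $port -WarningAction SilentlyContinue
        $r["TCP/$port"] = $t.TcpTestSucceeded
    }
    return [pscustomobject]$r
}

function Test-DcDns {
    # The DC locator asks the client's primary DNS server for this SRV record.
    # Querying the DC directly exercises UDP 53 through the VPN and any firewall,
    # which a TCP port probe does not cover.
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$DcAddress)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority
}

function Get-ClientSiteStatus {
    # /dsgetsite prints the site the client resolved its subnet to (the thread's
    # branch subnet was assigned to the main office site, so that is what should
    # appear); /dsgetdc shows which DC the locator picked and its flags.
    param([Parameter(Mandatory)][string]$Domain)
    [pscustomobject]@{
        LogonServer = $env:LOGONSERVER
        Site        = ((nltest /dsgetsite 2>&1) -join ' ').Trim()
        DcLocator   = ((nltest "/dsgetdc:$Domain" 2>&1) -join "`n").Trim()
    }
}

function Get-RecentNetlogonErrors {
    # Errors and warnings from the NETLOGON provider in the System log.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2, 3 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-DcReachability -DcAddress $DcAddress            | Format-List
Test-DcDns -Domain $Domain -DcAddress $DcAddress     | Format-Table -AutoSize
Get-ClientSiteStatus -Domain $Domain                 | Format-List
Get-RecentNetlogonErrors                             | Format-Table -Wrap
```

If the SRV query to the DC returns nothing while the same query against the local resolver works, UDP 53 is being dropped somewhere on the VPN path, which matches Doug's firewall point. If nltest reports a site other than the one the branch subnet was assigned to, or no site at all, the subnet-to-site mapping is where to look next.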