no ping through two-nic dc

Guest

I've a two-NIC Win2k3 domain controller with RRAS configured as LAN router.
I've followed every KB article on two-NIC DCs. I seem to have no errors in
the EventViewer. Dcdiag and Netdiag seem to pass with flying colors.

I'm unable to ping IP addresses in front of or behind the DC.

[NAT/Firewall]
IP: 192.168.1.1
|
|
IP: 192.168.1.2
DG: 192.168.1.1
[Win2k3 DC with Lan-router RRAS]
IP: 10.1.0.1
DG: blank
|
|
IP: 10.1.0.z
DG: 10.1.0.1
[client]

From the client, I can't ping the IP address of the NAT/Firewall.
From the NAT/Firewall, I can't ping the IP address of the client.

What am I missing?

Thank you.
 
Robert L [MS-MVP]

I believe the problem is the DC DG should be 10.10.x instead of 192.168.1.1.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

 
Guest

Bob,

Thank you for your reply.
> I believe the problem is the DC DG should
> be 10.10.x instead of 192.168.1.1.

I'm not sure I understand.

1. The IP address of the inward-facing adapter is 10.1.0.1, SM 255.255.0.0.

2.

IP: 192.168.1.2
DG: w.x.y.z <--------- what should be here?
[Win2k3 DC with Lan-router RRAS]
IP: 10.1.0.1
DG: w.x.y.z <--------- what should be here?
 
Robert L [MS-MVP]

Posting the result of ipconfig /all on the DC may help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

 
Bill Grant

Bill,

You can't fix this by making changes at the Windows router or the
default gateways. The problem is at the firewall. The default route of the
firewall is out to the Internet. There is no reason why it should send
traffic for 10.1 anywhere else! The only internal subnet it knows about is
192.168.1.0.

It will work if you add a static route to the firewall to route traffic
for 10.1 to the Windows router, e.g.:

Firewall
192.168.1.1 (static route 10.1.0.0 255.255.0.0 192.168.1.2)
|
192.168.1.2 dg 192.168.1.1
RRAS
10.1.0.1/16 dg blank
|
workstations
10.1.0.x/16 dg 10.1.0.1

If you can't add a route to the firewall, the only solution is to do NAT
again on the Windows server, so that all 10.1 traffic uses the router's
192.168.1 address (which the firewall knows about).

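
The diagnosis in the reply above can be checked with a small routing model. This is an added example, not part of the thread: it runs longest-prefix lookups over the three route tables from the diagram, with 10.1.0.50 standing in for 10.1.0.z, and with the /24 mask on 192.168.1.0 and the "internet" upstream label as assumptions.

```python
import ipaddress

# Addresses from the thread; 10.1.0.50 (for 10.1.0.z), the /24 and "internet" are assumed.
ADDRS = {"firewall": ["192.168.1.1"], "rras": ["192.168.1.2", "10.1.0.1"],
         "client": ["10.1.0.50"]}

def tables(static_route):
    """Per-node routes as (network, next hop); None means directly connected."""
    fw = [("192.168.1.0/24", None), ("0.0.0.0/0", "internet")]
    if static_route:
        fw.append(("10.1.0.0/16", "192.168.1.2"))  # the route added on the firewall
    return {"firewall": fw,
            "rras": [("192.168.1.0/24", None), ("10.1.0.0/16", None),
                     ("0.0.0.0/0", "192.168.1.1")],
            "client": [("10.1.0.0/16", None), ("0.0.0.0/0", "10.1.0.1")]}

def owner(ip):
    return next((name for name, ips in ADDRS.items() if ip in ips), None)

def next_hop(table, dst):
    """Longest-prefix match; an on-link destination is its own next hop."""
    ip = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(n), hop) for n, hop in table]
    _, hop = max((m for m in nets if ip in m[0]), key=lambda m: m[0].prefixlen)
    return dst if hop is None else hop

def trace(node, dst, rt, max_hops=8):
    """Follow routing decisions hop by hop; returns (path, delivered)."""
    path = [node]
    for _ in range(max_hops):
        if dst in ADDRS[node]:
            return path, True
        hop = next_hop(rt[node], dst)
        node = owner(hop)
        path.append(node or hop)
        if node is None:          # packet left the modelled network
            return path, False
    return path, False

def ping(src_node, src_ip, dst_ip, static_route):
    """Echo request must arrive AND the reply must route back to src_ip."""
    rt = tables(static_route)
    out, ok = trace(src_node, dst_ip, rt)
    back, ok_back = trace(owner(dst_ip), src_ip, rt) if ok else ([], False)
    return ok and ok_back, out, back

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, ping("client", "10.1.0.50", "192.168.1.1", fixed))
```

Without the static route the echo request reaches the firewall, but the reply to 10.1.0.50 follows the firewall's default route and never comes back, which is why both ping directions failed.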
 
Guest

Bob, Bill,

Thank you for your replies.

Bill, splendid. The static route cured my ill. I've two more questions
about the two-NIC DC.

1.
[NAT/Firewall]
|
|
IP: 192.168.1.2
DG: 191.169.1.1
DNS: w.x.y.z <----- Should anything be here? And what?
[Win2k3 DC]
IP: 10.1.0.1
DG: blank
DNS: 10.1.0.1

2. I don't have WINS installed. On the external NIC's Advanced TCP/IP
Settings WINS tab, does disabling NetBIOS have any positive effect?
 
Bill Grant

1. If it is a DC, the only DNS it should use is itself. To get it to
resolve external URLs, set DNS to forward to a public DNS server (such as
your ISP). The client machines should also point to 10.1.0.1 only for DNS.
That is where they will find the AD services.

2. Disabling NetBIOS over TCP/IP on the "public" NIC is a good idea.
Apart from anything else, it prevents the NetBIOS name being associated with
two IP addresses (which can cause problems with name resolution and
browsing).
 
