Re: NAT and AD

From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 09/01/04


Date: Wed, 1 Sep 2004 00:05:00 -0400

In news:CB882E69-E868-4466-8AD8-58946D8FFF81@microsoft.com,
Charlie M <CharlieM@discussions.microsoft.com> made a post then I commented
below
> Running 4 W2K SP 4, fully patched Servers. 2 are AD 2 are member
> servers. Clients are XP Pro SP1 &2.
>
> We ran out of public ip addresses so I added a NIC card & RRAS w/ NAT
> & separate DHCP to a Member Server, and put all new clients on a
> separate switch attached to the NAT NIC. I had no difficulty joining
> these NAT clients to the domain, installing AD published printers,
> and all applications worked.
>
> This configuration worked until last week when my users started to lose
> connections to the printers (on a AD server) and the server that has
> their redirected folders on it (Member Server). The connection is
> restored almost at once. No errors in the Event Log. The printer
> status changes to "Opening" and then "Ready". The Redirected Folders
> report "Working Off-line". This happens randomly to all NAT users at
> the same time. Internet access is not affected.
>
> On the servers DCDIAGS & NETDIAGS run without errors. On the XP PROs
> NATs Network Diagnostic return "Pass". NSLookup works.
>
> I then removed one of the NAT clients from the Domain and tried to
> re-join. The Wizard accepted a User ID, Password, and Domain and
> then asked for a computer Name and Domain. At that point it failed.
> I then created a Computer account in AD and used "Change" to join the
> domain.
>
> After restarting there is an "1006 Userenv" error in the Application
> log. When I try to add a printer, I can browse the printers in AD but
> when I double click I get an "Unable to Connect"
>
> If I do a Run \\printserver_name I see the printers and can connect
> and print to them.
>
> All my dcom and IIS apps work fine on the NAT clients. Clients on the
> public ip lan work fine.
>
> I have been working on it for three days without success. I saw that
> there is a W2K problem with MS04-011 - 835732 but that seems to be
> directed to Child Domains.
>
> Anyone have a direction I might take?

I would agree with Lanwench's suggestions. Multihoming a DC/DNS/RRAS server
is problematic. The issue is due to your DNS server and client
configuration. There are a number of steps to take care of this, including
registry entries to modify the LdapIpAddress (so it doesn't register the
inside and outside interface) and the GcIpAddress (so it doesn't register
the outside IP as a GC record, which is more than likely the main issue).
GPOs won't work because of the LdapIpAddress. If it's referencing both
internal and external interfaces, then round robin kicks in, and if it gets
the outside IP, then the client can't connect to the server.
On both interfaces you need to only use the internal DNS address.
In DNS properties, need to only listen to the internal address.
Outside NIC: disable F&P, MS Client and NetBIOS.
Move the internal interface to the top of the binding order.

Now if you like the reg entries to modify what I was talking about, I will
be glad to post back, but I really really suggest to heed Lanwench's
suggestion for a router (Linksys are about $39.00 after a rebate this
month). After all, it will be protecting your machine from the outside
anyway. If you need RAS, that's fine, just port remap the VPN ports
internally or even get a router that handles NAT and Secure VPNs, like a
Netgear, (about $130.00).

-- 
Regards,
Ace
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
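Ace's reply points at the two locator records a multihomed DC registers for both interfaces (the domain's own A record, the LdapIpAddress mnemonic, and gc._msdcs.<domain>, the GcIpAddress mnemonic) and at round robin handing clients the outside address. The following script is an added example, not part of the thread and not Ace's registry steps; it audits a domain for that condition from any domain-joined Windows host. It assumes Windows PowerShell 5.1 or later with the DnsClient module (Resolve-DnsName) and the Netlogon REG_MULTI_SZ value DnsAvoidRegisterRecords, which is the documented way to suppress registration of those mnemonics. The internal subnet prefix is a constructed placeholder.

```powershell
# Added example: audit DC locator records for an outside-interface address.
# Not from the newsgroup thread. Assumes Resolve-DnsName is available and the
# machine is domain-joined. $InternalPrefix is a constructed sample value.

$Domain         = $env:USERDNSDOMAIN     # e.g. corp.example.com (placeholder)
$InternalPrefix = '192.168.1.'           # constructed sample; set to your LAN subnet

function Test-DcLocatorRecords {
    param([string]$Domain, [string]$InternalPrefix)

    # The Netlogon mnemonics Ace names map to these DNS names:
    #   LdapIpAddress -> A record for the domain name itself
    #   GcIpAddress   -> A record for gc._msdcs.<domain>
    $targets = @(
        @{ Mnemonic = 'LdapIpAddress'; Name = $Domain },
        @{ Mnemonic = 'GcIpAddress';   Name = "gc._msdcs.$Domain" }
    )

    foreach ($t in $targets) {
        $records = Resolve-DnsName -Name $t.Name -Type A -ErrorAction SilentlyContinue
        foreach ($r in $records) {
            if ($r.Type -ne 'A') { continue }     # skip CNAME/SOA noise in the answer
            [pscustomobject]@{
                Mnemonic  = $t.Mnemonic
                Name      = $t.Name
                IPAddress = $r.IPAddress
                # True when the registered address is not on the internal subnet,
                # i.e. the outside NIC got registered and round robin can hand it out.
                Outside   = -not $r.IPAddress.StartsWith($InternalPrefix)
            }
        }
    }
}

function Get-AvoidedRecordMnemonics {
    # Reads (does not set) the Netlogon value that suppresses registration of the
    # listed mnemonics. Run this on the DC itself; on a client it returns nothing.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    (Get-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
}

$findings = Test-DcLocatorRecords -Domain $Domain -InternalPrefix $InternalPrefix
$findings | Format-Table -AutoSize

if ($findings | Where-Object { $_.Outside }) {
    Write-Warning "Locator records resolve outside $InternalPrefix; clients may be handed the outside interface."
    $avoided = Get-AvoidedRecordMnemonics
    if ($avoided) {
        Write-Output "Mnemonics currently suppressed on this host: $($avoided -join ', ')"
    } else {
        Write-Output 'DnsAvoidRegisterRecords is not set on this host (or this is not the DC).'
    }
}
```

Any row with Outside = True is the condition Ace describes. The fix he outlines is applied on the DC, not by this script: add LdapIpAddress and GcIpAddress to DnsAvoidRegisterRecords, restrict the DNS server to the internal address (dnscmd /ResetListenAddresses <internal IP>), and restart Netlogon so the stale outside records are replaced. Re-run the audit afterwards to confirm only internal addresses remain.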

