Re: NAT and AD

From: Charlie M (CharlieM_at_discussions.microsoft.com)
Date: 09/01/04


Date: Wed, 1 Sep 2004 08:35:09 -0700

Thank you for your comments, gentlemen. Always good having food for thought.

Let me expand a bit.

1. The network has been in place for almost 5 years, and with the exception
of downtime for patches and upgrades has been extremely reliable.

2. The private IPs are a legacy of PCAnywhere use.

3. Our firewall is a loaded Sonicwall 3060 ($3,000)

4. As a one-man shop with 50 Wall Street attorneys as clients, to be
truthful, I am a little daunted by the prospect of changing the IP
addresses on 4 servers and 50 PCs and having all my applications work without
having to re-install and re-patch them.

5. Why is it that the NAT configuration worked for 2 months and then broke
when the only change to the server was the installation of MS's security
patches?

6. All my Exchange, SQL and web apps work just fine from my NAT clients.

7. DNSLint shows no errors.

8. I have disabled Round Robin.

9. The NAT is not on a DC; it is on a Member Server.

10. The NAT clients can browse "Entire Network" and see and connect to all
of the PCs and Servers on the normal LAN, and the normal LAN PCs can browse
the NAT PCs. (NetBIOS)

11. I can browse the AD printers from a NAT client using the "Add Printer
Wizard".

I know that there are other network configurations that would eliminate the
issue, but rebuilding the complete IP infrastructure at a going concern is
really not a practical choice.

Regards,

Charlie

-- 
C.E.Morgan
"Ace Fekay [MVP]" wrote:
> In news:CB882E69-E868-4466-8AD8-58946D8FFF81@microsoft.com,
> Charlie M <CharlieM@discussions.microsoft.com> made a post then I commented
> below
> > Running 4 W2K SP4, fully patched servers: 2 are AD, 2 are member
> > servers. Clients are XP Pro SP1 & 2.
> >
> > We ran out of public IP addresses so I added a NIC card & RRAS w/ NAT
> > & separate DHCP to a Member Server, and put all new clients on a
> > separate switch attached to the NAT NIC. I had no difficulty joining
> > these NAT clients to the domain, installing AD published printers,
> > and all applications worked.
> >
> > This configuration worked until last week when my users started to lose
> > connections to the printers (on an AD server) and the server that has
> > their redirected folders on it (Member Server). The connection is
> > restored almost at once. No errors in the Event Log. The printer
> > status changes to "Opening" and then "Ready". The Redirected Folders
> > report "Working Off-line". This happens randomly to all NAT users at
> > the same time. Internet access is not affected.
> >
> > On the servers DCDIAG & NETDIAG run without errors. On the XP Pro
> > NAT clients, Network Diagnostics returns "Pass". NSLookup works.
> >
> > I then removed one of the NAT clients from the Domain and tried to
> > re-join. The Wizard accepted a User ID, Password, and Domain and
> > then asked for a computer Name and Domain. At that point it failed.
> > I then created a Computer account in AD and used "Change" to join the
> > domain.
> >
> > After restarting there is a "1006 Userenv" error in the Application
> > log. When I try to add a printer, I can browse the printers in AD but
> > when I double-click I get "Unable to Connect".
> >
> > If I do a Run \\printserver_name I see the printers and can connect
> > and print to them.
> >
> > All my dcom and IIS apps work fine on the NAT clients.  Clients on the
> > public ip lan work fine.
> >
> > I have been working on it for three days without success. I saw that
> > there is a W2K problem with MS04-011 - 835732 but that seems to be
> > directed to Child Domains.
> >
> > Anyone have a direction I might take?
> 
> I would agree with Lanwench's suggestions. Multihoming a DC/DNS/RRAS server
> is problematic. The issue is due to your DNS server and client
> configuration. There are a number of steps to take care of this, including
> registry entries to modify the LdapIpAddress (so it doesn't register the
> inside and outside interface) and the GcIpAddress (so it doesn't register
> the outside IP as a GC record), which is more than likely the main issue.
> GPOs won't work because of the LdapIpAddress. If it's referencing both
> internal and external interfaces, then round robin kicks in, and if it gets
> the outside IP, then the client can't connect to the server.
> On both interfaces you need to only use the internal DNS address.
> In DNS properties, need to only listen to the internal address.
> Outside NIC: disable F&P, MS Client and NetBIOS.
> Move the internal interface to the top of the binding order.
> 
> Now if you like the reg entries to modify what I was talking about, I will
> be glad to post back, but I really really suggest to heed Lanwench's
> suggestion for a router (Linksys are about $39.00 after a rebate this
> month). After all, it will be protecting your machine from the outside
> anyway. If you need RAS, that's fine, just port remap the VPN ports
> internally or even get a router that handles NAT and Secure VPNs, like a
> Netgear, (about $130.00).
> 
> -- 
> Regards,
> Ace
> 
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
> 
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
> 
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
> 
> Security Is Like An Onion, It Has Layers
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> -- 
> =================================
> 
> 
> 

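The DNS check that Ace's diagnosis calls for, as an added example that is not part of this thread or either poster's own code: it resolves the records he names (the domain's A record, which Netlogon registers under the LdapIpAddress mnemonic; gc._msdcs, the GcIpAddress record; and the _ldap/_gc SRV targets clients use to find a DC or GC) and flags any answer outside the internal subnet. Charlie says the NAT is on a member server and round robin is off, so the check may well come back clean; it still shows in one place whether any DC record could hand a NAT client the outside address. The domain name corp.example.com, the subnet 192.168.1.0/24 and the adapter name Outside are assumptions. The -Fix branch applies the Netlogon registry entry, the DNS listen address and the outside-NIC binding changes from his reply and must run on the DC itself; Resolve-DnsName, Get-NetIPAddress and Disable-NetAdapterBinding need Windows 8 / Server 2012 or later, not the Windows 2000 boxes in the thread.

```powershell
# Added example, not code from the thread. Reports DC DNS records that could
# hand a NAT client the outside interface's address, and optionally applies
# the fixes Ace lists. Domain, subnet and adapter name are assumptions.
param(
    [string]$Domain       = 'corp.example.com',  # assumed AD DNS name
    [string]$InternalCidr = '192.168.1.0/24',    # assumed internal LAN
    [string]$OutsideNic   = 'Outside',           # assumed name of the public-side adapter
    [switch]$Fix                                 # apply changes; run on the DC as admin
)

function ConvertTo-UInt32([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                         # network order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}

function Test-InSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# The records Netlogon registers that Ace refers to, plus the SRV records
# clients use to locate a DC or GC. A name that resolves to the outside IP is
# the round-robin failure he describes.
$checks = @(
    @{ Name = $Domain;              Type = 'A';   Role = 'LdapIpAddress (domain A)' },
    @{ Name = "gc._msdcs.$Domain";  Type = 'A';   Role = 'GcIpAddress (gc._msdcs A)' },
    @{ Name = "_ldap._tcp.$Domain"; Type = 'SRV'; Role = 'LDAP SRV target' },
    @{ Name = "_gc._tcp.$Domain";   Type = 'SRV'; Role = 'GC SRV target' }
)

$bad = @()
foreach ($c in $checks) {
    # For SRV records check every target host; for A records, the name itself.
    $targets = if ($c.Type -eq 'SRV') {
        Resolve-DnsName -Name $c.Name -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget } | Sort-Object -Unique
    } else { @($c.Name) }

    foreach ($t in $targets) {
        $ips = Resolve-DnsName -Name $t -Type A -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
        foreach ($ip in $ips) {
            $inside = Test-InSubnet $ip $InternalCidr
            '{0,-32} {1,-36} {2,-16} {3}' -f $c.Role, $t, $ip, $(if ($inside) { 'internal' } else { 'EXTERNAL' })
            if (-not $inside) { $bad += "$t -> $ip ($($c.Role))" }
        }
    }
}

if ($bad.Count -eq 0) { 'All DC records resolve to internal addresses.'; return }
'Records a NAT client may receive that it cannot reach:'
$bad

if ($Fix) {
    # 1. Netlogon: stop registering the domain-wide A records from this host
    #    (the LdapIpAddress / GcIpAddress mnemonics Ace mentions).
    $nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $nl -Name DnsAvoidRegisterRecords -Type MultiString -Value @('LdapIpAddress', 'GcIpAddress')

    # 2. DNS server: listen on the internal address only.
    $internalIp = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { Test-InSubnet $_.IPAddress $InternalCidr } |
        Select-Object -First 1 -ExpandProperty IPAddress
    dnscmd /ResetListenAddresses $internalIp

    # 3. Outside NIC: no File and Printer Sharing or Client for Microsoft Networks.
    #    (NetBIOS over TCP/IP is still turned off in the adapter's WINS tab.)
    Disable-NetAdapterBinding -Name $OutsideNic -ComponentID ms_server, ms_msclient

    # 4. Re-register the remaining records; stale outside-IP entries must be deleted by hand.
    nltest /dsregdns
}
```

Once DnsAvoidRegisterRecords is set, Netlogon stops registering the domain A record from that host altogether, so the internal address has to be added as a static A record for the domain (and the outside-address records removed) before the check is run again; otherwise clients that look up the bare domain name get nothing at all, which looks much like the intermittent "Unable to Connect" in the original post.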
