Re: DNS and Domain problem
From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 04/03/04
- Next message: Nat: "Re: DNS and Domain problem"
- Previous message: Natasha: "DNS and Domain problem"
- In reply to: Natasha: "DNS and Domain problem"
- Next in thread: Nat: "Re: DNS and Domain problem"
- Reply: Nat: "Re: DNS and Domain problem"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 3 Apr 2004 12:46:19 -0500
In news:14fc601c419a2$992ff5b0$a601280a@phx.gbl,
Natasha <anonymous@discussions.microsoft.com> posted their thoughts, then I
offered mine
> Hello, I'm having a little problem with a test domain I've
> just built, but problem could simply be with firewall
> access that wasn't setup correctly but here is what I can
> and cannot do.
>
> I have a domain with three W2000 servers. Had no problems
> setting up the first DC. Setup DNS fine, only one server
> hosting AD Integrated for secure updates and replication
> and zone info storing within AD.
> I added the other two servers to the domain without
> problems and they added themselves into DNS. All these are
> on the same subnet.
>
> On another subnet I have a W2000, on a different V-lan
> and separated by a firewall. IP routing and port UDP 53 are
> open and available. I'm able to ping from this server to
> all server on the other subnet. I can even do NSlookups
> from this separate server and it returns the result of the
> DNS server's IP and domain name. I specified this on the
> NIC's DNS entry.
> Though I can see and ping the DC and the other servers on the
> other subnet, I can't add this server to the Domain.
>
> I get the error that this could be a DNS problem, or there
> could be a problem with DNS lookup.
>
> Have I missed something out on the firewall access...?
>
> Please advise if you know....I guess there could be a mis-
> config on the firewall
>
> thanks
>
> Nat
Hi Nat,
You did everything perfectly. The issue is the firewall. There are about 30
ports that need to be allowed through. Read the articles below; they
describe which ports need to be opened. However, on another note, if you can
possibly create a Tunnel Mode VPN between the subnets, that would be your
better bet, since opening all these ports for AD communication can lead to
security issues.
Active Directory Replication over Firewalls - Microsoft Service Providers:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
Download details Active Directory in Networks Segmented by Firewalls:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=c2ef3846-43f0-4caf-9767-a9166368434e
Q289241 - A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q289241&
Restricting Active Directory Replication Traffic to a Specific Port
(Q224196):
http://support.microsoft.com/?id=224196
My take on it is to use a VPN so as to allow all traffic between the VPN
endpoints (each router between the VPNs). Much more secure.
I hope this helps.
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
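Added example (not part of Ace's reply or of the Microsoft articles he links): a small Python script to run from the server on the firewalled V-LAN against the DC. It illustrates the two points the thread turns on: a successful nslookup only proves UDP 53 is open, while the join also needs the TCP ports below and the DC locator SRV record (_ldap._tcp.dc._msdcs.<domain>), not just the DC's A record. The port table is the commonly cited Windows 2000 DC default set and should be confirmed against Q289241; the RPC dynamic range (TCP 1025-5000 on Windows 2000) is left out because TCP 135 hands out a port from it unless replication is pinned per Q224196. The DC address and domain name on the command line are placeholders; UDP ports other than 53 are listed for the firewall rule but are not probed, since connect() cannot test them.

```python
#!/usr/bin/env python3
"""Check whether a Windows 2000 DC is reachable on the ports a domain join
needs, and whether the DC locator SRV record resolves. Added example for
the thread above; the port lists are the commonly cited W2000 defaults
(confirm against Q289241), not copied from the page."""
import random
import socket
import struct

# TCP ports a member server must reach on the DC. The RPC dynamic range
# (1025-5000 on W2000) is deliberately absent: TCP 135 hands out a port in
# that range unless replication is pinned to a fixed port (Q224196).
REQUIRED_TCP = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
    139: "NetBIOS session", 389: "LDAP", 445: "SMB/CIFS",
    464: "Kerberos password change", 636: "LDAP over SSL",
    3268: "Global Catalog", 3269: "Global Catalog over SSL",
}
# UDP ports to allow as well; only 53 is probed below (via a real query).
REQUIRED_UDP = {
    53: "DNS", 88: "Kerberos", 123: "NTP (Kerberos clock skew)",
    137: "NetBIOS name", 138: "NetBIOS datagram", 389: "LDAP (CLDAP ping)",
}


def classify(open_tcp, dns_ok):
    """Pure logic: which required TCP ports are still blocked, and whether the
    TCP side plus DNS are clear. The case in the thread (nslookup works,
    nothing else open) gives dns_ok=True, ready=False, all TCP ports missing."""
    missing_tcp = sorted(p for p in REQUIRED_TCP if p not in open_tcp)
    return {"dns_ok": bool(dns_ok), "missing_tcp": missing_tcp,
            "ready": bool(dns_ok) and not missing_tcp}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def build_srv_query(name, txid):
    """Standard recursive query (flags 0x0100) for an SRV record (QTYPE 33)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 33, 1)


def parse_header(msg):
    """Return (txid, rcode, answer_count) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, ancount


def dc_locator_srv_answers(dns_server, domain, timeout=2.0):
    """Ask the DC's DNS for the record the join actually uses to find a DC.
    Returns the answer count; 0 means DNS answered but holds no SRV record."""
    name = f"_ldap._tcp.dc._msdcs.{domain}"
    txid = random.randrange(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name, txid), (dns_server, 53))
        resp, _ = s.recvfrom(512)
    rtxid, rcode, ancount = parse_header(resp)
    if rtxid != txid:
        raise ValueError("transaction ID mismatch in DNS reply")
    if rcode != 0:
        raise ValueError(f"DNS RCODE {rcode} for {name}")
    return ancount


if __name__ == "__main__":
    import sys
    dc, domain = sys.argv[1], sys.argv[2]  # e.g. 10.0.1.5 test.local (placeholders)
    open_tcp = {p for p in REQUIRED_TCP if tcp_open(dc, p)}
    try:
        n = dc_locator_srv_answers(dc, domain)
        dns_ok = True
        print(f"DC locator SRV answers: {n}" + ("" if n else "  <- no SRV record!"))
    except (OSError, ValueError) as exc:
        dns_ok = False
        print(f"DC locator SRV lookup failed: {exc}")
    result = classify(open_tcp, dns_ok)
    for port in result["missing_tcp"]:
        print(f"blocked? TCP {port:5}  {REQUIRED_TCP[port]}")
    print("TCP path and DNS ready for join:", result["ready"],
          "(UDP", sorted(REQUIRED_UDP), "still to be allowed on the firewall)")
```

Run it as `python3 dcports.py <dc-ip> <domain>` from the machine that cannot join. If the SRV lookup returns answers but most TCP ports show as blocked, the result matches the thread: DNS alone gets through the firewall and the rest of the AD traffic does not. Ace's alternative of an IPsec tunnel between the two subnets avoids maintaining this per-port list on the firewall at all.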