Re: NAT probably blocking netlogon traffic
- From: "Bill Grant" <not.available@online>
- Date: Sat, 22 Apr 2006 12:10:36 +1000
Tools like that won't work across NAT. You should not need NAT to get
from one site to the other. They are all on private addresses.
In the real world, the DNS server in each domain would be set up to
forward to a public DNS server. There is no reason why you can't do that in
your setup. Trying to use the RRAS server as a DNS proxy would not be a good
idea.
You really need to get the routing working, then look at the name
resolution. You will need IP routing enabled on the RRAS server. You do not
need it to do NAT because the public NIC is still a private IP address.
Obviously the DSL device at 10.0.0.138 is doing NAT for you. Basically all
you need the RRAS machine to do is IP routing.
If the three sites are in their own subnet and use the RRAS server as
their default gateway, they should be able to route OK from site to site.
From a machine in one site, check that you can ping a machine in another
site by its IP address. Then check if you can ping the gateway at 10.0.0.138.
If you can, try pinging a public address by its IP address.
With the addressing scheme you are using, everything should work with
only IP routing enabled on the RRAS server. All traffic from any site will
come to the RRAS server. Traffic destined to another local site will be
routed by the RRAS server (which has an interface in each site). Remaining
traffic will go to the RRAS server's default gateway which is the DSL
router. Everything from there on should be using the DSL router's public
IP.
Return traffic coming in from the Internet will be translated back to
its private IP address by NAT. Since the "public" IP of the RRAS router is
in the 10.0.0.0/8 subnet, it should receive this traffic and route it on to
the correct internal subnet.
For DNS, I would set the DNS server in each domain to forward to a
public DNS service. Each will resolve all local names itself but forward
"foreign" requests to a public DNS service.
How do you cope with DNS requests for a machine which is in your forest
but in a different domain?
Steve wrote:
Thanx for replying Bill. I am not a TCP/IP guru.
Maybe your suggestion is the solution, but for now this won't work.
My Forest:
I have 3 domains, 1 root level and 2 child domains.
3 subnets:
Amsterdam 10.128.0.0/16 GW 10.128.10.5
London 10.192.0.0/16 GW 10.192.10.1
NewYork 10.32.0.0/16 GW 10.32.10.1
(GW=gateway)
I have a standalone server with 4 NICs, one for each subnet and one
for the internet access.
Internet is an ADSL connection: 10.0.0.0/8 GW 10.0.0.138
Every domain controller is its own DNS server. The child domains
have the root domain as their forwarder. The root domain does not have
any forwarder. I thought this was the DNS server from the ADSL
connection (10.0.0.138),
but I can not even ping it.
Is the problem maybe the subnet mask of the ADSL connection? I don't
know.
I don't use the DHCP-type allocator in NAT
In my live environment I have an ISA server as forwarder for the root
level domain, so I thought in my test lab the forwarder would be the
RRAS server.
I deleted all the interfaces from NAT except the internet interface.
I can not ping 10.0.0.138. So adding a public DNS won't work.
Adding for example Amsterdam to NAT resolved the routing problem for
Amsterdam, but then I have problems with the tools I mentioned
earlier.
Configuring RRAS, do I have to select the option "Internet Connection
Server" or "Network Router"?
I selected the first option. I think that's the correct one.
Thanx
"Bill Grant" wrote:
The most common problem is DNS. AD depends on DNS for its
operation, so all AD machines need to use your local DNS. Set all
machines to use the local DNS server and configure this local server
to forward to a public DNS server. Disable the option in RRAS to act
as a DNS proxy.
The second problem is DHCP. Do not use the DHCP-type allocator
in NAT (i.e. do not give it a pool of addresses). Use DHCP on a server
to hand out the config for machines which are not configured
manually.
Steve wrote:
I am in the process of migrating from Windows 2000 to 2003. I am
setting up a test lab to test this upgrade prior to doing it live.
I configured 5 domains, with a few member servers. There are 3
subnets.
I also configured a standalone Windows 2000 server with RRAS and
three NICs.
I configured NAT and I can ping and connect to everything on my LAN, and
browse the internet.
But tools like Replication Monitor and Active Directory Domains and
Trusts are not working. The error I get in Replication Monitor is:
"The source domain controller (SERVERNAME) is not reachable by
Active Directory Replication Monitor. This may be the result of a
network problem."
If I disable or delete NAT, those tools do work, but then I cannot
connect to the internet.
I came across the following articles:
http://support.microsoft.com/default.aspx?scid=kb;en-us;172227 and
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx.
How can I install RRAS so that I can browse the internet, and not
have any netlogon problem?
Thanx
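The forwarding behaviour Bill describes for a plain IP-routing RRAS server (site-to-site traffic routed between the server's own NICs, everything else sent to the DSL router at 10.0.0.138) can be modelled with a longest-prefix-match table built from the addresses Steve posted. The following is an added example, not code from anyone in the thread; it also runs the two sanity checks a practitioner would want before touching name resolution: that each site gateway really lies inside its own /16, and which connected prefixes overlap (the /8 on the DSL side contains all three site /16s, so the DSL NIC is only used for 10.x addresses not covered by a site). The public destination 198.51.100.10 is a constructed TEST-NET-2 address standing in for "a public address by its IP".

```python
import ipaddress

# Constructed from the addressing scheme posted in the thread: each site's
# subnet with its gateway (the RRAS server's NIC in that site), and the DSL
# side, where 10.0.0.138 is the DSL router and the RRAS default gateway.
SITES = {
    "Amsterdam": ("10.128.0.0/16", "10.128.10.5"),
    "London": ("10.192.0.0/16", "10.192.10.1"),
    "NewYork": ("10.32.0.0/16", "10.32.10.1"),
}
DSL_NETWORK = "10.0.0.0/8"
DSL_ROUTER = "10.0.0.138"


def build_routing_table():
    """Routes the RRAS server holds with IP routing enabled and no NAT:
    one connected route per NIC plus a default route to the DSL router."""
    table = [(ipaddress.ip_network(net), f"direct via {site} NIC")
             for site, (net, _gw) in SITES.items()]
    table.append((ipaddress.ip_network(DSL_NETWORK), "direct via DSL NIC"))
    table.append((ipaddress.ip_network("0.0.0.0/0"),
                  f"default gateway {DSL_ROUTER}"))
    return table


def lookup(table, destination):
    """Longest-prefix match: the most specific route containing the
    destination wins, so a site /16 beats the DSL /8, which beats /0."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def gateways_in_own_subnet():
    """Check that each site's gateway address lies inside that site's prefix."""
    return {site: ipaddress.ip_address(gw) in ipaddress.ip_network(net)
            for site, (net, gw) in SITES.items()}


def overlapping_prefixes(table):
    """Report connected prefixes contained in another connected prefix
    (default route excluded). Overlap is legal, but the broader prefix is
    then only reached for hosts not covered by a more specific one."""
    nets = [net for net, _ in table if net.prefixlen > 0]
    return sorted((str(a), str(b))
                  for a in nets for b in nets if a != b and a.subnet_of(b))


def trace(destinations):
    """Where each destination goes, in the order Bill suggests testing:
    a host in another site, the DSL router itself, then a public address."""
    table = build_routing_table()
    return {dst: lookup(table, dst) for dst in destinations}


if __name__ == "__main__":
    for dst, hop in trace(["10.192.5.20", DSL_ROUTER, "198.51.100.10"]).items():
        print(f"{dst:>15} -> {hop}")
    print("gateways inside own subnet:", gateways_in_own_subnet())
    print("overlapping prefixes:", overlapping_prefixes(build_routing_table()))
```

Running it shows the three hops in the order of Bill's ping checklist; if a real ping fails at a step whose simulated hop is "direct via ... NIC", the problem is on the RRAS server or that segment, and if it fails only at the public address, the problem is past the DSL router (its NAT or its own DNS/upstream), which is exactly the split Bill is asking Steve to establish before working on forwarders.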