Can't join 2003 domain over VPN


gavinseabrook

Hello All

I've been having this trouble. I have a client whose 2000 server died, and we transferred all their data to a new server. Set up DHCP on the server, WINS, and DNS with Active Directory. Now all the clients that are in the same IP range as the main office have NO PROBLEMS connecting to the domain. Yet all the clients connecting over a hardware VPN can't. Here is a small diagram:


MAIN OFFICE (192.9.200.x scheme) > Router > Internet > Router > Other office (192.9.203.x scheme)

Every time we try to join the domain, we get an error saying it can't be contacted. Yet we can ping the IP of the domain server, and NSLOOKUP sees that the default server is the proper domain (w11243-1.w11243dom.com).

I have tried everything I could think of, but have had no luck whatsoever. Anyone able to come up with some suggestions?
 
Right now they are on a hardware VPN. The problem I can see, or at least one of the problems, is that I can't get name resolution.

I can ping FROM the server across the vpn by computer name.

YET

I can't ping the server name from the other end of the VPN.


BTW: It is a hardware VPN between 2 Instagate routers.
 
Active Directory simply does not work without DNS. Without working name resolution, you can forget about the whole thing.

How is DNS set up on the clients behind the VPN? They should be configured to use the DC(s) as their name servers (unless you have some elaborate separate DNS system configured for AD).
 
Thank god someone replied with a good question, lol, j/k. DNS is set up (properly, as far as I could figure). I have my forward lookup zone, SRV records, etc.

As far as the clients on the other side of the VPN, they have their preferred DNS server set to the IP of the DNS server. One problem that I figured out was that on the Instagate routers, the file server didn't have the IP of the DNS server as its primary WINS server (yes, I have WINS installed). I pointed the WINS server on the router to the IP of the DNS/WINS server and it got me to the point where, when I try to join the domain, it pops up the USER/PASSWORD box. Upon entering the username and password, it states "An account for the computer <COMPUTER NAME> was found on the domain <DOMAIN NAME>, would you like to use this account". I was so happy for about 1 minute, until it gave me a new error message.

"The server could not perform the requested operation".

I researched this error and found that it looks to be a firewall problem in Server 2003, yet when I try to access the firewall (the built-in software firewall), I get the error message "Could not open Windows Firewall because it might be in use" blah blah blah, and at the end it has (ipnat.sys).

Many people stated to disable Routing and Remote Services, which I did, and to reboot. I have not had the chance to reboot the server till earlier today, but have not tried joining the domain. I hope it is something as simple as that, yet the computers on the other end of the VPN still can't get name resolution.

Can you help me Special Forces Nodsu?! lol
 
Another thing that is pretty frequent in VPNs is MTU mismatch.
Try pinging the DC with a long packet: "ping -l 1500 server.name" (that's "ell" there). If that fails, try shorter ones: -l 1400, -l 1300, etc.

Sometimes firewalls, routers, etc. are set up so that MTU discovery doesn't work properly and oversized packets are just thrown away. Small stuff like a normal ping or DNS goes through while anything more serious just fails mysteriously.
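The probe Nodsu describes, scripted as an added example (not code from the thread): it binary-searches the largest ICMP payload that crosses the VPN, adding the -f (don't fragment) flag so an oversized probe is dropped rather than silently split, which is what happens to real traffic when path MTU discovery is blocked. The target hostname is the DC name quoted in the thread; substitute its IP if name resolution is the thing that is broken.

```powershell
# Added example, not from the thread. Run on a client behind the VPN.
# $Target is the DC hostname quoted in the thread (use the IP if DNS is broken).
param([string]$Target = "w11243-1.w11243dom.com")

$overhead = 28          # 20-byte IPv4 header + 8-byte ICMP header; ping -l sets payload only
$lo = 0                 # largest payload known to succeed
$hi = 1500 - $overhead  # 1472: the most that fits a 1500-byte Ethernet frame

# Sanity check first: if a small probe fails, the problem is reachability, not MTU.
if (-not ((ping -n 1 -l 32 $Target | Out-String) -match "TTL=")) {
    "Host $Target does not answer a plain ping; fix reachability before looking at MTU."
    return
}

# Binary search with -f (don't fragment). Windows ping reports an oversized probe as
# "Packet needs to be fragmented but DF set." and prints no TTL= line.
while ($lo -lt $hi) {
    $mid = [math]::Ceiling(($lo + $hi) / 2)
    $out = ping -n 1 -f -l $mid $Target | Out-String
    if ($out -match "TTL=") { $lo = $mid } else { $hi = $mid - 1 }
}

$pmtu = $lo + $overhead
"Largest unfragmented payload: $lo bytes (path MTU $pmtu)"
if ($pmtu -lt 1500) {
    "Path MTU is below 1500, so large packets will be dropped wherever PMTU discovery is blocked."
    "Consider setting the client or router MTU to $pmtu, or clamping TCP MSS to $($pmtu - 40)."
}
```

A result well under 1472 (IPsec tunnels commonly lose 50-100 bytes to encapsulation) with the two offices differing is consistent with Nodsu's point that the two sites' internet paths are not identical; the fix is on the site whose path MTU is smaller.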
 
Well, I have an interesting update for you, Nodsu. I connected to a PC that is at another VPN remote office and attempted to join the domain. SUCCESS!! I was able to fully connect to the domain, yet at the other office I still can't. They are using the exact same router, configured the exact same way. This is so confusing. Even the office that I was able to get up and running can't ping the server by name, but still joined the domain no problem. What do you suppose I should make my next step? I was thinking of setting the computer I was connecting to to DHCP and trying it; if not, set it back up to static and be at square one again.
 
Did you try the MTU thing? The two offices do not have identical internet connections (the path from the router to your VPN server).
 
Back to DNS. I had issues as well with this name resolution, and I did not have WINS installed. Nodsu said, "How is DNS set up on the clients behind the VPN? They should be configured to use the DC(s) as their name servers."
I think he is close to something here.

When you look at TCP/IP properties for your server network adapter, what is the DNS address specified there?
When I had this problem, someone had put an external DNS address as the first option, and then the local DNS as the second. In this case I was dealing with a myserver.mydomain.local domain.

Are you hosting a local domain? or is it .com? or .net? etc etc. External DNS servers will never resolve your .local domain or any internal domain.

Hope this helps.
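The checks both Nodsu and the last reply are asking for, as an added example rather than anything posted in the thread: run on a client (or on the server itself) it lists the DNS server order of every adapter, asks the DC directly for the SRV records a domain join depends on, and tests the TCP ports a join uses. The DC address 192.9.200.10 is an assumption; the domain and DC hostname are the ones quoted in the thread. nslookup and WMI are used because Resolve-DnsName and Test-NetConnection do not exist on XP/2003-era machines.

```powershell
# Added example, not from the thread. Works on PowerShell 2.0 (XP/2003 era).
param(
    [string]$DcIp   = "192.9.200.10",           # assumed DC/DNS/WINS address
    [string]$Domain = "w11243dom.com",           # domain quoted in the thread
    [string]$DcName = "w11243-1.w11243dom.com"   # DC hostname quoted in the thread
)

# 1. DNS server order on every IP-enabled adapter. An ISP resolver listed first is the
#    classic cause: it answers NXDOMAIN for _ldap._tcp.* and the DC is never asked.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
    $servers = @($_.DNSServerSearchOrder)
    $status  = if ($servers.Count -gt 0 -and $servers[0] -eq $DcIp) { "OK" } else { "CHECK" }
    "{0,-6} {1} DNS={2}" -f $status, $_.Description, ($servers -join ",")
}

# 2. The records a domain join and logon need, asked of the DC directly so a wrong
#    client resolver cannot mask a missing record on the DC.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain"
)
foreach ($n in $srvNames) {
    $out = cmd /c "nslookup -type=SRV $n $DcIp 2>&1" | Out-String
    if ($out -match "svr hostname") { "OK     $n" } else { "FAIL   $n`n$out" }
}
$out = cmd /c "nslookup $DcName $DcIp 2>&1" | Out-String
if ($out -match ("Name:\s+" + [regex]::Escape($DcName))) { "OK     $DcName resolves" }
else { "FAIL   $DcName`n$out" }

# 3. TCP ports a join uses: DNS 53, Kerberos 88, RPC 135, LDAP 389, SMB 445, kpasswd 464.
#    Blocked by a firewall or VPN ACL, these give "could not be contacted"-style errors
#    even though plain ping (ICMP) works.
foreach ($port in 53, 88, 135, 389, 445, 464) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ar  = $tcp.BeginConnect($DcIp, $port, $null, $null)
    $ok  = $ar.AsyncWaitHandle.WaitOne(2000) -and $tcp.Connected
    $tcp.Close()
    "{0,-6} tcp/{1}" -f $(if ($ok) { "OK" } else { "FAIL" }), $port
}
```

Reading the output: a CHECK on the adapter line with the SRV lookups passing means the client is simply asking the wrong resolver first; SRV failures against the DC itself point at the zone on the server; port failures with DNS passing match the symptom in the thread where the join gets as far as the password prompt and then dies.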
 