cant logon to domain over VPN

[DJRabin]

We've got a site-to-site VPN tunnel with all ports open.

When we try to logon to the domain we receive "Domain is not available" error message. I've verified that DNS, WINS, etc are all configured properly - I can logon locally and browse to domain resources by name, and authenticate to shares.

I removed a machine from the domain and attempted to re-add it and get error messages that a domain controller could not be contacted when using the NetBios domain name. I get the same error using the fully-qualified domain name, but the error shows that DNS WAS able to query and found 4 domain controllers (the right ones.)

WTF? I'm at my wits end after 20+ hours working on this. Could Comcast be blocking some ports that would prevent me from authenticating/joining the domain?

Thanks!

-DJ
ACA-I, Convergence+, Net+ A+

 

[rphips]

DJRabin

Let me see if I can get this straight

You have a headquarters with an IP address of (let say) 192.168.1.1/255 Here you all the network resources.

You have another site that you have set up a site-to-site vpn this site has the IP address of 192.168.3.1/255

Now when you utilize the VPN the site IP address stays the same So the domain controller will not reconize the system or even accept it as a computer - yet due to your vpn rules you have allowed systems with the address of 192.168.3.1/255 access to the resources. Thus you can get email. do file sharing and run applications.

So before you beat your brains in do some research on site-to-site VPNs and you will find your systems are working properly.

bob

 

[DJRabin]

Sorry Bob - I don't believe things are working designed."

It is a very common practice to have HQ setup (10.10.1.0/24) and have branch locations (172.16.X.0/24) and have the branch workstations as members of the domain.

As long as I am using the corporate (internal) DNS/WINS servers I should be able join the domain, login across the VPN etc.

What makes you think that this is not the case and that things are working properly. Why wouldn't the DC recognize these machines? It doesn't care what subnet my workstations are on, only that the machine is a member of the domain or that someone has the authority to add it to the domain.

-DJ
ACA-I, Convergence+, Net+, A+, MCSA

 

[dberg35]

So you can browse all resources at the other site. If it is just re-joining the pc to the domain what are typing for the domain? I have times similar to yours but to join a pc I had to type the whole domain name IE: mydomain.local

 

[DJRabin]

dberg - yeah, I can browse all resources, by IP and name. To join the domain I've tried both the netbios name "mydomain" as well as FQDN mydomain.local. Both result in errors that a domain controller could not be found, but when i use the DNS name, the error shows that it was able to find my DCs - it lists them in the error.

Downright odd.

-DJ
ACA-I, Convergence+, Net+, A+, MCSA

 

[dberg35]

Have you tried flushing the DNS cache and what OS is the pc? Also you might try an reboot of the server.

 

[DJRabin]

All PCs are running XP Pro, SP3. I've flushed DNS, re-registered WINS, and rebooted. No change.

To clarify, all DNS records (including the necessary SRV and A records) resolve correctly and are pingable by IP, NETBIOS, and DNS name.

-DJ
ACA-I, Convergence+, Net+, A+, MCSA

 

[dberg35]

I will say this one is interesting. What is doing your VPN at each site? It could be a port that needs to be opened or maybe a reboot, also check the event logs what errors? Have you tried this with another pc?

 

[Lemon13]

http://technet.microsoft.com/de-de/library/cc776854(WS.10).aspx

M. Knorr

MCSE, MCTS, MCSA, CCNA

 

[DJRabin]

I've run dcdiag on the DCs, everything passes.

-DJ
ACA-I, Convergence+, Net+, A+, MCSA