
cant logon to domain over VPN


DJRabin (MIS), Sep 28, 2006
We've got a site-to-site VPN tunnel with all ports open.

When we try to logon to the domain we receive "Domain is not available" error message. I've verified that DNS, WINS, etc are all configured properly - I can logon locally and browse to domain resources by name, and authenticate to shares.

I removed a machine from the domain and attempted to re-add it and get error messages that a domain controller could not be contacted when using the NetBios domain name. I get the same error using the fully-qualified domain name, but the error shows that DNS WAS able to query and found 4 domain controllers (the right ones.)

WTF? I'm at my wit's end after 20+ hours working on this. Could Comcast be blocking some ports that would prevent me from authenticating/joining the domain?

Thanks!

-DJ
ACA-I, Convergence+, Net+ A+
 
DJRabin

Let me see if I can get this straight

You have a headquarters with an IP address of (let's say) 192.168.1.1/255. Here you have all the network resources.

You have another site where you have set up a site-to-site VPN; this site has the IP address of 192.168.3.1/255.

Now when you utilize the VPN the site IP address stays the same, so the domain controller will not recognize the system or even accept it as a computer - yet due to your VPN rules you have allowed systems with the address of 192.168.3.1/255 access to the resources. Thus you can get email, do file sharing and run applications.

So before you beat your brains in do some research on site-to-site VPNs and you will find your systems are working properly.

bob
 
Sorry Bob - I don't believe things are working as designed.

It is a very common practice to have HQ setup (10.10.1.0/24) and have branch locations (172.16.X.0/24) and have the branch workstations as members of the domain.

As long as I am using the corporate (internal) DNS/WINS servers I should be able to join the domain, log in across the VPN, etc.

What makes you think that this is not the case and that things are working properly? Why wouldn't the DC recognize these machines? It doesn't care what subnet my workstations are on, only that the machine is a member of the domain or that someone has the authority to add it to the domain.

-DJ
ACA-I, Convergence+, Net+, A+, MCSA
 
So you can browse all resources at the other site. If it is just re-joining the PC to the domain, what are you typing for the domain? I have had times similar to yours, but to join a PC I had to type the whole domain name, i.e. mydomain.local.
 
dberg - yeah, I can browse all resources, by IP and name. To join the domain I've tried both the NetBIOS name "mydomain" as well as the FQDN mydomain.local. Both result in errors that a domain controller could not be found, but when I use the DNS name, the error shows that it was able to find my DCs - it lists them in the error.

Downright odd.

-DJ
ACA-I, Convergence+, Net+, A+, MCSA
 
Have you tried flushing the DNS cache, and what OS is the PC? Also you might try a reboot of the server.
 
All PCs are running XP Pro, SP3. I've flushed DNS, re-registered WINS, and rebooted. No change.

To clarify, all DNS records (including the necessary SRV and A records) resolve correctly and are pingable by IP, NETBIOS, and DNS name.

-DJ
ACA-I, Convergence+, Net+, A+, MCSA
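Since DNS is handing back the DCs but the join still fails, the next thing to pin down is whether every TCP port a domain join needs is actually reachable through the tunnel. The script below is an added example for this thread, not the poster's own code; it assumes Python 3 with the standard library only, and the hostnames in the constructed nslookup sample are placeholders.

```python
"""Probe the TCP ports a Windows domain join/logon needs on each DC that DNS
returned for _ldap._tcp.dc._msdcs.<domain>.  Added example; stdlib only."""
import re
import socket

# TCP ports a workstation must reach on a DC to join and log on to the domain.
# RPC also needs the dynamic high ports after 135, and Kerberos/LDAP use UDP
# as well; those are not probed here.
REQUIRED_TCP_PORTS = {
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change",
}

# Constructed sample of 'nslookup -type=SRV _ldap._tcp.dc._msdcs.mydomain.local'
# output (Windows format); hostnames are placeholders, not the poster's DCs.
SAMPLE_NSLOOKUP = """_ldap._tcp.dc._msdcs.mydomain.local  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.mydomain.local
_ldap._tcp.dc._msdcs.mydomain.local  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.mydomain.local
"""

def parse_srv_hosts(nslookup_output):
    """Pull the DC hostnames out of nslookup SRV output."""
    return sorted(set(re.findall(r"svr hostname\s*=\s*(\S+)", nslookup_output)))

def probe_tcp(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable: all count as blocked
        return False

def check_dc(host, ports=REQUIRED_TCP_PORTS, timeout=3.0):
    """Probe every required port on one DC; returns {port: reachable}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}

def blocked_services(results, ports=REQUIRED_TCP_PORTS):
    """Service names whose port was unreachable, from a check_dc() result."""
    return [ports[p] for p, ok in sorted(results.items()) if not ok]

if __name__ == "__main__":
    for dc in parse_srv_hosts(SAMPLE_NSLOOKUP):
        print(dc, "blocked:", blocked_services(check_dc(dc)) or "none")
```

Run it from a branch workstation, replacing the sample with the real nslookup output; any service listed as blocked is a port the tunnel or ISP is not passing, which matches the symptom of DNS finding the DCs while the join still fails.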
 
I will say this one is interesting. What is doing your VPN at each site? It could be a port that needs to be opened or maybe a reboot. Also check the event logs: what errors do you see? Have you tried this with another PC?
 
I've run dcdiag on the DCs, everything passes.

-DJ
ACA-I, Convergence+, Net+, A+, MCSA
 