Join PCs to a Windows domain at remote site


thesame (MIS), May 14, 2002
We have a small branch where they have 4 PCs. It's a waste to place a Windows server in the branch, so I'm looking at the possibility of including these 4 PCs in the Windows 2000 domain at our head office.

Remote branch:
192.168.2.0
255.255.255.0

Head Office:
192.168.1.0
255.255.255.0

The branch office and head office are connected with E10 that should provide enough bandwidth for this kind of connection (I assume).

Any suggestion is greatly appreciated!!!
 
We don't provide Internet centrally from the head office, although it is technically possible. Again, it's because of the service contract that requires us to pay more if we use it more. We actually take advantage of the ADSL service (SB package) that's usually unlimited on usage. Each branch just registers their own ADSL line for Internet. However, we do use the central Internet Gateway as a backup when the local ADSL doesn't work for an extended period of time.

I don't have the time and knowledge to configure the Cisco routers, so, yeah, the WAN communication is transparent. I'm not sure what you mean by "physical connection". I have only 1 Cisco router and 1 PVC at each site. That's probably what you call 1 physical connection?
 
Hi again,

glad that we got that issue sorted out.

You may need to try and route DNS traffic (Port 53) over your WAN link and then internet traffic (Port 80 (usually)) over the unlimited ADSL.

With the connections, from the PC does it go:
PC -> Switch -> ADSL Router or does it go
PC -> Switch -> CISCO Router -> ADSL Router.

Sorry, that is a strange way to put it, but I can't draw a picture. Pretty much means, how do you use each separate link??

Regards,

Pinhead.
 
I think we are on the same track. What I mean by one physical connection is, there are two scenarios you could have.
1. Your routers send everything to sbc, sbc then decides what to do with your traffic.
2. Your router has two connections, one to sbc internet, the other connection would be for wan use.

Here is what we need you to do to figure this out for sure. Go to run, start, type in cmd, hit enter.
From the command line type tracert. Then do the same thing but instead of yahoo use the FQDN of the workstation you joined to the domain yesterday.
Do this from the server, then post the results.
 
Thanks both of you!

We have 2 connections based on mrmoneymatters' terms. I find it easier to mix both of your terms... We have 1 WAN connection and 1 ADSL connection at each branch. However, the PC goes to the ADSL router for any non-local request, because the PC uses the ADSL router as its GATEWAY. Based on the destination IP, the ADSL router will forward the request either to the Cisco router if it's WAN related or to the Internet if not WAN related.

IP: 192.168.2.10
Subnet Mask: 255.255.255.0
Gateway: 192.168.2.200 (ADSL ROUTER)
DNS: 192.168.1.2

I understand you want me to trace the route of how Internet works on that PC. But for some reason, it doesn't tell me the route, although the computer can surf Yahoo.com from the Internet browser.

C:\>tracert
Tracing route to [66.94.230.33]
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * ^C
 
I am completely confused at this point! :)

To make the system work where the remote users access the Internet via their own DSL link, and other domain traffic goes to the leased line between the two locations, you need a switch at each location. Your switch must route internal traffic to the switch at the other end of the leased line and send Internet traffic to the local DSL modem. As a fall back, the remote switch should be set to route the Internet traffic to the Domain side if the remote DSL is not available, and the domain switch can do the same the other way if the domain Internet access goes down.

To see the domain, the DNS in the remote area needs to point to the Domain DNS server only, and the Domain DNS needs to point to itself and then to the Internet DNS to resolve the traffic for both locations. That way users at the remote location will resolve other Domain assets, etc.

DRAW OUT A DIAGRAM and label all the IP interfaces, and it should become clearer. If I understand your description correctly, you have a network at each location that has a DSL modem connected to the LAN at that location, and you have a leased link between the two sites (which has a switched router on each end???) which connects both the LANs together. The big question missing here is WHERE ARE YOUR FIREWALLS??? You need one between the Internet and the LAN in both locations, but nothing has been mentioned here. Is your firewall part of the switch, or a box by itself (Please don't say "What firewall"....)?

Need a little more info.

David
 
thesame, you have answered my question about your connections. When you pointed your computers to your DNS server like I said, you are probably using the main location's Internet. We have solved the issue of not being able to join the domain now that DNS is working internally, but we created another problem. Now all Internet traffic is probably going out the main location.

dholbrook, I think you are right about the firewall. The fact that they are using separate Internet connections at the locations to reduce costs on the WAN connection suggests a limited budget. I recommend a change there.

thesame, I am not sure what the best solution for you is. I know you don't want to put a server at the branch, but you could put just a DNS server there. If you did that it would solve this problem. Maybe someone else can help you better.
 
thesame,

A thought occurs to me, that the E10 pipe you are referring to is the 10 MB Ethernet connection via the DSL. Is this what it is? If so, you do not have a 10 MB tie; it is first insecure, and second, is limited to the slowest side of both of your Ethernet links, and third a disaster waiting to happen if you do not have VPN in place on the links and firewalls on both ends.

If you actually have a 10 MB tie line between sites, why the extra expense of the second Internet access? Tie your two locations together using VPN as recommended above, and put them all on the same subnet range to reduce problems, and the remote end just becomes an extension of your home domain LAN.

Just need a little more info to really understand the issues. :)

HTH
David
 
Hello David, please read below for my answers.

YOU Wrote:
To make the system work where the remote users access the Internet via their own DSL link, and other domain traffic goes to the leased line between the two locations, you need a switch at each location. Your switch must route internal traffic to the switch at the other end of the leased line and send Internet traffic to the local DSL modem.

My answer: We don't have a dedicated switch to distribute and balance traffic to either Cisco router or ADSL router. We take advantage of the "Static Route" function on the ADSL router. The traffic is all directed to the ADSL router first, and in turn directed to the Cisco router if the destination IP falls into any of our internal subnets.

You wrote:

As a fall back, the remote switch should be set to route the Internet traffic to the Domain side if the remote DSL is not available, and the domain switch can do the same the other way if the domain Internet access goes down.

My answer: Similar to what you said, the bi-directional routings are configured on the ADSL routers residing at both sites.

You wrote:

To see the domain, the DNS in the remote area needs to point to the Domain DNS server only, and the Domain DNS needs to point to itself and then to the Internet DNS to resolve the traffic for both locations. That way users at the remote location will resolve other Domain assets, etc.

My answer: it's the thing I wanna put under control. I haven't measured (no idea how as well :)) the amount of traffic for the remote DNS lookup, but I assume it won't be a lot as long as the surfing part doesn't go back and forth along our E10 pipes.

You wrote:

DRAW OUT A DIAGRAM and label all the IP interfaces, and it should become clearer. If I understand your description correctly, you have a network at each location that has a DSL modem connected to the LAN at that location, and you have a leased link between the two sites (which has a switched router on each end???) which connects both the LANs together.

My answer: Sorry I don't know how to draw a diagram for you guys. But you are right to understand our network layout, and our LANs are connected via Cisco routers (2600 series).

You wrote:

The big question missing here is WHERE ARE YOUR FIREWALLS??? You need one between the Internet and the LAN in both locations, but nothing has been mentioned here. Is your firewall part of the switch, or a box by itself (Please don't say "What firewall"....)?

My answer: I shouldn't have called our firewall an ADSL router from the very beginning. My apology for the confusion! If I don't enable intrusion detection/service filters/etc., it will function like a regular ADSL router. Anyway, the firewall (ADSL router) is in front of all the internal resources. Each branch has one such firewall.
 
Hey David, let's talk about your second post...

A thought occurs to me, that the E10 pipe you are referring to is the 10 MB Ethernet connection via the DSL. Is this what it is? If so, you do not have a 10 MB tie; it is first insecure, and second, is limited to the slowest side of both of your Ethernet links, and third a disaster waiting to happen if you do not have VPN in place on the links and firewalls on both ends.

thesame: You are right that E10 is connected through the DSL. Why do you think our setting is "insecure"? Maybe I didn't make clear that we do have a firewall between the Internet and our internal devices. If we do have a firewall in place, do you still believe it is a potential risk to join a computer to a remote domain?

If you actually have a 10 MB tie line between sites, why the extra expense of the second Internet access? Tie your two locations together using VPN as recommended above, and put them all on the same subnet range to reduce problems, and the remote end just becomes an extension of your home domain LAN.

thesame: The reason to include the distributed PCs in a Windows domain is not for Internet access but for my administrative purposes. For instance, we keep up to date with Microsoft on rolling out its endless security patches. It's such a pain to manually update every single computer. That's where I start to think of including these isolated PCs in the domain, so that I can use Group Policy to automate many things. But for sure, I will consider setting up VPN tunnels because of the cost benefits. But the routings will become more complicated to sort out... Nothing is perfect :-(
 
thesame, maybe you can add a few route statements to your ADSL router saying all traffic on port 53 is sent to the Cisco router, and anything using port 80 is sent out the ADSL connection.
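An added example, not from any poster in this thread, that models the two forwarding decisions discussed above: the destination-based static routes thesame described on the ADSL router/firewall (head-office subnet to the Cisco router, everything else out the ADSL), and the port-based rules mrmoneymatters suggests here. A plain static route matches only the destination address, so a rule keyed on port 53 or port 80 is policy-based routing and needs a device that supports it. Addresses follow the thread; the Cisco 2600's branch-LAN address (192.168.2.1) and the 203.0.113.53 Internet resolver are assumptions.

```python
import ipaddress

# Added example, not from any poster in this thread. Branch LAN 192.168.2.0/24,
# head office 192.168.1.0/24 and the ADSL router/firewall 192.168.2.200 come
# from the thread; the Cisco router's LAN address is assumed.
CISCO_WAN = "192.168.2.1"   # assumed: branch Cisco 2600, E10 link to head office
ADSL_ISP = "adsl-isp"       # label for the ADSL uplink on the firewall/ADSL router
ON_LINK = "direct"          # destination sits on the branch LAN itself

# Destination-based static routes, as on the ADSL router (longest prefix wins).
STATIC_ROUTES = [
    (ipaddress.ip_network("192.168.2.0/24"), ON_LINK),     # branch LAN
    (ipaddress.ip_network("192.168.1.0/24"), CISCO_WAN),   # head office via E10
    (ipaddress.ip_network("0.0.0.0/0"), ADSL_ISP),         # everything else via ADSL
]

# Port-aware rules (policy-based routing), checked before the static table.
# They model the port 53 / port 80 suggestion; a plain static route cannot
# look at ports, so this requires a router that supports policy routing.
POLICY_RULES = [
    ("udp", 53, CISCO_WAN),
    ("tcp", 53, CISCO_WAN),
    ("tcp", 80, ADSL_ISP),
]


def lookup_static(dst: str) -> str:
    """Longest-prefix match over STATIC_ROUTES; the default route always matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in STATIC_ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]


def next_hop(dst: str, proto=None, dport=None, use_policy: bool = False) -> str:
    """Next hop for a flow: a matching policy rule first (if enabled), else the static table."""
    if use_policy:
        for rule_proto, rule_port, hop in POLICY_RULES:
            if rule_proto == proto and rule_port == dport:
                return hop
    return lookup_static(dst)


if __name__ == "__main__":
    # Flows from the branch PC in the thread (192.168.2.10, DNS server 192.168.1.2).
    flows = [
        ("192.168.1.2", "udp", 53),      # DNS query to the head-office DNS server
        ("66.94.230.33", "tcp", 80),     # web traffic (address from the posted tracert)
        ("192.168.2.55", None, None),    # another branch PC, constructed
        ("203.0.113.53", "udp", 53),     # assumed Internet resolver (TEST-NET-3)
    ]
    for dst, proto, port in flows:
        print(f"{dst:>14} {proto or '-':>4} {str(port or '-'):>3}"
              f"  static={lookup_static(dst):<12}"
              f" policy={next_hop(dst, proto, port, use_policy=True)}")
```

The last flow is the one where the two mechanisms differ: with static routes alone a DNS query to an Internet resolver leaves by the ADSL, while the port-53 policy rule would push it over the E10 link. DNS queries to the head-office server at 192.168.1.2 already go to the Cisco router under the static table, so for that PC configuration the port-53 rule changes nothing.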
 
If the cost of the traffic on the E10 link is the issue, dump it and buy the high-speed Internet connectivity and use VPN. We dumped our T1 access line ($1500 per month) and switched to a 6 MB DSL link for about $50 per month, unlimited access. The slow side is still over 750 KBS, while our incoming is 6 MB per second, vs the T1's 1.544 MB/s each way.

Since you imply that the E10 DSL link is the way you connect to the home location, then it explains part of your DNS issue. The DNS server at the distant end has to have a real Internet address associated with it, and that will have to be the DNS address listed second in the DNS server at the remote end, not the home end actual address (which sits behind a NAT firewall). If this is the way this link is configured, then all traffic to the Internet (and to the home Domain) at the remote end uses this link, and only the local traffic at the remote end bypasses the Internet.

In reading your comments above I am still confused about exactly what this E10 link is. Is it a leased line, or is it the DSL link at each location? If it is a leased line, how does it connect to your LAN at each end? If it is a leased line between the two sites, why do you need it if high speed Internet links are available? If it is a dedicated leased line, is the cost of routing traffic over it to your home domain more than the cost of the second ISP service?

The statement to draw a diagram is not for us to see, it is for your use to check all the IP values, etc. :)

Just trying to understand better,

David
 
Thanks, you guys!

I've been toasted from installing XP SP2. It's hard to believe this is something that hundreds of people have kept on testing for several months!!! Fortunately it only affects administrators who use GP. At least I haven't heard of any of ours complaining about the new features.

mrmoneymatters, I will test with your suggestion to restrict HTTP and DNS traffic. Hope that's the simplest go.

David, I did a little more research on E10 with regards to your concerns. Seems E10 is leased lines (not based on DSL; excuse my wrong info last time) and it's somehow connected to the ATM backbone. Sorry I can't tell you more than this because of my limited knowledge of WAN setup.

The main purpose of E10 is for our business packages that need data transferred in real time. If the Windows network doesn't increase data flow dramatically, we are still fine with it. Otherwise we have to implement VPN tunnels to alleviate the traffic through the cheaper ADSL.
 