two domains sharing the same physical network 1

[GeminiDaddy]

I'm trying to maintain 2 distinct networks, but want to use the same physical cabling. All my users log into DOMAIN1. I have set up DOMAIN2 as a test environment - there are no trusts between the two. My W2K3 Server authenticates its own clients, and is set up as a domain controller for DOMAIN2.

Everything seems to work fine except for when someone on DOMAIN1 logs off. When they try to log back in (like after a reboot), they cannot log back in - I think this is happening because it is the nearest physically located domain controller to the other users on my local network. Therefore, authentications for DOMAIN1 users are somehow ending up trying to authenticated by my DOMAIN2 server. If I shut DOMAIN2 server down, then everything is fine.

Question is, how can I get the computers on DOMAIN1 to ignore my DOMAIN2 server when it's online? Is it even possible?? I considered removing its status as a domain controller, but then, how would the other machines in my test environment log into DOMAIN2 so I can do stuff?

pain makes man think. thought makes man wise. wisdom makes life endurable

 

[58sniper]

There should be no problem - I do it all the time. Do you have DHCP running on your test environment? The two domains aren't called the same thing, are they?

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[GeminiDaddy]

yes, I have DHCP, and no, they aren't called the same thing. The test environment scope is very small, only from 192.168.0.1 thru 192.168.0.20

The other domain uses 10.98.x.x and also is on a different subnet(255.255.255.0, as opposed to 255.255.240.0 for DOMAIN1), so I just can't figure out why the domain controller from DOMAIN2 is messing up client logins from DOMAIN1.

pain makes man think. thought makes man wise. wisdom makes life endurable

 

[58sniper]

So you have two DHCP servers running on the same network, right? Ya might want to put a stop to that.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[GeminiDaddy]

I don't have admin rights to DOMAIN1, only DOMAIN2 - plus it doesn't seem to matter if I use static or DHCP - the problem is the same. I tried it both ways. If I demote it from domain controller to regular file server, then none of my pc's in my test environment will have a place to authenticate, isn't that right?

but I don't understand why if they're on entirely different subnets, pc's in DOMAIN1 attempt to authenticate from my DOMAIN2 controller. Maybe I'll just have to make it an entirely independent network - but I shouldn't have to, should I? I was hoping to be able to set up a one way trust though in an effort to at least share some data between the two networks - is there something wrong with my reasoning here?

pain makes man think. thought makes man wise. wisdom makes life endurable

 

[DColcl]

if memory serves, your clients in Domain1 are requesting that "A" DHCP server grants them an IP address. If you have two DHCP servers running, and Domain1 server is unattainable, then your Domain2 server will answer the call, give that client a new IP address to that of Domain2, then continue on with the authentication of that client to Domain2.

I resolved the issue by placing a router between both servers and connecting Domain2 to that router. On the router I configured the WAN IP with a static, reserved IP Address of Domain1. Essentially, I made Domian1 the ISP for Domain2.

Novice here, so wait for the pros to confirm what I'm saying. But I will say that it worked splendidly for me.

I hope this helps.

Dan

 

[ScottCr]

You shouldn't have to make them entirely seperate networks.

Just make sure that clients in Domain 1 only point to Domain1 DNS Servers and the same for Domain2.

Doing this should mean that Domain 1 doesn't even realise Domain2 exists. However......if either domain has a wins server then it will find the other domain. Assuming DNS is working properly this shouldn't matter.

You could utilise the class id function on Domain1's DNS Server however as you do not have admin access to domain1 this is a not an option.

http://scottcross.blogspot.com

Windows and NT Admin.

 

[DColcl]

thanks, Scott, for the clarification.

Dan

 

[ScottCr]

No problem.

GeminiDaddy I would make sure that your Domain2 DC hasn't registered itself in Domain1 DNS.

http://scottcross.blogspot.com

Windows and NT Admin.

 

[58sniper]

Yep - check the zone transfers tab in DNS and see how that's being done as well.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[GeminiDaddy]

pardon me for being such a dingbat....i'm going to ask anyway:

"Just make sure that clients in Domain 1 only point to Domain1 DNS Servers and the same for Domain2."

what utility/applet do i use to do that? is that done on the workstation?

"GeminiDaddy I would make sure that your Domain2 DC hasn't registered itself in Domain1 DNS....check the zone transfers tab in DNS"

OK, so i'm in DNS applet on my DOMAIN2 domain controller (W2k3) - i don't immediately see a zone transfers tab - might you provide me with more specifics - thanks


pain makes man think. thought makes man wise. wisdom makes life endurable

 

[GeminiDaddy]

figured it out:

thanks all for posting. I found that I was able to get it to work by the following combo

1. Stopping DHCP services on the Domain2 server
2. Configuring an lmhosts file to point to the Domain1 DNS server and domain name on the client pcs
3. Configuring TCPIP with an explicit default gateway and preferred DNS server of domain1




pain makes man think. thought makes man wise. wisdom makes life endurable