VLAN access to AD Resources 2

[kleinicus]

Recently, we extended our Active Directory to include a second site. Initially, I did not configure the sites and services with the new subnets in this site, and I also did not configure the reverse lookup zones for each of these subnets. After realizing this mistake, I configured them and rebooted the machines in those subnets.
These subnets are VLANs. There are three total, one for infrastructure/applications, one for database, and one for web. I have confirmed that the database and web VLANs do have access to resources on the infrastructure VLAN (otherwise, I wouldn't have been able to join them to the domain, as that is where the DC resides). I can browse shares on specific servers, but I cannot browse DFS shares from the database and web VLANs. Additionally, the web VLAN cannot get GPOs from Active Directory, even though I can ping the DC from the web VLAN. I am stuck and out of ideas. I would appreciate any help available.

 

[baddos]

It sounds like a firewall issue to me. Are there any firewalls or access lists on the router that is routing these vlans?

 

[kleinicus]

I think you're sort of right. After a little more investigating, I've turned up some new information.

On one hand, it's possible that the VLANs cannot communicate with broadcast traffic, because that traffic is not allowed to cross interfaces on the ASA that connects the VLANs together. This broadcast traffic would include NetBIOS, which is required to reach DFS shares and also Sysvol. The latter would explain why I can get GPOs to work; the GPOs reside in the sysvol share.

So, it would seem I need to have an IP helper enabled on the ASA to allow this broadcast traffic. Does anyone know how I might find what traffic to enable?

Secondly, I also need to get the servers at this site communicating ONLY with the domain controllers that are at the this site. I noticed running a netstat on the web server that it had tried to open a connection to a DC at the primary site, which it can't do because of access rules (intentional). The port it tried to open was 1644 and the traffic type was microsoft-ds. Any ideas how I get these servers to only talk to the DCs in their site?

 

[PScottC]

Let's break this down a bit:

1) What is the role of the firewall in your network?
2) When you say sites, do you mean separate physical sites connected by WAN or VPN link?

Here are some points to know...
[ul][li]Broadcast traffic is not allowed across any router or firewall. Also, it is not required for DFS to work.[/li]
[li]IP helper only forwards DHCP/BOOTP broadcasts. (It does not forward others because that would waste the bandwidth you are saving by separating your broadcast domains in the first place.)[/li]
[li]ASA firewalls do not permit traffic between 2 interfaces in the same security zone without special configuration. Communication from a lower security zone to a higher one is not permitted unless rules allowing the traffic are in place.[/li][/ul]

PSC
[—] CCNP [•] CCSP [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[NetRx]

Can you post a network diagram? I would hold off on making any assumptions about broadcast traffic until you get a capture. If possible, I'd run wireshark on the host or setup a SPAN session on the switch. Alternatively you could try a syslog if the traffic is ultimately headed towards the ASA. Any method will work; you basically want to determine what ports the host is trying to use as you stated.

IP helper is not supported on an ASA, only 'dhcprelay' is and that is only for DHCP requests. Depending on the security levels and NAT requirements, you will likely need to explicitly allow the traffic on the firewall.

 

[kleinicus]

Okay, the attachment should explain a little better than I am...
Site 2 is the new site, where WEB2 and SQL2 cannot get resources from Active Directory. I think this is because they are trying to query DC1 in SITE 1 for sysvol and the DFS shares, instead of querying DC2 in SITE 2. This is evidenced by what I mentioned in my previous post, where the WEB2 netstat revealed it was trying to connect to DC1. Because of security requirements, it does not have access to DC1, but it does have access to DC2.

At this point I'm wondering if this has something to do with AD Sites and Services. If I could just get the servers to keep their Active Directory traffic on the local network instead of trying to query AD over the VPN tunnel, I think it would work.

Thank you guys for your help. This is my first time setting up a new site with security restrictions on VLANs.

 

[NetRx]

Thanks for the diagram. Let's try to isolate if this is networking or server related.

-Can you run set l from a command prompt on web2? What dc is it pointing to?
-Does the default gateway or route to dc2 go through the Asa?
-Are any acls applied to the vlan?
-Can you run a trace to the domain? Tracert company.local

 

[NetRx]

Also, assuming dc2 has a folder for dfs, try this from web2
telnet (dc2 ip) 135
telnet (dc2 fqdn) 135
telnet (dc2 hostname) 135

 

[kleinicus]

Thanks for the suggestions.
When I do the set l command, it shows that my logon server is DC2, which is correct. However, I still did not get all my GPOs.
When running tracert domain.ad it shows that the route is indeed going through the ASA. As far as I know, no ACLs exist yet.
Telnet to DC2 on that port does not fail, but also doesn't allow any input.
It seems that the route through the ASA to the infrastructure VLAN is preventing the communication somehow. I will check to make sure that port 135 is allowed.
Thanks!

 

[kmcferrin]

Did you go into AD Sites and Services and put DC2 into the site that represents Site 2? By default your devices should try to communicate with their local DC as defined in Sites and Services, and only try to communicate with remote DCs if the local DC is unavailable.

Is DC2 functioning correctly?

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator

 

[NetRx]

Since you can telnet to the DC over 135, I'd almost rule the ASA out at this point. TCP 135 is used for a lot of AD-related services, file shares, etc...You won't be able to enter any commands after the telnet, however, that telnet demonstrates that a successful TCP session was established. If it was a firewall issue then you would see a failed telnet attempt.

Provided communication over TCP 135 works, it would be reasonably safe to assume that connections over most other ports will work as well. I'm sure if you tried 'telnet DC2 389' and 'telnet DC2 139' that would work. 389 is LDAP and 139 is the netbios session service. Try those same commands from DC2 --> WEB2.

You can post a scrubbed config of the ASA if you would like although I would double-check the server settings. I'm not much of a server guy but you may want to look into DNS/WINS.

 

[kleinicus]

Thanks for getting back to me.
I think it must have something to do with Active Directory. Like I said, there is no restriction on traffic between WEB2 and DC2. The restriction is between WEB2 and DC1. This connection is not allowed, but it is automatically attempted. This is evidenced by the attempted ping of the domain name. When I ping domain.ad from WEB2, it fails because it resolves to DC1, instead of DC2. Any ideas how I can get the machines in Site 2 to use the domain controllers only in Site 2?

Thanks.

 

[NetRx]

That is a DNS or WINS issue then. As far as I know, when you ping the domain name, it should resolve to the local DC. Hopefully some of these folks can provide clarification.

 

[kmcferrin]

If you built this new DC2 server after WEB2 was long since up and running then the WEB2 server wouldn't know anything about DC2 until it gets data from DC1.

What kind of connection is it trying to make to DC1? That might be a clue about what it is missing.

What is WEB2 using for DNS servers? Is DC2 at the top of the list (assuming that it is a DNS server). Your clients in AD will get the list of DCs from DNS, so if DNS isn't working correctly then AD is not going to work.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator

 

[kleinicus]

The DC2 server was the first server constructed in this new site (Site 2). Following it were FILE2 and a WSUS server. It was only after the infrastructure servers were in place that I began creating the application servers WEB2, SQL2, etc.
The TCP stack of the servers in Site 2 uses DC2 as the primary DNS server and another as secondary, but the second one doesn't exist yet.

It's trying to query the domain's sysvol to get Group Policy objects. When it does so, it's trying to make a connection to DC1 to contact sysvol, but network restrictions prevent it from doing so. It has no trouble making connections to DC2, but the automatic selection of DC1 as the "domain" is what's causing it to fail.

Thanks.