Setting up server as router


MHCG
02-10-2009, 10:19 PM
Ok, so I have two VLAN subnets that I need to connect via a Windows Server 2003 box with multiple NICs and I can't seem to get the connection working properly.

Currently NIC A is connected to subnet A. The default gateway for the machines on subnet A is set to the IP of NIC A.

Currently NIC B is connected to subnet B. The default gateway for the machines on subnet B is set to the IP of NIC B.

Subnet masks are set up properly and there is no default gateway set on NIC A or B. The server in the middle can ping to machines on both subnets.

My problem is that machines from Subnet A can only ping to NIC B on the server, but can't ping out to Subnet B. What step am I missing?

No, I can't use a router or any other hardware device. I'm certain that it's some stupid box that I forgot to put a checkmark in.

14049752
02-10-2009, 10:38 PM
The connections are bridged, right? I assume so, but you didn't mention it?

MHCG
02-11-2009, 01:15 AM
No they're not. They're different IP subnets. One is 192.168.1.X and the other is 172.16.99.X and the IP ranges can't be changed.

14049752
02-11-2009, 02:56 AM
Maybe the RRAS service, then? It might need to be configured to route data between the two network cards.

MHCG
02-11-2009, 04:27 PM
I'm thinking I need to enable IP forwarding. I have to wait until after lunch before I can reboot the server, so I should know in a few hours.

http://www.home-network-help.com/ip-forwarding.html

MHCG
02-12-2009, 04:45 PM
Ok, so enabling IP forwarding as is described in the previous link worked. I can now ping across the subnets. Now, my issue is that I'm trying to set up a trust relationship between the domains on these two subnets.

I have DNS entries for the two domain controllers, I can ping the domain controllers by FQDN, I'm able to view shares on Subnet A from Subnet B, but when I try to create a new trust, it says that the domain can't be contacted. Does anyone have experience with setting up external trusts?

MHCG
02-12-2009, 07:38 PM
Got it working! External trusts rely on netbios, so I had to set up a WINS server.

MHCG
02-17-2009, 06:10 PM
Ok, sooo this isn't related to the thread other than because it's all part of the same effort.

What I've done is set up a file server with multiple NICs that is to be used as a file server for two domains (A & B). I have set up a trust relationship between the domains and added the Domain Admins groups from both A & B into the local admin group. I have given share permissions to everyone with full control, NTFS permissions are set to give domain admins full control. The file server is a member of Domain A.

So, if I log in as a domain admin (domain A or B) to the file server locally or through Remote desktop I can administer the shares on the local hard drive. I can add and remove permissions to the folders from both domains. If I connect to the share through the network while logged in to the file server as a Domain A or B admin it works fine.

My problem is that as soon as I log in as a Domain B admin from a remote machine, connect to the network share and try to add permissions, it only allows me to add local (file server) permission to the folders. No domain permissions are allowed to be added from either domain. If I log in as a Domain A admin from a remote machine it works fine.

This seems specific to the machine. What am I missing?

thecoldone06
02-17-2009, 06:33 PM
Admin B can access all shares and change domain/local permissions locally just not remotely, correct?

Stupid question, is the computer you are logging into part of the domain? You can access shares on a domain the computer isn't connected to by logging in when accessing them. Not sure you can change domain permissions this way though.

MHCG
02-17-2009, 06:48 PM
Admin B can access all shares and change domain/local permissions locally just not remotely, correct?

Mostly correct. Admin from domain B can change permissions remotely if he is logged into a machine on Domain A, but not if he's logged in to a machine on Domain B. Remember, there is a trust relationship between the domains, so users can log into either domain, but the machines themselves are assigned to a specific domain.

Stupid question, is the computer you are logging into part of the domain? You can access shares on a domain the computer isn't connected to by logging in when accessing them. Not sure you can change domain permissions this way though.

I don't understand your question.

thecoldone06
02-17-2009, 07:49 PM
You answered my question with your first response. I was wondering if the machine Admin B was logging onto was assigned a domain. Where is Admin B's user profile set up? Is it in an OU associated with Domain B? Also, what groups is Admin B a member of?

MHCG
02-17-2009, 11:27 PM
You answered my question with your first response. I was wondering if the machine Admin B was logging onto was assigned a domain. Where is Admin B's user profile set up? Is it in an OU associated with Domain B? Also, what groups is Admin B a member of?

I know it seemed kind of confusing.

Admin B is a domain admin on Domain B, Admin A is a domain admin on Domain A. Both Admin A & B only have problems remotely administering the share when logging into a machine that is a member of Domain B; it works fine when either admin logs into a machine on Domain A or when logging into the file server itself (which is a member computer of Domain A).

I recently discovered that both Admins A & B can remotely administer the share when logged in to the Domain controller of Domain B, but only the domain controller!

Admins are in the Domain admins group.

It is definitely associated with which machine either admin is logged into when trying to remotely administer the share permissions.

MHCG
02-17-2009, 11:55 PM
Figured it out....

When I was writing the last post it made me think, "What does the Domain B DC have that the Domain B member computers don't have....?"

The domain B computers didn't have WINS set up on their network adapters. Domain A doesn't need it because the file server is a member of that domain. This was by design to keep the networks hidden from each other, even the domain admins. Apparently this is a requirement. What a bunch of horseshit. Microsoft, YOU SUCK!
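The two settings this thread ended up depending on (IP forwarding on the dual-homed server, and WINS on the adapters) are worth auditing, since a file server that silently routes between two domains' subnets undoes the separation the poster wanted. The script below is an added example, not from the thread or from Microsoft; it assumes an elevated PowerShell session on the dual-homed server itself, and only sets IPEnableRouter when you pass -EnableRouting.

```powershell
# Added example: audit a dual-homed Windows server's routing and WINS setup.
# Assumes an elevated PowerShell session on the server; read-only unless
# -EnableRouting is given.
param([switch]$EnableRouting)

$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. Is this host forwarding packets between its NICs? (IPEnableRouter = 1)
$router = (Get-ItemProperty -Path $tcpipParams -Name IPEnableRouter `
           -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -eq 1) {
    Write-Host 'IP forwarding: ENABLED - this host routes between its subnets'
} else {
    Write-Host 'IP forwarding: disabled'
    if ($EnableRouting) {
        # The TCP/IP driver reads this value at start-up, so a reboot follows.
        Set-ItemProperty -Path $tcpipParams -Name IPEnableRouter -Value 1 -Type DWord
        Write-Host 'IPEnableRouter set to 1; reboot the server for it to take effect'
    }
}

# 2. Per adapter: IPv4 address, mask, gateway and configured WINS servers.
#    A server acting as the router between two subnets should normally have no
#    default gateway on either NIC, and an adapter with no WINS server cannot
#    resolve the NetBIOS names that the external trust relies on.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description,
        @{ n = 'IPv4';    e = { @($_.IPAddress | Where-Object { $_ -match '^\d+(\.\d+){3}$' }) -join ',' } },
        @{ n = 'Mask';    e = { @($_.IPSubnet  | Where-Object { $_ -match '^\d+(\.\d+){3}$' }) -join ',' } },
        @{ n = 'Gateway'; e = { @($_.DefaultIPGateway) -join ',' } },
        @{ n = 'WINS';    e = { @($_.WINSPrimaryServer, $_.WINSSecondaryServer | Where-Object { $_ }) -join ',' } } |
    Format-Table -AutoSize
```

An adapter row with an empty WINS column is the condition the poster hit on the Domain B member machines; the same report run on those clients shows it directly.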

thecoldone06
02-18-2009, 02:04 PM
Glad you got it figured out. If you have DNS running, I find it odd that WINS needed to be running as well. Do you have any pre-Win2k machines running?