
Multiple routers in a single AD domain network


Nerm
05-06-2009, 02:24 PM
I have a client that has a fairly large network (over 250 workstations). What they want to do is separate 3 labs that each have over 30 workstations but still be in the same domain/forest. I know it is possible to add a router to each lab and have them access back through that router to the main network and domain controller, file server, etc. The problem is I can't seem to get it to work.

I setup a spare router in one of the labs to test with and it worked in every way (got on internet, etc) except it wouldn't see or access the domain controller. Anyone have any suggestions of things to check so I can figure out why this isn't working?

Primary Network:
Main Router: 192.168.1.1
Domain Controller: 192.168.1.2
DHCP range: 192.168.1.35 - 192.168.1.249
Subnet: 255.255.255.0

Test Lab Network:
Router: 192.168.1.251 (WAN)
Router: 192.168.2.1 (LAN)
DHCP range: 192.168.2.100 - 192.168.2.199
Subnet: 255.255.255.0

brownie
05-06-2009, 02:50 PM
Can you ping the DC from a Test Lab Network client?

Are you running a DHCP relay agent or a local DHCP server on the Test Lab Network as the router may not be passing through DHCP broadcasts? You can tell on the client as it'll have a 169 address.

Name resolution working OK, can you resolve the FQDN of the DC from a Test Lab Network client?

Nerm
05-06-2009, 03:06 PM
The router in the test lab is handling DHCP for that room and that works fine.

I cannot ping the DC nor does name resolution work from test lab client machines.

I know it has got to be something not correctly configured in the test lab router but I cannot figure out what.

brownie
05-06-2009, 03:18 PM
UDP on port 53 passing through the router?

Can you ping the DC by IP address?

ITG Tech
05-07-2009, 01:10 AM
The quick answer is to get a managed switch so that you can set up VLANs.
With the scope/scale of your project a managed switch will also give you the ability to set up access control from VLAN to VLAN within the network.

You are dealing with different subnets for the different areas. Is DHCP disabled in all but the main router?

Good luck
:)

Nerm
05-07-2009, 08:51 PM
No, the plan is to have the router in each lab handle DHCP for that lab. The whole purpose is to free up more IP addresses on the network. Their current DHCP scope has only 8 available addresses remaining and they are wanting to add another 25 computers.

EDIT: After a second attempt at the test setup I can get the lab PCs to ping the DC but still cannot join and browse the domain.

brownie
05-07-2009, 10:41 PM
Ping the DC by IP only? If so the DNS issue needs resolving.

Reset
05-08-2009, 02:54 PM
Did you configure the routers to see each other, as in static routes or RIP?

MHCG
05-08-2009, 03:17 PM
No, the plan is to have the router in each lab handle DHCP for that lab. The whole purpose is to free up more IP addresses on the network. Their current DHCP scope has only 8 available addresses remaining and they are wanting to add another 25 computers.

You could change to a Class A IP range.

How Domain Controllers Are Located in Windows (http://support.microsoft.com/kb/247811)

EDIT: After a second attempt at the test setup I can get the lab PCs to ping the DC but still cannot join and browse the domain.

Maybe you need to open LDAP port?

Nerm
05-08-2009, 04:35 PM
I really do think it is a DNS issue since I can ping the IP of the DC. The test lab router is pointing to the DC for DNS as it also does the DNS for the network which should take care of any name resolution issues but I still cannot join the domain.

Nerm
05-09-2009, 03:28 PM
I just get a generic "domain not found" error. I don't remember the error code now but when I looked it up it referred to improperly configured DNS forward lookup zone but I don't see how that can be the case when the other 200+ workstations can connect just fine on the main network.

brownie
05-09-2009, 03:50 PM
I don't see how that can be the case when the other 200+ workstations can connect just fine on the main network.

According to your first post, the existing machines are on a 192.168.1 network, your test lab machines are on a 192.168.2 network.

Has a zone for the test lab network been setup on the DNS server? My guess is the existing forward zone is setup for a 192.168.1 network.

Nerm
05-09-2009, 05:50 PM
Oh crap I forgot all about doing that. I will give that a try. :)

SOHO-NZ
05-12-2009, 03:17 AM
I just tried replicating this in my workshop, without any real problems.

I used a Linksys RVS4000 as my 'lab' router, and connected to my SBS2003 server using my laptop quite easily.

I set the router to be in 'router' mode not 'gateway' - so NAT is disabled. I disabled any firewall settings I could, allowed incoming on the 'WAN' interface.

The Linksys is serving DHCP to the 'lab', and setting the DNS to the IP of my SBS Server. I had to put a temporary static route on the SBS Server to show it how to get back to the 'lab' network - this should really be done on the main gateway on the DC's network, or use a routing protocol like RIP (be careful with RIP).

I can logon, see my network drives, browse the Active Directory, print to printers on the server, connect to Exchange.

I might test router as a DHCP relay too. - Oh and VLANs are definitely a better solution than using routers, but the switches can be expensive.

e2346437
05-12-2009, 12:05 PM
DNS resolution is the biggest configuration issue I run into with Windows domains. The IP of your domain controller is the only DNS server that should be specified on the workstations.

Having a DNS zone for 192.168.2.0 is recommended but the workstations will connect without it. The server just won't be able to keep track of the DNS names for that zone.

Working yet?

Eric
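
The client-side checks brownie and Eric describe above (APIPA address means no DHCP lease, ping the DC by IP before worrying about names, only the DC as DNS server) encoded as a small Python checker. This is an added example, not code from any poster in this thread; the addresses are the ones from the first post, and the four observations per client are constructed inputs rather than live probes:

```python
import ipaddress
from typing import List

# Addressing from the first post in the thread; the DC also runs DNS.
DC_IP = ipaddress.ip_address("192.168.1.2")
MAIN_NET = ipaddress.ip_network("192.168.1.0/24")
LAB_NET = ipaddress.ip_network("192.168.2.0/24")
# Windows hands itself a 169.254.x.x address when no DHCP lease arrives.
APIPA = ipaddress.ip_network("169.254.0.0/16")


def check_client(ip: str, dns_servers: List[str],
                 pings_dc_ip: bool, resolves_dc_fqdn: bool) -> List[str]:
    """Return the findings for one lab client, in the order the thread
    works through them: DHCP lease -> IP reachability -> DNS.

    The four arguments are observations taken on the client (ipconfig,
    ping <DC IP>, ping <DC FQDN>); here they are constructed, not probed.
    """
    findings: List[str] = []
    addr = ipaddress.ip_address(ip)

    # 1. No lease: the lab router is neither serving DHCP on this segment
    #    nor relaying DHCP broadcasts to a server elsewhere.
    if addr in APIPA:
        findings.append("APIPA address: no DHCP lease (no local DHCP server or relay)")
        return findings
    if addr not in LAB_NET and addr not in MAIN_NET:
        findings.append(f"{ip} is outside both known subnets; check the lab DHCP scope")

    # 2. Cannot reach the DC by IP: a routing problem, not a DNS one.
    if not pings_dc_ip:
        findings.append("DC unreachable by IP: check the lab router and the return route "
                        "from the main network to " + str(LAB_NET))
        return findings

    # 3. Reachable by IP, so everything now hinges on DNS. Domain members
    #    should list only the DC (or another AD-integrated DNS server).
    servers = [ipaddress.ip_address(s) for s in dns_servers]
    if DC_IP not in servers:
        findings.append(f"DC {DC_IP} is not in the client's DNS server list")
    others = [str(s) for s in servers if s != DC_IP]
    if others:
        findings.append(f"non-AD DNS servers configured {others}: "
                        "domain SRV lookups can fail whenever one of them answers")
    if not resolves_dc_fqdn:
        findings.append("DC FQDN does not resolve: verify UDP/TCP 53 reaches the DC "
                        "and that the zone answers queries from this subnet")

    if not findings:
        findings.append("no client-side DHCP, routing or DNS issue found")
    return findings


if __name__ == "__main__":
    # Constructed observations for three lab clients.
    samples = [
        ("169.254.12.7", [], False, False),
        ("192.168.2.100", ["192.168.1.2"], True, False),
        ("192.168.2.101", ["192.168.1.2", "192.168.1.1"], True, True),
    ]
    for sample in samples:
        print(sample[0])
        for line in check_client(*sample):
            print("  -", line)
```

The early returns matter: an APIPA address or a failed ping by IP makes every later DNS finding noise, which is why the thread keeps asking "can you ping the DC by IP?" before anything else.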

brownie
05-12-2009, 10:54 PM
Having a DNS zone for 192.168.2.0 is recommended but the workstations will connect without it. The server just won't be able to keep track of the DNS names for that zone.


In an AD environment running Microsoft DNS with Microsoft clients, can you explain this? :confused:

e2346437
05-13-2009, 02:33 AM
In an AD environment running Microsoft DNS with Microsoft clients, can you explain this? :confused:

Not sure what you would like me to explain.

In an AD domain, when a computer that is part of the domain logs in, its IP address is registered in DNS. As all the computers in the network are using the server as their primary DNS server, they should all be able to do name resolution to each other.

All the DNS records can be contained in the forward DNS zone, even those that are in a different IP subnet.

However, the server can also update the reverse DNS zone, which can resolve IPs to names, a function completely opposite from the forward zone, which resolves names to IPs. The catch is that the reverse DNS zone is NOT created by default! You have to go into the DNS management console and create a reverse DNS zone for each Class C subnet that you are using.

So, workstations can login to the server even though the reverse DNS zone does not exist.

Eric

Nerm
05-13-2009, 03:23 PM
Thanks for the help guys. I have been busy and haven't had time to try the latest suggestions yet. I am pretty sure the issue is the scope not being set for the lab subnet, but will let you know when I try it.

Also I am trying this with a very cheap $50 Linksys router. Any chance the router just isn't sophisticated enough to work in this situation.

brownie
05-13-2009, 07:08 PM
The catch is that the reverse DNS zone is NOT created by default! You have to go into the DNS management console and create a reverse DNS zone for each Class C subnet that you are using.

So, workstations can login to the server even though the reverse DNS zone does not exist.

Eric

Ah ha, I misunderstood your original statement but now get what you are saying. :)

So as nerm has mentioned, it's more than likely there is no DHCP scope setup for the 192.168.2 network.

Omnicef
05-13-2009, 11:49 PM
In the configuration for the lab router, set the DNS server to point to the AD server. This is very likely the problem. If you do this, the router will give the Lab PCs the AD server address as the DNS server. The problem is no doubt a DNS issue.

SOHO-NZ
05-14-2009, 12:47 AM
In the configuration for the lab router, set the DNS server to point to the AD server. This is very likely the problem. If you do this, the router will give the Lab PCs the AD server address as the DNS server. The problem is no doubt a DNS issue.

I agree. - this was what I experienced with my test setup.

So as nerm has mentioned, it's more than likely there is no DHCP scope setup for the 192.168.2 network.

I disagree - the Domain Controller does not need to know about workstations on other DHCP scopes (unless you're using DHCP relay) - nice to have for reverse DNS, but that won't stop the workstation from logging on.

SOHO-NZ
05-14-2009, 12:52 AM
Thanks for the help guys. I have been busy and haven't had time to try the latest suggestions yet. I am pretty sure the issue is the scope not being set for the lab subnet, but will let you know when I try it.

Also I am trying this with a very cheap $50 Linksys router. Any chance the router just isn't sophisticated enough to work in this situation.

When I did this on my Linksys here (more sophisticated router), I disabled NAT (set to router mode, not gateway mode), and allowed all traffic from the WAN port. Have you done this?

If you don't disable NAT, your DC server will see lots of connections from the same IP address, which is not ideal.

e2346437
05-14-2009, 04:20 AM
When I did this on my Linksys here (more sophisticated router), I disabled NAT (set to router mode, not gateway mode), and allowed all traffic from the WAN port. Have you done this?

If you don't disable NAT, your DC server will see lots of connections from the same IP address, which is not ideal.

I was going to say the same thing, just different :p Your Linksys is technically an "Internet gateway" in that it does NAT, firewall, and routing all in one box. You need to make it only do routing, if possible.

When you do that though, the server will no longer be able to communicate with your 192.168.2.x clients because it doesn't know how to route traffic there. The Linksys in its default mode makes traffic "look" like it is coming from an IP on the 192.168.1.x network, so the server knows where to send its responses to. Once you shut off NAT though, it's a whole different ballgame.

You can either create an internal route in the router whose IP is specified in the server's Local Area Connection, OR, go to the command line of the server and issue the command:

route add 192.168.2.0 mask 255.255.255.0 <ip address of Linksys router> -p

This allows the server to route traffic to the 192.168.2.x clients by sending that traffic to the IP address of the Linksys router that connects the 192.168.1.x network to the 2.x network. The "-p" makes the route persistent, so that it survives reboots.

If the route needs to be removed later, do "route delete 192.168.2.0".

Normally, I would use a more robust router such as a Mikrotik or at least a Linksys WRT-54gl that is upgraded to DD-WRT (I sell these on eBay if you are interested ;))



Eric
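
To make the NAT-versus-static-route point above concrete, here is an added Python example (mine, not Eric's and not any router's firmware) that simulates the DC's own routing table with a longest-prefix-match lookup, the way a host's IP stack picks a route. The router addresses are the ones from the first post; the contents of the DC's routing table are an assumption (its connected /24 plus a default route to the main router):

```python
import ipaddress
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address
# A route is (destination prefix, next hop); next hop None = directly connected.
Route = Tuple[IPv4Net, Optional[IPv4Addr]]

# Addresses from the first post in the thread.
MAIN_ROUTER = ipaddress.IPv4Address("192.168.1.1")       # the DC's default gateway
LAB_ROUTER_WAN = ipaddress.IPv4Address("192.168.1.251")  # lab router, main-network side
LAB_NET = ipaddress.IPv4Network("192.168.2.0/24")


def dc_table_before() -> List[Route]:
    """Assumed routing table of the DC before any static route is added:
    its own connected subnet plus a default route to the main router."""
    return [
        (ipaddress.IPv4Network("192.168.1.0/24"), None),
        (ipaddress.IPv4Network("0.0.0.0/0"), MAIN_ROUTER),
    ]


def dc_table_after(table: List[Route]) -> List[Route]:
    """The same table after:  route add 192.168.2.0 mask 255.255.255.0 192.168.1.251 -p"""
    return table + [(LAB_NET, LAB_ROUTER_WAN)]


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r[0].prefixlen)


def reply_next_hop(table: List[Route], src_seen: str) -> str:
    """Where the DC sends its reply to a packet whose source address was src_seen."""
    _, gw = lookup(table, src_seen)
    return "direct" if gw is None else str(gw)


def source_seen_by_dc(client_ip: str, nat_enabled: bool) -> str:
    """In gateway mode the lab router NATs every client behind its WAN address;
    in router mode the client's real address is preserved."""
    return str(LAB_ROUTER_WAN) if nat_enabled else client_ip


if __name__ == "__main__":
    client = "192.168.2.100"
    before = dc_table_before()
    after = dc_table_after(dc_table_before())
    # NAT on: every lab client looks like 192.168.1.251, which is on the
    # DC's own subnet, so replies flow without any extra route (but the DC
    # cannot tell one lab client from another).
    print("NAT on          ->", reply_next_hop(before, source_seen_by_dc(client, True)))
    # NAT off, no route: the reply falls to the default route and goes to
    # the main router, which knows nothing about 192.168.2.0/24.
    print("NAT off, no add ->", reply_next_hop(before, source_seen_by_dc(client, False)))
    # NAT off with the static route: the reply goes to the lab router.
    print("NAT off, route  ->", reply_next_hop(after, source_seen_by_dc(client, False)))
```

The middle case is the one that looks broken "for no reason": the DC receives the packet fine, but its reply is handed to 192.168.1.1, which has no route back to the lab. Adding the route on the main router instead of on the DC (SOHO-NZ's suggestion earlier) fixes this for every host on the main network at once, because the default route then leads somewhere that knows about 192.168.2.0/24.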

Nerm
05-14-2009, 07:48 PM
Ok here is an update guys. I resolved the DNS scope issue. After doing this 3 of the workstations in the lab started working, the other 27 still do not. WTF? lol I am beginning to think that luck is not on my side.

btw, Eric I can do dd-wrt myself lol :P

e2346437
05-15-2009, 12:19 AM
Ok here is an update guys. I resolved the DNS scope issue. After doing this 3 of the workstations in the lab started working, the other 27 still do not. WTF? lol I am beginning to think that luck is not on my side.

btw, Eric I can do dd-wrt myself lol :P

Can you ping the server by name and by IP from one of the workstations that does not work?

Eric

Nerm
05-15-2009, 02:22 PM
Can you ping the server by name and by IP from one of the workstations that does not work?

Eric

Yes, I have always been able to do that. I am wondering since it is now working on some but not all if it is a propagation issue and I just need to give it some time before trying again.

joejoe
05-15-2009, 10:06 PM
Why not back up the subnet mask and allow the first router to handle ALL the DHCP? This isn't my bailiwick but if all you need is more IP addresses on the private network... when you use 255.255.255.0 you can only have 254 hosts.
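
joejoe's suggestion (widen the mask instead of adding routers) and MHCG's earlier "change to a Class A range" are the same idea: a bigger block, one DHCP server. An added Python example (not from anyone in the thread) that works out the smallest supernet of 192.168.1.0/24 covering the demand and then checks the two things that go wrong in practice: the new block overlapping a subnet that already exists elsewhere, and fixed-address hosts ending up outside it. The fixed hosts and the lab subnet are the values from the first post; the number of addresses already in use is an assumed figure, since the thread only says 8 remain:

```python
import ipaddress
from typing import Dict, List

# From the first post: hosts with fixed addresses on the main network, and
# the lab subnet that the separate-router plan uses.
FIXED_HOSTS: Dict[str, str] = {
    "main router": "192.168.1.1",
    "domain controller": "192.168.1.2",
    "lab router WAN": "192.168.1.251",
}
LAB_NETS: List[str] = ["192.168.2.0/24"]


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Addresses in the block minus the network and broadcast addresses."""
    return net.num_addresses - 2


def plan_widening(current: str = "192.168.1.0/24", in_use: int = 246,
                  planned: int = 25) -> dict:
    """Find the smallest supernet of `current` whose usable host count covers
    the addresses already in use plus the planned additions, and report
    overlaps with existing subnets and fixed hosts left outside the block.

    in_use=246 is an assumption for this example, not a figure from the thread.
    """
    new = ipaddress.ip_network(current)
    required = in_use + planned
    while usable_hosts(new) < required:
        new = new.supernet()  # shorten the prefix by one bit: /24 -> /23 -> /22 ...
    overlaps = [lab for lab in LAB_NETS
                if new.overlaps(ipaddress.ip_network(lab))]
    outside = [name for name, ip in FIXED_HOSTS.items()
               if ipaddress.ip_address(ip) not in new]
    return {
        "network": str(new),
        "mask": str(new.netmask),
        "usable_hosts": usable_hosts(new),
        "overlaps": overlaps,
        "fixed_hosts_outside": outside,
    }


if __name__ == "__main__":
    for planned in (25, 300):
        print(planned, "more hosts ->", plan_widening(planned=planned))
```

With the 25 extra machines from the thread, a /23 (255.255.254.0, 192.168.0.0 to 192.168.1.255) is enough and leaves 192.168.2.0/24 untouched; grow the demand further and the /22 swallows the lab subnet, which is the overlap the check reports. Whichever block is chosen, every host on the main network, static and DHCP-leased alike, has to receive the new mask; a machine still configured for /24 cannot reach addresses in the other half of the block even though they are "on the same network" on paper.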