[windows2000] Re: Network Help

  • From: "Rick Fogarty" <rick@xxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Fri, 7 Nov 2003 10:10:24 -0500

Comments inline:
>> I guess what I meant was, do the client computers in the other subnet use
>> the local machine as a DNS server, or do they do DNS over the link, or are
>> they set up with ISP DNS entries.
Yes, they do.  I set the DHCP server to push this address down as the DNS
server for the clients.  I also added the ISP DNS as a forwarder.
>> The second DC should point to itself for DNS... every DC that is also a
>> DNS server (which, assuming AD integrated DNS zones, should be every DC,
>> IMNSHO) should point to itself.
It does and should.  I agree.
>> But I guess I would also make the second DC a GC as well.  No sense having
>> a DC in the remote site if the clients are going to have to traverse the
>> link to get to the GC to log in (which, as you found out, is necessary to
Now that was something that I didn't think of...  For some reason, I thought
that, out of the roles the DC has, there could only be one GC....  I'll have
to read up on that one...  And yes, I found out the hard way (several miles
away from our normal site): no GC?  No login!
>> Does the VPN traffic get filtered at all?  Probably a tough question to
>> answer, since you aren't the firewall admin...  Does the VPN go through the
>> firewall or around it?
At this point, I'm not sure.  I was told no, but I suspect otherwise.
That's what next week's project will be.  Yes, the VPN goes through the
firewall, as the firewall is the device that set up the VPN.  From what I've
been told, a tunnel between the two firewalls...


Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc. 

-----Original Message-----
From: Rick Fogarty [mailto:rick@xxxxxxxxxxxxx]
Sent: Friday, November 07, 2003 9:11 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: Network Help

No problem, Glenn... It seems a bit odd that things don't work as expected,
but I'm really not sure if the Network Admin has things set up correctly at
the firewall level.
Connectivity does work both ways.  I can ping devices from either side of
the network.
DNS was a bit tricky... I wasn't sure how to work this one... I set up the
sat account (first) pointing back to the original DC - however, considering
the network issues, it didn't work.  So, I then changed it and set it up to
point to itself.
Make sense?  Although, I didn't know one could set up a DNS server to serve
only one subnet (he says while searching MS' site)


-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx
[mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Sullivan, Glenn
Sent: Friday, November 07, 2003 8:59 AM
To: 'windows2000@xxxxxxxxxxxxx'
Subject: [windows2000] Re: Network Help

You mention that you have connectivity to them.  Does it work the other way?
How is the DNS set up when you add that other DC?  Is it the DNS for that
subnet?  If so, is it synched with your main DNS, so it can find the GC?
Shooting from the hip, of course...

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc. 

-----Original Message-----
From: Rick Fogarty [mailto:rick@xxxxxxxxxxxxx]
Sent: Friday, November 07, 2003 8:41 AM
To: W2K
Subject: [windows2000] Network Help

This is more a theory question, but I'm hoping someone will jump on board to
help me out....
Here is the way our network is set up; perhaps you can tell me why things
aren't working as expected.
On our main campus in my county, we have a T1 that is provided by the state.
That's pushed to three separate subnets - two private (172.16.12 &
172.16.20) and one public address (198.85.71.x).  Each of these subnets has
many computers that we need to manage.  I've created a new W2k3 AD domain
and at present only have one DC - all the roles reside on it.  DNS, DHCP and
WINS are set up and running flawlessly - at least for now....
The DC (Zeus) has a network card per subnet that allows each subnet to log in
and get network resources.  This appears to be working fine.  I've set up a
site for each subnet, and logins and name service requests work well.
Now, the strange part - we have a satellite site that has a commercial
cable modem setup providing access to 150 computers.  Each site, ours and
theirs, is set up with a WatchGuard Firebox 2500.  The two sites are linked
with an encrypted VPN.  So, I can sit at my desk and tracert to a machine
over there and it traverses exactly as expected.  However, when I place a DC
over there so they can log in to our domain, it can't find the global
To me, it seems that not all traffic is passing through the firewall.  Does
that sound right?  Is there a better setup for something like this?

Rick Fogarty
Coordinator, Technical Support and Computer Servicing
Sandhills Community College
3395 Airport Rd
Pinehurst, NC 28374
1(910) 695-3943
Fax 1(910)695-1823
http://www.sandhills.edu/
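The thread never settles whether the remote DC's problem is DNS (no Global Catalog record to find) or the VPN/firewall (record found, but the GC ports filtered on the link). The following PowerShell diagnostic is an added example, not from the list thread; it separates the two by asking the DNS server the remote clients are given for the GC SRV records and then testing the logon-related TCP ports on each returned DC. The domain, site and DNS server values are placeholders.

```powershell
# Added diagnostic (not from the thread): run from a client on the remote
# subnet, or from the remote DC itself, to tell a DNS problem from a
# filtered VPN link.  example.local, Branch and 172.16.12.10 are placeholders.
function Test-GcReachability {
    param(
        [Parameter(Mandatory)] [string] $Domain,      # AD DNS domain name
        [Parameter(Mandatory)] [string] $DnsServer,   # DNS server DHCP hands to the remote clients
        [string] $Site                                # optional AD site name of the remote subnet
    )
    # SRV names AD registers for GC discovery: the domain-wide record and,
    # when a site is given, the site-specific record clients try first.
    $srvNames = @("_gc._tcp.$Domain")
    if ($Site) { $srvNames += "_gc._tcp.$Site._sites.$Domain" }

    $results = foreach ($name in $srvNames) {
        # Resolve-DnsName also returns glue A records; keep only the SRV answers.
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            # No record: the zone is not replicated/forwarded here, or no GC serves this scope.
            [pscustomobject]@{ Record = $name; Target = $null; Port = $null; Reachable = $false; Note = 'no SRV record' }
            continue
        }
        foreach ($rec in $srv) {
            # 88 = Kerberos, 389 = LDAP, 445 = SMB (SYSVOL/logon scripts), 3268 = GC LDAP
            foreach ($port in 88, 389, 445, 3268) {
                $tcp = Test-NetConnection -ComputerName $rec.NameTarget -Port $port -WarningAction SilentlyContinue
                [pscustomobject]@{
                    Record    = $name
                    Target    = $rec.NameTarget
                    Port      = $port
                    Reachable = $tcp.TcpTestSucceeded
                    Note      = if ($tcp.TcpTestSucceeded) { '' } else { 'blocked or filtered on the link' }
                }
            }
        }
    }
    return $results
}

# Example run with placeholder values
Test-GcReachability -Domain 'example.local' -DnsServer '172.16.12.10' -Site 'Branch' |
    Format-Table Record, Target, Port, Reachable, Note -AutoSize
```

A row with "no SRV record" points at DNS replication or forwarding between the sites; SRV records present but ports unreachable points at the firewall policy on the VPN tunnel, which is the case the reply above suspected.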
