cannot logon to domain from different subnet (resolved)

Discussion in 'Windows Server System' started by Grunty, 2007/12/07.

  1. 2007/12/07
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    We have a separate subnet that contains a few computers which were originally joined to the Win2003 domain locally then shipped out.

    Any users that were logged on to the machines at the start can still use them with cached credentials and the DC's are located in the main subnet only.

    Each subnet can browse the other in explorer, networked printers work fine, I can use vnc ok etc, but new users cannot logon, not even domain admins.

    Is there some kind of forwarding I have to set up between subnets?

    I have looked around the DNS settings and at trusts but cannot see anything obvious.

    Hope someone can help

    Ta
     
  2. 2007/12/07
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    What are the 2 subnets?

    What is the subnet mask?

    Default gateway?

    DNS address?

    Why 2 subnets?
     

  4. 2007/12/10
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    Hi thanks for replying,

    The 2 subnets are separate offices (400 miles apart) linked by an MPLS link across the internet with routers and firewalls at each end.
    Subnet mask is 255.255.255.0 in both cases with each router being the default gateway for its own subnet.

    The dns servers are in the main subnet and double as DC's

    I just find it odd that users can browse seamlessly across the link but Windows cannot validate logons.
     
  5. 2007/12/10
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    I think this may be one place where you don't want to use NetBIOS over TCP/IP. At least in the remote office. NetBIOS doesn't route well, so you probably want to force your authentication system to use DNS defined pathways rather than NetBIOS.

    Should be fairly simple to test. Turn off NetBIOS over TCP/IP on one or two PCs in the remote office and see if that improves the situation. In XP, the setting is on the WINS tab of the connection's TCP/IP properties.

    It might also be worth talking to your VPN provider to see how they handle NetBIOS requests.

    Also, how big is your remote office? If larger than 10 users, it would be worth putting a small authentication server in there and synchronising the servers over the VPN.
     
  6. 2007/12/10
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    Thanks for the reply,

    I tried disabling and then force-enabling NetBIOS over TCP/IP and neither worked.

    I am not familiar with how authentication requests work so don't know where to start looking for an answer, but I checked the ipconfig of the test machine and it gives the correct dns servers so I would have thought requests should be routed ok.

    The office only has 5 users but a spare server is not out of the question, but I would like to have a go at solving this before shelling out for another server licence.
     
  7. 2007/12/10
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    Something very odd - as previously explained, if I try to log on as DOMAIN\Administrator, it fails because it cannot authenticate with the DC (an entry in the event log lists failure to connect to the named DC because of No authentication protocol being available).

    I have logged on to the machine as local admin, I then tried to connect to a network share in explorer - it prompted me for a domain account to do this so I used the domain administrator account and password and it let me in!

    I wouldn't have thought that this kind of authentication would be any different from the log on kind.
     
  8. 2007/12/19
    bamajedi

    bamajedi Inactive

    Joined:
    2007/05/22
    Messages:
    5
    Likes Received:
    0
    Don't you have to have a DC assigned to a subnet to answer logon requests?
    If not, all the DCs will just use the default install site subnet. I believe this is done in Sites and Services.
     
  9. 2008/01/02
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    Thanks for the reply. I found the subnets bit where you said and added the subnet to the DC but still no joy.

    I was wondering if there is something I have to do on the client. The DC will know that it can accept authentication requests from the new subnet but how does the client know to forward the request to the main subnet?
     
  10. 2008/01/13
    MOROZCO

    MOROZCO Inactive

    Joined:
    2002/12/31
    Messages:
    117
    Likes Received:
    0
    DNS

    First you should check to see where the DNS is pointing to. Is it all behind and on private networks? If so, do a tracert to see if the PC can actually contact the domain by IP address and what route it takes. If it does not route it correctly you are most likely using a non-private DNS server; you need to use a private DNS server so it knows to forward all requests to the DC.

    In a case like this I would log in remotely and remove then rejoin to the domain.

    I think it's just a DNS issue.
     
  11. 2008/01/13
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    I think it is too. You say the DNS is correct but you never said what it was. The clients have to have their DNS requests pointed to the Domain Controller.
    Otherwise they can't find the DC.
     
  12. 2008/01/16
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    Sorted it. I just needed to rejoin the PC to the domain, then all was well.

    DNS was already working fine and routers forwarding traffic.
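
The checks suggested across this thread (client DNS servers, DC lookup, reachability over the link, site/subnet mapping), plus a machine-account trust check, which is what a domain rejoin resets, gathered into one script. This is an added example, not something posted in the thread; it assumes a current Windows client with the built-in DnsClient and NetTCPIP cmdlets rather than the XP machines discussed, and `corp.example.local` is a placeholder domain name.

```powershell
# Added example: run on the affected client from an elevated prompt (a local admin logon is enough).
param(
    [string]$Domain = 'corp.example.local'   # placeholder; use your AD DNS domain name
)

# 1. DNS servers the client is using. They must be servers that host the AD zone
#    (in the thread, the DCs in the main subnet), not an ISP or router resolver.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object -ExpandProperty ServerAddresses -Unique
"Client DNS servers : $($dns -join ', ')"

# 2. The DC locator finds domain controllers through SRV records, not NetBIOS browsing.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No SRV records for $srvName: the client cannot locate a DC through its DNS servers."
    return
}

# 3. Share browsing only proves SMB gets through. Logon also needs Kerberos, RPC and LDAP
#    to pass the routers and firewalls at each end of the link.
$ports = [ordered]@{ Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445 }
foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    foreach ($p in $ports.GetEnumerator()) {
        $open = Test-NetConnection -ComputerName $dc -Port $p.Value `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-32} {1,-8} tcp/{2,-4} {3}' -f $dc, $p.Key, $p.Value, $(if ($open) { 'open' } else { 'BLOCKED' })
    }
}

# 4. Site the client maps to (from the subnet objects in Sites and Services) and the DC it selects.
nltest /dsgetsite
nltest "/dsgetdc:$Domain"

# 5. Machine-account trust with the domain. If DNS and the ports above are fine but this
#    fails, the computer account is out of step with the domain.
if (Test-ComputerSecureChannel) {
    'Secure channel     : OK'
} else {
    Write-Warning 'Secure channel broken: repair it (Test-ComputerSecureChannel -Repair) or rejoin the domain.'
}
```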
     
