10-02-2007 05:39 PM - edited 03-03-2019 07:00 PM
Have a situation where the hub site is using a Cisco 3825 router hosting the Windows DC, and 5 remote sites with Windows XP PCs on their LAN connected to the hub site using an 1841 router.
Question is: is there any specific configuration to be done at the hub site and remote routers for the remote site PCs to join the AD?
Thanks.
10-02-2007 10:43 PM
Hi
It's a bit of an open-ended question without more details, but at a high level, if you do not have any access-lists etc. on your routers at either the remote end or the hub end, and assuming that your remote sites connect using straight IP connectivity, i.e. as opposed to IPSec etc., then no, you should not have to do any specific configuration on the routers.
The only thing I can think you may have to do is, if your remote site PCs get their IP addresses from the central site via DHCP, you will need an ip helper-address under the LAN interface of each of your spoke sites.
HTH
Jon
10-02-2007 11:17 PM
Thanks Jon. My concern was whether we need to configure things like,
eg. ip forward-protocol udp netbios-ns
ip forward-protocol udp netbios-ss
ip forward-protocol udp netbios-dgm
etc.?
Tks.
10-02-2007 11:35 PM
Hi
From Cisco doc
=============================================
Regardless of whether you implement IP helper addressing or UDP flooding, you must use the ip forward-protocol udp global configuration command to enable the UDP forwarding. By default, the ip forward-protocol udp command enables forwarding for ports associated with the following protocols: Trivial File Transfer Protocol, Domain Name System, Time service, NetBIOS Name Server, NetBIOS Datagram Server, Boot Protocol, and Terminal Access Controller Access Control System. To enable forwarding for other ports, you must specify them as arguments to the ip forward-protocol udp command.
=============================================
So you shouldn't have to explicitly configure them other than having the global ip forward-protocol udp, but you may want to disable some of them.
Jon
10-02-2007 11:44 PM
Are you forwarding to the DC addresses (which is the best way) or to the directed broadcast address (which can be a security hazard)? If you are forwarding to the directed broadcast address, don't forget to enable directed broadcast on the router, and pay attention to the directed-broadcast access list if you have one.
Kevin Dorrell
Luxembourg
10-03-2007 12:24 AM
Hi Jon, Kevin
Thanks for the inputs. But as Jon said, even though I configure ip forward-protocol udp netbios-ns, it's not shown in the running config. Might be as it's enabled by default.
But on the production network, when I enabled NetFlow and looked at the output of "sh ip cache flow" on the remote router, I see that the broadcast, e.g. from PC 10.10.10.1 with source port 137, sent to 10.10.10.255 destination port 137, was actually forwarded to the null interface on the remote router. Does it mean the UDP forward is not working? Am I missing something here?
Tks,
10-03-2007 01:21 AM
My understanding is that you do not need directed broadcasts to work if you are running NetBIOS over TCP/IP, although I could be mistaken here.
I don't believe you want to have directed broadcasts enabled for joining the AD, as we do not on our remote site routers; we just have ip helper-addresses configured. The ip helper-address command does not forward on broadcasts but turns a broadcast into a unicast and then forwards it on.
I could be mistaken on this; anyone else please feel free to jump in.
Jon
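As an added illustration of the two approaches discussed in the replies above (this is not configuration posted by anyone in the thread): a spoke and hub configuration that relays client broadcasts to the DC as plain unicast, beside the directed-broadcast variant Kevin warns about. The addresses 10.10.10.1/24 and 172.19.10.1 come from the thread; the hub LAN interface name, its address 172.19.10.254 and access-list 101 are assumptions for the example.

```cisco
! ===== Global (spoke router) =====
! ip helper-address relays the default UDP port list (TFTP, DNS, time,
! NetBIOS-NS, NetBIOS-DGM, BOOTP client/server, TACACS).  A domain join
! and DHCP relay only need DNS, NetBIOS and BOOTP, so the others are
! switched off to stop stray broadcasts being relayed towards the hub.
no ip forward-protocol udp tftp
no ip forward-protocol udp time
no ip forward-protocol udp tacacs
!
! ===== Spoke LAN interface (hardened) =====
interface FastEthernet0/0
 description Spoke LAN 10.10.10.0/24 (address from the thread)
 ip address 10.10.10.1 255.255.255.0
 ! Relay to the DC host address, not to the hub subnet broadcast.
 ip helper-address 172.19.10.1
 ! Default on modern IOS; stated explicitly so it survives audits.
 no ip directed-broadcast
!
! ===== Hub LAN interface holding the DC (assumed name and address) =====
! Nothing extra is needed: helper traffic arrives as ordinary unicast
! addressed to 172.19.10.1, so the hub router never has to convert a
! directed broadcast into a LAN broadcast.
interface GigabitEthernet0/0
 description Hub LAN 172.19.10.0/24
 ip address 172.19.10.254 255.255.255.0
 no ip directed-broadcast
!
! ===== Weak variant, shown only for contrast (kept commented out) =====
! Relaying to the subnet broadcast address forces the hub router to
! translate directed broadcasts, and then the optional ACL is the only
! thing limiting who can reach every host on the hub LAN at once.
! interface FastEthernet0/0
!  ip helper-address 172.19.10.255
! interface GigabitEthernet0/0
!  ip directed-broadcast 101
```

"show ip interface FastEthernet0/0" on the spoke should report directed broadcast forwarding disabled while the helper address still appears, which is the state the original poster later confirms.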
10-03-2007 01:30 AM
It is enabled by default. Here is a reference that lists the ports that are forwarded by default. (Isn't it difficult to find such a URL with the new documentation web - half the links are broken!)
Could you do a show run int for the Ethernet on the remote site please?
Kevin Dorrell
Luxembourg
10-03-2007 07:08 AM
Here it is:
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip broadcast-address 10.10.10.255
 ip helper-address 172.19.10.1
 ip flow egress
 ip tcp adjust-mss 1452
 load-interval 30
 duplex auto
 speed auto
When I run sh ip int fa0/0, it says IP directed broadcast forwarding is disabled.
Tks.
10-03-2007 07:14 AM
And is 172.19.10.1 the IP address of your Domain Controller?
Kevin Dorrell
Luxembourg
10-03-2007 07:22 AM
Yes, that's correct.
10-03-2007 08:01 AM
For the moment, I don't see what is wrong. If 172.19.10.1 is the host address of the DC, there is no need to do anything about directed broadcasts ... in any case, that would be on the central site.
I presume the clients have the same /24 mask and they are in 10.10.10.0/24.
I presume also that the DC has a route back to the client. Can the client ping the DC and vice versa?
Kevin Dorrell
Luxembourg
10-04-2007 06:54 PM
The network reachability is there between the clients and server. The key thing is the connection between the clients and server is via a satellite link.
10-07-2007 11:12 PM
Hi
Another point of note is that the server and client are connected through an MPLS IP VPN network and I'm using static routing at the CE router. And the MPLS IP VPN is transparent to the CE routers at the hub and remote end.
Appreciate any thoughts!
Thks
10-08-2007 07:51 AM
Hi all,
Thanks for your valuable input. The issue was resolved without any specific config for ip forward protoco...
The cause was found to be some filtering at the satellite link.
Tks.