PC joining the windows AD across a wan link

jay77jay77
Level 1

I have a situation where the hub site is using a Cisco 3825 router hosting the Windows DC, and 5 remote sites with Windows XP PCs on their LAN connected to the hub site using a 1841 router.

Question is: is there any specific configuration to be done at the hub site and remote routers for the remote site PCs to join the AD?

Thanks.

14 Replies

Jon Marshall
Hall of Fame

Hi

It's a bit of an open ended question without more details, but at a high level, if you do not have any access-lists etc. on your routers at either the remote end or the hub end, and assuming that your remote sites connect using straight IP connectivity (i.e. as opposed to IPSEC etc.), then no, you should not have to do any specific configuration on the routers.

The only thing I can think you may have to do is if your remote site PCs get their IP addresses from the central site via DHCP: you will need an ip helper-address under the LAN interface of each of your spoke sites.

HTH

Jon

Thanks Jon. My concern was whether we need to configure things like,

eg. ip forward-protocol udp netbios-ns
ip forward-protocol udp netbios-ss
ip forward-protocol udp netbios-dgm

etc?

Tks.

Hi

From Cisco doc

=============================================

Regardless of whether you implement IP helper addressing or UDP flooding, you must use the ip forward-protocol udp global configuration command to enable the UDP forwarding. By default, the ip forward-protocol udp command enables forwarding for ports associated with the following protocols: Trivial File Transfer Protocol, Domain Name System, Time service, NetBIOS Name Server, NetBIOS Datagram Server, Boot Protocol, and Terminal Access Controller Access Control System. To enable forwarding for other ports, you must specify them as arguments to the ip forward-protocol udp command.

=============================================

So you shouldn't have to explicitly configure them other than having the global ip forward-protocol udp, but you may want to disable some of them.

Jon

Are you forwarding to the DC addresses (which is the best way) or to the directed broadcast address (which can be a security hazard)? If you are forwarding to the directed broadcast address, don't forget to enable directed broadcast on the router, and pay attention to the directed-broadcast access list if you have one.

Kevin Dorrell

Luxembourg

Hi Jon, Kevin

Thanks for the inputs. But as Jon said, even though I configure ip forward-protocol udp netbios-ns, it's not showing up in the running config. Might be because it's enabled by default.

But on the production network, when I enabled NetFlow and looked at the output of "sh ip cache flow" on the remote router, I see that the broadcast, e.g. from PC 10.10.10.1 with source port 137, sent to 10.10.10.255 destination port 137, was actually forwarded to the Null interface on the remote router. Does it mean the UDP forwarding is not working? Am I missing something here?

Tks,

My understanding is that you do not need directed broadcasts to work if you are running NetBIOS over TCP/IP, although I could be mistaken here.

I don't believe you want to have directed broadcasts enabled for joining the AD as we do not on our remote site routers, we just have IP helper-addresses configured. The ip helper-address command does not forward on broadcasts but turns a broadcast into a unicast and then forwards it on.

I could be mistaken on this, anyone else please feel free to jump in.

Jon

It is enabled by default. Here is a reference that lists the ports that are forwarded by default. (Isn't it difficult to find such a URL with the new documentation web - half the links are broken!)

http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a00804461d0.html#wp1205299

Could you do a show run int for the Ethernet on the remote site please?

Kevin Dorrell

Luxembourg

Here it is:

interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip broadcast-address 10.10.10.255
 ip helper-address 172.19.10.1
 ip flow egress
 ip tcp adjust-mss 1452
 load-interval 30
 duplex auto
 speed auto

When I run sh ip int fa0/0, it says IP directed broadcast forwarding is disabled.

Tks.
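The distinction Kevin and Jon draw above (helper-address pointing at the DC host versus relying on directed broadcasts) can be checked mechanically against a running config. The following Python is an added example, not code from this thread or from Cisco: it parses interface stanzas in the style of the FastEthernet0/0 config posted above (the FastEthernet0/1 stanza and its addresses are constructed to show the bad cases) and flags ip directed-broadcast plus helper targets that look like a subnet broadcast rather than a host; the /24 used to judge a helper target is an assumption, since the target's real mask is not in the config.

```python
import ipaddress
import re

# Constructed sample in the style of the FastEthernet0/0 stanza posted in this
# thread; FastEthernet0/1 and its values are made up to show the bad cases.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip broadcast-address 10.10.10.255
 ip helper-address 172.19.10.1
 ip flow egress
!
interface FastEthernet0/1
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 172.19.10.255
 ip directed-broadcast
!
"""

def parse_interfaces(text):
    """Return {name: {address, helpers, directed}} from IOS-style interface stanzas."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            cur = ifaces.setdefault(name, {"address": None, "helpers": [], "directed": False})
        elif cur is None or line in ("", "!"):
            continue  # not inside a stanza, or a separator line
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            cur["address"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip helper-address (\S+)$", line):
            cur["helpers"].append(ipaddress.IPv4Address(m.group(1)))
        elif line == "ip directed-broadcast":
            cur["directed"] = True
    return ifaces

def audit(text):
    """Flag directed-broadcast forwarding and helper targets that are not a host address."""
    findings = []
    for name, i in parse_interfaces(text).items():
        if i["directed"]:
            findings.append(f"{name}: ip directed-broadcast enabled")
        for h in i["helpers"]:
            # Heuristic (assumption): the helper target's own mask is unknown, so
            # assume /24 and ask whether the address is that network's broadcast.
            if ipaddress.IPv4Interface(f"{h}/24").network.broadcast_address == h:
                findings.append(f"{name}: helper {h} looks like a broadcast address, not a DC host")
    return findings
```

Run against the sample, the posted FastEthernet0/0 stanza produces no findings, which matches Kevin's point that a helper aimed at the DC's host address needs no directed-broadcast forwarding.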

And is 172.19.10.1 the IP address of your Domain Controller?

Kevin Dorrell

Luxembourg

Yes, that's correct.

For the moment, I don't see what is wrong. If 172.19.10.1 is the host address of the DC, there is no need to do anything about directed broadcasts ... in any case, that would be on the central site.

I presume the clients have the same /24 mask and they are in 10.10.10.0/24.

I presume also that the DC has a route back to the client. Can the client ping the DC and vice versa?

Kevin Dorrell

Luxembourg

The network reachability is there between the clients and server. The key thing is that the connection between the clients and server is via a satellite link.

Hi

Another point of note is that the server and client are connected through an MPLS IP VPN network and I'm using static routing at the CE router. The MPLS IP VPN is transparent to the CE routers at the hub and remote end.

Appreciate any thoughts!

Thks

Hi All

Thanks for your valuable input. The issue was resolved without any specific config for ip forward protoco...

The cause was found to be some filtering at the satellite link.

Tks.
