I have a Windows NT domain controller and a Windows NT PC, and I want to join the PC to the domain (with a Cisco ASA 5512-X in between).
Both the domain controller and the NT PC are connected directly to the firewall and are on the same security level too (it's set up for offline testing at the minute), and communication between interfaces on the same security level is enabled.
I can ping from the domain controller to the NT PC successfully and vice versa; however, when I try to join the NT PC to the domain, it won't let me and keeps saying "the domain controller for this domain cannot be located".
If I bypass the firewall, the domain can be joined with no problem.
I don't have any ACL created, as both PCs are on the same side of the firewall and on the same security level.
What is the DNS situation? I don't recall about NT4, but recent Windows clients want to find forest domain controllers by querying DNS for SRV records. If the client is on-link, it might fall back to link-local multicast DNS, but that Avahi-style stuff won't typically cross a routed firewall interface. The server needs to have registered itself with its DNS server to create the SRV records, the client needs to have a default gateway and DNS server, and it helps if the client's subnet is assigned to a site in Active Directory Sites & Services. E.g.
> set querytype=SRV
Plus the firewall needs to permit a lot of UDP and TCP ports to communicate between the client and server, including ports like 88, 135-139, 384, 445, 464, 636, 3268 etc. If you have no access-groups applied to the interfaces, you may need one or both of:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Personally, I recommend at least ingress ACLs on all interfaces, ignoring the security levels.
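To make the two recommendations concrete (enable same-security traffic between the interfaces, and put an explicit ingress ACL on the client-side interface that permits the domain-join ports), here is an added ASA 8.3+ configuration fragment. It is an illustration written for this page, not configuration from the original poster or from Cisco; the interface names (client, dc), the RFC 5737 documentation addresses and the port list are assumptions. The port list takes the ports named in the reply above and adds DNS (53), LDAP (389), NetBIOS name/datagram (UDP 137/138), NTP (123), global catalog SSL (3269) and a broad RPC dynamic range, which you should narrow to the range your Windows version actually uses.

```cisco
! Both interfaces sit at the same security level, so this is required
! even once an access-group is applied to each interface (assumption:
! interfaces are named "client" and "dc" via nameif).
same-security-traffic permit inter-interface
!
! Assumed hosts (RFC 5737 documentation ranges, not real addresses).
object network NT-DC
 host 192.0.2.10
object network NT-CLIENT
 host 198.51.100.20
!
! Client -> DC TCP ports used during domain join / logon.
object-group service AD-JOIN-TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 139
 port-object eq 389
 port-object eq 445
 port-object eq 464
 port-object eq 636
 port-object eq 3268
 port-object eq 3269
 ! RPC endpoint-mapper dynamic range (assumption: covers both the
 ! legacy 1025-5000 and the modern 49152-65535 ranges; narrow as needed).
 port-object range 1025 65535
!
! Client -> DC UDP ports (DNS, Kerberos, NTP, NetBIOS, CLDAP, kpasswd).
object-group service AD-JOIN-UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 137
 port-object eq 138
 port-object eq 389
 port-object eq 464
!
! Ingress ACL on the client interface. The ASA is stateful, so the DC's
! replies are allowed back without a matching rule on the dc interface.
access-list CLIENT_IN extended permit tcp object NT-CLIENT object NT-DC object-group AD-JOIN-TCP
access-list CLIENT_IN extended permit udp object NT-CLIENT object NT-DC object-group AD-JOIN-UDP
access-list CLIENT_IN extended permit icmp object NT-CLIENT object NT-DC echo
! Log what is still being dropped; this is how you find a missing port.
access-list CLIENT_IN extended deny ip any any log
access-group CLIENT_IN in interface client
```

After applying it, retry the join and watch `show logging` (or the ASDM real-time log) for hits on the final deny line; a blocked port shows up there with its protocol and destination port, which is far quicker than guessing from the Windows error message.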