I have a situation where the hub site is using a Cisco 3825 router and hosts the Windows DC, and there are 5 remote sites with Windows XP PCs on their LANs, connected to the hub site using an 1841 router.
The question is: is there any specific configuration to be done on the hub site and remote site routers for the remote site PCs to join the AD?
It's a bit of an open-ended question without more details, but at a high level, if you do not have any access lists etc. on your routers at either the remote end or the hub end, and assuming that your remote sites connect using straight IP connectivity (i.e. as opposed to IPsec etc.), then no, you should not have to do any specific configuration on the routers.
The only thing I can think you may have to do is, if your remote site PCs get their IP addresses from the central site via DHCP, you will need an ip helper-address under the LAN interface of each of your spoke sites.
Thanks Jon. My concern was whether we need to configure things like:
e.g. ip forward-protocol udp netbios-ns
ip forward-protocol udp netbios-ss
ip forward-protocol udp netbios-dgm
From the Cisco doc:
Regardless of whether you implement IP helper addressing or UDP flooding, you must use the ip forward-protocol udp global configuration command to enable the UDP forwarding. By default, the ip forward-protocol udp command enables forwarding for ports associated with the following protocols: Trivial File Transfer Protocol, Domain Name System, Time service, NetBIOS Name Server, NetBIOS Datagram Server, Boot Protocol, and Terminal Access Controller Access Control System. To enable forwarding for other ports, you must specify them as arguments to the ip forward-protocol udp command.
So you shouldn't have to explicitly configure them other than having the global ip forward-protocol udp, but you may want to disable some of them.
Are you forwarding to the DC addresses (which is the best way) or to the directed broadcast address (which can be a security hazard)? If you are forwarding to the directed broadcast address, don't forget to enable directed broadcast on the router, and pay attention to the directed-broadcast access list if you have one.
Hi Jon, Kevin,
Thanks for the inputs. But as Jon said, even though I configure ip forward-protocol udp netbios-ns, it doesn't show up in the running config. Might be because it's enabled by default.
But on the production network, when I enabled NetFlow and looked at the output of "sh ip cache flow" on the remote router, I see that the broadcast, e.g. from PC 10.10.10.1 with source port 137 sent to 10.10.10.255 destination port 137, was actually forwarded to the Null interface on the remote router. Does it mean the UDP forwarding is not working? Am I missing something here?
My understanding is that you do not need directed broadcasts to work if you are running NetBIOS over TCP/IP, although I could be mistaken here.
I don't believe you want to have directed broadcasts enabled for joining the AD, as we do not on our remote site routers; we just have ip helper-addresses configured. The ip helper-address command does not forward broadcasts as such but turns a broadcast into a unicast and then forwards it on.
I could be mistaken on this, anyone else please feel free to jump in.
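As an added example (not the original poster's running config and not a Cisco sample), here is a spoke-side 1841 configuration that follows Jon's helper-address advice and Kevin's warning about directed broadcasts, and trims the default ip forward-protocol udp port list quoted from the Cisco doc. It reuses the thread's addresses (client LAN 10.10.10.0/24, DC 172.19.10.1); the interface name FastEthernet0/0 and the choice of which default ports to disable are assumptions for illustration.

```cisco
! Added example, not from the original thread. Assumes the spoke LAN is
! FastEthernet0/0 on 10.10.10.0/24 and the DC is the host 172.19.10.1.
!
! Global: ip forward-protocol udp is on by default for TFTP, DNS, Time,
! NetBIOS-NS, NetBIOS-DGM, BOOTP and TACACS. Disable the ones the DC does
! not serve so the helper does not relay them across the WAN link.
! (Which ports to drop is an assumption; keep what your environment uses.)
no ip forward-protocol udp tftp
no ip forward-protocol udp time
no ip forward-protocol udp tacacs
!
interface FastEthernet0/0
 description Spoke LAN, clients 10.10.10.0/24
 ip address 10.10.10.1 255.255.255.0
 ! Relay client broadcasts (DHCP, DNS, NetBIOS-NS/DGM) to the DC's host
 ! address as unicast. Do not point the helper at a directed-broadcast
 ! address such as 172.19.10.255.
 ip helper-address 172.19.10.1
 ! Leave directed-broadcast forwarding off (the IOS default) so the router
 ! cannot be used as a broadcast amplifier.
 no ip directed-broadcast
!
! Verification on the spoke:
!   show ip interface FastEthernet0/0 | include Helper|broadcast
!   debug ip udp        (lab only: logs each relayed datagram)
```

The hub router needs no matching helper configuration; it only needs a route back to 10.10.10.0/24 so the DC's unicast replies reach the clients, which is the reachability Kevin asks about below.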
It is enabled by default. Here is a reference that lists the ports that are forwarded by default. (Isn't it difficult to find such a URL with the new documentation web - half the links are broken!)
Could you do a show run int for the Ethernet on the remote site, please?
Here it is:
ip address 10.10.10.1 255.255.255.0
ip broadcast-address 10.10.10.255
ip helper-address 172.19.10.1
ip flow egress
ip tcp adjust-mss 1452
When I run sh ip int fa0/0, it says IP directed broadcast forwarding is disabled.
For the moment, I don't see what is wrong. If 172.19.10.1 is the host address of the DC, there is no need to do anything about directed broadcasts ... in any case, that would be on the central site.
I presume the clients have the same /24 mask and they are in 10.10.10.0/24.
I presume also that the DC has a route back to the client. Can the client ping the DC and vice versa?
The network reachability is there between the clients and server. The key thing is that the connection between the clients and server is via a satellite link.
Another point of note is that the server and clients are connected through an MPLS IP VPN network and I'm using static routing at the CE router. The MPLS IP VPN is transparent to the CE routers at the hub and remote end.
Appreciate any thoughts!
Thanks for your valuable input. The issue was resolved without any specific config for ip forward-protocol...
The cause was found to be some filtering at the satellite link.