VPN - Domain not available

By madroxxx
I set up a VPN between a Cisco PIX 501 and a Cisco VPN 3005 Concentrator. I am able to ping through and can even log in a user who has logged on before. However, when I try to log on a machine I haven't before, it tells me that the domain is not available.

I tried lengthening the time it waits for a response in the registry; it just took longer to give me an error.

I am wondering if it is because the workstation and the server are on different subnets? If so how do I get past this?


by acattr In reply to VPN - Domain not available

I have no info on what your server or workstation operating systems are, but try this.

Unless your client machine uses WINS (NT domain) or DNS (2000 domain), it contacts a domain controller by broadcasting NetBIOS packets. By default NetBIOS broadcasts do not go over VPNs. I haven't seen this option on Ciscos. I couldn't find it on their support site either.

So you need to install WINS and/or DNS on your network. Set up DNS if the domain is 2000. WINS is set up automatically after installation on a server, as long as you don't want to set up replication between two WINS servers.

95, 98, and ME use broadcasting or WINS to look for domain controllers. XP and 2000 use broadcasting or WINS on an NT domain, or broadcasting, WINS, and DNS in a 2000 domain.

Set all clients and servers to use the new DNS and WINS servers. Do a test afterwards. And let me know.


by madroxxx In reply to VPN - Domain not available

Sort of what I was thinking, but it doesn't seem to get me there. To give you a bit more info, I have an NT 4.0 server that is the PDC at the main location. This box is a WINS server. I have a 2000 server also running WINS at the remote location. I have the client set to get its WINS from the NT box, then the 2000 box.

Maybe I'm doing something wrong with WINS, but I can ping computers by name from the remote location and still can't log in to the domain.
What's extra weird is that I can log in with a user that has logged in to the domain on that computer, and I can get to shares etc., but my login script doesn't process.


by acattr In reply to VPN - Domain not available

I understand that you can connect to shares, but you still can't log on to the network, hence the logon script does not work.

Make sure your PDC has the two WINS servers in its TCP/IP settings. Set it and reboot if not.

If so, query both WINS servers for the name of your domain. Make sure the domain comes up on both WINS servers pointing to the IP address of the PDC. When a domain controller registers its name in WINS, it also registers the fact that it is a domain controller.

Best thing to do, since you have two WINS servers, is set up replication (push/pull) between the two WINS servers. This will ensure both WINS servers are always updated. You can easily do this on both WINS servers via the WINS management consoles; simply set the push and pull partner to be the opposite server.

If the entry for the domain does not come up in a query of both WINS servers, and you have set up replication already, then set up a static mapping within WINS. Set the computer name to the domain name, the type to "Domain Name", and the IP to the IP of your domain controller.

Also, I hope you're using DHCP. Make sure DHCP option "046 WINS/NBT Node Type" is set to "0x8". This option will ensure that clients first try to contact a WINS server, then try to broadcast for resolution. And obviously, in option "044 WINS Servers", specify both your WINS servers.

Most basic of all, I hope you don't have very restrictive access lists on your PIX. WINS runs on TCP port 42.

If all else fails (and I hope you don't get to this step), but if you still can't get WINS to authenticate your remote users, have you tried an LMHOSTS file (no extension)? The LMHOSTS file forces the machine to reference the domain by using the settings within this text file called LMHOSTS. The link below describes the procedure in all operating systems.

http://tinyurl.com/7g4e


Let me know.
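An added example, not from any of the posts in this thread: a small Python script that sends the NetBIOS name query a client makes for the domain's <1C> group record (the registration acattr refers to when a DC registers itself as a domain controller) straight to a WINS server on UDP 137, and parses the answer. The domain name, WINS address and IP addresses in it are made-up placeholders, and the response builder exists only so the exchange can be exercised offline. Run it from the remote subnet against the PDC's WINS server: a timeout says the query isn't getting through the tunnel (or the PIX access list), an empty list says WINS has no such record, and a list of DC addresses says the name side is fine and the trouble is elsewhere.

```python
"""NetBIOS Name Service (NBNS) query for a domain's <1C> group record.

Added example for this thread; not code from any of the posters. It builds the
UDP/137 name query a client sends to a WINS server when it looks for domain
controllers and parses the positive response that lists the DC addresses.
The domain name, WINS address and IPs used below are constructed sample
values, not real hosts.
"""
import socket
import struct

NBNS_PORT = 137
SUFFIX_DOMAIN_CONTROLLERS = 0x1C   # <domain>[1C]: group name registered by every DC
SUFFIX_DOMAIN_MASTER = 0x1B        # <domain>[1B]: unique name held by the PDC


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encode NAME (padded to 15 chars) plus the 16th-byte suffix."""
    padded = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    nibbles = bytearray()
    for b in padded:                      # each byte becomes two letters 'A'..'P'
        nibbles.append(ord("A") + (b >> 4))
        nibbles.append(ord("A") + (b & 0x0F))
    # one 32-byte label followed by the zero-length root label
    return b"\x20" + bytes(nibbles) + b"\x00"


def decode_netbios_name(data: bytes, offset: int):
    """Inverse of encode_netbios_name; returns (name, suffix, next_offset)."""
    length = data[offset]
    label = data[offset + 1 : offset + 1 + length]
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], offset + 1 + length + 1


def build_query(name: str, suffix: int, txid: int, broadcast: bool = False) -> bytes:
    """NBNS NAME QUERY REQUEST: header plus one question of type NB (0x0020), class IN."""
    flags = 0x0110 if broadcast else 0x0100   # opcode=query, RD=1, B bit only for broadcast
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", 0x0020, 0x0001)


def build_positive_response(txid: int, name: str, suffix: int, entries) -> bytes:
    """Constructed NAME QUERY RESPONSE in the shape a WINS server answers with.

    entries: list of (ip_string, is_group). Included so the parser can be run
    offline against a known packet."""
    flags = 0x8580   # response, AA=1, RD=1, RA=1, RCODE=0
    header = struct.pack(">HHHHHH", txid, flags, 0, 1, 0, 0)
    rdata = b"".join(
        struct.pack(">H", 0x8000 if is_group else 0x0000) + socket.inet_aton(ip)
        for ip, is_group in entries)
    rr = encode_netbios_name(name, suffix) + struct.pack(">HHIH", 0x0020, 0x0001, 300000, len(rdata))
    return header + rr + rdata


def parse_response(data: bytes, expected_txid: int):
    """Return [(ip, is_group), ...] from a positive response; [] on negative/mismatch."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    # must be a response to our transaction with RCODE 0 and at least one answer
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F or ancount == 0:
        return []
    _name, _suffix, off = decode_netbios_name(data, 12)
    rtype, _rclass, _ttl, rdlength = struct.unpack(">HHIH", data[off : off + 10])
    off += 10
    if rtype != 0x0020:
        return []
    results = []
    for i in range(off, off + rdlength, 6):   # each entry: NB_FLAGS (2) + IPv4 (4)
        nb_flags, = struct.unpack(">H", data[i : i + 2])
        results.append((socket.inet_ntoa(data[i + 2 : i + 6]), bool(nb_flags & 0x8000)))
    return results


def query_wins(wins_server: str, domain: str,
               suffix: int = SUFFIX_DOMAIN_CONTROLLERS, timeout: float = 2.0):
    """Send the query to a WINS server (e.g. across the VPN); None means no reply."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, suffix, txid), (wins_server, NBNS_PORT))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_response(data, txid)


if __name__ == "__main__":
    # Offline walk-through with constructed values (192.0.2.0/24 is documentation space)
    pkt = build_positive_response(0x1234, "MYDOMAIN", SUFFIX_DOMAIN_CONTROLLERS,
                                  [("192.0.2.10", True)])
    print(parse_response(pkt, 0x1234))
    # Against a live WINS server from the remote subnet:
    # print(query_wins("192.0.2.2", "MYDOMAIN"))
```

Querying the <1B> suffix instead (SUFFIX_DOMAIN_MASTER) checks that the PDC's unique record exists, which is the entry acattr suggests adding as a static mapping if replication never produces it.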


by madroxxx In reply to VPN - Domain not available

I do appreciate you trying to help me. I have tried all the WINS stuff, including a confirmed working LMHOSTS file, with no luck.
I now believe this is a routing issue, because I cannot ping back to the remote server from this location.


by Cactus Pete In reply to VPN - Domain not available

Are you sure the working login isn't simply referring to a cached profile? You might want to see if the login ports are open on the routers, both ways. (137-139)


by madroxxx In reply to VPN - Domain not available

Yes, it is a cached profile. I have resolved this. The problem is a Cisco issue. Apparently it will not let a packet in and then back out the same interface. I solved this problem by putting a router in front of my PIX and VPN concentrator.


by Cactus Pete In reply to VPN - Domain not available

First, if this is actually resolved, please close the question [you'll get 1000 points back for doing so].

Second, if you find that it is too costly to run two routers in this case, you need to configure the interface to allow traffic through on those ports I mentioned above.

If you don't care about the configuration [as it's apparently working now] then I'm just letting you know you can close the question and get points back.


by maxwell edison In reply to VPN - Domain not available

You May Not Be Able to Log On to the Domain with VPN If a Winsock Proxy Is Enabled:

SYMPTOMS
You may not be able to log on to your domain by using a virtual private network (VPN) if you have the Microsoft Proxy 2.0 client or the Microsoft Internet Security and Acceleration (ISA) Server 2000 client installed, and the proxy server can be reached only by using the VPN connection.

This behavior occurs only if you refer to the VPN server by a Domain Name System (DNS) name instead of by the IP address when you create the VPN connection.

CAUSE
Typically, the DNS server's IP address is not contained in the client computer's local address table (LAT). When the client computer tries to resolve the IP address for the VPN server, the client sends the name-resolution request to the proxy server. Because the client cannot reach the proxy server before the VPN connection is established, the name resolution for the VPN server times out.

RESOLUTION
To change this behavior, add the following lines to the master copy of the Mspclnt.ini file on the server that is running Proxy Server 2.0 or ISA Server 2000:

[svchost]
Disable=1

http://support.microsoft.com/default.aspx?scid=kb;en-us;317506&Product=ISAS

---------- OR ----------

Configuring the Calling ISA Server Firewall/VPN Gateway to use EAP/TLS Certificate Authentication - Part 1

http://www.isaserver.org/tutorials/g2geapcertauthpart1.html

http://www.isaserver.org/tutorials/g2geapcertauthpart2.html

continued.....


by maxwell edison In reply to

---------- OR ----------

Using Internet Protocol Security with Network Address Translation and Internet Security Acceleration Server

http://www.experts-exchange.com/Security/Firewalls/Q_20766225.html

---------- OR ----------

VPN Clients May Not Work on ISA Server Perimeter Networks

SYMPTOMS
From a client on an Internet Security and Acceleration (ISA) Server perimeter network, you may be unable to create a virtual private networking (VPN) connection to a server on the external network. The connection does not work using either PPTP or L2TP.

When you try to make a connection, you see the Verifying Username and Password dialog box. However, the connection attempt eventually generates the error message "Error 628: The Connection was closed."

VPN connections from the internal network to a VPN server on the Internet work correctly.

CAUSE
This issue is caused by an incompatibility between the ISA Server Packet filter and the Windows 2000 Network Address Translation (NAT) editor.

RESOLUTION
To resolve this problem, obtain the latest service pack for ISA Server 2000. For additional information about the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

WORKAROUND
To work around this issue, create a perimeter or DMZ network by using two ISA Server computers:
Internet --- ISA1 --- DMZ --- ISA2 --- private network.

This will allow VPN connections to be created successfully from a client in the DMZ to an Internet VPN server.

http://support.microsoft.com/default.aspx?scid=kb;en-us;303530&Product=ISAS


by maxwell edison In reply to VPN - Domain not available

You Cannot Log On to Your Computer After You Change the Domain User Account Password

SYMPTOMS
On a computer that you use to log on to a domain, you may be unable to log on to the computer when you are disconnected from the domain, even though in the past you could log on to the computer while disconnected from the domain.

CAUSE
This issue may occur if all of the following conditions are true (in the order presented):

1. You successfully log on to the domain with the computer in question, either through a remote access, virtual private network (VPN), or network connection.

2. You log on to the domain and are prompted to change your password.

3. You have not successfully logged on to the domain through a remote access, VPN, or network connection since you changed your domain password.

When you successfully log on to a domain with a domain user account, your domain logon credentials are cached locally on your computer.

If you then disconnect that computer from the network and log on, you are logged on with the cached credentials for the domain.

When you log on to the domain and are prompted to change your password, your cached domain logon credentials are not updated until you successfully log on to the domain with the new password.

After you have successfully logged on to the domain with the new password, your cached domain credentials are updated, and you can then log on to the computer when you are disconnected from the domain.

continued...
