Joining domain - different subnet

I currently have a 2012 server (AD) at our company's office (office1).
I would like to set up a hardware VPN connection between our main office and a new department (office2). This requires different subnets for each router.
Is it possible to join the domain from office2?
What would be the required DNS settings?

No, you do not need a DC in the remote office.  I thought you were asking if it were possible to create a domain on a different subnet in a remote office, since you said you had another department there.  Departments often have other servers, and then there would be a benefit for a DC there.  But if there are no servers there, no need for a DC.  If it required a domain in every remote office, it would be next to impossible to have any remote users as every remote user would need to run a domain controller - which obviously is not a requirement.
The simplest way is VPN with two routers.
Or, Windows Server comes with a capability called Direct Access which would allow people to have access to the corporate information over the internet - no need for a VPN.  It even allows users with mobile laptops to have access to corporate from wherever they have access to the internet - nothing special is required on their machines other than Windows 7 or later.
.:|:.:|:. tim

Similar Messages

  • Allow join domain and user AD authentication through WatchGuard UTM

    The question you have suggests to me that you are not using WSM to manage your firewall?
    You should use the traffic monitor in the Firebox System Manager, that is part of the WSM install, and watch the traffic between your DC and a test computer. For that you can set a filter in the traffic monitor, so you will be shown only the traffic of your test computer. If some kind of traffic is blocked from or to your test computer, it will be shown as a red line. If you analyze this line, you will see exactly what port it was that was denied.
    In general though, I think that all you need is to assign your clients a DNS server that is 'AD aware' (has the A records you need for AD) and an SMB rule that will allow SMB traffic to your MS subnet.

    hi all,
    I am configuring new WatchGuard UTM to have 3 different VLANs, for server, staff and students. My target is to allow computers from staff and students to connect DCs on server VLAN and join domain; and staff/student to logon successfully. 
    I found the link below and successfully configured to allow DC replication. 
    https://support.microsoft.com/en-us/kb/832017
    However for computer to join domain and user AD authentication, I could not come up with a list of ports to open on WatchGuard.
    Any suggestions on this would be much appreciated.
    Peter 
    This topic first appeared in the Spiceworks Community
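
The traffic-monitor approach from the reply above, as an added Python example that is not part of the original thread: it filters denied flows from one test client to the DC and groups them by Active Directory service. The log format, the addresses and the function names are constructed for illustration (this is not WatchGuard's log syntax); the port list follows Microsoft's published AD port overview.

```python
import re

# Client-to-DC services used for domain join and logon
# (well-known ports from Microsoft's AD port overview, KB 832017).
AD_SERVICES = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("udp", 123): "NTP (W32Time)",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP (DC locator ping)",
    ("tcp", 445): "SMB",
    ("tcp", 464): "Kerberos password change",
    ("udp", 464): "Kerberos password change",
    ("tcp", 636): "LDAPS",
    ("tcp", 3268): "Global Catalog",
    ("tcp", 3269): "Global Catalog over TLS",
}
# Default dynamic RPC range on Windows Server 2008 and later.
RPC_DYNAMIC = range(49152, 65536)

# Constructed log format: "<date> <time> <action> src= dst= proto= dport="
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>Allow|Deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

# Constructed sample: test client 10.0.20.15 (staff VLAN), DC 10.0.10.5.
SAMPLE_LOG = """\
2015-03-02 10:14:07 Allow src=10.0.20.15 dst=10.0.10.5 proto=udp dport=53
2015-03-02 10:14:07 Deny src=10.0.20.15 dst=10.0.10.5 proto=tcp dport=88
2015-03-02 10:14:08 Deny src=10.0.20.15 dst=10.0.10.5 proto=udp dport=389
2015-03-02 10:14:08 Deny src=10.0.20.15 dst=10.0.10.5 proto=tcp dport=445
2015-03-02 10:14:09 Deny src=10.0.20.15 dst=10.0.10.5 proto=tcp dport=135
2015-03-02 10:14:09 Deny src=10.0.20.15 dst=10.0.10.5 proto=tcp dport=49670
2015-03-02 10:14:09 Deny src=10.0.20.15 dst=10.0.10.5 proto=tcp dport=49671
2015-03-02 10:14:10 Deny src=10.0.20.15 dst=10.0.10.5 proto=tcp dport=3389
2015-03-02 10:14:10 Deny src=10.0.30.77 dst=10.0.10.5 proto=tcp dport=445
2015-03-02 10:14:11 Deny src=10.0.20.15 dst=203.0.113.9 proto=udp dport=53
this line is not a log record
"""


def classify(proto, port):
    """Map a protocol/port pair to an AD service name, or None."""
    name = AD_SERVICES.get((proto, port))
    if name:
        return name
    if proto == "tcp" and port in RPC_DYNAMIC:
        return "RPC dynamic ports"
    return None


def blocked_ad_services(lines, client, dcs):
    """Return (ad_blocked, unrelated) for denied client-to-DC flows.

    ad_blocked maps service name to the rules that are missing;
    unrelated lists denied ports that are not AD services and should
    not be opened just because they appear in the monitor.
    """
    ad_blocked = {}
    unrelated = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "Deny":
            continue  # malformed or allowed traffic
        if m["src"] != client or m["dst"] not in dcs:
            continue  # other hosts, or traffic not aimed at a DC
        proto, port = m["proto"], int(m["dport"])
        service = classify(proto, port)
        if service is None:
            unrelated.add(f"{proto}/{port}")
        elif service == "RPC dynamic ports":
            # The DC picks these ports at run time, so report the whole
            # range rather than the individual ports seen in this capture.
            rule = f"tcp/{RPC_DYNAMIC.start}-{RPC_DYNAMIC.stop - 1}"
            ad_blocked.setdefault(service, set()).add(rule)
        else:
            ad_blocked.setdefault(service, set()).add(f"{proto}/{port}")
    return {s: sorted(p) for s, p in ad_blocked.items()}, sorted(unrelated)


if __name__ == "__main__":
    ad, other = blocked_ad_services(
        SAMPLE_LOG.splitlines(), "10.0.20.15", {"10.0.10.5"}
    )
    for service, rules in sorted(ad.items()):
        print(f"blocked AD service: {service:26} {', '.join(rules)}")
    print("denied but not AD-related:", ", ".join(other) or "none")
```

The two denied high ports collapse into the full dynamic RPC range, because the ports observed in one capture will differ after the DC restarts.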

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs set up -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below are the configurations on our ASA,
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per your recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!

  • WRV200 IPSEC VPN to a remote site with 2 different subnets

    Hi,
    My old WRV54G had no problem with this! I'm trying to connect an IPSEC tunnel back to a router at my main office, there are two Subnets there 192.168.0.0/24 and 10.171.131.0/24. In my old router I would set up two tunnels to the same gateway with different subnets and everything would work fine.
    When I do this with the WRV200 both tunnels come up but in the view of the VPN status they both have the remote network listed as 192.168.0.0 /24 and I can't seem to get them both to work. If I delete the 192.168.0.0/24 tunnel (tunnel #A) and just use the tunnel#B I can connect to the 10 network.
    Anyone been able to get this working?

    Hi,
    Ok, so the first thing you will have to think about is the encryption domain of the existing L2L VPN. Since your aim is to publish a Web server from another site through a L2L VPN connections you have to consider what the source addresses for the Web server connections can be?
    It might be that you would need to have the source address for the L2L VPN in DC1 as "any" and naturally on DC2 the destination would be "any".
    Though in that case it would probably cause problems if the Web server would need to use the DC2 Internet connections for something. This is because we would have now defined that traffic from the Web server to "any" destination IP address should be tunneled to the L2L VPN.
    One other option might be that you actually configure DC1 site so that all incoming traffic from the Internet towards the 111.111.111.111 will have their source address translated to a single IP address (to be decided) before entering the L2L VPN. This would eliminate the need to use the "any" in the L2L VPN configurations because the Web server would see all connections come from a single IP address and therefore would not cause problems for the DC2 Web server IF it needs to access or be accessed through the local DC2 Internet connection.
    Judging by your examples it would seem that you are using an 8.2 or older software level. Would you be willing to share some current configurations (with masked public IP addresses) or should I just give you some example configurations?
    Most important ones would naturally be current NAT configurations and configuration related to the L2L VPN connection.
    - Jouni

  • 2 different subnets on single vlan

    I have this setup.
    2 3750G switches stacked.
    I have 2 servers with IP 10.10.10.1/30 and 10.10.10.2/30 connected into port g1/0/1 and g1/0/2 respectively on switch1, both in vlan 100.
    I have another 2 servers with IP 10.10.20.1/30 and 10.10.20.2/30 connected into port g2/0/1 and g2/0/2 respectively on switch2, both also in vlan 100.
    I need to keep this same vlan across the stack. In theory servers on same subnet in vlan 100 should be able to communicate properly, or am I wrong?
    What can I do to prevent broadcasts from propagating between subnets of this single vlan?

    Edison
    Perhaps I read the post from Sparky slightly differently than you do. The first pair of servers are in the same logical subnet and in the same VLAN so they should communicate with each other fine. And the second pair of servers are in the same logical subnet and in the same VLAN so they should communicate with each other fine.
    But I agree with you that there are flaws in this implementation. First, since the subnets are /30 they only allow two hosts and with two servers in the subnet there is nothing to act as a gateway and to provide access to "remote" addresses. Also this implementation breaks the assumption that there is a correlation between subnet and VLAN. We tend to assume that a correlation exists and that a subnet is related to a VLAN and a VLAN is related to a subnet. But VLAN is a layer 2 concept and subnet is a layer 3 concept and they are not necessarily related. There is no rule that says that a VLAN has only 1 subnet (though that is common practice). A VLAN interface with a primary IP address and a secondary IP address would certainly support 2 (or more) subnets.
    Note that this implementation does not provide the isolation that we tend to assume when we talk about subnets. We generally assume that devices in 1 subnet do not communicate directly with devices in a different subnet (because we tend to assume that each subnet is a separate broadcast domain). But this implementation puts both subnets into the same broadcast domain. So the first pair of servers will hear all the broadcasts (including ARP) from the second pair of servers and any of these servers could communicate directly with any other of the servers - certainly not bounded by the subnet.
    Sparky
    There is no way to isolate the broadcasts within the same VLAN. The basic definition of VLAN is that it is a broadcast domain. And any broadcast generated will be flooded throughout the entire broadcast domain. The only way to restrict the broadcasts is to create 2 VLANs.
    HTH
    Rick

  • Is it OK to have two SBS Servers with same name, on different subnets but connected over a VPN?

    Hi Everyone,
    I'm just about to connect up two SBS 2011 Servers with the same server name but on different subnets & domains over a VPN.
    So for example both servers will have the name Server01, one would have an ip address of 192.168.85.5, the other 192.168.86.5, they both then would be connected over a VPN.
    Can anyone foresee any issues with this configuration, like DNS & DHCP requests, adding new machines to the domain, mapping drives etc.
    Many thanks,
    Nick

    Hi Larry & Strike First,
    Thank you for your responses. I understand that this is an unusual situation. Basically I've recently taken over the IT support for this client. The client has just had a new phone system installed & are asking if they can speak to each office internally, which can easily be done once I set up the VPN.
    However I noticed whilst looking at this further that the Server names are the same, hence my question?
    Am I right in saying that providing the workstations  have a trust relationship with their own domain controllers through their individual domains on separate subnets, that hopefully there shouldn't be any DNS issues between the two domains and Servers?
    I could build a new VM if you feel it would be better practice to do so?
    Many thanks for your assistance,
    Nick

  • Windows Client Binding Failure in a different subnet - Snow Leopard Server

    hi all,
    We are running SL 10.6.6 mini mac on a subnetted domain - The svr subnet is 10.20.10.xxx
    Clients (mac & win xp) are in subnets 10.20.12.xxx & 10.20.13.xxx
    Linux Firewalls separate the subnets although for the purposes of this topic and setup i have set the default policy to accept with no drop rules prior.
    The issue is that a win xp client cannot see the SL server. The win XP client does a NETLOGON broadcast i.e. (10.20.13.255 UDP 137) which does not make it to the netlogon service being advertised by the SL Server.
    If i put the win xp client in the 10.20.10.xxx (the SL Svr subnet) all works fine and the win xp client authenticates correctly.
    Is anyone out there running a similar setup (different subnets with Win XP Clients) I'm interested in how you got the binding/auth process working.
    Some side info on the SL Svr - It's a PDC domain master which has 2 replicas attached. All instructions appear to have been followed correctly as per 10.6 OD admin guide. I have all the Mac OS server essentials book and have been trolling through them for answers.
    I have setup SMB and configured it as per a previous thread http://discussions.apple.com/thread.jspa?threadID=2014572&tstart=0
    Any help/thoughts/ pearls of wisdom would be appreciated.
    Cheers
    Cowan

    Problem Fixed. Windows XP client did not have WINS server IP address in TCP/IP properties.

  • Management and AP Manager on Different Subnets ...

    Hello,
    I am getting ready to implement a WLAN where the customer has designed the Management and AP Manager to be on different subnets.  I have never done a WLAN implementation in this manner because per Cisco's config guide it states ...
    "The AP-manager interface’s IP address must be different from the management interface’s IP address and may or may not be on the same subnet as the management interface. However, Cisco recommends that both interfaces be on the same subnet for optimum access point association."
    So, I have always followed this recommendation and have always made the 2 interfaces be in the same subnet with IPs in sequential order.  The config guide does say it'll work but I am just not sure what if anything do I have to do for this to work properly ... or if there is really a difference on how the process works doing it either way.
    I plan on using LAG with Layer 3 ... most times I place the APs in the same wireless subnet/vlan as the management interface and AP manager but in this case or until I get more info it looks like they all may be in different subnets. So, if that's the case would I just need to use the Option 43 so the APs can find the WLC and if that is the case would I put the AP Manager IP or still use the WLC IP ... guess I would have that same question if I went the DNS route?  Or do I still use the WLC IP address for the APs to join and at that point the AP Manager would take over the LWAPP communications?
    Thanks for all your help in advance!

    You should be using the WLC Management IP as documented in "Cisco 440X Series Wireless LAN Controllers Deployment Guide". Below is quoted from that document.
    "The IP address of the WLC Management Interface should be used for Option 43 and DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain." For further information, see the section on "Understanding Deployment Basics" beginning on page 13. Detailed information on using vendor specific DHCP Option 43 for WLC discovery is included in Appendices C, D, and E of this document.
    Also there is no issue having the AP Manager and Management interfaces in different vlans although not recommended, just be sure to allow both vlans across the trunk to the WLC. I would also recommend placing your APs in different vlans than the WLC Mgmt/AP Mgr vlan. Cisco recommends having no more than 60-100 APs per vlan to minimize re-association problems in case of network failure.

  • Multiple BDC's one on different subnet

    I have just finished an upgrade of our network to 10.5 (we will be going 10.6 when we do XSan 2.2)
    OD Master fine all working
    PDC fine all working (including keeping old SID)
    OD Replica in site 1 all working
    BDC on Replica in site 1 all working
    OD Replica site 2 (different subnet via WAN connection) all working
    BDC on Replica on site 2 - no
    with a net rpc testjoin DOMAIN I get this error
    getschannel_sessionkey: could NOT fetch trust account password for domain
    has anyone seen it before?
    net rpc getsid -S DOMAIN -U Administrator%password
    does not work but
    net rpc getsid -S DOMAIN -I 192.168.1.88 -U Administrator%password
    does so I have the SID but Server Admin just spins the little wheel thing and goes back to Standalone, it 'looks' like a subnet issue - help!

    Chris,
    Is this still an issue?
    Thanks!
    Ed Price, Power BI & SQL Server Customer Program Manager

  • Is it possible to cluster appliances across different subnets?

    We are attempting to cluster two appliances across different subnets in order to provide greater survivability. Although we were able to cluster the appliances, the manageability of the appliances has become somewhat impaired. We've opened ports 443, 22 and 2222 between the two appliances. The appliances are C350s running AsyncOS 7.1.3-010. Are we missing something?
    Thanks,
    Rob

    Rob,
    Are these appliances communicating using IP addresses? If yes, in order to join a cluster using IP addresses there must be a reverse DNS (PTR) record configured in the DNS server for the Cisco IronPort appliance. Please check whether the reverse lookup works. If not, it might be another issue.
    Regards,
    Jyothi Gandla
    Customer Support Engineer

  • Join computer in Domain and how to get Internet access in Joined domain computer

    Dear System Admins,
    Actually I am new to this forum and I need help. Let me explain my scenario to you. Ours is a small company and I have configured a Cisco router with a dedicated public IP. So the private IP default gateway is 192.168.50.254 and DNS is 218.56.43.22 (DNS is given by the ISP). Now what I did is I have configured IP address 192.168.50.1/24 on the server, with default gateway IPv4 address 192.168.50.254 and DNS 218.56.43.22, on the Windows domain server computer. Internet is up on the Windows Server. Also I have set up Active Directory successfully. Now I want a Windows 7 computer to join the domain and also it should be able to access the Internet. Let me know how to configure Windows 7 network properties and how to join the domain. Please explain to me in a simple way the step by step process. Thank you.

    Dear Arnav,
    I have configured DNS as 218.56.43.22 in the Windows server computer, which was given by our ISP, and internet is available on the server. For users who want to join the domain, I have configured IP details as follows.
    1. Windows 2008 Server IP details
    192.168.50.1
    255.255.255.0
    192.168.50.254
    DNS: 218.56.43.22 <--- Given by ISP with Dedicated Public IP
    Now comes the Windows 7 computer which has to be joined to the domain. For that, how should I configure the network properties of the Windows 7 computer? Let me know. Windows 7 IP details are as follows:
    IPV4 address 192.168.50.2
    Subnet Mask 255.255.255.0
    Default GW   192.168.50.254
    What about DNS? What should I configure in the DNS box in network properties for the Windows 7 user? Shall I enter the Windows Server IP 192.168.50.1 or DNS 218.56.43.22, which is given by the ISP? Let me know the further procedure in order for the Windows 7 user to join the domain as well as be able to access the Internet. At present I have only installed Active Directory on the Windows 2008 server. What's next? Please feel free to ask me. Thank you.

  • DB Server on Different subnet

    Hi there, We have SP 2010 installed, we are planning to upgrade to 2013. Our database server is on a different subnet than the new SharePoint 2013 front-end and application server. Office Web App server is also on a different subnet. We have a single network domain throughout the firm. The question - Is there any pre-requisite or special configuration needed to set up such a SharePoint 2013 environment?
    Regards,
    Khushi

    There is nothing wrong with that. The subnet, in that case, does not matter, as the latency and bandwidth are available, and you're not crossing any "distance". Stretched farms are defined as farms spread across data centers. You do not need to do anything special for your deployment.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • HA ACS in two different subnets.

    Hello,
    I have to configure two ACS 1113 ver 4.1 (4) high reliability, in two different places and two different subnets.
    An apparatus will have to manage an office, the second the other office, but if one goes down the other takes responsibility for the entire network.
    The two subnets are accessible from all devices.
    Will be configured both the Tacacs Server on all systems.
    The ACS are connected to Active Directory to authenticate users.
    My question is, do I create a profile ACS are replicated on the other even though they are on two different subnets? Can I make a HA on two different subnets?
    Thank you.

    Hi Fabio,
    1. Is it a problem that the ACS are connected to two different Active Directory that belongs to the same Domain?
    Ans: I do not think there should be any problem when they are in a single domain.
    2. Is there a particular configuration to replicate just the profiles that I'm going to create on the Master ACS?
    Yes. But it's up to you how you want it and what all you want to send for replication. You have a check box option to select the wanted configurations to be pointed for replication.
    Please do rate if the given information helps.
    By
    Karthik

  • WLC and AP on different subnets

    I would like to add a new AP to my existing controller. Currently I have about 15 APs connected to a separate management VLAN for the APs, VLAN 10. It is trunked to the controller as well as the other user VLANs like Private, Public, WVoIP etc. I have already started to implement EIGRP network-wide instead of having a large layer 2 VLAN'd network. At one of the newest locations I'm routing at, I have a new AP to connect. I'm trying to make sure this design will work before I implement it. So, I have a 3560 connected to my core 4506 with a layer 3 connection, with EIGRP running as well. I plan to have the 3560 do inter-VLAN routing with a voice VLAN, data and wireless. The problem I see is how I can get the AP to talk with the controller, since they are on different subnets, over a metro E "WAN". Any suggestions would be great.

    As long as the LAPs have been primed locally first, that LAP will have the IP address of the WLC. If you want to attach the LAP to a different L3 subnet, then configure ip helper-address using the management IP of each WLC. Then configure ip forward-protocol udp 12222 and ip forward-protocol udp 12223 globally on the L3 router. This, along with the ip helper, will allow the LAPs to join the WLC on the other end.

  • Windows 8.1 joining domain

    Fails to join domain with error:
    Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "hali88.org":
    The error was: "DNS name does not exist."
    (error code 0x0000232B RCODE_NAME_ERROR)
    The query was for the SRV record for _ldap._tcp.dc._msdcs.hali88.org
    Common causes of this error include the following:
    - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured
    to use DNS servers with the following IP addresses:
    10.10.10.1
    - One or more of the following zones do not include delegation to its child zone:
    hali88.org
    org
    . (the root zone
    Joining domain with Windows 7 64bit works fine.

    WIN7
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : HP-AST0000467
       Primary Dns Suffix  . . . . . . . : hali88.org
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : hali88.org
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : hali88.org
       Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
       Physical Address. . . . . . . . . : 6C-3B-E5-30-4F-6A
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::b811:b004:6a95:1628%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.164(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, March 17, 2014 9:40:49 AM
       Lease Expires . . . . . . . . . . : Tuesday, March 25, 2014 9:40:51 AM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.65
       DHCPv6 IAID . . . . . . . . . . . : 275528677
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-E0-0E-D7-6C-3B-E5-30-4F-6A
       DNS Servers . . . . . . . . . . . : 192.168.1.65
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.hali88.org:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : hali88.org
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 12:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 9:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    WIN81
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : AST0000466
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
    Wireless LAN adapter Local Area Connection* 11:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physical Address. . . . . . . . . : 1A-D2-24-31-BD-CC
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Bluetooth Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 48-D2-24-32-03-86
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Qualcomm Atheros AR8162/8166/8168 PCI-E Fast Ethernet Controller (NDIS 6.30)
       Physical Address. . . . . . . . . : 00-8C-FA-6C-5A-43
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::9578:3910:989:e14d%4(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.10.3(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, March 17, 2014 6:46:24 AM
       Lease Expires . . . . . . . . . . : Tuesday, March 18, 2014 6:46:24 AM
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCP Server . . . . . . . . . . . : 10.10.10.1
       DHCPv6 IAID . . . . . . . . . . . : 251694330
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-A6-E2-6D-00-8C-FA-6C-5A-43
       DNS Servers . . . . . . . . . . . : 10.10.10.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Wireless LAN adapter Wi-Fi:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Qualcomm Atheros AR956x Wireless Network Adapter
       Physical Address. . . . . . . . . : 48-D2-24-31-BD-CC
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{3137AE13-57A6-47D2-9B53-D70D67F464FC}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 2:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:34e3:39b1:b49c:ea41(Preferred)
       Link-local IPv6 Address . . . . . : fe80::34e3:39b1:b49c:ea41%9(Preferred)
       Default Gateway . . . . . . . . . : ::
       DHCPv6 IAID . . . . . . . . . . . : 150994944
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-A6-E2-6D-00-8C-FA-6C-5A-43
       NetBIOS over Tcpip. . . . . . . . : Disabled
    NSLOOKUP:
    WIN7 SYSTEM:
    Default Server: haliserv2.hali88.org
    Address: 192.168.1.65
    WIN81 system:
    DNS request timed out
    Default server: Unknown
    Address: 10.10.10.1
    Active Directory entries verified.
    AST0000466
    User and password verified.
    DCDIAG WIN81
    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "haliserv2.hali88.org":
    The error was: "DNS name does not exist."
    (error code 0x0000232B RCODE_NAME_ERROR)
    The query was for the SRV record for _ldap._tcp.dc._msdcs.haliserv2.hali88.org
    Common causes of this error include the following:
    - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured
    to use DNS servers with the following IP addresses:
    10.10.10.1
    - One or more of the following zones do not include delegation to its child zone:
    haliserv2.hali88.org
    hali88.org
    org
    . (the root zone)
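An added example (not part of the original post): a Python check that parses `ipconfig /all` text like the two dumps above and flags a connected adapter whose DNS server is not an AD DNS server, naming the `_ldap._tcp.dc._msdcs` record from the error text. The sample input is constructed from the post's values; the function names and the choice of 192.168.1.65 as the AD DNS server (taken from the Win7 nslookup output) are assumptions.

```python
import re
# Constructed input: `ipconfig /all` excerpts trimmed from the two clients in the post.
WIN7 = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.164(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.65
"""
WIN81 = """\
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 10.10.10.3(Preferred)
   DNS Servers . . . . . . . . . . . : 10.10.10.1
Wireless LAN adapter Wi-Fi:
   Media State . . . . . . . . . . . : Media disconnected
"""
AD_DNS = {"192.168.1.65"}  # assumption: haliserv2.hali88.org per the Win7 nslookup output
FIELD = re.compile(r"^\s+(.+?)\s*(?:\. )+:\s?(.*)$")  # "   Key . . . : value"

def parse_adapters(text):
    """Map adapter header -> {'dns': [servers], 'up': bool}."""
    adapters, cur, last = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            cur, last = adapters.setdefault(line.rstrip()[:-1], {"dns": [], "up": True}), None
            continue
        if cur is None or not line.strip():
            continue
        m = FIELD.match(line)
        # A line with no "Key . . :" part continues the previous field (extra DNS servers).
        key, value = (m.group(1), m.group(2).strip()) if m else (last, line.strip())
        if key == "DNS Servers":
            cur["dns"].append(value)
        elif key == "Media State" and "disconnected" in value.lower():
            cur["up"] = False
        last = key
    return adapters

def srv_name(domain):
    """DC locator SRV record queried during a domain join."""
    return "_ldap._tcp.dc._msdcs." + domain.strip(".").lower()

def join_findings(text, domain, ad_dns=AD_DNS):
    """Report connected adapters whose resolvers are not AD DNS servers."""
    out = []
    for name, a in parse_adapters(text).items():
        other = [s for s in a["dns"] if s not in ad_dns]
        if a["up"] and other:
            out.append(f"{name}: {', '.join(other)} is not an AD DNS server; "
                       f"{srv_name(domain)} may not resolve")
    return out
```

Pass the domain name (`hali88.org`), not the DC's host name, as `domain`; `join_findings(WIN81, "hali88.org")` reports the Ethernet adapter, while the Win7 excerpt produces no findings.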
