Join domain in different subnet

 
 
slickric
      10-03-2008, 03:41 AM
I have a DC which is running 2k3R2, DNS and proxy service. I had installed
2 NICs, 192.168.0.1 and 192.168.1.1. 0 is our corporate network and 1's
network is for public use (i.e. internet surfing for customers). My goals are
(1) isolate the public PCs so they are not allowed to access the production
network, (2) have the public PCs use the same ADSL line for internet surfing,
and (3) run group policy on all public PCs to limit the desktop settings
being changed by users. The first 2 problems have been solved, but when I
tried to join the public PCs to the domain in order to run group policy, the
DC cannot be located. It prompts something about
_ldap._tcp.dc._msdcs.domain.com. Below is the result of running an nslookup
test.

_ldap._tcp.dc._msdcs.domain.com
Server: server004.domain.com
Address: 192.168.0.4
_ldap._tcp.dc._msdcs.tmd.com.hk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = server004.domain.com
server004.domain.com internet address = 192.168.0.1
server004.domain.com internet address = 192.168.1.1

Would really appreciate help on this.

 
Bill Grant
      10-03-2008, 06:36 AM


"slickric" wrote in message:
> I have a DC which is running 2k3R2, DNS and proxy service. I had installed
> 2 NICs 192.168.0.1 and 192.168.1.1. 0 is our corporate network and 1's
> network is for public use (ie: internet surfing for customer). My goal is
> (1.
> Isolate the public pcs not to allow access production network), (2. Public
> pcs use
> the same ADSL line for internet surfing) and (3. Running the group policy
> on all public pc which limit the desktop setting being changed by user.)
> The
> first 2 problems hv been solved but when i tried to join the public pcs
> into domain in order to run group policy. DC cannot be located. It prompts
> something _ldap._tcp.dc._msdcs.domain.com. Below is result of running
> nslookup test.
>
> _ldap._tcp.dc._msdcs.domain.com
> Server: server004.domain.com
> Address: 192.168.0.4
> _ldap._tcp.dc._msdcs.tmd.com.hk SRV service location:
> priority = 0
> weight = 100
> port = 389
> svr hostname = server004.domain.com
> server004.domain.com internet address = 192.168.0.1
> server004.domain.com internet address = 192.168.1.1
>
> Would really appreciate help on this.


You should not run a DC/DNS server with multiple NICs (for exactly the
reason you see in the message).

If there are multiple IP addresses associated with the DC you get all
sorts of odd problems with name resolution. Running a proxy server is fine,
but not on your DC!
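
The failure mode described in the reply above, as an added example that is not part of the original thread: this Python script parses the nslookup output from the first post, flags a DC that registers addresses on more than one subnet, and lists the addresses a client on one segment could be handed that are not on its own subnet. The /24 prefix and the client address 192.168.1.50 are assumptions; the thread states neither.

```python
import ipaddress
import re
from collections import defaultdict

# nslookup output as posted in the thread: the SRV answer and the target's A records.
SAMPLE = """\
_ldap._tcp.dc._msdcs.tmd.com.hk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = server004.domain.com
server004.domain.com internet address = 192.168.0.1
server004.domain.com internet address = 192.168.1.1
"""

SRV_TARGET = re.compile(r"^\s*svr hostname\s*=\s*(\S+)", re.I)
A_RECORD = re.compile(r"^\s*(\S+)\s+internet address\s*=\s*(\S+)", re.I)


def parse_dc_addresses(text):
    """Return {dc_hostname: [IPv4Address, ...]} for every SRV target in the output."""
    targets, addrs = set(), defaultdict(list)
    for line in text.splitlines():
        if m := SRV_TARGET.match(line):
            targets.add(m.group(1).rstrip(".").lower())
        elif m := A_RECORD.match(line):
            addrs[m.group(1).rstrip(".").lower()].append(ipaddress.ip_address(m.group(2)))
    return {host: addrs.get(host, []) for host in targets}


def multihomed_dcs(dcs, prefix=24):
    """DCs whose registered addresses span more than one subnet (prefix is assumed)."""
    nets = {h: sorted({ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips})
            for h, ips in dcs.items()}
    return {h: n for h, n in nets.items() if len(n) > 1}


def off_subnet_answers(dcs, client_ip, prefix=24):
    """Addresses DNS may hand this client that are not on the client's own subnet."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
    hits = {h: [ip for ip in ips if ip not in net] for h, ips in dcs.items()}
    return {h: ips for h, ips in hits.items() if ips}


if __name__ == "__main__":
    dcs = parse_dc_addresses(SAMPLE)
    print(multihomed_dcs(dcs), off_subnet_answers(dcs, "192.168.1.50"))
```
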



 
slickric
      10-03-2008, 09:55 AM
Hi Bill, thx for the help and advice. I had switched a member server now. But
I still couldn't accomplish my goal. Is there any solution that could solve my
problem?

Appreciate help again~~


Meinolf Weber
      10-03-2008, 10:53 AM
Hello slickric,

Multihoming DC's is a bad solution which results in problems like yours.
If you need a connection to the internet, connect all machines to a switch
and the switch to the router. Configure FORWARDERS in the DNS server properties
in the DNS management console to your ISP's DNS server. Also a proxy server
should not run on a DC.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
Phillip Windell
      10-03-2008, 01:43 PM
"slickric" wrote in message:
> Hi Bill, thx for help and advice. I had switched a member server now. But
> still couldn't accomplish my goal. Is there any solution could solve my
> problem?


"I had switched a member server now"..? I don't know what that means.

It just comes down to this:
1. DCs should not be multi-homed (also means no RRAS).
2. DCs commonly run DNS, DHCP, and WINS on the same box. That is fine.
3. Run everything else on a different box.

The Public Use segment should connect into a Tri-homed DMZ interface on the
"firewall". It doesn't matter if the firewall is "proxy based" or "nat
based". It also does not matter if the firewall is an "appliance" or a
"PC",..a firewall is still a firewall.

Since you have DSL you might already have a NAT Firewall on the end of the
DSL to begin with,...which causes you to have [possibly unknowingly]
a Back-to-Back DMZ between the "proxy" and the DSL NAT Firewall. This also
can make a big difference in how this is approached,...so knowing those
details is important.

There's probably a bunch of other things to deal with and look out for but I
don't know enough about the situation to comment further.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
slickric
      10-04-2008, 02:45 AM
Hello All,

Since we have 2 DCs in the corporate network, I took your advice and used a
member server instead of a DC server as the multihomed PC. I found a little
trick on another forum that could accomplish my 3rd task. Place all the public
PCs into the production network to join the domain and load the group policy
first. Then switch them back to 1's network. It is working perfectly and
accomplished my goal.

Again, thanks for the suggestions and solution, I really appreciate it.
Ricky

 
Meinolf Weber
      10-04-2008, 02:39 PM
Hello slickric,

Nice to hear that you solved it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

