Joining domain when on different subnet

 
 
rknapke
      08-10-2006, 03:34 PM
I have 2 DC's both running DNS. 1 is W2K and the other is W2K3. There are
about 30 computers connected on the LAN using the IP range 192.168.46.x and a
255.255.255.0 subnet. I have 4 remote offices that are all in separate
workgroups. They are connected over a VPN and the workstations use the W2K3
server for DNS and WINS. They use the 192.168.47.x range with subnet of
either 255.255.255.192 or 255.255.255.224. The remote offices can ping,
transfer files, and do DNS resolution with the servers. When I try to join
the domain, it prompts me for a username and PW. It creates the computer
account on the server and then kicks back that the RPC server is unavailable
and won't let me join. It then disables the computer account in AD. I have
talked to the company responsible for the routers and VPN and they said all
traffic is permitted. Am I missing something? Is there anything I need to
do on the servers to allow a different subnet to join the domain? Are there any
settings needed on the workstations to join the servers across the WAN?
Thanks in advance
Rich
 
Robert L [MS-MVP]
      08-10-2006, 05:32 PM
Joining a domain over VPN is not easy. If you ping the DNS server IP with the -a option, what do you have (FQDN or NetBIOS name)? For example, ping -a 10.0.0.1.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Ace Fekay [MVP]
      08-11-2006, 12:51 AM
In news:A00BEF76-C1B3-4B8E-8463-(E-Mail Removed),
rknapke <(E-Mail Removed)> stated, which I commented on
below:
> I have 2 DC's both running DNS. 1 is W2K and the other is W2K3.
> There are about 30 computers connected on the LAN using the IP range
> 192.168.46.x and a 255.255.255.0 subnet. I have 4 remote offices
> that are all in separate workgroups. They are connected over a VPN
> and the workstations use the W2K3 server for DNS and WINS. They use
> the 192.168.47.x range with subnet of either 255.255.255.192 or
> 255.255.255.224. The remote offices can ping, transfer files, and do
> DNS resolution with the servers. When I try to join the domain, it
> prompts me for a username and PW. It creates the computer account on
> the server and then kicks back that the RPC server is unavailable and
> won't let me join. It then disables the computer account in AD. I
> have talked to the company responsible for the routers and VPN and
> they said all traffic is permitted. Am I missing something? Is
> there anything I need to do on the servers to allow a different subnet
> to join the domain? Are there any settings needed on the
> workstations to join the servers across the WAN? Thanks in advance
> Rich


Sounds to me like not all ports are being allowed. Do the VPN boys actually
have ALL ports open, UDP and TCP? AD domain and Windows based communication
uses a wide range of ports, including the ephemeral ports (anywhere and just
about everything above UDP 1023). If any one of them is blocked, or even if
the link is too slow, or even frame relay (which I've seen in the past),
it will cause major issues.

--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA

 
rknapke
      08-17-2006, 02:44 PM
Robert
I just now got to one of the offices. When I do a ping -a of either server,
it resolves the FQDN. Is there anything I can do to test whether the proper
ports are open on the firewalls??
 
rknapke
      08-17-2006, 03:38 PM
Ace
Any way I can test to see if ports are blocked? I would like some proof if
possible before going to the company responsible for the firewall. Also, I
did a ping -a of the server IP and it resolves it to the FQDN.
Please let me know.
Thanks
Rich
 
Ace Fekay [MVP]
      08-18-2006, 12:13 AM
In news:29CC8177-7546-40DE-97A3-(E-Mail Removed),
rknapke <(E-Mail Removed)> stated, which I commented on
below:
> Ace
> Any way I can test to see if ports are blocked? I would like some
> proof if possible before going to the company responsible for the
> firewall. Also, I did a ping -a of the server IP and it resolves it
> to the FQDN.
> Please let me know.
> Thanks
> Rich


You could try using a port sniffer such as Languard and target the IP range
from the location you're trying to join the domain from.

Here are some free ones:

Famatech Advanced Port Scanner v.1.2
http://www.softaward.com/download6744.html

Or Languard Security Scanner:
http://www.gfi.com/downloads/downloa...d=LANSS&lid=EN

Target the range on the other side of the WAN.

Ace
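
As an added example, not part of any post in this thread: a small Python check, run from a workstation at the remote office against your own DC, that records for each fixed TCP port whether it answers, is refused, or gets no reply at all (the usual sign of a filtering device in the path). The port list, the function names and the 192.0.2.10 placeholder address are assumptions of this example; it does not cover UDP or the dynamic RPC ports handed out by the endpoint mapper on 135, so a clean result does not prove every port is open.

```python
import errno
import socket
import sys

# Fixed TCP ports a domain member commonly needs on a DC. This list is an
# assumption of the example, not taken from the thread; adjust as needed.
AD_TCP_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
    139: "NetBIOS session", 389: "LDAP", 445: "SMB",
    464: "Kerberos password change", 3268: "Global Catalog",
}

def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'closed' (connection refused) or 'no-reply'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"      # a TCP reset came back (host, or a rejecting firewall)
    except socket.timeout:
        return "no-reply"    # nothing came back: dropped somewhere in the path
    except OSError as exc:
        # An ICMP unreachable from a router or firewall is also a block
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "no-reply"
        raise
    finally:
        sock.close()

def survey(host, ports=AD_TCP_PORTS, timeout=3.0):
    """Probe each port once; return {port: (service, state)}."""
    return {p: (name, probe_tcp(host, p, timeout))
            for p, name in sorted(ports.items())}

def report(host, results):
    """Format the results as text that can be handed to the firewall team."""
    lines = [f"TCP reachability of {host} from {socket.gethostname()}"]
    for port, (name, state) in results.items():
        lines.append(f"  {port:>5}/tcp  {name:<25} {state}")
    blocked = [str(p) for p, (_, s) in results.items() if s == "no-reply"]
    lines.append("No reply on: " + (", ".join(blocked) or "none"))
    return "\n".join(lines)

if __name__ == "__main__":
    # Usage: python dc_ports.py <DC address>; 192.0.2.10 is a placeholder
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(report(target, survey(target)))
```

Running the same check from a machine on the 192.168.46.x LAN gives a baseline: a port that is open there but gets no reply from the remote office is being dropped between the two sites.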


 