Problems with domain access across a firewall

I have 2 subnets (A and B) connected with a firewall, which allow all trafic
from A to B, but nothing from B to A. The DC is placed on subnet B. A server
(Windows 2003) is connected to subnet A, and has been added to the domain. I
can log on the server using domain accounts, and I have access to all shares
on the B subnet - fine. BUT when I want to change security settings on a
shared folder on the server, I am only allowed to add local users, not domain
users !!!
What have I done wrong ?

An other problem is, that I have added a pc (Windows XP) on the A-subnet to
the domain, but I am not allowed to log on the domain, only on the local
computer. But doing this I can get access to all shares on the B-subnet. The
error message is, that a domain controller can not be found.

I have set up another network in exactly the same way with no problems, and
I really cant see, what I have done wrong this time.

It could be the name resolution issue. Any error if using nslookup command to check the DNS status?

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"John-GE" <John-(E-Mail Removed)> wrote in message news:C6BDA737-711C-4B17-BD7A-(E-Mail Removed)...
I have 2 subnets (A and B) connected with a firewall, which allow all trafic
from A to B, but nothing from B to A. The DC is placed on subnet B. A server
(Windows 2003) is connected to subnet A, and has been added to the domain. I
can log on the server using domain accounts, and I have access to all shares
on the B subnet - fine. BUT when I want to change security settings on a
shared folder on the server, I am only allowed to add local users, not domain
users !!!
What have I done wrong ?

An other problem is, that I have added a pc (Windows XP) on the A-subnet to
the domain, but I am not allowed to log on the domain, only on the local
computer. But doing this I can get access to all shares on the B-subnet. The
error message is, that a domain controller can not be found.

I have set up another network in exactly the same way with no problems, and
I really cant see, what I have done wrong this time.

hi,
i dont think will work like this.you have to permit from B to A at least DNS
and logon traffic.
that is happening because the clients can interogate dns (is on site B) but
they will never get the response back(because the traffic from B to A is
denied).

--
Dragos CAMARA
MCSA Windows 2003 server


"John-GE" wrote:

> I have 2 subnets (A and B) connected with a firewall, which allow all trafic
> from A to B, but nothing from B to A. The DC is placed on subnet B. A server
> (Windows 2003) is connected to subnet A, and has been added to the domain. I
> can log on the server using domain accounts, and I have access to all shares
> on the B subnet - fine. BUT when I want to change security settings on a
> shared folder on the server, I am only allowed to add local users, not domain
> users !!!
> What have I done wrong ?
>
> An other problem is, that I have added a pc (Windows XP) on the A-subnet to
> the domain, but I am not allowed to log on the domain, only on the local
> computer. But doing this I can get access to all shares on the B-subnet. The
> error message is, that a domain controller can not be found.
>
> I have set up another network in exactly the same way with no problems, and
> I really cant see, what I have done wrong this time.
>
>

Hey
Thanks for your answer. I will try it monday morning
John

"Robert L [MVP - Networking]" wrote:

> It could be the name resolution issue. Any error if using nslookup command to check the DNS status?
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
> "John-GE" <John-(E-Mail Removed)> wrote in message news:C6BDA737-711C-4B17-BD7A-(E-Mail Removed)...
> I have 2 subnets (A and B) connected with a firewall, which allow all trafic
> from A to B, but nothing from B to A. The DC is placed on subnet B. A server
> (Windows 2003) is connected to subnet A, and has been added to the domain. I
> can log on the server using domain accounts, and I have access to all shares
> on the B subnet - fine. BUT when I want to change security settings on a
> shared folder on the server, I am only allowed to add local users, not domain
> users !!!
> What have I done wrong ?
>
> An other problem is, that I have added a pc (Windows XP) on the A-subnet to
> the domain, but I am not allowed to log on the domain, only on the local
> computer. But doing this I can get access to all shares on the B-subnet. The
> error message is, that a domain controller can not be found.
>
> I have set up another network in exactly the same way with no problems, and
> I really cant see, what I have done wrong this time

Hey
Thanks for your answer.
I have it working on another network with excatly the same
firewall-configuration. The only difference is, that here the dc is a
W2k-server.
When I say, that all trafic is blocked from B to A, I mean, that it is not
possible to initiate a process on subnet A from B. But when a process is
initiated at subnet A, answers will be returned from B.
Still I wonder, why I can logon to the domain from the server, but not from
the pc.
But I will try to look at the DNS-settings monday.
Thanks again
John

"Dragos CAMARA" wrote:

> hi,
> i dont think will work like this.you have to permit from B to A at least DNS
> and logon traffic.
> that is happening because the clients can interogate dns (is on site B) but
> they will never get the response back(because the traffic from B to A is
> denied).
>
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
>
> "John-GE" wrote:
>
> > I have 2 subnets (A and B) connected with a firewall, which allow all trafic
> > from A to B, but nothing from B to A. The DC is placed on subnet B. A server
> > (Windows 2003) is connected to subnet A, and has been added to the domain. I
> > can log on the server using domain accounts, and I have access to all shares
> > on the B subnet - fine. BUT when I want to change security settings on a
> > shared folder on the server, I am only allowed to add local users, not domain
> > users !!!
> > What have I done wrong ?
> >
> > An other problem is, that I have added a pc (Windows XP) on the A-subnet to
> > the domain, but I am not allowed to log on the domain, only on the local
> > computer. But doing this I can get access to all shares on the B-subnet. The
> > error message is, that a domain controller can not be found.
> >
> > I have set up another network in exactly the same way with no problems, and
> > I really cant see, what I have done wrong this time.
> >
> >

It was a DNS-problem !!!
Both the server and the pc on the A subnet had external DNS-references.
I changed the primary DNS to the DNS-server on the B-subnet - and then
everything worked fine.
Thanks for the help
John

"John-GE" wrote:

> I have 2 subnets (A and B) connected with a firewall, which allow all trafic
> from A to B, but nothing from B to A. The DC is placed on subnet B. A server
> (Windows 2003) is connected to subnet A, and has been added to the domain. I
> can log on the server using domain accounts, and I have access to all shares
> on the B subnet - fine. BUT when I want to change security settings on a
> shared folder on the server, I am only allowed to add local users, not domain
> users !!!
> What have I done wrong ?
>
> An other problem is, that I have added a pc (Windows XP) on the A-subnet to
> the domain, but I am not allowed to log on the domain, only on the local
> computer. But doing this I can get access to all shares on the B-subnet. The
> error message is, that a domain controller can not be found.
>
> I have set up another network in exactly the same way with no problems, and
> I really cant see, what I have done wrong this time.
>
>

because of cached credentials?
--
Dragos CAMARA
MCSA Windows 2003 server


"John-GE" wrote:

> Hey
> Thanks for your answer.
> I have it working on another network with excatly the same
> firewall-configuration. The only difference is, that here the dc is a
> W2k-server.
> When I say, that all trafic is blocked from B to A, I mean, that it is not
> possible to initiate a process on subnet A from B. But when a process is
> initiated at subnet A, answers will be returned from B.
> Still I wonder, why I can logon to the domain from the server, but not from
> the pc.
> But I will try to look at the DNS-settings monday.
> Thanks again
> John
>
> "Dragos CAMARA" wrote:
>
> > hi,
> > i dont think will work like this.you have to permit from B to A at least DNS
> > and logon traffic.
> > that is happening because the clients can interogate dns (is on site B) but
> > they will never get the response back(because the traffic from B to A is
> > denied).
> >
> > --
> > Dragos CAMARA
> > MCSA Windows 2003 server
> >
> >
> > "John-GE" wrote:
> >
> > > I have 2 subnets (A and B) connected with a firewall, which allow all trafic
> > > from A to B, but nothing from B to A. The DC is placed on subnet B. A server
> > > (Windows 2003) is connected to subnet A, and has been added to the domain. I
> > > can log on the server using domain accounts, and I have access to all shares
> > > on the B subnet - fine. BUT when I want to change security settings on a
> > > shared folder on the server, I am only allowed to add local users, not domain
> > > users !!!
> > > What have I done wrong ?
> > >
> > > An other problem is, that I have added a pc (Windows XP) on the A-subnet to
> > > the domain, but I am not allowed to log on the domain, only on the local
> > > computer. But doing this I can get access to all shares on the B-subnet. The
> > > error message is, that a domain controller can not be found.
> > >
> > > I have set up another network in exactly the same way with no problems, and
> > > I really cant see, what I have done wrong this time.
> > >
> > >

Thank you for the update.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"John-GE" <(E-Mail Removed)> wrote in message news:21BFAF81-B55F-4732-970A-(E-Mail Removed)...
It was a DNS-problem !!!
Both the server and the pc on the A subnet had external DNS-references.
I changed the primary DNS to the DNS-server on the B-subnet - and then
everything worked fine.
Thanks for the help
John

"John-GE" wrote:

> I have 2 subnets (A and B) connected with a firewall, which allow all trafic
> from A to B, but nothing from B to A. The DC is placed on subnet B. A server
> (Windows 2003) is connected to subnet A, and has been added to the domain. I
> can log on the server using domain accounts, and I have access to all shares
> on the B subnet - fine. BUT when I want to change security settings on a
> shared folder on the server, I am only allowed to add local users, not domain
> users !!!
> What have I done wrong ?
>
> An other problem is, that I have added a pc (Windows XP) on the A-subnet to
> the domain, but I am not allowed to log on the domain, only on the local
> computer. But doing this I can get access to all shares on the B-subnet. The
> error message is, that a domain controller can not be found.
>
> I have set up another network in exactly the same way with no problems, and
> I really cant see, what I have done wrong this time.
>
>