3 NIC IP routing issue & local dhp client issue

hi! i'm stuck with a routing issue that really causes me a severe headache.
hope you can help me out here:

I have set up a new domain for my fellow developers that's supposed to
relieve us from sbs with its non-AD-replication policies (that has been
really annoying).

As our PDC, I have set up a ProLiant ML370 G4 connected to a ProCurve
switched network. We route to the internet via an shdsl modem with a static
WAN IP. The server runs Win2k3 srv std ed, with sp1 installed. Besides the
role as a PDC, it also runs exchange 2k3 sp1, dns, wins and dhcp. I
configured routing and remote access with dial-up and vpn as well, but
decided to postspone it until i had resolved my routing and dhcp issues.

The plot:

the server itself routes fine to the internet, but I am only able to ping
the dsl-router (195.1.30.230) and the server NIC connected to it
(195.1.30.229 on subnet 255.255.255.252) (WAN GW) from outside our domain.

Exchange has a dedicated interface on a separate NIC with the ip
81.0.176.164 on subnet 255.255.255.248, which is pingable from inside our
domain, but not from the outside.

In addition to this, my dhcp clients won't recieve dhcp. I found a temp
solution earlier by disabling RRAS and enabling ICS, but after altering my
routing table and bindings order for my NIC's (LAN on top), it won't work at
all.

In the ml 370, there are 4 NIC's (one is dedicated to ILO, which in this
case is not relevant to my post here).

Nonetheless, here are my current config, maybe some of you can tell me where
I have gone wrong:

\\.. ROUTE 03052005 20:50 - pms-prod-pdc-01


IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 11 85 bc 06 f9 ...... HP NC7781 Gigabit

Server Adapter
0x10004 ...00 04 75 d1 b2 ae ...... 3Com EtherLink XL 10/100 PCI For
Complete PC Management NIC

(3C905C-TX) #2
0x10005 ...00 04 75 f4 ae 4e ...... 3Com EtherLink XL 10/100 PCI For
Complete PC Management NIC

(3C905C-TX)
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 195.1.30.230 195.1.30.229 20
81.0.176.160 255.255.255.248 81.0.176.164 81.0.176.164 20
81.0.176.164 255.255.255.255 127.0.0.1 127.0.0.1 20
81.255.255.255 255.255.255.255 81.0.176.164 81.0.176.164 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.16.0 255.255.255.0 192.168.16.2 192.168.16.2 10
192.168.16.2 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.16.255 255.255.255.255 192.168.16.2 192.168.16.2 10
195.1.30.228 255.255.255.252 195.1.30.229 195.1.30.229 20
195.1.30.229 255.255.255.255 127.0.0.1 127.0.0.1 20
195.1.30.255 255.255.255.255 195.1.30.229 195.1.30.229 20
224.0.0.0 240.0.0.0 81.0.176.164 81.0.176.164 20
224.0.0.0 240.0.0.0 192.168.16.2 192.168.16.2 10
224.0.0.0 240.0.0.0 195.1.30.229 195.1.30.229 20
255.255.255.255 255.255.255.255 81.0.176.164 81.0.176.164 1
255.255.255.255 255.255.255.255 192.168.16.2 192.168.16.2 1
255.255.255.255 255.255.255.255 195.1.30.229 195.1.30.229 1
Default Gateway: 195.1.30.230
===========================================================================
Persistent Routes:
None




\\.. NETDIAG 03052005 20:50 - pms-prod-pdc-01


Computer Name: PMS-PROD-PDC-01
DNS Host Name: pms-prod-pdc-01.PMS.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : LAN 192.168.16.2

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : pms-prod-pdc-01.pms.local
IP Address . . . . . . . . : 192.168.16.2
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Primary WINS Server. . . . : 192.168.16.2
Dns Servers. . . . . . . . : 192.168.16.2


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenger Service', <20> 'WINS' names is

missing.

WINS service test. . . . . : Passed

Adapter : WAN Interface

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : pms-prod-pdc-01.mail.mp3pro.no
IP Address . . . . . . . . : 81.0.176.164
Subnet Mask. . . . . . . . : 255.255.255.248
Default Gateway. . . . . . :
Primary WINS Server. . . . : 81.0.176.164
Dns Servers. . . . . . . . :

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.

NetBT name test. . . . . . : Passed
No names have been found.

WINS service test. . . . . : Passed

Adapter : WAN Gateway

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : pms-prod-pdc-01
IP Address . . . . . . . . : 195.1.30.229
Subnet Mask. . . . . . . . : 255.255.255.252
Default Gateway. . . . . . : 195.1.30.230
NetBIOS over Tcpip . . . . : Disabled
Dns Servers. . . . . . . . :

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Skipped
NetBT is disabled on this interface. [Test skipped]

WINS service test. . . . . : Skipped
NetBT is disable on this interface. [Test skipped].


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{6FB40E7C-F5EC-43A4-A12F-64AAB633B4C3}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation
Service', <03> 'Messenger Service', <20>

'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
[WARNING] Cannot find a primary authoritative DNS server for the
name
'pms-prod-pdc-01.PMS.local.'. [ERROR_TIMEOUT]
The name 'pms-prod-pdc-01.PMS.local.' may not be registered in
DNS.
[WARNING] Cannot find a primary authoritative DNS server for the
name
'pms-prod-pdc-01.mail.mp3pro.no.'. [ERROR_TIMEOUT]
The name 'pms-prod-pdc-01.mail.mp3pro.no.' may not be registered
in DNS.
PASS - All the DNS entries for DC are registered on DNS server
'192.168.16.2' and other DCs also have some of

the names registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{6FB40E7C-F5EC-43A4-A12F-64AAB633B4C3}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{6FB40E7C-F5EC-43A4-A12F-64AAB633B4C3}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully


\\.. DCDIAG 03052005 20:50 - pms-prod-pdc-01


Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site\PMS-PROD-PDC-01
Starting test: Connectivity
......................... PMS-PROD-PDC-01 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site\PMS-PROD-PDC-01
Starting test: Replications
......................... PMS-PROD-PDC-01 passed test Replications
Starting test: NCSecDesc
......................... PMS-PROD-PDC-01 passed test NCSecDesc
Starting test: NetLogons
......................... PMS-PROD-PDC-01 passed test NetLogons
Starting test: Advertising
......................... PMS-PROD-PDC-01 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... PMS-PROD-PDC-01 passed test
KnowsOfRoleHolders
Starting test: RidManager
......................... PMS-PROD-PDC-01 passed test RidManager
Starting test: MachineAccount
......................... PMS-PROD-PDC-01 passed test MachineAccount
Starting test: Services
......................... PMS-PROD-PDC-01 passed test Services
Starting test: ObjectsReplicated
......................... PMS-PROD-PDC-01 passed test
ObjectsReplicated
Starting test: frssysvol
......................... PMS-PROD-PDC-01 passed test frssysvol
Starting test: frsevent
......................... PMS-PROD-PDC-01 passed test frsevent
Starting test: kccevent
......................... PMS-PROD-PDC-01 passed test kccevent
Starting test: systemlog
......................... PMS-PROD-PDC-01 passed test systemlog
Starting test: VerifyReferences
......................... PMS-PROD-PDC-01 passed test
VerifyReferences

Running partition tests on : TAPI3Directory
Starting test: CrossRefValidation
......................... TAPI3Directory passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... TAPI3Directory passed test CheckSDRefDom

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : PMS
Starting test: CrossRefValidation
......................... PMS passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... PMS passed test CheckSDRefDom

Running enterprise tests on : PMS.local
Starting test: Intersite
......................... PMS.local passed test Intersite
Starting test: FsmoCheck
......................... PMS.local passed test FsmoCheck


hope you guys and girls can help me out here!


Sincerely,

Torgrim Nyerrød, Norway (please use alt. e-mail for replies:
mailto:)

-- ...::::--- no source, no pay ---::::...

 

Do you have a topology map that is accuarte? "Domains" are
irrelevant,...they have nothing to do with network connectivity,...domains
are a Windows Administration entity only.

You are simply dealing with Layer3 routing among several subnets that are
all "directly connected" to the Server which is acting as its own
router,...can you re-describe the problem with that in mind?

DHCP will not work across subnets,...it is broadcast based. For it to work
accross subnets with RRAS you must add/configure the DHCP Agent in RRAS.

That was not a temporary solution, you only created a situation that created
a "deception" that made things appear to be working in a certain way when
they were not. There is no way that ICS should ever be used in this
situation, at all, ever.

 

--
....::::--- no source, no pay ---::::...

 

sorry, forgot some basic info:

the dhcp relay agent is configured on both lan and wan interface (not the
gateway nic). you are talking aboud broadcasting for the dhcp relay agent, do
you mean that i should add a brodcast ip to the wan interface adapter? I have
a reserved broadcast ip (81.0.176.167) that i could add, and a gw ip
(81.0.176.166), both on subnet 255.255.255.248. I don't think that will make
any difference to my problem, my main concern is to make the servers routing
work for my dhcp clients.

should I change the order of the adapter- an client bindings?

the bindings for providers are:

Windows Networks
Terminal Services
Web Client

Adapter order is:

LAN 192.168.16.2
Wan 81.0.176.164
Wan 195.1.30.229 (dgw 195.1.30.230)
RAS Connections

File/printer sharing and Client for MS Networks are only enabled on the lan
adapter.


hope this provides you with a little more help

....::::--- no source, no pay ---::::...

 

Like Phillip I am not at all sure what you are trying to do here. But
here is a bit of advice. It is too complex. Running multiple NICs in a DC is
a bad idea. Using a DC as a router is a bad idea. Using a DC for remote
access is a bad idea. It can be done (else SBS wouldn't exist) but it can be
a real pain. You will find it all much simpler if you use a separate machine
for routing and remote access.

Why are you trying to run DHCP relay? Aren't all your DHCP clients on
the local LAN? Remember that the DHCP service must be authorised in AD
before it will work.

 

hello, bill!!

apprreciate your advice, and concurr with your and Philip's toughts. I'd
really like to understand, and implement your configl if I only knew that
you understand the issues taht I am targeting.... that really shouldn't be
that complicated. But, afterall, it obvioously seems it is...

I see that it isn't such a good idea to use my pdc as an rras/vpn/gateway
server, but for my company it is indeed a cost issue. I have a HP pl 140 that
is supposed to act as our webserver outside our local domain (NO other
roles), and a custom built sql server running MBS Navision (NOT to be visible
to the internet).

I need to have a server that routes our dhcp clients to the internet, also
being able to connect to their exchange mailboxes (assuring that they can
send/ recieve email), resolving DNS names and lookup wins names.

due to the routing table, and the netdiag/dcdiag tables provided for you
(top of this post), the tasks should be obvious, but the resolution might be
much less obvious.

I have been workingg really late night shifts trying to solve this problem,
but haven't gotten there yet...




....::::--- no source, no pay ---::::...

 

OK. Let's look at just the routing question. The LAN you have set up is
using private IP addresses. These cannot be seen from the Internet, and they
cannot access the Internet without address translation. ICS is not suitable
for use with Active Directory, so you need to use RRAS/NAT on your routing
server. This will give your private LAN access to the Internet (but it will
not give machines on the "public" side of the NAT router access to the
private LAN).

The default config for NAT is not suitable for an AD domain setup. You
need to use the local DNS server for AD, and you want to use your local DHCP
server. So you do not give NAT a pool of addresses to use for its DHCP-style
allocator, and you do not enable the name resolution option in NAT (which is
just a DNS proxy).

You modify your local DNS server so that it forwards requests which it
cannot resolve itself to a public DNS service (such as your ISP). You
configure your DHCP scope so that it allocates your local server IP
(192.168.16.2) as the default gateway and the DNS server for the LAN
clients. You authorise the DHCP server in AD so that it will operate.

Your LAN setup should now look like this.

Internet
|
router
195.1.30.230
|
195.1.30.229 dg 195.1.30.230
RRAS/NAT
192.168.16.2 dg blank
|
LAN clients
192.168.16.x dg 192.158.16.2

The LAN clients can access the Internet because of NAT on the server.
This allows them to share the server's public Internet connection. They can
resolve URLs because the local DNS server forwards requests to a public DNS
server.