How to enable communication between Two different lans (subnets)/ domains 2003 server based? Assista

Discussion in 'Windows Networking' started by markm75, Aug 6, 2007.

  1. markm75

    markm75 Guest

    I have our production lan that is on 192.168.100.x.. this is a 2003
    server domain, with a DHCP server running on one of the 2003 boxes.

    I also have a development test lan that is 192.168.227.x.. this too is
    a 2003 domain with a DHCP server running on one of the 2003 boxes
    there.

    I want to be able to share resources between the 2.. ie: if i'm a box
    on 227.x.. i want to be able to either say \\192.168.100.2\apps or \
    \servername\apps..

    I've tried setting up RAS servers on both ends.. then setting static
    routes between them..

    I've also tried adding the 100.x gateway as a secondary gateway on the
    one 227.x server, but this didnt work either...

    One thing to note.. the 227.x lan is actually run completely on my
    Vista machine under Vmware Workstation 6.x I have the servers set to
    "bridged mode" (there is also nat mode, which uses the same ip as the
    host OS, or host only mode, which completely isolates the guest from
    the host).

    Ultimately too, I'd like to have someone running vmware on their
    machine, to create say an XP virtual machine and join the test domain
    that is running from my machine.

    I dont think the issue is VMware related.. I think i'm just missing a
    step in RAS (if ras is even needed) or somewhere else (maybe demand
    dialing between the two ras servers if needed?)?

    One key thing i was worried about was the fact i have a dhcp server on
    both domains.. as i only want dhcp requests in the wild to be
    processed by the 100.x server, so i'm guessing i'd have to turn off
    the dhcp server on the test domain.

    Thanks for any tips
     
    markm75, Aug 6, 2007
    #1
    1. Advertisements

  2. markm75

    Bill Grant Guest

    You would not need two RRAS servers. You just need one RRAS server
    which has an interface in both subnets. I would use one of the vms as a
    router between the physical network an the virtual network. The fact that
    you are using virtual machines and virtual networks doesn't alter the way IP
    routing works.

    You can only run DHCP in the test network if it is isolated from the
    physical network. DHCP works by using broadcasts, so your machines will see
    both DHCP servers if the networks are bridged. I haven't run a setup like
    this with VMWare but it works fine in VPC or Virtual Server. You put the vms
    in the virtual network which is not linked to an interface on the host
    (Local Only in VPC or internal in VS). You set up the RRAS server as a
    router with one NIC linked to the physical network and one in the virtual
    network.

    If you want to connect virtual machines which are running on
    different host machines it is a bit harder. You need to put them in
    different IP subnets and route the traffic between them through the physical
    network (just like linking two isolated physical segments across a linking
    segment).
     
    Bill Grant, Aug 7, 2007
    #2
    1. Advertisements

  3. To add to Bill's comments, I need to clear something up before it becomes a
    point of confusion.

    Domains have nothing to do with subnets,...subnets have nothing to do with
    Domains.
    You can have 100 Domains all on one subnet,...or,..you can have one Domain
    that runs over 100 subnets. There is just no relationship between the two.

    Sharing resources between two Domains is all about properly configured
    Trusts, Share Permissions, and NTFS Permissions.

    Functionality across subnets is a matter of a proper Layer3 LAN Routing
    scheme.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Microsoft ISA Server Partners: Partner Hardware Solutions
    http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
    -----------------------------------------------------
     
    Phillip Windell, Aug 7, 2007
    #3
  4. markm75

    markm75 Guest

    Just an update.. thanks for the tip..

    I tried just adding a secondary nic to my virtual server (just the
    main one.. the DC).. i set the ip on it to my production 100.x subnet,
    while leaving the other at 227.x

    I stopped the router (ras) on this machine too for kicks..

    Now I can ping from both domains.. so joining other virtual
    workstations/servers to my virtual domain should now be possible
    (outside of my machine).

    It appears the RAS service isnt needed either.. i can seemingly ping
    any machine in there.

    So all appears good.. i can even browse my 100.x machines/servers by
    name not just ip.

    I guess I'm out of luck on using DHCP in the test domain, unless i
    want clashes in the production.

    Thanks again
     
    markm75, Aug 7, 2007
    #4
  5. markm75

    markm75 Guest

    Update again.. with the secondary nic (alone).. all i can do is ping
    the production domain /lan from the test one...

    I had deleted the static entry from my physical router.. now i cant
    ping the test lan.

    So it would seem, naturaly, that you need a static route on a physical
    router or use RAS on a 2003 server with a static route to be able to
    ping the test domain (short of using 2ndary nics on the production
    servers)..
     
    markm75, Aug 7, 2007
    #5
  6. markm75

    markm75 Guest

    sorry for multiple posts in a row.. but now for some reason, despite
    putting the static route back on my physical router and even trying
    static routes in RAS on the virtual side.. i cant get a ping to work
    from the production 100.x side... to the 227.x side.
     
    markm75, Aug 7, 2007
    #6
  7. markm75

    Bill Grant Guest

    And also note that it is not a good idea to use a DC as a router, whatever
    setup you are using. A DC should only have one NIC and one IP. You will get
    all sorts of odd problems with a multihomed DC.

    You will also almost certainly have DNS problems running a domain behind a
    NAT router, if you go down that path. All machines in a domain, including
    the DC itself should use the local DNS. If you want Internet access you need
    to set up this DNS to forward to a public DNS service. Using the NAT router
    for DNS will result in problems for your AD clients.
     
    Bill Grant, Aug 8, 2007
    #7
  8. markm75

    markm75 Guest

    Ill keep the DC thing in mind and make the switch..

    I'm still only able to ping from within my virtual lan (227.x)..

    any thoughts on what to do to enable the ping of the virtual lan from
    the other lan (100.x)?

    Do I need to setup static routes on either the physical router, or a
    2003 router (RAS) on the 100.x side? Do I need to do the dual nic
    thing on the 100.x side?

    I have static routes going on currently from both our physical router
    and the RAS on the 100.x to the other side (192.168.227.0 with the
    gateway being 227.2, that of the RAS server on the other end)..

    But so far no pinging working..
     
    markm75, Aug 8, 2007
    #8
  9. markm75

    Bill Grant Guest


    Have you ever set up a similar network using "real" networks?

    Networking between two segments works fine if the router is the
    default gateway for both subnets. All you need to do is enable IP routing
    and away it goes. eg

    192.168.1.x dg 192.168.1.254
    |
    192.168.1.254 dg blank
    router
    192.168.227.254 dg blank
    |
    192.168.227.x dg 192.168.227.254

    If one subnet uses some other gateway, making changes on the RRAS server
    cannot solve the problem unless you enable NAT. With NAT on the RRAS server
    the "inner" subnet can see the original subnet and the Internet, because NAT
    looks after the routing. eg

    Internet
    |
    Public IP
    Gateway router
    192.168.1.254
    |
    workstations
    192.168.1.x dg 192.168.1.254
    |
    192.168.1.n dg 192.168.1.254
    RRAS/NAT
    192.168.227.254 dg blank
    |
    192.168.227.x dg 192.168.227.254

    The .227 machines can see the machines on the 192.168.1.0 subnet and the
    Internet because the RRAS/NAT server handles the traffic through its
    "public" IP of 192.168.1.n . This is in the same subnet as the gateway
    router and everything works. The machines in 192.168.1.0 cannot see the
    machines in 192.168.227.0 because they are on the public side of the NAT.

    You cannot use this sort of setup if you want to run AD on the internal
    subnet. The way that NAT handles DNS (by relaying DNS to a public DNS
    service) is not compatible with AD. All domain members, including the DC
    itself, need to use the local DNS, because that is where your SRV records
    are. An external DNS cannot tell your client machines how to find the DC,
    for example.

    Whether you are using virtual networks or not, running a domain has
    certain requirements. And if you want the domain members to be able to
    access machines on some other network or access the Internet through some
    other existing LAN it is far from simple.

    I would recommend that you set up your new domain on an isolated network
    and get it working properly on its own subnet using its own DNS and DHCP.
    When that all works, set up a virtual machine (not the DC) as a router
    between that subnet and your existing physical LAN. You will need extra
    routing so that the existing LAN knows where the new subnet is and how to
    reach it. You will also need to set up your DNS on the new domain to forward
    to a DNS server which can resolve public URLs.
     
    Bill Grant, Aug 8, 2007
    #9
  10. markm75

    markm75 Guest

    Working like a charm so far.. All i had to do was add a static route
    in my router to the RAS server on my virtual network.. and on that RAS
    server have a secondary nic with an ip address in the real domain..
    all machines in the virtual realm have the gateway set to the RAS
    server address..


    Now onto secondary thing.. DNS.. what is the usual way to hack this
    one.. should i just put for the secondary dns addresses on every
    machine in the Virtual Network, the dns of the real network? Or can I
    just do a forward from within the DNS manager (right click server
    name.. forwards tab.. enter ip address of the opposite dns servers?)
    on the Virtual network and the same on the real.. i think this one
    would be simpler?

    I can only ping by ip as of now naturally.

    UPDATE: Tried adding the real domains ip addresses to the forwarders
    tab, recycled things, waited, i still cant ping them by name as of
    now. Actually.. i can ping the other domain.. but only if i add the
    domain suffix.. ie: ping serverA.domain.local I'm guessing i can tweak
    the settings to fix this.. hoping i dont need to add this suffix to
    every machine in the virtual realm. This ping with the suffix actually
    works without doing anything to DNS on either side too.
     
    markm75, Sep 12, 2007
    #10
  11. markm75

    Bill Grant Guest

    Have you tried simply setting the new DNS to forward all requests to the
    existing DNS on the physical network? Another solution would be to make the
    new DNS a secondary for the original DNS so that it had a local copy.
     
    Bill Grant, Sep 13, 2007
    #11
  12. markm75

    markm75 Guest

    I think at first i did try the forwarding option, just adding the ips,
    but...

    I fixed the problem.. on the server properties for each dns server on
    each side.. i had to add a new dns domain for the opposite domain (not
    just add the ip), then the dns server(s) ip addresses.. once i did
    this.. they started communicating from either side.. but only by
    FQDN..

    I cant run DHCP on the virtual LAN, or so i think, because if i do..
    it may give out those .227.x addresses to the .100.x machines by
    mistake (hence I think, naturally, the test domain machine names dont
    auto get put into DNS, with their A records).. so everything is manual
    on the virtual side.. meaning now to ping either side.. i use the
    FQDN, but name nonetheless (\\server.domain.local)
     
    markm75, Sep 13, 2007
    #12
  13. markm75

    markm75 Guest


    Actually I have a new problem.. for some reason my virtual lan cannot
    access the internet.. I cant even ping via internet ip addresses.. so
    i dont think it is a dns issue, more likely a routing issue.
     
    markm75, Sep 13, 2007
    #13
  14. markm75

    Bill Grant Guest

    Yes, it probably is a routing issue. The Internet router probably has no
    idea where the new inner subnet is. You need a route on the Internet router
    to forward traffic for the new subnet to the internal router.
     
    Bill Grant, Sep 14, 2007
    #14
  15. markm75

    markm75 Guest

    My virtual network is the one running the RRAS server on .227.6
    while my real network is on .100.1 (gateway, symantec router, internet
    router). I previously added a static route to the Symantec Gateway
    router to the 192.168.227.0 / 6 subnet.. so communication could occur
    between the two.

    Are you saying the RRAS server needs its own static route to the
    Symantec .100.1 router? I dont see why, as i can ping back and forth
    and dns works back and forth (FQDN).. I also tried pinging internet IP
    addresses.. they fail too.
     
    markm75, Sep 14, 2007
    #15
  16. markm75

    Bill Grant Guest

    No, all you need is a static route on the gateway router to forward
    traffic for the 192.168.227 subnet to the RRAS router. If that is in place,
    machines on the 192.168.227 subnet should be able to ping machines in the
    192.168.100 subnet and the Internet. It should look like this.

    Internet
    |
    Public IP
    gateway router {static route 192.168.277.0 255.255.255.0 192.168.100.n}
    192.168.100.1
    |
    LAN machines
    192.168.100.x dg 192.168.100.1
    |
    192.168.100.n dg 192.168.100.1
    RRAS
    192.168.277.1 dg blank
    |
    virtual machines
    192.168.277.x/24 dg 192.168.277.1

    Machines in 192.168.277 can get to the "real" network because the
    gateway router will bounce traffic addressed to the inner subnet to the RRAS
    router. Similarly it will redirect traffic coming from the Internet to the
    RRAS router.
     
    Bill Grant, Sep 14, 2007
    #16
  17. markm75

    markm75 Guest

    Actually, I already have the static route in place on the gateway.. it
    only asks for a few things.. the ip of the subnet.. so i gave it
    192.168.227.0 and then the gateway (RRAS server) 192.168.227.6..
     
    markm75, Sep 14, 2007
    #17
  18. Mark,
    Does the physical layout of your system match the diagram that Bill gave?
    We need to be sure we are picturing the correct thing in our minds.

    By the way, they are all RFC Private Address, there is no "secret" about
    them, we all use them, and they aren't accessable from the "outside" anyway.
    Hiding the exact number with an "x" may only cloud the issue and cause
    confusion,...worse yet, they may actually hide the very misconfigureation
    that we need to see. Please use the actual numbers.

    Here's Bill's diagram reposted:

    Internet
    |
    Public IP
    gateway router {static route 192.168.277.0 255.255.255.0 192.168.100.n}
    192.168.100.1
    |
    LAN machines
    192.168.100.x dg 192.168.100.1
    |
    192.168.100.n dg 192.168.100.1
    RRAS
    192.168.277.1 dg blank
    |
    virtual machines
    192.168.277.x/24 dg 192.168.277.1

    On the DNS,...I've tried the follow the posts but I may have lost track of
    what you are doing with that. I recommend that you keep it simple, and I
    would recommend this method (maybe it is what you are doing anyway):

    All machines on the 277 LAN use their own DNS for resolution and should not
    use any DNS anywhere else. The 277 DNS would then have the AD/DNS from the
    100 LAN listed in the Forwarders List. The 100 LAN should follow the same
    pattern and have all of the 100 LAN Clients use only their AD/DNS and no
    other. The 100 DNS then uses the ISP's DNS as a Forwarder and the Firewall
    needs to allow that DNS to make the outbound DNS queries.

    This will allow the 277-Machines to resolve names on both the Internet and
    on the 100 LAN. The 100-Machines will resolve their own names and the
    Internet but will *not* be able to resolve name on the 277 LAN. To have
    full resolution in every direction will probably require setting up Zone
    Transfers between the the DNS of both LAN's and the ISPs DNS will be the
    Forwarder on both DNS's.

    Even with DNS Full Resolution, accessing resources would be denied unless
    there is a Trust established between the Domans and have proper permissions
    set up accordingly.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Sep 14, 2007
    #18
  19. markm75

    markm75 Guest


    I'll start the description from scratch.. and maybe this will shed
    some light:

    I have a symantec gateway router.. connected to the internet and my
    internal .100 lan (call it the real lan).
    On this device I setup the static route.. It is set to 192.168.227.0,
    255.255.255.0 mask, 192.168.227.6 gateway (the RRAS on the virtual
    LAN). This static entry also asks what interface to create the route
    on.. so I chose the internal interface.. the other two options are
    WAN1,2.

    In order to resolve names, using at least FQDN.. i then had to goto
    the DNS on the .100 lan and... Right click the DNS server name..
    properties.. Forwarders tab.. then.. rather than just clicking on "all
    other dns domains" and adding the .227.2 (dns server) entry.. it
    seemed i had to click the "new" button.. create a new DNS domain.. so
    i put in psttest.local (our virtual lan domain name).. i then clicked
    on that entry.. and entered the .227.2 address for the DNS server.

    Then on the virtual lan.. i did this same thing.. only i created the
    new dns domain called pst.local and then clicked the entry and added
    the .100.2 (dns server) entry there.

    On the RRAS server.. I have two nics.. (virtual server).. one is
    called "pst.local" while the other is "psttest.local".. the pst.local
    nic has a .100.x address and the other has the .227.x address.

    At this point i can ping either domain.. but only by FQDN.. ie: from
    production: ping vpcServerA.psttest.local works fine and then the
    reverse works fine from the test lan.

    If i try to ping an ip address on the internet.. ie: www.google.com
    's ip address (not domain name).. it Fails.. likewise of course
    pinging it by name fails.

    I tried going into the RRAS server and adding the NAT protocol.. i
    wasnt sure if this was needed .. this didnt help things.. though I may
    have had it configured wrong.

    Any thoughts on the step i'm missing to make internet pings work? Did
    I do the DNS entries correctly in the forwarding tab? (I haven't done
    any zone transfers or adding extra name servers thus far, as they dont
    seem necessary since these are independent domains).

    Thanks
     
    markm75, Sep 14, 2007
    #19
  20. Ok, but...you never answered the #1,... most important,...very first
    question.

    Does the physical layout of your system match the diagram that Bill gave?

    Here's Bill's diagram reposted:

    Internet
    |
    Public IP
    gateway router {static route 192.168.277.0 255.255.255.0 192.168.100.n}
    192.168.100.1
    |
    LAN machines
    192.168.100.x dg 192.168.100.1
    |
    192.168.100.n dg 192.168.100.1
    RRAS
    192.168.277.1 dg blank
    |
    virtual machines
    192.168.277.x/24 dg 192.168.277.1


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Sep 14, 2007
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.