Server with 2 Network Cards + cannot browse domain

Discussion in 'Server Networking' started by Brian, Oct 11, 2004.

  1. Brian

    I have just set up a new server running 2003 Server Standard. I have three
    network cards on the server: a 10/100 which is disabled and 2 Gigabit cards
    each with a class B ip address. All the clients on my network currently run
    win2k and winxp and all have class B IP addresses. I have set up Active
    Directory (this is the first domain) which installed & automatically
    configured Routing and Remote Access on both network cards. I installed and
    configured DNS, DHCP & Wins.

    My problem is on WinXP & Win2K machines. I can add them to the network and
    have DHCP configured for them. Internet browsing works fine but I cannot
    browse the network from these computers - I constantly get this error when
    double clicking on the domain:

    ----------------------
    Domain is not accessible. You might not have permission to use this network
    resource. Contact the administrator of this server to find out if you have
    access permissions.
    The list of servers for this workgroup is not currently available.
    ----------------------

    I am still able to map folders by their ip address and ping to the server
    and the other computers on the network. I also tried the same settings with
    ICF turned off on the XP clients and also have NetBios enabled over TCP/IP.

    Any ideas?

    Regards,
    Brian
     
    Brian, Oct 11, 2004
    #1
  2. Bill Grant

    Do you have a particular reason for having two NICs enabled (presumably
    in the same IP subnet)? This will cause no end of problems with the browser
    service. I would also disable RRAS unless you have a particular reason to
    use it (ie either routing or remote access). It will do nothing but cause
    problems with two NICs in the same subnet.
     
    Bill Grant, Oct 12, 2004
    #2
  3. Brian

    The server was shipped with three network cards and since it will be the
    domain controller, have dns, wins etc running on it I thought that
    configuring two network cards might ease the networking load - though on
    second thoughts there will only be around 40 client machines connected. And
    yes both network cards are configured on the same subnet.

    Will try your suggestion and disable one of the NICs & RRAS and see if I
    will get any more master browser issues.

    Brian
     
    Brian, Oct 12, 2004
    #3
  4. Bill Grant

    If you are running WINS, check that there are not any stale records left
    behind for the domain master browser (ie domainname 1B) pointing to the
    "wrong" IP address.
     
    Bill Grant, Oct 12, 2004
    #4
  5. No it won't. Run only one NIC.


    272294 - Active Directory Communication Fails on Multihomed Domain
    Controllers
    http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

    191611 - Symptoms of Multihomed Browsers
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

    175767 - Expected Behavior of Multiple Adapters on Same Network
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;175767

    157025 - Default Gateway Configuration for Multihomed Computers
    http://support.microsoft.com/default.aspx?scid=kb;en-us;157025&Product=win2000
     
    Phillip Windell, Oct 12, 2004
    #5
  6. Brian

    I reconfigured the server today and got everything working whilst disabling
    the other two NICs. I even tried to set up the server by using the NIC
    teaming but was still getting some errors when browsing the domain.

    Now with this setup I cannot enable ICF since it is the domain controller -
    enabling ICF on the server results in all clients not being able to access
    the server. Are there any other options (maybe by re-enabling one of the
    disabled network cards) to re-enable ICF to shield it from the internet?

    Brian
     
    Brian, Oct 13, 2004
    #6
  7. ICF is for home users. They should have never included it in the "server"
    version of the OS, it just confuses people. Assuming this is the server
    version of the OS use RRAS's NAT features.

    To handle the NICs properly run only two. Make sure the LAN NIC remains at
    the "top" of the priority list. The second NIC should only have TCP/IP bound
    to it but nothing else (no MS Networking, no F/P Sharing). The priority
    list is found in the properties of Network Places, then "Advanced" from the
    menu at the top and then "Advanced Settings..." from the dropdown
    menu,...then the list is in the upper "box",...use the side arrows to
    adjust.

    How the second one (Internet one) is configured depends on what kind of
    Internet connection you have and what kind of hardware you use to interface
    with the Line.

    (Same for 2003)
    299801 - HOW TO: Configure a Windows 2000 Server as a Network Address
    Translation Server
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299801

    310357 - HOW TO: Configure the NAT Service in Windows 2000
    http://support.microsoft.com/default.aspx?scid=kb;en-us;310357
     
    Phillip Windell, Oct 13, 2004
    #7
  8. Sorry, I was thinking of ICS instead of ICF. Yes, ICF can cause problems on
    the DC as you described.


    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

     
    Phillip Windell, Oct 13, 2004
    #8
  9. Brian

    Thanks for the note Phillip.

    This was the original setup I wanted to have but was having a lot of master
    browser issues once I enabled two network cards on the server. This is the
    first server on the network and am using Class B IP addresses (this is a
    college setup). All the clients (around 40) have a class B IP address which
    I cannot change since it enables them to use the resources outside the
    college.

    So my problem right now is that the server is not shielded from any attacks
    other than the router which blocks some inbound traffic. I cannot lock down
    the router since it will disable a lot of apps running on the client
    machines.

    If I enable another network card for ICF on the server what settings should
    I put in since it will also have a class B ip?

    Brian


     
    Brian, Oct 13, 2004
    #9
  10. Well, I think you are a bit screwed. You are trying to take what might be
    considered a bad design (or at least an insecure design) and make it behave as
    if it is a good design.

    No one should ever use actual Public IP#s within the private
    network,...*especially* schools with a bunch of "brats" on the machines.
    You should run Private IP#s for the protected machines and use at *least*
    some kind of NAT Device to "translate" between the Public and Private side
    of the system.

    I am assuming when you say Class B you mean an address block the school
    actually owns, and when you say Router you really mean a *real* router and
    not an Internet NAT device. The dictionary has been horribly butchered in
    recent times by the SOHO Cable/DSL "[so called] router" market.

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com


     
    Phillip Windell, Oct 13, 2004
    #10
  11. Brian

    Phillip,

    I am in the process of re-thinking the whole setup. Maybe I can describe the
    current setup in more detail:

    In location 1 where the server will be located I have around 50 client
    machines all connected to the campus network via public ip addresses which
    are provided by the university. All machines are connected straight to the
    hub with a switch in between the campus connection. Public ip's are used for
    authentication of various applications across the whole campus. Traffic is
    monitored across the campus and some filtering goes on for outbound traffic
    so if a computer is hacked or has a virus etc its ip is blocked across the
    campus network.

    My idea is to implement two network cards on the server - one with a public
    ip and the other with a private ip thus all the client machines in my
    location will have a private ip provided via dhcp. The problem arises when
    the clients try to use the campus wide applications which work via ip
    verification - all of these will stop working. Secondly if excess traffic
    goes out of the server (hack/virus on one pc) all traffic gets blocked on
    the server since that will be the only ip showing on the campus.

    I can also implement a firewall solution either by utilizing an extra server
    between the switch and the hub (two network card setup) running windows
    server 2003 + ICF (ISA Server if i get the funds) on one card (public ip) or
    else a linux based firewall such as smoothwall.

    What I need to figure out is how can i translate addresses going out of the
    firewall from the internal network for authentication. I was told that NAT
    is an option but cannot figure out how can i translate a private ip
    192.168.1.100 into a public ip 128.xxx.xxx.xxx so that applications and
    campus services can be authenticated.

    Regards,
    Brian



     
    Brian, Oct 21, 2004
    #11
  12. That is another example of why this is a bad design. The "IP Verification"
    is a bad way to do this and worse yet it "locks" you even more deeply into
    the bad overall design by forcing all machines to maintain a public address
    that they never should have been using in the first place.
    What is now commonly called NAT is *really* called "NAT Overload". The real
    original "Standard NAT" is almost exactly what you describe,...one external
    IP matched to one internal IP,...but it was a *random* match-up, not a
    static 1-to-1. If you have 50 users *active* on the internal side then you
    needed 50 external addresses on the outside to cover them. You could have
    more than 50, but only 50 could use the internet at once. The number of
    people in the industry that realize this you can probably count on one
    hand,...most never even heard the term NAT Overload and have no idea that
    today's common NAT is actually NAT Overload and not the first original form
    of NAT.

    Is it worth doing?,..no..it is not. If you do a static 1-to-1 NAT on all the
    machines then you have effectively recreated the same thing that you already
    have by leaving them the way they are, but just spent more money doing it.
    Hmmm....which is common for the Government,...and most of the school
    systems are run by the Government (don't worry, just having a little
    fun...).

    The bottom line is this:...Until they get rid of this "IP Verification"
    method you can just forget it, you are screwed,...you are forced by this
    verification method to remain "locked" into a bad system design.
     
    Phillip Windell, Oct 21, 2004
    #12
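The distinction Phillip draws above (a pool of public addresses handed out one per active inside host, versus NAT Overload where every flow leaves from one address and is told apart by port) is easy to see in a toy translation table. The block below is an added example, not code from the thread or from RRAS; the 192.168.1.0/24 inside network, the 128.66.0.0 public block standing in for Brian's 128.xxx range, and the port numbers are invented for illustration.

```python
"""Toy model of the two NAT forms discussed in the thread: dynamic one-to-one
NAT drawn from a pool versus NAT Overload (PAT) behind a single address.
Added example, not code from the thread. All addresses are invented."""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def inside_hosts(n: int) -> List[str]:
    """n private hosts 192.168.1.1 .. 192.168.1.n (assumed inside network)."""
    base = ipaddress.IPv4Address("192.168.1.0")
    return [str(base + i) for i in range(1, n + 1)]


def public_pool(n: int) -> List[str]:
    """n public addresses 128.66.0.1 .. 128.66.0.n (assumed stand-in for 128.xxx)."""
    base = ipaddress.IPv4Address("128.66.0.0")
    return [str(base + i) for i in range(1, n + 1)]


@dataclass
class StandardNat:
    """Original dynamic NAT: each active inside host borrows one pool address.
    The pairing is whichever address happens to be free, not a fixed 1-to-1
    assignment, and the pool size caps how many hosts can be out at once."""
    pool: List[str]
    table: Dict[str, str] = field(default_factory=dict)   # inside ip -> public ip

    def translate(self, inside_ip: str, rng: random.Random) -> Optional[str]:
        if inside_ip in self.table:
            return self.table[inside_ip]
        if not self.pool:
            return None                      # pool exhausted: this host waits
        public = rng.choice(self.pool)       # random free address, not a static map
        self.pool.remove(public)
        self.table[inside_ip] = public
        return public

    def release(self, inside_ip: str) -> None:
        """Session over: hand the public address back to the pool."""
        public = self.table.pop(inside_ip, None)
        if public is not None:
            self.pool.append(public)


@dataclass
class NatOverload:
    """NAT Overload / PAT: every flow leaves from one public IP and flows are
    told apart by translated source port, so the whole building shows one address."""
    public_ip: str
    next_port: int = 1024
    table: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (ip, port) -> public port

    def translate(self, inside_ip: str, inside_port: int) -> Tuple[str, int]:
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]


def simulate_standard(hosts: List[str], pool: List[str], seed: int = 0) -> Dict[str, Optional[str]]:
    """All hosts try to go out at once; None means the pool ran dry for that host."""
    nat = StandardNat(pool=list(pool))
    rng = random.Random(seed)
    return {h: nat.translate(h, rng) for h in hosts}


def simulate_overload(hosts: List[str], public_ip: str) -> Dict[str, Tuple[str, int]]:
    """Same hosts, each opening a flow from local port 40000, behind one address."""
    nat = NatOverload(public_ip=public_ip)
    return {h: nat.translate(h, 40000) for h in hosts}


if __name__ == "__main__":
    hosts = inside_hosts(60)
    std = simulate_standard(hosts, public_pool(50))
    waiting = [h for h, pub in std.items() if pub is None]
    print(f"standard NAT, 50-address pool: {60 - len(waiting)} hosts out, {len(waiting)} waiting")
    pat = simulate_overload(hosts, "128.66.0.1")
    seen_as = {ip for ip, _ in pat.values()}
    print(f"NAT overload: {len(pat)} hosts out, campus sees {seen_as}, "
          f"{len({p for _, p in pat.values()})} distinct ports")
```

Running it with 60 inside hosts and a 50-address pool leaves 10 hosts waiting under standard NAT, while overload lets all 60 out behind a single address. That single address is exactly the problem Brian raised in #11: the campus IP-verification scheme and the per-IP blocking would treat the whole building as one host.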
  13. Brian

    So it seems like I am stuck with this setup.

    Is there any way of at least locking down connections to my windows server
    within an IP range (public ip range assigned to the location I am at) - I
    know this is not the best design, but at least I will be locking out traffic
    from the outside world + I can control and monitor the clients in my
    building.

    Brian
     
    Brian, Oct 21, 2004
    #13
  14. You could use ACLs on the nearest Router. But it depends on what you really
    are looking to block,...with some things Network Level restrictions don't
    cut it. There are also Application Level restrictions (IIS, Exchange, SQL
    Server, etc.) and File System Level (NTFS) restrictions to consider.

    Also in addition to ACLs on the router, you can have some "rudimentary"
    Network Level restrictions by going into the Advanced properties of
    TCP/IP on an individual machine's interfaces and use Packet Filters (aka
    ACLs) to do a certain amount of restricting. But the more you do, the more
    difficult it will become to manage and troubleshoot, so you will have to
    strike a "balance" somewhere.
     
    Phillip Windell, Oct 21, 2004
    #14
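The router ACL Phillip suggests in #14 is a first-match list with an implicit deny at the end, so rule order decides what gets through. The block below is an added example, not code from the thread or from any router vendor: it evaluates such a list over a handful of constructed packets. The 128.66.0.0/16 campus block, the 128.66.7.0/24 building range, the 128.66.7.10 server address and the quarantined 128.66.7.99 host are all invented stand-ins for the public ranges Brian describes.

```python
"""First-match packet filter in the style of a router ACL (or the per-interface
TCP/IP filter on a Windows host), run over constructed packets. Added example,
not code from the thread; every address below is invented."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int    # 0 for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that fired); None means the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


SERVER = "128.66.7.10/32"     # the DC (assumed address)
BUILDING = "128.66.7.0/24"    # range assigned to Brian's location (assumed)

# Order matters: the specific deny for a quarantined host must sit above the
# broad permit, otherwise the permit shadows it and the deny never fires.
ACL = [
    Rule("deny",   "any",  "128.66.7.99/32", SERVER),        # host pulled for a virus
    Rule("permit", "tcp",  BUILDING, SERVER, 445),           # SMB / file shares
    Rule("permit", "tcp",  BUILDING, SERVER, 389),           # LDAP
    Rule("permit", "tcp",  BUILDING, SERVER, 88),            # Kerberos
    Rule("permit", "udp",  BUILDING, SERVER, 53),            # DNS
    Rule("permit", "icmp", BUILDING, SERVER),                # ping from the building
    # no catch-all: everything else, including the rest of the campus /16, drops
]

# Constructed traffic, not captures.
SAMPLE = [
    Packet("tcp", "128.66.7.23",  "128.66.7.10", 445),    # building host, file share
    Packet("udp", "128.66.7.23",  "128.66.7.10", 53),     # building host, DNS
    Packet("tcp", "128.66.7.99",  "128.66.7.10", 445),    # quarantined building host
    Packet("tcp", "128.66.40.5",  "128.66.7.10", 445),    # another campus building
    Packet("tcp", "198.51.100.7", "128.66.7.10", 3389),   # internet, RDP
    Packet("tcp", "128.66.7.23",  "128.66.7.10", 3389),   # building host, RDP (not listed)
]


def run(acl: List[Rule], packets: List[Packet]) -> List[str]:
    """One line per packet: verdict, which rule fired, and the flow it described."""
    out = []
    for p in packets:
        action, idx = evaluate(acl, p)
        why = f"rule {idx}" if idx is not None else "implicit deny"
        out.append(f"{action:6} {why:13} {p.proto}/{p.dport} {p.src} -> {p.dst}")
    return out


if __name__ == "__main__":
    print("\n".join(run(ACL, SAMPLE)))
```

The sample shows the trade-off Phillip mentions: the building's own hosts reach the server on the ports listed, the rest of the campus /16 and the internet are dropped by the implicit deny, and the quarantined host is caught only because its deny precedes the permit for the /24. Every additional service the clients need becomes another rule to maintain, which is the management cost he warns about.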
  15. Ah!...and one other thing. With XP-SP2 there is also the built in Personal
    Firewall to consider which can give certain protection, although on a LAN
    that may do more harm than good,...you'll have to decide that for yourself.
     
    Phillip Windell, Oct 21, 2004
    #15