Set up a BDC/WINS server at the branch office.

Configure your clients so that the local BDC/WINS server will provide 
logon/WINS services.

Then allow the domain sync traffic from the branch office BDC/WINS server 
through the PIX to the central office PDC/WINS server.

Microsoft's PDCs and BDCs have problems with slow links when it comes to 
domain logons, especially when you add a firewall in the mix.
This may seem like overkill, but if you look at Microsoft's recommended
configuration for domain logon/WINS services you will see that this is the 
optimal configuration.

Another side benefit is that your clients will log on faster, and if you ever 
lose your Primary Domain Controller and WINS server, you have a backup at the 
branch site.

Also, WINS replication between the servers should run when there is less 
traffic on the link. Domain sync between PDC and BDC should run when changes 
are made to the Windows NT Security Account Manager.

There is a very nice white paper on the subject at the Microsoft TechNet 
site.

http://www.microsoft.com/technet

Dave T

>From: "Brian Lodwick" <[EMAIL PROTECTED]>
>Reply-To: "Brian Lodwick" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Still doesn't work: tough VPN question
>Date: Fri, 08 Dec 2000 17:56:25 -0000
>
>How about getting a test machine and running nbtstats to test the WINS
>resolution?
>
> >>>Brian
>
>
> >From: "Benjamin Walling" <[EMAIL PROTECTED]>
> >Reply-To: "Benjamin Walling" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Re: Still doesn't work: tough VPN question
> >Date: Fri, 8 Dec 2000 08:27:04 -0500
> >
> >Pinging does not verify name resolution for WINS.  Ping will resolve a name
> >using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
> >drives, etc.
> >
> >Try this link on Cisco's website for help with coordinating your NT domain
> >with your network layout:
> >http://www.cisco.com/warp/public/473/winnt_dg.htm
> >
> >It covers WINS and things like that.
> >
> >Ben
> >
> >"Jim Bond" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > Thank you guys for the help. Unfortunately, I tried to
> > > put LMHOST file, still doesn't work. We use WINS and I
> > > can ping domain controller using name so I don't think
> > > it's naming issue.
> > >
> > > I used a sniffer captured some data, client is sending
> > > logon request to domain controller but didn't get any
> > > response. Looks like PIX blocks it. How do I open
> > > it(port 137, 138, 139)?
> > >
> > > Thanks in advance.
> > >
> > >
> > > Jim
> > >
> > > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > > Your problem is likely the propagation of
> > > > broadcasts...  Or lack thereof.
> > > > One thing you can do (I'm assuming you have a router
> > > > before (LAN-side) the
> > > > PIX) is set up an ip-helper address to forward
> > > > UDP-level broadcasts (like
> > > > 138/139 Netbios) to the NT server.
> > > >
> > > > The other thing you can do is bypass that broadcast
> > > > thought process by using
> > > > LMHosts files on the workstations at the branch
> > > > office.  That will pre-load
> > > > (if you use the #PRE designation) the NetBIOS cache
> > > > and give you IP
> > > > addresses to go to.  So if you have IP reachability,
> > > > things will work just
> > > > fine then.
> > > >
> > > > In LMHOSTS. :
> > > >
> > > > (ip address) (Netbios name) #PRE #DOM:(domain name
> > > > if domain controller)
> > > >
> > > > Also, to refresh without rebooting the PCs, "nbtstat
> > > > -R"
> > > >
> > > > Hope this helps!
> > > >
> > > > Scott
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > > Jim Bond
> > > > Sent: Thursday, December 07, 2000 1:19 AM
> > > > To: [EMAIL PROTECTED]
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: tough VPN question
> > > >
> > > >
> > > > Hello,
> > > >
> > > > I'm trying to set up a IPSec between a PIX (branch
> > > > office) and router (central office). All PCs at
> > > > branch
> > > > office share 1 ip address. IPSec seems to be working
> > > > fine because clients can ping/telnet/email/map
> > > > drives
> > > > from/to central office. The problem is they can't
> > > > logon NT domain. They can ping domain controller
> > > > though.
> > > >
> > > > Any idea why they can't log on NT domain? (The
> > > > machines were already added to domain)
> > > >
> > > > Thanks in advance.
> > > >
> > > >
> > > > Jim
> > > >
> > > >
> > > _______________________________________________________
> > > > To unsubscribe from the CCIELAB list, send a message
> > > > to
> > > > [EMAIL PROTECTED] with the body containing:
> > > > unsubscribe ccielab
> > > >
> > > > _________________________________
> > > > FAQ, list archives, and subscription info:
> > > > http://www.groupstudy.com/list/cisco.html
> > > > Report misconduct and Nondisclosure violations to
> > > [EMAIL PROTECTED]
> > >
> > >
>

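A checker for the LMHOSTS line format Scott quotes above (ip address, NetBIOS name, `#PRE`, `#DOM:domain`), as an added example that is not part of the original thread. The addresses, host names and the domain CORP are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: addresses, NetBIOS names and the domain CORP are made up.
SAMPLE = """\
192.0.2.10   CENTRALPDC          #PRE #DOM:CORP
192.0.2.11   CENTRALWINS         #PRE
192.0.2.12   BRANCHFILESERVER01  #PRE
192.0.2.300  BADADDR             #PRE
192.0.2.13   CENTRALBDC          #DOM:CORP
"""

def check_lmhosts(text):
    """Parse LMHOSTS text; return (clean_entries, problems)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) < 2:
            problems.append((lineno, "expected: ip name [#PRE] [#DOM:domain]"))
            continue
        ip, name = fields[0], fields[1]
        pre, domain = False, None
        for tok in fields[2:]:
            if tok == "#PRE":
                pre = True
            elif tok.startswith("#DOM:"):
                domain = tok[len("#DOM:"):]
            else:
                break  # anything else is treated here as a trailing comment
        issues = []
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            issues.append("not a valid IPv4 address: " + ip)
        if len(name) > 15:  # the 16th byte of a NetBIOS name is the service suffix
            issues.append("NetBIOS name longer than 15 characters: " + name)
        if domain and not pre:
            issues.append("#DOM entry without #PRE is not preloaded")
        if issues:
            problems.extend((lineno, msg) for msg in issues)
        else:
            entries.append({"ip": ip, "name": name, "pre": pre, "domain": domain})
    return entries, problems

def preloaded_dcs(entries, domain):
    """Names of preloaded domain-controller entries for one domain."""
    return [e["name"] for e in entries if e["pre"] and e["domain"] == domain]
```

After correcting a file, `nbtstat -R` reloads the `#PRE` entries as described in the thread.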