Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: unable to join domain from dmz

from [Wozny, Scott \(US - New York\)] Network Security [Permanent Link]
Subject: RE: unable to join domain from dmz
Date: Tue, 24 Aug 2004 13:22:03 -0400 
This could be a lot of things but in my experience (on new segments)
it's usually related to name resolution problems.  

First suggestion is make sure you've statically configured your WINS
resolver address so when you server calls out for WINS resolution you're
actually getting to a machine that can resolve names for you (i.e. the
PDC of the domain you want to join).

Also, check
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\No
deType to make sure you're not a B-node (enumerated as 1) that is
broadcasting for name resolution and not getting anything back (a WINS
helper on your firewall's DMZ interface could fix that but you don't
really want helper addresses on your DMZ segment if you can prevent it).
On a DMZ, I'd recommend setting it as a P-node (enumerated as 2), but,
once again, that requires making sure your WINS resolvers are statically
defined on the server.

Other than that, without a trace of the events that occur when you try
and join the domain it could be almost anything.  If this doesn't fix
it, hit the MS Knowledge Base up with your error message and see what it
suggests.

Good luck,

Scott

-----Original Message-----
From: Bilal Dar [mailto:bdar@pbad.sbg.com.sa] 
Sent: Monday, August 23, 2004 5:13 AM
To: firewalls@securityfocus.com
Subject: unable to join domain from dmz


I am having a problem, i couldn't figure out the reason till now. We are
having our NT 4 Primary Domain Controller on the inside network, now i
am
installing another server in the DMZ as a Backup Domain Controller. When
i
try to join the domain during installation i get an error stating "The
domain controller for the domain cannot be located"

Dmz = 172.17.0.0/16
Inside = 172.16.0.0/16

PDC = 172.16.4.2
NewServer = 172.17.0.10/16

conduit permit icmp any any
conduit permit ip host 172.17.0.10 172.16.0.0 255.255.0.0
conduit permit ip host 172.17.0.10 172.17.0.0 255.255.0.0
conduit permit tcp host 172.17.0.10 eq smtp any
conduit permit tcp host 172.17.0.10 eq pop3 any
conduit permit tcp host 172.17.0.10 eq domain any
conduit permit udp host 172.17.0.10 eq domain any
conduit permit ip host 172.17.4.2 host 172.17.0.10


I can ping NewServer from Inside network. Am i missing something?


Thanks





This message (including any attachments) contains confidential information 
intended for a specific individual and purpose, and is protected by law.  If 
you are not the intended recipient, you should delete this message.  Any 
disclosure, copying, or distribution of this message, or the taking of any 
action based on it, is strictly prohibited.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  IDS & NetProwler, Marc S. O'Leary
Next by Date:  Re: unable to join domain from dmz, Roger McLaren
Previous by Thread:  Re: unable to join domain from dmz, Shane B. Milburn
Next by Thread:  RE: unable to join domain from dmz, Paul Chung
Indexes:  [Date] [Thread] [Top] [All Lists]