vlan and windows domain

Hello, please help

I have a Cisco 4503 with a few VLANs configured. There are 4 Windows 2003 servers in the default VLAN1, but other PCs are in different VLANs. So, I can't log on to the Windows domain from them. If I put them in VLAN1 it's working. Can they log on to the domain from a different VLAN? How?

thank you!

Reply to
Vjeran

Are the DCs pingable?

The DCs use TCP/IP, and TCP/IP is routable, so if you can't ping the DCs, there's a routing problem.

Is there routing between the VLANs?

"Vjeran" wrote in message news:e7rmnj$kv4$ snipped-for-privacy@ss408.t-com.hr...

Reply to
CCNA Nerd

Yes, all servers are pingable, and PCs from different VLANs are pingable, and I can connect between them using Start > Run > \\ipaddress, but I don't see PCs from a different VLAN in my Network Neighborhood, and can't connect to the domain from a PC in a different VLAN ... like it is passing some protocols, but some not.

Reply to
Vjeran

Here is my conf:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname 4503NB
!
enable secret 5 $1$N/M2$V6YQfFyPhm3WcBox1qbla0
enable password ep4503nb
!
ip subnet-zero
ip host ASA 192.168.100.1
ip host PAT 10.0.0.5
ip host RTG 10.0.0.8
ip host KAR 10.0.0.7
ip host UPR 10.0.0.3
ip host CEN 10.0.0.1
ip host SBC 10.0.0.2
ip host OPE 10.0.0.4
ip host AMB 10.0.0.6
ip host NEU 10.0.0.9
ip dhcp excluded-address 172.16.4.1 172.16.4.10
ip dhcp excluded-address 172.16.4.200 172.16.4.254
!
ip dhcp pool DOKTORI
 network 172.16.4.0 255.255.255.0
 default-router 172.16.1.253
 option 150 ip 172.16.4.253
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
!
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/1
 switchport access vlan 2
!
interface GigabitEthernet1/2
 switchport access vlan 9
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface GigabitEthernet1/5
!
interface GigabitEthernet1/6
!
interface GigabitEthernet1/7
!
interface GigabitEthernet1/8
!
interface GigabitEthernet1/9
!
interface GigabitEthernet1/10
!
interface GigabitEthernet1/11
!
interface GigabitEthernet1/12
!
interface GigabitEthernet1/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/15
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/16
!
interface GigabitEthernet1/17
!
interface GigabitEthernet1/18
!
interface GigabitEthernet1/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet2/1
 switchport access vlan 15
 spanning-tree portfast
!
interface FastEthernet2/2
 switchport access vlan 172
 spanning-tree portfast
!
interface FastEthernet2/3
 switchport access vlan 172
 spanning-tree portfast
!
interface FastEthernet2/4
 switchport access vlan 172
 spanning-tree portfast
!
interface FastEthernet2/5
 switchport access vlan 172
 spanning-tree portfast
!
interface FastEthernet2/6
 switchport access vlan 172
 spanning-tree portfast
!
interface FastEthernet2/7
 switchport access vlan 172
 spanning-tree portfast
!
interface FastEthernet2/8
 switchport access vlan 172
 spanning-tree portfast
!
interface FastEthernet2/9
 switchport access vlan 4
 spanning-tree portfast
!
interface FastEthernet2/10
 switchport access vlan 4
 spanning-tree portfast
!
interface FastEthernet2/11
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet2/12
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet2/13
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet2/14
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet2/15
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet2/16
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet2/17
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet2/18
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet2/19
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet2/20
 switchport access vlan 4
 spanning-tree portfast
!
interface FastEthernet2/21
 spanning-tree portfast
!
interface FastEthernet2/22
 switchport access vlan 4
 spanning-tree portfast
!
interface FastEthernet2/23
 spanning-tree portfast
!
interface FastEthernet2/24
 switchport access vlan 7
 spanning-tree portfast
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan3
 ip address 172.16.3.253 255.255.255.0
!
interface Vlan4
 ip address 172.16.4.253 255.255.255.0
!
interface Vlan5
 ip address 172.16.5.253 255.255.255.0
!
interface Vlan7
 ip address 192.168.0.253 255.255.255.0
!
interface Vlan8
 ip address 172.16.8.253 255.255.255.0
!
interface Vlan9
 ip address 192.168.100.253 255.255.255.0
!
interface Vlan10
 ip address 172.16.10.253 255.255.255.0
!
interface Vlan15
 ip address 192.168.90.253 255.255.255.0
!
interface Vlan172
 ip address 172.16.1.253 255.255.255.0
!
router rip
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.10.0
 network 192.168.90.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip http server
!
!
!
access-list 2 permit 172.16.10.0 0.0.0.255
access-list 103 permit tcp 172.16.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 103 permit icmp 172.16.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 104 permit tcp 172.16.1.0 0.0.0.255 172.16.10.0 0.0.0.255 established
access-list 104 permit icmp 172.16.1.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit tcp 172.16.4.0 0.0.0.255 any eq www
!
!
!
line con 0
 session-timeout 30
 exec-timeout 0 0
 stopbits 1
line vty 0 4
 password login
!
end

Reply to
Vjeran

Solution:

#interface vlan X
#ip helper-address yyyy.yyyy.yyyy.yyyy (ip address of DC-DNS server)

for every VLAN interface; it's working after.

Reply to
Vjeran

On the PC's vlan interface ...

ip helper-address
ip forward-protocol 137
ip forward-protocol 138

BernieM

Reply to
BernieM

I can't forward protocol, IOS is not offering that command... There is helper-address on the list, but no ip forward-protocol..? Is there some other command to forward protocols on a VLAN interface?

Reply to
Vjeran

Not that I know of. It's odd that the IOS doesn't have them because they're directly tied to the helper-address but it's ok in your case as I checked what protocols are automatically forwarded when an "ip helper-address" is configured and see that both "137" and "138" are done so 'browsing' of windows networks via the domain controller should be possible as well.

FYI, here's the whole list of protocols forwarded by default when an "ip helper-address" is applied ...

- Trivial File Transfer Protocol (TFTP) (port 69)
- Domain Naming System (port 53)
- Time service (port 37)
- NetBIOS Name Server (port 137)
- NetBIOS Datagram Server (port 138)
- Boot Protocol (BOOTP) client and server datagrams (ports 67 and 68)
- TACACS service (port 49)
- IEN-116 Name Service (port 42)

BernieM

Reply to
BernieM
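
An added example, not part of the original thread and not any participant's code: a small Python audit that reads an IOS configuration, lists which VLAN interfaces carry an `ip helper-address`, and computes which UDP ports end up relayed, starting from the default list quoted above. The sample config, the server address 10.0.0.10 and the function names are constructed; handling of global `ip forward-protocol udp <port>` lines assumes the platform accepts that command in its numeric form.

```python
import re

# UDP ports relayed by default once "ip helper-address" is set (list from the thread).
DEFAULT_RELAYED = {69, 53, 37, 137, 138, 67, 68, 49, 42}

# Constructed sample in the style of the posted config; 10.0.0.10 is a made-up
# server address and the two "no ip forward-protocol" lines are assumptions.
SAMPLE_CONFIG = """\
no ip forward-protocol udp 69
no ip forward-protocol udp 49
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
interface Vlan3
 ip address 172.16.3.253 255.255.255.0
 ip helper-address 10.0.0.10
interface Vlan4
 ip address 172.16.4.253 255.255.255.0
"""

def audit_relay(config):
    """Return (relayed UDP ports, {SVI: [helper addresses]}) for an IOS config."""
    ports, helpers, svi = set(DEFAULT_RELAYED), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (Vlan\d+)", line):
            svi = m.group(1)
            helpers[svi] = []
        elif line.startswith("interface ") or line == "!":
            svi = None  # left the VLAN interface block
        elif svi and (m := re.fullmatch(r"ip helper-address (\S+)", line)):
            helpers[svi].append(m.group(1))
        elif m := re.fullmatch(r"(no )?ip forward-protocol udp (\d+)", line):
            # "no ..." removes a port from the relayed set, the plain form adds one
            (ports.discard if m.group(1) else ports.add)(int(m.group(2)))
    return ports, helpers

def report(config, needed=frozenset({137, 138}), server_svi="Vlan1"):
    """Summarise client VLANs lacking a helper and ports relayed beyond need."""
    ports, helpers = audit_relay(config)
    return {
        "svis_without_helper": sorted(s for s, h in helpers.items() if not h and s != server_svi),
        "needed_but_not_relayed": sorted(needed - ports),
        "relayed_but_not_needed": sorted(ports - needed),
    }

if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

The `needed` default covers only the NetBIOS name and datagram ports discussed in this thread; add 67 and 68 when the helper also relays DHCP.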

As much as MS would like to tell you that WINS is no longer needed, it is still best to configure it in a Windows domain. It will take care of your problem.

Set up WINS on your DC(s). Takes about 5 minutes. Don't worry about any fancy setups, the basic stuff will work fine for you.

Either add the WINS servers in the individual IP configs, or add options 44 and 46 (set to 8) in your DHCP settings.

You didn't need it when you were in a single segment because broadcasts took care of the NETBIOS name resolution.

It is possible to configure the NETBIOS names in a table on each client machine, but that is ugly and inflexible.

The reason the helper address worked is that NETBIOS is attempting to resolve the names via broadcast. The helper address forwards those messages.

Jim

Reply to
Jim McCarty

Firstly.. thank you Jim and BernieM for the useful info... you guys helped me a lot... I didn't try WINS, but I would because now I have another problem...

The MCSE who was here configured 2 Ter. Servers and load balancing between them. He gave two IP addresses to every TS, and this other virtual address is not pingable from another VLAN... I'm confused now! So it seems that the router is still blocking something, because you can reach the TS when you put a PC into its VLAN.

Also, you can reach the TS from any other VLAN using the TS 'main' IP address, but then you don't have load balancing...

I'm just starting to learn 2003 Server so I don't know much about it...

Reply to
Vjeran

As Jim already stated... you need a WINS server since you no longer have a flat network.

Reply to
Larry
