Can't contact domain controller when using Site to Site VPN

SOLVED
FractalJedi
Here to help

Hi all,

I'm needing some help with troubleshooting a situation where the workstations at a new site cannot find the domain controller.

Preface:

Site 1 = Established domain in another city. Subnet is 192.168.1.0/24. DHCP/Authentication is the Domain Controller.

Site 2 = New site (should be on the same domain). Subnet is 192.168.2.0/24. DHCP is the MX Router.

Successfully created site-to-site VPN.

So I set up a workstation that was shipped over yesterday from site 1 to site 2. But when I try to log on today, it flat out tells me that no domain controller can be found to authenticate against.

How/what changes can I make so that computers located at site 2 can communicate with the DC at site 1 to do basic authentication?

Thank you in advance and let me know if you need more information.

1 ACCEPTED SOLUTION

Okay, given everything you see here, I found the fix. It's not the best fix in the sense of optimal routing, but I added the local DNS server within the DHCP > Custom Nameserver settings and NOT the SD WAN Uplink settings.

FractalJedi_0-1615323130779.png

Originally it was set to the value of "Proxy to upstream DNS".

Now traffic is flowing and computers at Site 2 are authenticating to the Domain Controller at Site 1.


9 REPLIES
Bruce
Kind of a big deal

I assume you've tried all the basic stuff....

From the computer on Site 2 -

check that you have the DNS nameservers set as the domain controller IP address in the DHCP options

(that's how Windows clients find the Domain Controller)

try pinging the Domain controller by IP address (login with a local account), this will prove you have connectivity

try pinging the Domain controller by hostname, this will prove you have DNS working and DNS suffix or search domains

try pinging the Domain controller by FQDN, this proves DNS is working (even if the suffix/search domains aren't)
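The checks Bruce lists above and the accepted fix (DHCP handing out the Site 1 DC as nameserver instead of "Proxy to upstream DNS") both come down to one thing: a Windows client locates a domain controller by asking its configured nameserver for the `_ldap._tcp.dc._msdcs.<domain>` SRV record, and an ISP or public resolver has no view of that private AD zone. The script below is an added example written for this thread, not code from the original posts or from Meraki. It models the DC locator against two constructed zones (what the Site 1 DC's DNS answers versus what an upstream resolver answers) and Bruce's short-name-versus-FQDN distinction. The domain `corp.example`, the host `dc1.corp.example`, its address `192.168.1.10` and the ISP zone contents are all constructed for the demo; the `dnspython_resolver` adapter assumes the dnspython package is installed and is only needed for a live check from a real workstation.

```python
"""Model how a Site 2 client finds its DC through DNS, and why the choice of
DHCP nameserver decides whether the lookup succeeds (added example; all names
and addresses are constructed)."""
from typing import Callable, Dict, List, Optional, Tuple

# resolve(name, rrtype) -> list of answer strings; raises LookupError when the
# nameserver cannot answer (standing in for NXDOMAIN / SERVFAIL / timeout).
Resolver = Callable[[str, str], List[str]]


def make_stub_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Build an offline resolver over a constructed in-memory zone."""
    def resolve(name: str, rrtype: str) -> List[str]:
        key = (name.lower().rstrip("."), rrtype.upper())
        if key not in zone:
            raise LookupError(f"{rrtype} {name}: no answer")
        return list(zone[key])
    return resolve


# Constructed zone 1: what the Site 1 domain controller's DNS service answers.
INTERNAL_DC_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_ldap._tcp.dc._msdcs.corp.example", "SRV"): ["dc1.corp.example"],
    ("dc1.corp.example", "A"): ["192.168.1.10"],
}

# Constructed zone 2: what an ISP / public upstream resolver knows. It has no
# view of the private AD zone, so every corp.example query fails.
ISP_UPSTREAM_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("www.example.net", "A"): ["203.0.113.10"],  # TEST-NET-3 placeholder address
}


def locate_dc(domain: str, resolve: Resolver) -> Dict[str, Optional[str]]:
    """First two steps of the Windows DC locator: SRV record, then A record.

    A client that gets no SRV answer reports "no domain controller could be
    found", which is the symptom in the thread."""
    report: Dict[str, Optional[str]] = {"dc_host": None, "dc_ip": None, "reason": ""}
    srv_name = f"_ldap._tcp.dc._msdcs.{domain}"
    try:
        targets = resolve(srv_name, "SRV")
    except LookupError as exc:
        report["reason"] = f"SRV lookup failed: {exc}"
        return report
    report["dc_host"] = targets[0]
    try:
        report["dc_ip"] = resolve(targets[0], "A")[0]
    except LookupError as exc:
        report["reason"] = f"A lookup for {targets[0]} failed: {exc}"
        return report
    report["reason"] = "ok"
    return report


def resolve_short_name(host: str, suffixes: List[str], resolve: Resolver) -> Optional[str]:
    """Bruce's hostname-vs-FQDN point: a bare name only resolves when a DNS
    suffix / search domain turns it into an FQDN the nameserver knows."""
    for suffix in suffixes:
        try:
            return resolve(f"{host}.{suffix}", "A")[0]
        except LookupError:
            continue
    return None


def compare_dhcp_nameserver_choices(domain: str = "corp.example") -> Dict[str, Dict[str, Optional[str]]]:
    """Run the locator against both nameserver choices the thread discusses."""
    return {
        "proxy_to_upstream": locate_dc(domain, make_stub_resolver(ISP_UPSTREAM_ZONE)),
        "custom_nameserver_dc": locate_dc(domain, make_stub_resolver(INTERNAL_DC_ZONE)),
    }


def dnspython_resolver(name: str, rrtype: str) -> List[str]:
    """Live adapter (assumed dependency: `pip install dnspython`) so the same
    check can be run from a real Site 2 workstation against its nameserver."""
    import dns.exception  # imported lazily; the offline demo needs no dependency
    import dns.resolver
    try:
        answers = dns.resolver.resolve(name, rrtype)
    except dns.exception.DNSException as exc:
        raise LookupError(str(exc)) from exc
    if rrtype.upper() == "SRV":
        return [r.target.to_text().rstrip(".") for r in answers]
    return [r.address for r in answers]


if __name__ == "__main__":
    for choice, result in compare_dhcp_nameserver_choices().items():
        print(f"{choice}: {result}")
    internal = make_stub_resolver(INTERNAL_DC_ZONE)
    print("short name with search suffix:", resolve_short_name("dc1", ["corp.example"], internal))
    print("short name without suffix:", resolve_short_name("dc1", [], internal))
```

Run as-is, the "proxy_to_upstream" case fails at the SRV step while "custom_nameserver_dc" returns 192.168.1.10, which matches the behaviour before and after the accepted fix. The short-name calls show why pinging by hostname can fail while pinging by FQDN works: the client needs a DNS suffix, not just a working nameserver. To check a live workstation, call `locate_dc("<your AD domain>", dnspython_resolver)`; a failure there means the nameserver handed out by DHCP cannot see the AD zone, regardless of whether the VPN itself is up.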

Hi Bruce,

Yes, and I even stumped a Meraki technician tonight who also felt like my settings in Meraki were correct. So it may be that the problem lies on my domain controller. I'll explain, but first to confirm...

1. From the computer at site 2, yes, I can ping the IP address of the DC and it resolves.

2. From the computer at site 2, no, I cannot ping the DC using the server name or FQDN.

3. Within the Meraki MX Gateway under Security & SDWAN > Active Directory, settings are good and status = green check. Even the LDAP groups looked good according to Meraki support.

4. DNS settings reviewed on both MX Gateways. Each one reflects the Internet provider's primary DNS & Google or 8.8.8.8.

5. Where I think I'm stuck is about 1/3 of the way down on this link: https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...

In the graphic below, I've marked where I was no longer able to follow the instructions. I'm supposed to view a certificate. The graphic after this is what I see.

FractalJedi_0-1615289315514.png

This is what I see when I view my certificate. This was exported to the desktop from my Certificate MMC.msc.

FractalJedi_1-1615289610204.png

or from within my Certificate MMC.msc which I created based on another Meraki tutorial.

FractalJedi_2-1615289732752.png

The gist of this is that I create a certificate trust with LDAPS based on a security update from Microsoft back in 2019, or so I read. So I'm stuck at that point in the tutorial, and the Meraki technician concurs that it's most likely there I'll find the fix. So the real question is... what am I missing in that part of the tutorial about "Certificate Requirements for TLS"?

Thank you again.

dufour_francois
Here to help

Hello, create a reverse in your DNS with the good IP.

Sorry Francois,

Can you elaborate further? Do I create the reverse DNS within one of the two Meraki MX Gateways? If yes, I assume it's the gateway that hosts the domain controller?

Thanks.

Hi,

If the DNS server is Windows, go into DNS and create a reverse DNS zone; the reverse brings the FQDN.

dufour_francois_0-1615292796555.png

Try and tell me.

Yeah, the Domain Controller is there in the reverse lookup zone.

FractalJedi_0-1615317398698.png

FractalJedi_1-1615317413525.png


Great, good job.

But for me, the DC is only in this zone (DNS, DHCP). But all is OK then. Great!

Good job.

dufour_francois_0-1615359441926.png
