Client PC on VLAN gets IP from DHCP but won't Join Domain

October 30, 2019 at 02:44:29
Specs: Windows Server 2016, Ryzen 1600, 32GB Dominator RAM
Summary: Apologies in advance, this is my first pure IT job; I have not had much experience apart from academic training. The company is a non-profit with a tight budget, so the internal IT is solely my responsibility and I have a small amount of money to get it done. The following project is based on research and my studies.

Since I started I have had all employees' clients on a 'Workgroup' network; this was when we had a head count under 20. Now with 30+ employees I want to manage all privileges and security from a physical AD DC. I have been testing this idea and figuring it out in a lab environment (segmented on a separate subnet/VLAN).

I wanted a minimum of 3 VLANs, mainly from a security standpoint. For example there are hire rooms for visitors with computers; I want these computers connected via Ethernet but on a different logical network (currently using guest Wi-Fi). To keep things simple, our internal staff client computers would be on one VLAN. The following two VLANs/subnets are the ones I wanted to focus on:

10.10.1.X/24, VLAN ID #3 ( Staff)

10.10.10.X/24 VLAN ID #10 ( Visitors)

So far I have managed to create two (three including the default) VLANs on my router and on one of the Cisco switches. I created a trunk from the router to the switch; this works fine. To accomplish this, I had to use three of the router NIC interfaces; each interface had to be given an IP for each of the subnets, and each subnet was then assigned VLAN tags. The Cisco SG300 is a little different: IP addresses are not needed, instead you just tag the ports for trunk, or leave the port with a VLAN ID (untagged for access). See the image in the link below
Image 1 http://tiny.cc/nf1efz

The server, in the interim, is a repurposed workstation. Please don't hate me just yet; I will replace it once I get this working (via bare-bones image).

On the server I have created DNS, DC, DHCP and AD. For the DHCP server I created two scopes:

10.10.1.101~150 /24

10.10.10.11~50/24


I then figured I needed to create virtual adapters (aka VLANs) on the server itself. To do this, I opened the Realtek diagnostics software and added instances of VLAN; this seems to work OK, see below for the virtual adapters:
http://tiny.cc/j30efz

Then I understood that I needed DHCP relay agents; this was a simple check box on the switch, for each VLAN.

So if you followed this far, the DHCP server seems to be doing the job just fine. Packets are sent from the server to the clients on both VLANs on the different subnets, when connected to their respective access ports. The next stage would be for me to add computers. This is where things get a little strange. I can add computers that share the same IP range as the physical server NIC, but for some reason the VLAN 10 computers cannot contact the domain. Also, it appears I cannot ping between the subnets. For example if I connect a guest computer to a guest VLAN port, it gets an IP address from the server for the guest network (10.10.10.X) but, for whatever reason, it does not contact the domain and I cannot ping the DHCP server. I am a bit stumped.

Can anyone suggest anything to try? Many thanks

message edited by 90Ninety


#1
October 30, 2019 at 03:13:07
wrong post content deleted per trvlr

message edited by trvlr


#2
October 30, 2019 at 03:22:34
Pardon, what was deleted?


#3
October 30, 2019 at 03:46:32
Have you configured the default gateways for the DHCP ranges correctly on the DHCP server? Have you checked the full IP settings that the clients get from the server rather than just the address?

Your problem is the lack of IP routing between the two ranges, which would explain why you can't ping the server or join the domain.

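One way to check what reply #3 asks, as an added example rather than code from the thread: PowerShell from the DhcpServer module defines the two scopes from the original post with their gateway (option 3), DNS (option 6) and domain suffix (option 15), then reads every scope's options back and warns when a gateway is missing or lies outside its own subnet. The domain name corp.example and the guest resolver 10.10.10.1 are assumptions, not values from the thread.

```powershell
# Added example, not the poster's configuration. Run on the DHCP server as an administrator.
Import-Module DhcpServer

$dc     = '10.10.1.10'    # DC/DNS/DHCP server's staff-VLAN address (from the thread)
$domain = 'corp.example'  # assumed placeholder; the thread never names the AD domain

# Network id of an address under a mask, used as the DHCP ScopeId.
function Get-NetworkId([string]$Ip, [string]$Mask) {
    $i = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $net = for ($k = 0; $k -lt 4; $k++) { $i[$k] -band $m[$k] }
    return ($net -join '.')
}

$scopes = @(
  @{ Name='Staff (VLAN 3)';     Start='10.10.1.101'; End='10.10.1.150'; Mask='255.255.255.0'; Router='10.10.1.1';  Dns=$dc;          Suffix=$domain },
  # Visitors get a resolver that is not the DC (assumed: the router), so guests never query AD DNS.
  @{ Name='Visitors (VLAN 10)'; Start='10.10.10.11'; End='10.10.10.50'; Mask='255.255.255.0'; Router='10.10.10.1'; Dns='10.10.10.1'; Suffix=$null }
)

foreach ($s in $scopes) {
    $scopeId = Get-NetworkId $s.Start $s.Mask
    if (-not (Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End -SubnetMask $s.Mask -State Active
    }
    # -Force skips the cmdlet's live DNS validation so the guest scope can point at a non-DC resolver.
    $opt = @{ ScopeId = $scopeId; Router = $s.Router; DnsServer = $s.Dns; Force = $true }
    if ($s.Suffix) { $opt.DnsDomain = $s.Suffix }
    Set-DhcpServerv4OptionValue @opt
}

# Verification: a scope without a router inside its own subnet hands out an address
# but no way off the VLAN, which is the symptom described in the original post.
foreach ($scope in Get-DhcpServerv4Scope) {
    $router = (Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 3 -ErrorAction SilentlyContinue).Value
    $dns    = (Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue).Value
    if (-not $router) { Write-Warning "$($scope.Name): no default gateway (option 3) set"; continue }
    if ((Get-NetworkId $router[0] $scope.SubnetMask) -ne $scope.ScopeId.IPAddressToString) {
        Write-Warning "$($scope.Name): gateway $($router[0]) is not inside $($scope.ScopeId)"
    }
    if (-not $dns) { Write-Warning "$($scope.Name): no DNS server (option 6) set" }
    "{0,-20} scope {1,-12} gw {2,-12} dns {3}" -f $scope.Name, $scope.ScopeId, ($router -join ','), ($dns -join ',')
}
```

On a client, `ipconfig /all` should then show the same gateway and DNS values for its VLAN; if it shows an address but no gateway, the scope options, not the relay, are what to fix.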

#4
October 30, 2019 at 03:59:22
Hi Jack, I presumed the default gateways for each subnet should be the IP address of the upstream router LAN bridge interface. In this case, it is:
Subnet/VLAN 3: 10.10.1.1
Subnet/VLAN 10: 10.10.10.1

I did allow inter-VLAN routing on the router but possibly have to do this on the switches then?

A few things which are further confusing me. From a Windows client PC on subnet 10.10.10.X, I can ping the server on 10.10.1.10 (inter-VLAN). However I cannot ping vice versa (cannot ping from the server to the client PC). I have tried ping from the separate server VLAN NICs but nothing returns.

I wondered if the server virtual NICs have been configured correctly; they are as follows:

Ethernet adapter Physical Adapter:

Connection-specific DNS Suffix . :
Autoconfiguration IPv4 Address. . : 169.254.5.239
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :

Ethernet adapter VLAN 3 (staff):

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4977:a2XXXXXXXX
IPv4 Address. . . . . . . . . . . : 10.10.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.1.1

Ethernet adapter VLAN 10:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::91f5:3e27:8XXXXXXXX
IPv4 Address. . . . . . . . . . . : 10.10.10.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.1

message edited by 90Ninety


#5
October 30, 2019 at 06:09:39
re #2 and ref to #1...

I was posting a response (created in Word to copy into a post here) to another thread here and inadvertently opened this one in error.

So nothing of value/relevance missing here.


#6
October 30, 2019 at 06:57:37
Diagram had wrong VLANs on, updated one here:
https://bit.ly/2NiISEc


#7
October 30, 2019 at 07:57:12
I can add computers that share the same IP range as the physical server NIC but for some reason, the VLAN 10 computers cannot contact the domain.

This is correct. You do not want visitors to have access to your internal resources. You want them to have access to the internet only. Or at least, I believe this should be the way it is. You do want "guest" access separated from "staff" do you not?

Only staff should have access to staff resources and the AD domain.

Also, it appears I cannot ping between the subnets

Again, you shouldn't be able to. The whole point of using the VLANs is to segment the "visitor/guest" subnet from the internal "staff" subnet. Done correctly, this is the result.


For example if I connect a guest computer to a guest VLAN port, it gets an IP address from the server for the guest network (10.10.10.X) but, for whatever reason, it does not contact the domain and I cannot ping the DHCP server. I am a bit stumped.

If the guest computer is getting a correct IP from the guest subnet (VLAN) then all is working as it should. The fact that you can't ping can be as simple as the Windows server (DHCP server) having ICMP (ping) turned off, and that's why it's not replying. Can the client connect to the internet? If so, then it's all working as it should.

As to it not contacting the AD controller to authenticate, again, that's what you want. You want guest VLAN to have access to the internet, but not internal resources.


A couple of things I might mention. If you're using virtual network interfaces on your server in order to add VLAN tags to the interface, you don't need to. I would recommend using one physical interface per VLAN and letting the switch do the tagging. It's simpler to do it that way and makes management/troubleshooting easier as well.

Align your VLAN tags with your subnets.
ex:
VLAN 1 = 10.10.1.0/24
VLAN 2 = 10.10.2.0/24
VLAN 3 = 10.10.3.0/24

It's easier to remember this way.

You might want to disable IPv6 on your interfaces. If you're not using IPv6 internally it's just extra overhead.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


#8
October 30, 2019 at 09:34:27
Hi Curt, maybe I'm conflating two ideas: having Windows security managed by AD GPO/OU, and having computers on a different subnet/VLAN.

The reason for the potential conflation: the guest machines are within semi-hired rooms that are also accessed by internal employees 2/5 times a week (to give training).

Is this not possible? Or would I have to deploy a cluster, or one server per subnet?

message edited by 90Ninety


#9
October 30, 2019 at 11:27:26
I think trying to use AD, OUs and security policies within AD to deal with the training PCs is over complicating things. It's a whole lot simpler to maintain separation between staff and guest networks if you don't try to control the guest PCs through AD.

Might I suggest for the training labs a product like Rollback or DeepFreeze. This way you can leave those computers completely independent of your AD domain yet control what goes on them and how long it stays.

The problem with using AD policies and OUs on your lab computers is that you then need to put those computers into the domain, which takes you back around to not being able to easily segregate guest and staff traffic. As an alternative I suppose you could look into using the Local Policy on each PC. If it works, you create one config then copy it to all PCs in the training labs and deploy it that way.

#10
November 1, 2019 at 02:40:17
Hi Curt

I removed the server's virtual adapters, as I understand they are not needed. Now the server has one physical adapter and I have put it onto the Staff VLAN (via access port on switch).

Now only clients from the Staff VLAN get IP addresses; clients do not get IP addresses from the Training/Shared VLAN access ports.

message edited by 90Ninety


#11
November 4, 2019 at 06:51:03
Removing the trunk from the server (removing the VLAN NIC instances) and putting the server on an access port for 'Staff' has caused the 'Training/Guest' clients to stop getting IP addresses.

Any ideas?

message edited by 90Ninety


#12
November 18, 2019 at 09:44:30
Sorry for the delay but it's hunting season and I always take the first two weeks of November off for hunting. I'm back now so let's see if we can help you out.

I removed the server's virtual adapters, as I understand they are not needed. Now the server has one physical adapter and I have put it onto the Staff VLAN (via access port on switch).

Now only clients from the Staff VLAN get IP addresses; clients do not get IP addresses from the Training/Shared VLAN access ports.

As I stated previously, after removing the virtual NICs, you'll need to install a second physical NIC if you don't have two on your server already. Once you have a second one installed, you will connect it to a port on the switch configured for the "training/shared" network. Then PCs on that subnet will be able to contact your DHCP server.

If you do it the way I'm suggesting (one NIC per network, connected to a switch port with the appropriate VLAN defined on said port) you won't need a trunk port between switch and server. In fact, you shouldn't be creating a trunk port between server and switch at all.