Sign in with
Sign up | Sign in
Your question

VPN + AD + DNS

Tags:
  • VPN
  • Active Directory
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
January 10, 2005 4:01:16 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hello all:

Our XP laptop clients connect directly to our internal network as
domain members. When they are traveling around the world they use our
SonicWall VPN.

The client systems use DHCP to grab the most appropriate information
for their location, and are configured with static WINS addresses to
improve browsing of our internal network. The VPN software is
configured for split tunneling in order to minimize the bandwidth
demands on our VPN.

This configuration has always worked perfectly, until we migrated our
network to Active Directory, and abruptly discovered that these VPN
clients now require persistent access to our internal AD DNS server in
order to properly authenticate internal network resources.

After reading hundreds of posts I am still not clear if any sort of
tinkering with hosts or lmhosts can resolve this. We are considering
statically configuring the client DNS entries for a primary "Internet
root server" and a secondary "internal AD DNS server" but are looking
for better solutions.

Any advice is appreciated...

More about : vpn dns

Anonymous
January 11, 2005 12:15:01 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Some testing and talking to others with similar problems has lead me to
believe that DNS automatically uses the DNS servers on the interface with
the lowest cost gateway. So I would suggest you try this:

-- Configure the costs on the gateway metric for the VPN gateway to be
lower than that of the Internet connection.

HOSTS can't help with SRV records.

The suggestion of configuring DNS with public and then private won't work:
if the first DNS server cannot resolve the name the resolver doesn't then
use the second. The second is only used if the first doesn't respond within
the timeout period.

If these are business machines, I'd only use internal DNS; the internal DNS
can then resolve external. If they use the laptops outside of the VPN
though, you can't do this.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

<EdwardLHall@hotmail.com> wrote in message
news:1105390876.819502.221190@c13g2000cwb.googlegroups.com...
Hello all:

Our XP laptop clients connect directly to our internal network as
domain members. When they are traveling around the world they use our
SonicWall VPN.

The client systems use DHCP to grab the most appropriate information
for their location, and are configured with static WINS addresses to
improve browsing of our internal network. The VPN software is
configured for split tunneling in order to minimize the bandwidth
demands on our VPN.

This configuration has always worked perfectly, until we migrated our
network to Active Directory, and abruptly discovered that these VPN
clients now require persistent access to our internal AD DNS server in
order to properly authenticate internal network resources.

After reading hundreds of posts I am still not clear if any sort of
tinkering with hosts or lmhosts can resolve this. We are considering
statically configuring the client DNS entries for a primary "Internet
root server" and a secondary "internal AD DNS server" but are looking
for better solutions.

Any advice is appreciated...
January 11, 2005 7:36:59 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

We have the exact same setup. Is the Sonicwall set to use the internal DNS
servers?

Ours worked before and after the AD migration, however our Sonicwall
provides the internal network with the DHCP address, DNS, etc.

<EdwardLHall@hotmail.com> wrote in message
news:1105390876.819502.221190@c13g2000cwb.googlegroups.com...
> Hello all:
>
> Our XP laptop clients connect directly to our internal network as
> domain members. When they are traveling around the world they use our
> SonicWall VPN.
>
> The client systems use DHCP to grab the most appropriate information
> for their location, and are configured with static WINS addresses to
> improve browsing of our internal network. The VPN software is
> configured for split tunneling in order to minimize the bandwidth
> demands on our VPN.
>
> This configuration has always worked perfectly, until we migrated our
> network to Active Directory, and abruptly discovered that these VPN
> clients now require persistent access to our internal AD DNS server in
> order to properly authenticate internal network resources.
>
> After reading hundreds of posts I am still not clear if any sort of
> tinkering with hosts or lmhosts can resolve this. We are considering
> statically configuring the client DNS entries for a primary "Internet
> root server" and a secondary "internal AD DNS server" but are looking
> for better solutions.
>
> Any advice is appreciated...
>
Related resources
Anonymous
January 12, 2005 1:52:49 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have never been a fan of using the 'networking hardware' to provide this
information. Sure, it works but I just feel that it would be better to use
Windows for your DHCP and DNS 'provider'. You loose some of the benefits of
using Windows for this. A person with whom I used to work always used the
Sonic Firewall to provide this information. While there were never any real
problems we were just not taking advantage of Active Directory Integrated
DNS and the like.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"CJ" <chrisj@illicom.net> wrote in message
news:LgTEd.237$cQ1.86146@newshog.newsread.com...
> We have the exact same setup. Is the Sonicwall set to use the internal
> DNS servers?
>
> Ours worked before and after the AD migration, however our Sonicwall
> provides the internal network with the DHCP address, DNS, etc.
>
> <EdwardLHall@hotmail.com> wrote in message
> news:1105390876.819502.221190@c13g2000cwb.googlegroups.com...
>> Hello all:
>>
>> Our XP laptop clients connect directly to our internal network as
>> domain members. When they are traveling around the world they use our
>> SonicWall VPN.
>>
>> The client systems use DHCP to grab the most appropriate information
>> for their location, and are configured with static WINS addresses to
>> improve browsing of our internal network. The VPN software is
>> configured for split tunneling in order to minimize the bandwidth
>> demands on our VPN.
>>
>> This configuration has always worked perfectly, until we migrated our
>> network to Active Directory, and abruptly discovered that these VPN
>> clients now require persistent access to our internal AD DNS server in
>> order to properly authenticate internal network resources.
>>
>> After reading hundreds of posts I am still not clear if any sort of
>> tinkering with hosts or lmhosts can resolve this. We are considering
>> statically configuring the client DNS entries for a primary "Internet
>> root server" and a secondary "internal AD DNS server" but are looking
>> for better solutions.
>>
>> Any advice is appreciated...
>>
>
>
Anonymous
January 12, 2005 4:31:33 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hmmm, if I reversed the DNS entries, so that the internal is the
primary and the external is the secondary, then they should work
correctly both in house and over VPN.

When they just need to connect to the Internet without VPN, the
internal "would not respond" and they would resolve using the
external...

I will be running tests next week and will let everyone know what I
discover...

Thanks.
Anonymous
January 23, 2005 8:56:44 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Did you get this working?


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


<EdwardLHall@hotmail.com> wrote in message
news:1105565493.061043.270890@f14g2000cwb.googlegroups.com...
Hmmm, if I reversed the DNS entries, so that the internal is the
primary and the external is the secondary, then they should work
correctly both in house and over VPN.

When they just need to connect to the Internet without VPN, the
internal "would not respond" and they would resolve using the
external...

I will be running tests next week and will let everyone know what I
discover...

Thanks.
Anonymous
January 31, 2005 7:50:59 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

OK, We found two solutions.

1. On the LOCAL AREA ADAPTER statically configure the PRIMARY DNS
server as the Internal AD DNS server and the SECONDARY DNS server with
any public server that is appropriate.

The only stability problem here is that roaming VPN users may not pick
up the most appropriate public DNS server for their location.

2. In our case, using a SonicWall VPN, we configured the Sonicwall to
pass out a virtual IP address, along with our internal DNS and WINS
servers, via DHCP to the VPN clients. This resolved the problem
entirely and allowed us to leave the LOCAL AREA ADAPTER without any
static configuration.

Hope this helps.
Anonymous
January 31, 2005 9:33:15 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks for the follow-up, I'm sure this info. will help others.

I'll also note this, as it's somewhat easier to manage than my solution ;-)


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

<EdwardLHall@hotmail.com> wrote in message
news:1107175859.061402.286790@c13g2000cwb.googlegroups.com...
OK, We found two solutions.

1. On the LOCAL AREA ADAPTER statically configure the PRIMARY DNS
server as the Internal AD DNS server and the SECONDARY DNS server with
any public server that is appropriate.

The only stability problem here is that roaming VPN users may not pick
up the most appropriate public DNS server for their location.

2. In our case, using a SonicWall VPN, we configured the Sonicwall to
pass out a virtual IP address, along with our internal DNS and WINS
servers, via DHCP to the VPN clients. This resolved the problem
entirely and allowed us to leave the LOCAL AREA ADAPTER without any
static configuration.

Hope this helps.
!