DNS for AD in VPN/DMZ

Archived from groups: microsoft.public.win2000.dns (More info?)

Hello,
I want to configure a DNS server so users can log on to domain(win2k) through Cisco VPN client.

I do not want to put a DC in the DMZ. I would like to put a DNS server with server records in this zone.

Anyone done this or know of any good resources?
Challenges include that it is a different network with different IP addressing.
Security to me is a huge concern.

Bill
13 answers
  1. Archived from groups: microsoft.public.win2000.dns (More info?)

    "sheaff" <sheaff@discussions.microsoft.com> wrote in message
    news:858D7427-0C07-49D4-ABC1-F39C8FA3D477@microsoft.com...
    > Hello,
    > I want to configure a DNS server so users can log on to domain(win2k)
    through Cisco VPN client.

    > I do not want to put a DC in the DMZ. I would like to put a DNS server
    with server records in this zone.

    First, if it is not a DC, just make it a "secondary" (or some variant*).

    > Anyone done this or know of any good resources to find.

    What do you want? A DNS server?

    > Challanges include that it is a different network with different IP
    addressing.

    That is largely irrelevant to DNS and actually helps in a way,
    since you can use the possible "client" addresses to filter out
    unauthenticated requests.

    > Security to me is a huge concern.

    If you use a secondary, filtered for only those addresses that
    authenticated through the VPN, you pretty much remove the
    threat from any machine that cannot defeat your VPN anyway.

    DNS in such a situation is NOT a major source of your security
    concerns -- the VPN server, and the client accounts are much
    higher risks at that point. (Manageable, but much higher than DNS.)

    * With Win2003 DNS server you could use a "stub zone" or perhaps
    even "conditional forwarding" but this is not a terrifically significant
    difference to the overall design. Likewise with BIND you could
    use VIEWS as an adjustment on the DMZ DNS server.


    --
    Herb Martin
  2. Archived from groups: microsoft.public.win2000.dns (More info?)

    Thanks for the response.

    I have a different address (network) in the VPN.
    A clearer question: what records do I need to create in the DMZ DNS?
    _gc
    _kerberos
    _kpassword
    _ldap
    ??
    I wish to put the DNS server in the VPN network, outside of our private network. Is this the correct plan?
    ??
    thanks
  3. Archived from groups: microsoft.public.win2000.dns (More info?)

    "sheaff" <sheaff@discussions.microsoft.com> wrote in message
    news:E40EC6C3-D456-4635-B644-5736CBFEA7D7@microsoft.com...
    > Thanks for the response.
    >
    > I have different address (network) in VPN.

    Why do you mention this?

    What about different address ranges do you think is
    important to DNS?

    > A more clear question, what records do I need to create in the DMZ DNS?
    > _gc
    > _kerberos
    > _kpassword
    > _ldap

    Actually you should NOT "create" any of those but rather make
    the DMZ a secondary and let it pull them automatically from an
    internal DNS server.

    It is impractical to create AND maintain those records accurately.

    > I wish to put the DNS server in the VPN network, outside of our private
    network. Is this the correct plan?

    Maybe. Once the users "reach" that VPN network, what do
    you want them to be ABLE to do and UNABLE to do?

    That is, to which resources should they be granted and denied
    access?

    How will they be granted that access? And with that access,
    how will you ensure they don't have access to other resources?


    --
    Herb Martin


  4. Archived from groups: microsoft.public.win2000.dns (More info?)

    Thanks again Herb.

    The problem is the DNS I wish to create in the DMZ uses different addresses than our private network.

    Example
    Private Network 172.16.44.0 /22 network
    DMZ Network 172.16.181.0 /24 network
    So if I create a secondary the address for DCs will not be correct.
    If I manually do this it won't be so bad.
    For our VPN users I want access to log in to the domain and access resources in the domain. I have a total of 2 DCs and the network is static.

    thanks,
    Bill
  5. Archived from groups: microsoft.public.win2000.dns (More info?)

    "sheaff" <sheaff@discussions.microsoft.com> wrote in message
    news:1C9FD4FA-9230-4637-9C28-5E533432CF36@microsoft.com...
    > Thanks again Herb.
    >
    > The problem is the DNS I wish to create in the DMZ uses different
    addresses than our private network.

    You keep saying that like it matters -- for DNS it does NOT
    matter.

    DNS is an IP service and thus routable. Clients can be on one
    network and easily query servers on another -- this happens
    millions of times every day (every second probably) on the Internet.

    Home users query ISP DNS servers that are on another subnet or
    even another network.

    As long as your IP network is functional (routable) it will be
    irrelevant.

    > Example
    > Private Network 172.16.44.0 /22 network
    > DMZ Network 172.16.181.0 /24 network
    > So If I create a secondary the address for DCs will not be correct.

    What?

    As long as your router can deal with those two ranges
    then you have no problem.

    The ranges do look a bit odd, but there is nothing inherently
    incorrect or troublesome about them.

    > If I manually do this it won't be so bad.

    Huh? You don't have a problem.

    > For our VPN users I want access to login to Domain and access resources in
    the Domain. I have a total of 2 DCs and network is static.

    Then you are depending on your VPN for (virtually) all of your
    security. Use a secure authentication mechanism for the VPN,
    like MS-CHAPv2.


    --
    Herb Martin


  6. Archived from groups: microsoft.public.win2000.dns (More info?)

    In news:1C9FD4FA-9230-4637-9C28-5E533432CF36@microsoft.com,
    sheaff <sheaff@discussions.microsoft.com> posted a question
    Then Kevin replied below:
    > Thanks again Herb.
    >
    > The problem is the DNS I wish to create in the DMZ uses
    > different addresses than our private network.
    >
    > Example
    > Private Network 172.16.44.0 /22 network
    > DMZ Network 172.16.181.0 /24 network
    > So If I create a secondary the address for DCs will not
    > be correct.
    > If I manually do this it won't be so bad.
    > For our VPN users I want access to login to Domain and
    > access resources in the Domain. I have a total of 2 DCs
    > and network is static.
    >
    Create it as a secondary; this will bring in all the SRV records. Then
    change it to a standard primary and manually edit the A records with the
    correct IP addresses.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ============================
    --
    When responding to posts, please "Reply to Group" via your
    newsreader so that others may learn and benefit from your
    issue. To respond directly to me remove the nospam. from my
    email. ==========================================
    http://www.lonestaramerica.com/
    ==========================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ==========================================
    Keep a back up of your OE settings and folders with
    OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ==========================================
  7. Archived from groups: microsoft.public.win2000.dns (More info?)

    > Create it as a a secondary, this will bring in all the SRV records then,
    > change it to a standard primary and manully edit the A records with the
    > correct IP addresses.

    He is NOT trying to create a "shadow" or "split" DNS.


    --
    Herb Martin
  8. Archived from groups: microsoft.public.win2000.dns (More info?)

    In news:OIQmOr4YEHA.996@TK2MSFTNGP12.phx.gbl,
    Herb Martin <news@LearnQuick.com> posted a question
    Then Kevin replied below:
    >> Create it as a a secondary, this will bring in all the
    >> SRV records then, change it to a standard primary and
    >> manully edit the A records with the correct IP addresses.
    >
    > He is NOT trying to create a "shadow" or "split" DNS.

    That is exactly what he is saying he wants; I'm not saying that is what he
    needs. His router should be able to route between the two subnets, but he
    wants the two subnets to resolve separately.
    Why he wants to do it this way, I don't know.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
  9. Archived from groups: microsoft.public.win2000.dns (More info?)

    > >> Create it as a a secondary, this will bring in all the
    > >> SRV records then, change it to a standard primary and
    > >> manully edit the A records with the correct IP addresses.
    > >
    > > He is NOT trying to create a "shadow" or "split" DNS.
    >
    > That is exactly what he is saying he wants, I'm not saying that is what he
    > needs. His router should be able to route between the two subnets, but he
    > wants to two subnets to resolve separately.
    > Why he wants to do it this way, I don't know.

    No, you need to re-read more carefully or ask him for
    clarification before you confuse him more.
  10. Archived from groups: microsoft.public.win2000.dns (More info?)

    In news:ORYkSY5YEHA.2016@TK2MSFTNGP09.phx.gbl,
    Herb Martin <news@LearnQuick.com> asked for help and I offered my
    suggestions below:
    >>>> Create it as a a secondary, this will bring in all the
    >>>> SRV records then, change it to a standard primary and
    >>>> manully edit the A records with the correct IP addresses.
    >>>
    >>> He is NOT trying to create a "shadow" or "split" DNS.
    >>
    >> That is exactly what he is saying he wants, I'm not saying that is
    >> what he needs. His router should be able to route between the two
    >> subnets, but he wants to two subnets to resolve separately.
    >> Why he wants to do it this way, I don't know.
    >
    > No, you need to re-read more carefully or ask him for
    > clarification before you confuse him more.

    If you ask me, I believe he IS trying to create a shadow zone on the DMZ
    DNS. That's the way I read it, unless I misread it, from this part of his
    original post:

    > I do not want to put a DC in the DMZ.
    > I would like to put a DNS server with
    > server records in this zone.

    Meaning his internal records on this DNS in the DMZ.
    As Kevin said, the DMZ needs to communicate with the internal network with
    static routes or what have you to make it work.


    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
    Microsoft Windows MVP - Active Directory

    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
    --
    =================================
  11. Archived from groups: microsoft.public.win2000.dns (More info?)

    In news:858D7427-0C07-49D4-ABC1-F39C8FA3D477@microsoft.com,
    sheaff <sheaff@discussions.microsoft.com> asked for help and I offered my
    suggestions below:
    > Hello,
    > I want to configure a DNS server so users can log on to domain(win2k)
    > through Cisco VPN client.
    >
    > I do not want to put a DC in the DMZ. I would like to put a DNS
    > server with server records in this zone.
    >
    > Anyone done this or know of any good resources to find.
    > Challanges include that it is a different network with different IP
    > addressing.
    > Security to me is a huge concern.
    >
    > Bill

    I believe Kevin mentioned to create a secondary on your DMZ DNS of your
    internal AD domain zone. This way the clients can access the internal subnet
    and domain. But you need to make sure you have network connectivity from the
    DMZ to the internal subnet, assuming you already have that.

    --
    Regards,
    Ace
  12. Archived from groups: microsoft.public.win2000.dns (More info?)

    Thanks guys!

    I may have been a little unclear, but I think Kevin understood the question.
    The VPN network is secure, we use a Cisco concentrator and the clients use Cisco VPN client.

    We only allow hosts that authenticate in. We only allow certain hosts to be seen by the VPN clients. All the mapping is accomplished with a Cisco PIX firewall.

    Kevin has me on the correct track, and I think this will be the easiest and the optimal to do.

    Thank you for all of your input.

    If I have drastic changes, which is unlikely, it can be redone (new DCs, etc.); it is OK.
    I also do not mind manually putting in some host records.
    This looks like it will be much easier than I thought.
    Some things are so automated today, it seems to make things more difficult.
  13. Archived from groups: microsoft.public.win2000.dns (More info?)

    In news:3797DB82-3948-4AB2-9186-20A6AF973976@microsoft.com,
    sheaff <sheaff@discussions.microsoft.com> posted a question
    Then Kevin replied below:
    > Thanks guys!
    >
    > I may have been a little unclear, but I think Kevin
    > understood the question.
    > The VPN network is secure, we use a Cisco concentrator
    > and the clients use Cisco VPN client.
    >
    > We only allow hosts that authenticate in. We only allow
    > certain hosts to be seen by the VPN clients. All the
    > mapping is accomplished with a Cisco PIX firewall.
    >
    > Kevin has me on the correct track, and I think this will
    > be the easiest and the optimal to do.
    >
    > Thank you for all of your input.
    >
    > If I have drastic changes, which is unlikely it can be
    > redone (new dcs, etc) it is ok.
    > I also do not mind manually putiing in some host records.
    > This looks like it will be much easier than I thought.
    > Somethings are so automated today, it seems to make
    > things more difficult.


    When you edit the A records don't forget to go into
    gc._msdcs.<dnsforestname> and edit the Global Catalog record.

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
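    Added example (not code from any poster in this thread): a Python script that carries out the
    procedure Kevin describes in his two replies, i.e. take the zone exactly as the DMZ secondary
    pulls it (so the _ldap, _kerberos, _kpasswd, _gc SRV records and the gc._msdcs glue are all
    present), then rewrite the A records of the domain controllers to the addresses the PIX presents
    on the DMZ side before loading it as a standard primary. Everything in it is constructed sample
    data: the domain name example.local, the host names dc1/dc2/fileserver, the record TTLs, and the
    one-to-one NAT map 172.16.44.10/11 -> 172.16.181.10/11 are assumptions; only the two address
    ranges come from the thread. Two checks a practitioner would want are built in: every SRV and NS
    target must still have an A record in the DMZ copy (forgetting gc._msdcs is the classic miss), and
    no 172.16.44.0/22 address may survive into the DMZ zone, which is the leak the shadow copy exists
    to avoid. Hosts with no NAT mapping are dropped rather than carried across with their internal
    address; that is a design choice of this example, not something the thread prescribes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of the internal AD zone as a secondary would pull it.
# Simplified presentation format: "<owner> <ttl> IN <type> <rdata...>",
# one record per line, owners written as FQDNs with a trailing dot.
INTERNAL_ZONE = """\
example.local.                       600 IN SOA dc1.example.local. hostmaster.example.local. 42 900 600 86400 3600
example.local.                       600 IN NS  dc1.example.local.
example.local.                       600 IN NS  dc2.example.local.
dc1.example.local.                   600 IN A   172.16.44.10
dc2.example.local.                   600 IN A   172.16.44.11
fileserver.example.local.            600 IN A   172.16.45.20
_ldap._tcp.example.local.            600 IN SRV 0 100 389 dc1.example.local.
_ldap._tcp.example.local.            600 IN SRV 0 100 389 dc2.example.local.
_kerberos._tcp.example.local.        600 IN SRV 0 100 88 dc1.example.local.
_kerberos._tcp.example.local.        600 IN SRV 0 100 88 dc2.example.local.
_kpasswd._tcp.example.local.         600 IN SRV 0 100 464 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local.  600 IN SRV 0 100 389 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local.  600 IN SRV 0 100 389 dc2.example.local.
_ldap._tcp.gc._msdcs.example.local.  600 IN SRV 0 100 3268 dc1.example.local.
gc._msdcs.example.local.             600 IN A   172.16.44.10
"""

# Address ranges from the thread; the NAT map is a constructed assumption of
# how the PIX presents the two DCs on the DMZ side (static one-to-one NAT).
INTERNAL_NET = ipaddress.ip_network("172.16.44.0/22")
NAT_MAP = {
    ipaddress.ip_address("172.16.44.10"): ipaddress.ip_address("172.16.181.10"),
    ipaddress.ip_address("172.16.44.11"): ipaddress.ip_address("172.16.181.11"),
}


@dataclass(frozen=True)
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: tuple

    def text(self):
        return f"{self.owner} {self.ttl} IN {self.rtype} {' '.join(self.rdata)}"


def parse_zone(text):
    """Parse the simplified zone format above into Record objects."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, ttl, cls, rtype, *rdata = line.split()
        if cls.upper() != "IN":
            raise ValueError(f"unsupported class in: {line}")
        records.append(Record(owner.lower(), int(ttl), rtype.upper(), tuple(rdata)))
    return records


def verify_dmz_zone(records):
    """Fail if any SRV/NS target lacks an A record, or if an internal address
    survived into the DMZ zone (the leak the shadow copy is meant to avoid)."""
    have_a = {r.owner for r in records if r.rtype == "A"}
    missing = sorted(
        (r.owner, r.rtype, r.rdata[-1].lower())
        for r in records
        if r.rtype in ("SRV", "NS") and r.rdata[-1].lower() not in have_a
    )
    if missing:
        raise ValueError(f"targets with no A record in DMZ zone: {missing}")
    leaked = [r.owner for r in records
              if r.rtype == "A" and ipaddress.ip_address(r.rdata[0]) in INTERNAL_NET]
    if leaked:
        raise ValueError(f"internal addresses leaked into DMZ zone: {leaked}")


def build_dmz_zone(records, nat_map):
    """Rewrite A records of NAT-mapped hosts (including the gc._msdcs glue) to
    their DMZ addresses; drop A records of hosts the PIX does not expose."""
    dmz, dropped = [], []
    for r in records:
        if r.rtype != "A":
            dmz.append(r)
            continue
        internal = ipaddress.ip_address(r.rdata[0])
        if internal in nat_map:
            dmz.append(Record(r.owner, r.ttl, "A", (str(nat_map[internal]),)))
        else:
            dropped.append(r.owner)
    verify_dmz_zone(dmz)
    return dmz, dropped


def lookup(records, owner, rtype):
    return [r.rdata for r in records if r.owner == owner.lower() and r.rtype == rtype]


if __name__ == "__main__":
    zone, dropped = build_dmz_zone(parse_zone(INTERNAL_ZONE), NAT_MAP)
    print("\n".join(r.text() for r in zone))
    print("; not exposed through the PIX, dropped:", dropped)
```

    Running it prints the DMZ zone with dc1, dc2 and gc._msdcs pointing at 172.16.181.x and
    fileserver left out. Remove dc2 from the NAT map and the build refuses, because the
    _ldap._tcp and NS records would still name a host the VPN clients cannot resolve; that is the
    failure mode to re-check whenever a DC is added or replaced, as Bill notes he may do.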