
DNS for AD in VPN/DMZ

Anonymous
July 4, 2004 6:41:01 PM

Archived from groups: microsoft.public.win2000.dns

Hello,
I want to configure a DNS server so users can log on to domain(win2k) through Cisco VPN client.

I do not want to put a DC in the DMZ. I would like to put a DNS server with server records in this zone.

Anyone done this or know of any good resources to find.
Challanges include that it is a different network with different IP addressing.
Security to me is a huge concern.

Bill


Anonymous
July 4, 2004 10:24:45 PM


"sheaff" <sheaff@discussions.microsoft.com> wrote in message
news:858D7427-0C07-49D4-ABC1-F39C8FA3D477@microsoft.com...
> Hello,
> I want to configure a DNS server so users can log on to domain(win2k)
> through Cisco VPN client.

> I do not want to put a DC in the DMZ. I would like to put a DNS server
> with server records in this zone.

First, if it is not a DC, just make it a "secondary" (or some variant*).

> Anyone done this or know of any good resources to find.

What do you want? A DNS server?

> Challenges include that it is a different network with different IP
> addressing.

That is largely irrelevant to DNS and actually helps in a way,
since you can use the possible "client" addresses to filter out
unauthenticated requests.

> Security to me is a huge concern.

If you use a secondary, filtered for only those addresses that
authenticated through the VPN, you pretty much remove the
threat from any machine that cannot defeat your VPN anyway.

DNS in such a situation is NOT a major source of your security
concerns -- the VPN server, and the client accounts are much
higher risks at that point. (Manageable, but much higher than DNS.)

* With Win2003 DNS server you could use a "stub zone" or perhaps
even "conditional forwarding" but this is not a terrifically significant
difference to the overall design. Likewise with BIND you could
use VIEWS as an adjustment on the DMZ DNS server.


--
Herb Martin
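Herb's point above, that the DMZ secondary should answer only addresses that have come in through the VPN, can be checked against the server's query log. What follows is an added example, not code from the thread or from any of the posters: a small Python audit that flags queries arriving from outside the VPN client pool and marks which of those asked for AD locator records. The log line format, the domain corp.example, the pool 172.16.181.128/25 and the sample lines are all constructed for illustration.

```python
"""Audit DNS query sources on a DMZ secondary against the VPN client pool.
Added example; the pool, domain and log lines below are constructed."""
import ipaddress
import re

# Constructed: the address pool the VPN concentrator assigns to clients that
# have authenticated. Only these sources should be answered by the DMZ secondary.
VPN_CLIENT_POOL = [ipaddress.ip_network("172.16.181.128/25")]

# Constructed sample query log in a simplified "<time> <client> <qname> <qtype>" form.
SAMPLE_LOG = """\
2004-07-06T10:00:01 172.16.181.130 _ldap._tcp.corp.example SRV
2004-07-06T10:00:02 172.16.181.131 dc1.corp.example A
2004-07-06T10:00:05 10.9.8.7 _ldap._tcp.corp.example SRV
2004-07-06T10:00:06 172.16.181.5 _kerberos._tcp.corp.example SRV
2004-07-06T10:00:09 172.16.181.140 www.example.net A
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def in_vpn_pool(addr, pool=VPN_CLIENT_POOL):
    """True if the query source is an address handed out to an authenticated VPN client."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in pool)


def is_ad_locator_query(qname):
    """AD locator records live under underscore labels (_ldap._tcp, _kerberos._tcp,
    _gc._tcp, ...) or under _msdcs; those are the names this zone exists to serve."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[0].startswith("_") or "_msdcs" in labels


def audit_queries(log_text, pool=VPN_CLIENT_POOL):
    """Return (allowed_count, denied) where denied holds
    (client, qname, ad_locator) for every query from outside the pool."""
    allowed = 0
    denied = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        if in_vpn_pool(m["client"], pool):
            allowed += 1
        else:
            denied.append((m["client"], m["qname"], is_ad_locator_query(m["qname"])))
    return allowed, denied


if __name__ == "__main__":
    allowed, denied = audit_queries(SAMPLE_LOG)
    print(f"{allowed} queries from the VPN pool")
    for client, qname, locator in denied:
        flag = "AD locator record" if locator else "other name"
        print(f"outside pool: {client} asked for {qname} ({flag})")
```

The same pool is what goes into the DNS server's query ACL (or the firewall rule in front of it); the audit is the check that the ACL is actually sized to the pool and that nothing outside it is being answered. An address inside the DMZ range but outside the pool, like 172.16.181.5 in the sample, is exactly the case the filter is meant to stop.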
Anonymous
July 5, 2004 10:47:01 PM


Thanks for the response.

I have a different address (network) in the VPN.
A clearer question: what records do I need to create in the DMZ DNS?
_gc
_kerberos
_kpassword
_ldap
??
I wish to put the DNS server in the VPN network, outside of our private network. Is this the correct plan?
??
thanks
Anonymous
July 6, 2004 7:58:49 AM


"sheaff" <sheaff@discussions.microsoft.com> wrote in message
news:E40EC6C3-D456-4635-B644-5736CBFEA7D7@microsoft.com...
> Thanks for the response.
>
> I have different address (network) in VPN.

Why do you mention this?

What about different address ranges do you think is
important to DNS?

> A more clear question, what records do I need to create in the DMZ DNS?
> _gc
> _kerberos
> _kpassword
> _ldap

Actually you should NOT "create" any of those but rather make
the DMZ a secondary and let it pull them automatically from an
internal DNS server.

It is impractical to create AND maintain those records accurately.

> I wish to put the DNS server in the VPN network, outside of our private
> network. Is this the correct plan?

Maybe. Once the users "reach" that VPN network, what do
you want them to be ABLE to do and UNABLE to do?

That is, to which resources should they be granted and denied
access?

How will they be granted that access? And with that access,
how will you ensure they don't have access to other resources?




--
Herb Martin


Anonymous
July 6, 2004 11:06:02 AM


Thanks again Herb.

The problem is the DNS I wish to create in the DMZ uses different addresses than our private network.

Example
Private Network 172.16.44.0 /22 network
DMZ Network 172.16.181.0 /24 network
So if I create a secondary, the addresses for the DCs will not be correct.
If I manually do this it won't be so bad.
For our VPN users I want access to log in to the Domain and access resources in the Domain. I have a total of 2 DCs and the network is static.

thanks,
Bill

Anonymous
July 6, 2004 2:02:40 PM


"sheaff" <sheaff@discussions.microsoft.com> wrote in message
news:1C9FD4FA-9230-4637-9C28-5E533432CF36@microsoft.com...
> Thanks again Herb.
>
> The problem is the DNS I wish to create in the DMZ uses different
> addresses than our private network.

You keep saying that like it matters -- for DNS it does NOT
matter.

DNS is an IP service and thus routable. Clients can be on one
network and easily query servers on another -- this happens
millions of times every day (every second probably) on the Internet.

Home users query ISP DNS servers that are on another subnet or
even another network.

As long as your IP network is functional (routable) it will be
irrelevant.

> Example
> Private Network 172.16.44.0 /22 network
> DMZ Network 172.16.181.0 /24 network
> So If I create a secondary the address for DCs will not be correct.

What?

As long as your router can deal with those two ranges
then you have no problem.

The ranges do look a bit odd, but there is nothing inherently
incorrect or troublesome about them.

> If I manually do this it won't be so bad.

Huh? You don't have a problem.

> For our VPN users I want access to login to Domain and access resources in
> the Domain. I have a total of 2 DCs and network is static.

Then you are depending on your VPN for (virtually) all of your
security. Use a secure authentication mechanism for the VPN,
like MS-CHAPv2.



--
Herb Martin


Anonymous
July 6, 2004 4:11:14 PM


In news:1C9FD4FA-9230-4637-9C28-5E533432CF36@microsoft.com,
sheaff <sheaff@discussions.microsoft.com> posted a question
Then Kevin replied below:
> Thanks again Herb.
>
> The problem is the DNS I wish to create in the DMZ uses
> different addresses than our private network.
>
> Example
> Private Network 172.16.44.0 /22 network
> DMZ Network 172.16.181.0 /24 network
> So If I create a secondary the address for DCs will not
> be correct.
> If I manually do this it won't be so bad.
> For our VPN users I want access to login to Domain and
> access resources in the Domain. I have a total of 2 DCs
> and network is static.
>
Create it as a secondary, this will bring in all the SRV records then,
change it to a standard primary and manually edit the A records with the
correct IP addresses.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your
issue. To respond directly to me remove the nospam. from my
email. ==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
Anonymous
July 6, 2004 5:41:31 PM


> Create it as a secondary, this will bring in all the SRV records then,
> change it to a standard primary and manually edit the A records with the
> correct IP addresses.

He is NOT trying to create a "shadow" or "split" DNS.



--
Herb Martin


Anonymous
July 6, 2004 6:49:00 PM


In news:o IQmOr4YEHA.996@TK2MSFTNGP12.phx.gbl,
Herb Martin <news@LearnQuick.com> posted a question
Then Kevin replied below:
>> Create it as a secondary, this will bring in all the
>> SRV records then, change it to a standard primary and
>> manually edit the A records with the correct IP addresses.
>
> He is NOT trying to create a "shadow" or "split" DNS.

That is exactly what he is saying he wants, I'm not saying that is what he
needs. His router should be able to route between the two subnets, but he
wants the two subnets to resolve separately.
Why he wants to do it this way, I don't know.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
Anonymous
July 6, 2004 7:07:45 PM


> >> Create it as a secondary, this will bring in all the
> >> SRV records then, change it to a standard primary and
> >> manually edit the A records with the correct IP addresses.
> >
> > He is NOT trying to create a "shadow" or "split" DNS.
>
> That is exactly what he is saying he wants, I'm not saying that is what he
> needs. His router should be able to route between the two subnets, but he
> wants to two subnets to resolve separately.
> Why he wants to do it this way, I don't know.

No, you need to re-read more carefully or ask him for
clarification before you confuse him more.
Anonymous
July 7, 2004 1:05:49 AM


In news:o RYkSY5YEHA.2016@TK2MSFTNGP09.phx.gbl,
Herb Martin <news@LearnQuick.com> asked for help and I offered my
suggestions below:
>>>> Create it as a secondary, this will bring in all the
>>>> SRV records then, change it to a standard primary and
>>>> manually edit the A records with the correct IP addresses.
>>>
>>> He is NOT trying to create a "shadow" or "split" DNS.
>>
>> That is exactly what he is saying he wants, I'm not saying that is
>> what he needs. His router should be able to route between the two
>> subnets, but he wants to two subnets to resolve separately.
>> Why he wants to do it this way, I don't know.
>
> No, you need to re-read more carefully or ask him for
> clarification before you confuse him more.

If you ask me, I believe he IS trying to create a shadow zone on the DMZ
DNS. That's the way I read it, unless I misread it, from this part of his
original post:

> I do not want to put a DC in the DMZ.
> I would like to put a DNS server with
> server records in this zone.

Meaning his internal records on this DNS in the DMZ.
As Kevin said, the DMZ needs to communicate with the internal network with
static routes or what have you to make it work.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
Anonymous
July 7, 2004 1:05:58 AM


In news:858D7427-0C07-49D4-ABC1-F39C8FA3D477@microsoft.com,
sheaff <sheaff@discussions.microsoft.com> asked for help and I offered my
suggestions below:
> Hello,
> I want to configure a DNS server so users can log on to domain(win2k)
> through Cisco VPN client.
>
> I do not want to put a DC in the DMZ. I would like to put a DNS
> server with server records in this zone.
>
> Anyone done this or know of any good resources to find.
> Challenges include that it is a different network with different IP
> addressing.
> Security to me is a huge concern.
>
> Bill

I believe Kevin mentioned to create a secondary on your DMZ DNS of your
internal AD domain zone. This way the clients can access the internal subnet
and domain. But you need to make sure you have network connectivity from the
DMZ to the internal subnet, assuming you already have that.

--
Regards,
Ace

Anonymous
July 7, 2004 1:05:59 AM


Thanks guys!

I may have been a little unclear, but I think Kevin understood the question.
The VPN network is secure, we use a Cisco concentrator and the clients use Cisco VPN client.

We only allow hosts that authenticate in. We only allow certain hosts to be seen by the VPN clients. All the mapping is accomplished with a Cisco PIX firewall.

Kevin has me on the correct track, and I think this will be the easiest and the optimal to do.

Thank you for all of your input.

If I have drastic changes, which is unlikely, it can be redone (new DCs, etc.); it is OK.
I also do not mind manually putting in some host records.
This looks like it will be much easier than I thought.
Some things are so automated today, it seems to make things more difficult.


Anonymous
July 7, 2004 1:53:35 AM


In news:3797DB82-3948-4AB2-9186-20A6AF973976@microsoft.com,
sheaff <sheaff@discussions.microsoft.com> posted a question
Then Kevin replied below:
> Thanks guys!
>
> I may have been a little unclear, but I think Kevin
> understood the question.
> The VPN network is secure, we use a Cisco concentrator
> and the clients use Cisco VPN client.
>
> We only allow hosts that authenticate in. We only allow
> certain hosts to be seen by the VPN clients. All the
> mapping is accomplished with a Cisco PIX firewall.
>
> Kevin has me on the correct track, and I think this will
> be the easiest and the optimal to do.
>
> Thank you for all of your input.
>
> If I have drastic changes, which is unlikely it can be
> redone (new dcs, etc) it is ok.
> I also do not mind manually putting in some host records.
> This looks like it will be much easier than I thought.
> Some things are so automated today, it seems to make
> things more difficult.


When you edit the A records don't forget to go into
gc._msdcs.<dnsforestname> and edit the Global Catalog record.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
==========================================
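Kevin's procedure (pull the zone as a secondary, convert it to a standard primary, then re-point the A records at the DMZ-side addresses, not forgetting the A record under gc._msdcs) leaves room for a dangling SRV target if one host is missed. As an added example, not code from the thread or from any of the posters, the Python below rewrites the DC addresses from a mapping and then verifies the result: every SRV target must resolve to an address outside the private range, the gc._msdcs record must have been rewritten, and any host left on a private address is listed for review. The zone text, the domain corp.example and the per-DC address mapping are constructed; the private range 172.16.44.0/22 and the DMZ range 172.16.181.0/24 are the ones Bill gave. The zone uses the real _kpasswd label where the thread wrote _kpassword.

```python
"""Rewrite and verify a DMZ-side copy of an AD zone.
Added example; the zone text, domain and address mapping are constructed."""
import ipaddress
import re

# Constructed sample of what a secondary pulled from the internal zone for the
# hypothetical domain corp.example might contain, flattened to "name type rdata".
INTERNAL_ZONE = """\
dc1.corp.example.              A   172.16.44.10
dc2.corp.example.              A   172.16.44.11
fileserver.corp.example.       A   172.16.45.20
gc._msdcs.corp.example.        A   172.16.44.10
_ldap._tcp.corp.example.       SRV 0 100 389 dc1.corp.example.
_ldap._tcp.corp.example.       SRV 0 100 389 dc2.corp.example.
_kerberos._tcp.corp.example.   SRV 0 100 88 dc1.corp.example.
_kerberos._tcp.corp.example.   SRV 0 100 88 dc2.corp.example.
_kpasswd._tcp.corp.example.    SRV 0 100 464 dc1.corp.example.
_gc._tcp.corp.example.         SRV 0 100 3268 dc1.corp.example.
"""

# Private range from the thread; the per-DC DMZ addresses are constructed
# (they would be whatever the firewall maps each DC to).
PRIVATE_NET = ipaddress.ip_network("172.16.44.0/22")
DC_ADDRESS_MAP = {
    "172.16.44.10": "172.16.181.10",
    "172.16.44.11": "172.16.181.11",
}

RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<type>A|SRV)\s+(?P<rdata>.+?)\s*$")


def parse_zone(text):
    """Parse the flattened zone text into (name, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record line: {line!r}")
        records.append((m["name"].lower(), m["type"], m["rdata"]))
    return records


def rewrite_dc_addresses(records, address_map):
    """Swap every mapped A-record address, whatever the owner name; that covers
    the DC host records and the gc._msdcs record in one pass."""
    out = []
    for name, rtype, rdata in records:
        if rtype == "A" and rdata in address_map:
            rdata = address_map[rdata]
        out.append((name, rtype, rdata))
    return out


def verify_shadow_zone(records, private_net):
    """Return (errors, unmapped_hosts) for the DMZ copy of the zone.

    errors: SRV targets with no A record or still on a private address, and
            Global Catalog A records (gc._msdcs.*) still on a private address.
    unmapped_hosts: any name still carrying a private address; VPN clients
            reach those only if the firewall exposes them.
    """
    a_records = {}
    for name, rtype, rdata in records:
        if rtype == "A":
            a_records.setdefault(name, []).append(ipaddress.ip_address(rdata))

    errors = []
    for name, rtype, rdata in records:
        if rtype == "SRV":
            target = rdata.split()[-1].lower()
            addrs = a_records.get(target)
            if not addrs:
                errors.append(f"{name}: SRV target {target} has no A record")
                continue
            for addr in addrs:
                if addr in private_net:
                    errors.append(f"{name}: SRV target {target} still points to private {addr}")
        elif rtype == "A" and name.startswith("gc._msdcs."):
            if ipaddress.ip_address(rdata) in private_net:
                errors.append(f"{name}: Global Catalog record still points to private {rdata}")

    unmapped = sorted(n for n, addrs in a_records.items()
                      if any(a in private_net for a in addrs))
    return errors, unmapped


def build_dmz_zone(zone_text=INTERNAL_ZONE, address_map=DC_ADDRESS_MAP,
                   private_net=PRIVATE_NET):
    """Run the whole procedure: parse, rewrite, verify."""
    rewritten = rewrite_dc_addresses(parse_zone(zone_text), address_map)
    errors, unmapped = verify_shadow_zone(rewritten, private_net)
    return rewritten, errors, unmapped


if __name__ == "__main__":
    rewritten, errors, unmapped = build_dmz_zone()
    for name, rtype, rdata in rewritten:
        print(f"{name:32} {rtype:4} {rdata}")
    print("errors:", errors or "none")
    print("hosts still on private addresses (review):", unmapped)
```

Run against the unmodified secondary copy, the verifier reports every SRV target plus the gc._msdcs record as still private, which is the state Kevin's manual edit has to clear; after the rewrite only fileserver remains on a private address, and whether VPN clients should see it at all is a firewall decision, not a DNS one. Re-running the check after any DC change (Bill's "new DCs, etc." case) is how a hand-maintained primary stays consistent with the internal zone.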