Solved

Domain Authentication possible over Cisco VPN connection?

Posted on 2004-07-30
Last Modified: 2008-01-09
Hopefully this will be an easy question...

My company has a VPN connection from here to a remote location. On this end (corporate headquarters) we have a Cisco 1720 series router. On the other end we have a Cisco PIX 501. Right now it just handles print jobs between the two offices. Currently our remote users access our network via a Windows 2000 Terminal Server. What I would like to know is if it is possible with these two routers to have my clients be authenticated as if they were within my LAN. Just for "kicks" I had one of my users attempt to join the domain, but without success because the computer couldn't find the DC. So, with these two routers, would it be possible for my remote users to login to our Windows 2000 domain as if they were on a computer here in the building? Or would a better approach be to setup a VPN connection on each remote client PC? We currently have about 5 users at our remote location.
Question by: mckeough

Author Comment

by:mckeough
ID: 11680229
If anyone needs more specific information to answer the question please let me know.

Assisted Solution

by:dgroscost
dgroscost earned 150 total points
ID: 11680831
However you set it up, as long as you have DNS resolution, a route, and that you allow domain traffic you should be able to authenticate in the domain at other sites without a problem.
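The three prerequisites in the answer above (name resolution, a route, and domain traffic allowed through the tunnel) can be checked from a remote-office PC before touching anything else. The script below is an added example, not code from the thread: it tries a TCP connection from the remote PC to each port a Windows 2000 client needs on the DC and lists the ones that do not answer, which is the list to take back to the PIX and 1720 configuration. The DC address 192.168.1.10 is an assumed placeholder. It does not cover the dynamic RPC range (1025-5000 by default on Windows 2000) that Netlogon and SAM calls use after the endpoint mapper on 135; that range has to pass through the tunnel as well, and a single-port probe cannot prove it does.

```python
import socket

# Ports a Windows 2000 client must reach on a DC for logon, Group Policy and
# SYSVOL. The dynamic RPC range (1025-5000 by default on Windows 2000), used by
# Netlogon/SAM calls after the endpoint mapper on 135, is not probed here and
# must also be allowed through the tunnel.
DOMAIN_PORTS = {
    53:   "DNS (TCP and UDP)",
    88:   "Kerberos (TCP and UDP)",
    135:  "RPC endpoint mapper",
    139:  "NetBIOS session service (SMB over NetBIOS)",
    389:  "LDAP (TCP, plus UDP for the locator's CLDAP ping)",
    445:  "SMB direct hosting (SYSVOL and NETLOGON shares)",
    464:  "Kerberos password change (TCP and UDP)",
    3268: "Global Catalog LDAP",
}

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, unreachable, or timed out
        return False

def probe_dc(dc_ip, ports=DOMAIN_PORTS, timeout=2.0):
    """Probe every port in `ports` on the DC; return {port: reachable}."""
    return {port: tcp_open(dc_ip, port, timeout) for port in ports}

def blocked_ports(results):
    """Ports that did not answer, sorted, for the ACL/crypto-map review."""
    return sorted(port for port, ok in results.items() if not ok)

if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"   # assumed DC address
    results = probe_dc(dc)
    for port in sorted(results):
        print(f"{port:5d}  {'open' if results[port] else 'BLOCKED':8s}{DOMAIN_PORTS[port]}")
    print("blocked:", blocked_ports(results) or "none")
```

A port that shows BLOCKED while the DC itself is listening on it means the tunnel's interesting-traffic ACL or a filter on one of the routers is dropping it; a port that is open from the LAN but times out (rather than being refused) over the VPN usually points at the return route on the HQ side.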

Author Comment

by:mckeough
ID: 11680885
OK. I must not have DNS resolution then because my users can ping the domain controller by IP but not by name. What do I need to do to fix this? I'm increasing the points to 350.

Expert Comment

by:dgroscost
ID: 11680909
Do you have a DNS server in the remote office?

Author Comment

by:mckeough
ID: 11680950
No. Just a Cisco Pix 501 router connected to a DSL Modem. Are you saying there is no way to resolve DNS without a DNS server on the other end?

Expert Comment

by:dgroscost
ID: 11680988
Oh, sure, you can resolve without DNS by using LMHOSTS or HOSTS files.  However, you need certain types of DNS records in order for domain authentication/traffic to work.

You need SRV records for example, which handle _kpasswd, _kerberos, _gc, _ldap, etc, etc.

Expert Comment

by:dgroscost
ID: 11681006
You might be able to get away with setting up a DNS server (secondary zone) that pulls a copy of the primary AD integrated zone from one of your DCs and have it provide DNS in your remote office.

Author Comment

by:mckeough
ID: 11681036
OK. Thanks. I haven't done this before, so how about I give you the points for this post, and post another 500 pointer so you can walk me through this? Or if you would rather point out an excellent link to a web page telling me how to do this, I'll just increase the point value of this one to 500 and say THANKS!

Author Comment

by:mckeough
ID: 11681082
Oh, I see you posted another comment while I was typing my last comment. Let me create the secondary DNS server and zone to see if that works. I'm pretty comfortable with that. If it doesn't work you want to go ahead with what I mentioned in my last post?

I'm probably going to do this some time Monday. For now I have to go have fun because it's the weekend!

Accepted Solution

by:mrpez1
mrpez1 earned 350 total points
ID: 11681109
You don't actually need a DNS server for the remote office. Just tell the hosts there to use the DC's IP address as their primary DNS server and the local ISP's DNS as the secondary. That way as long as the VPN is up you get all the DC's DNS info and if it goes down, your local ISP takes over for internet browsing.

Author Comment

by:mckeough
ID: 11681197
Oh. OK! If I leave the setting to "Obtain IP Address Automatically" then fill in the IP of my primary DNS server, will that essentially accomplish the same thing? In other words, if my DNS server goes down, will the "Obtain IP Address Automatically" setting go looking for my ISP's server? To put it another way, does it first look to the primary DNS, then if it can't find it, it will look elsewhere? Lol. Do I need to explain that a fourth way? I think you understand what I'm trying to ask.

Author Comment

by:mckeough
ID: 11681207
ACK! In other words I don't have an IP address for a secondary DNS server, but if I set it to "Obtain IP Address Automatically" will it look for another one automatically if the DNS server goes down. *sigh... It's one of those days.

Expert Comment

by:dgroscost
ID: 11681211
If you use DHCP, you'll need to enter the secondary DNS server address in the DHCP scope options.

Or, you could use DHCP and enter your DNS servers in manually (on each of the 5 machines). This will probably be your best option. I don't know what I was thinking by not telling you this in the first place. Ah, it's Friday.

Expert Comment

by:dgroscost
ID: 11681227
In other words:

On the NIC properties of each of the 5 PCs:

Leave IP address at DHCP.
For DNS settings, enter the DNS server from your Corp HQ as the primary DNS server.  For the secondary DNS server, enter the internet DNS server which you can get from the DSL router status screen.
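The two pieces of advice above, dgroscost's point that domain logon depends on the _kerberos/_ldap/_gc/_kpasswd SRV records and the "DC first, ISP second" resolver order from mrpez1 and dgroscost, can be checked and explained with one script. It is an added example, not code from the thread or from Microsoft. It builds the SRV queries a Windows 2000 client's DC locator sends (the _msdcs names first), parses the replies with a small hand-written DNS parser, and mimics the stub resolver's server order: any reply at all, including NXDOMAIN, settles the lookup, and only a timeout moves the client on to the next server. That is why the DC has to be listed first; with the ISP's server first, every internal name would get NXDOMAIN from the ISP and the DC would never be asked. A constructed reply for the assumed domain corp.example and DC dc1 is embedded so the parser runs offline; nothing in it was captured from a real DC. The addresses 192.168.1.10 (DC) and 203.0.113.53 (ISP resolver) are placeholders.

```python
import random
import socket
import struct

SRV = 33          # DNS record type for SRV

def locator_srv_names(domain):
    """SRV names a Windows 2000 client queries to find a DC for `domain`."""
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_gc._tcp.{domain}",
    ]

def build_query(name, qtype=SRV, txid=None):
    """Minimal DNS query: header with RD set, one question, class IN."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_response(msg):
    """Return (rcode, [(priority, weight, port, target), ...]) for SRV answers."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return flags & 0x0F, records

def query(server, name, timeout=2.0):
    """One UDP query to `server`; returns (rcode, records) or None on timeout."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data) if data[:2] == q[:2] else None

def resolve_like_windows(name, servers, ask=query):
    """Stub-resolver behaviour: the first server that answers at all (even with
    NXDOMAIN, rcode 3) settles the lookup; only a timeout tries the next server."""
    for server in servers:
        reply = ask(server, name)
        if reply is not None:
            return server, reply
    return None, None

# Constructed reply (not captured from a real DC): answer to
# _ldap._tcp.dc._msdcs.corp.example, one SRV record -> dc1.corp.example:389,
# with the target name compressed back into the question section.
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x05_ldap\x04_tcp\x02dc\x06_msdcs\x04corp\x07example\x00\x00\x21\x00\x01"
    b"\xc0\x0c\x00\x21\x00\x01\x00\x00\x02\x58\x00\x0c\x00\x00\x00\x64\x01\x85\x03dc1\xc0\x21"
)

if __name__ == "__main__":
    import sys
    print("sample reply:", parse_response(SAMPLE_REPLY))
    # Live check: python dc_locator.py corp.example 192.168.1.10 203.0.113.53
    # (assumed DC and ISP resolver addresses; DC listed first, as advised).
    if len(sys.argv) > 2:
        for n in locator_srv_names(sys.argv[1]):
            server, reply = resolve_like_windows(n, sys.argv[2:])
            print(n, "->", "no answer" if reply is None else f"{server} rcode={reply[0]} {reply[1]}")
```

Run against the real DC over the tunnel, every name in the list should come back with rcode 0 and at least one record pointing at the DC; an rcode 3 answered by the ISP address means the order is wrong on that PC. The same order has a cost worth knowing: when the VPN is down, each lookup waits for the DC entry to time out before the ISP server is tried, and internal names are then sent to the ISP's resolver, which is where those hostnames leave the company network.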

Author Comment

by:mckeough
ID: 11681288
Friday - you said it! OK. I'll do this Monday, and let you guys know how things went. Thanks!

Author Comment

by:mckeough
ID: 11698097
Things went well. We're authenticating just fine. The only problem is that working with files (such as an Excel spreadsheet) is extremely slow. It's much faster to open them when logged onto our terminal server. Is there a way around this bandwidth bottleneck? A 30kb file opens just fine, but an 8mb file takes a long time. Obviously 30kb is much faster to download and open than an 8mb file, or a 50mb database. Oh well. My main objective was accomplished. Thanks guys!
