Solved

Domain Authentication possible over Cisco VPN connection?

Posted on 2004-07-30
Last Modified: 2008-01-09
Hopefully this will be an easy question...

My company has a VPN connection from here to a remote location. On this end (corporate headquarters) we have a Cisco 1720 series router. On the other end we have a Cisco PIX 501. Right now it just handles print jobs between the two offices. Currently our remote users access our network via a Windows 2000 Terminal Server. What I would like to know is if it is possible with these two routers to have my clients be authenticated as if they were within my LAN. Just for "kicks" I had one of my users attempt to join the domain, but without success because the computer couldn't find the DC. So, with these two routers, would it be possible for my remote users to log in to our Windows 2000 domain as if they were on a computer here in the building? Or would a better approach be to set up a VPN connection on each remote client PC? We currently have about 5 users at our remote location.
Question by:mckeough
16 Comments
 

Author Comment

by:mckeough
ID: 11680229
If anyone needs more specific information to answer the question please let me know.

Assisted Solution

by:dgroscost
dgroscost earned 150 total points
ID: 11680831
However you set it up, as long as you have DNS resolution, a route, and you allow domain traffic, you should be able to authenticate in the domain at other sites without a problem.

Author Comment

by:mckeough
ID: 11680885
OK. I must not have DNS resolution then because my users can ping the domain controller by IP but not by name. What do I need to do to fix this? I'm increasing the points to 350.

Expert Comment

by:dgroscost
ID: 11680909
Do you have a DNS server in the remote office?

Author Comment

by:mckeough
ID: 11680950
No. Just a Cisco Pix 501 router connected to a DSL Modem. Are you saying there is no way to resolve DNS without a DNS server on the other end?

Expert Comment

by:dgroscost
ID: 11680988
Oh, sure, you can resolve without DNS by using LMHOSTS or HOSTS files.  However, you need certain types of DNS records in order for domain authentication/traffic to work.

You need SRV records for example, which handle _kpasswd, _kerberos, _gc, _ldap, etc, etc.
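As an added check that is not from this thread: a stdlib-only Python SRV query builder and response parser, so a client at the remote site can confirm that the records dgroscost lists (_ldap, _kerberos, _kpasswd, _gc) actually resolve across the VPN. The domain `corp.example` and the DC name `dc1` are constructed placeholders.

```python
import struct

AD_SRV_PREFIXES = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs",
                   "_kpasswd._tcp", "_gc._tcp")
QTYPE_SRV, QCLASS_IN = 33, 1

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_srv_query(name, txid=0x1234):
    # Standard query, recursion desired, one SRV/IN question.
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN))

def read_name(msg, off):
    # Decodes labels, following RFC 1035 compression pointers; returns (name, next offset).
    labels = []
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        if ln == 0:
            return ".".join(labels), off + 1
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def parse_srv_answers(msg):
    # Returns [(priority, weight, port, target)] from the answer section.
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            answers.append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return answers

def missing_ad_services(domain, lookup):
    # lookup(name) -> SRV answers; lists the required names that came back empty.
    return [p for p in AD_SRV_PREFIXES if not lookup(f"{p}.{domain}")]

# Constructed reply (placeholder names): one SRV answer for the _ldap name, owner name compressed.
QNAME, TARGET = "_ldap._tcp.dc._msdcs.corp.example", "dc1.corp.example"
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name(QNAME) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
                   + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, 6 + len(encode_name(TARGET)))
                   + struct.pack("!HHH", 0, 100, 389) + encode_name(TARGET))
```

To run it for real, send `build_srv_query(name)` over UDP to port 53 of the DC and feed the reply to `parse_srv_answers`; sending the same query to the ISP's resolver shows why the DC has to be the primary DNS server for the remote clients.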

Expert Comment

by:dgroscost
ID: 11681006
You might be able to get away with setting up a DNS server (secondary zone) that pulls a copy of the primary AD integrated zone from one of your DCs and have it provide DNS in your remote office.

Author Comment

by:mckeough
ID: 11681036
OK. Thanks. I haven't done this before, so how about I give you the points for this post, and post another 500 pointer so you can walk me through this? Or if you would rather point out an excellent link to a web page telling me how to do this, I'll just increase the point value of this one to 500 and say THANKS!

Author Comment

by:mckeough
ID: 11681082
Oh, I see you posted another comment while I was typing my last comment. Let me create the secondary DNS server and zone to see if that works. I'm pretty comfortable with that. If it doesn't work you want to go ahead with what I mentioned in my last post?

I'm probably going to do this some time Monday. For now I have to go have fun because it's the weekend!

Accepted Solution

by:mrpez1
mrpez1 earned 350 total points
ID: 11681109
You don't actually need a DNS server for the remote office. Just tell the hosts there to use the DC's IP address as their primary DNS server and the local ISP's DNS as the secondary. That way as long as the VPN is up you get all the DC's DNS info and if it goes down, your local ISP takes over for internet browsing.

Author Comment

by:mckeough
ID: 11681197
Oh. OK! If I leave the setting to "Obtain IP Address Automatically" then fill in the IP of my primary DNS server, will that essentially accomplish the same thing? In other words, if my DNS server goes down, will the "Obtain IP Address Automatically" setting go looking for my ISP's server? To put it another way, does it first look to the primary DNS, then if it can't find it, it will look elsewhere? Lol. Do I need to explain that a fourth way? I think you understand what I'm trying to ask.

Author Comment

by:mckeough
ID: 11681207
ACK! In other words I don't have an IP address for a secondary DNS server, but if I set it to "Obtain IP Address Automatically" will it look for another one automatically if the DNS server goes down? *sigh... It's one of those days.

Expert Comment

by:dgroscost
ID: 11681211
If you use DHCP, you'll need to enter the secondary DNS server address in the DHCP scope options.

Or, you could use DHCP and enter your DNS servers in manually (on each of the 5 machines.)   This will probably be your best option.  I don't know what I was thinking by not telling you this in the first place.  Ah, it's Friday.

Expert Comment

by:dgroscost
ID: 11681227
In other words:

On the NIC properties of each of the 5 PCs:

Leave IP address at DHCP.
For DNS settings, enter the DNS server from your Corp HQ as the primary DNS server.  For the secondary DNS server, enter the internet DNS server which you can get from the DSL router status screen.

Author Comment

by:mckeough
ID: 11681288
Friday - you said it! OK. I'll do this Monday, and let you guys know how things went. Thanks!

Author Comment

by:mckeough
ID: 11698097
Things went well. We're authenticating just fine. The only problem is that working with files (such as an Excel spreadsheet) is extremely slow. It's much faster to open them when logged onto our terminal server. Is there a way around this bandwidth bottleneck? A 30kb file opens just fine, but an 8mb file takes a long time. Obviously 30kb is much faster to download and open than an 8mb file, or a 50 mb database. Oh well. My main objective was accomplished. Thanks guys!