Domain Authentication possible over Cisco VPN connection?

Hopefully this will be an easy question...

My company has a VPN connection from here to a remote location. On this end (corporate headquarters) we have a Cisco 1720 series router. On the other end we have a Cisco PIX 501. Right now it just handles print jobs between the two offices. Currently our remote users access our network via a Windows 2000 Terminal Server. What I would like to know is if it is possible with these two routers to have my clients be authenticated as if they were within my LAN. Just for "kicks" I had one of my users attempt to join the domain, but without success because the computer couldn't find the DC. So, with these two routers, would it be possible for my remote users to log in to our Windows 2000 domain as if they were on a computer here in the building? Or would a better approach be to set up a VPN connection on each remote client PC? We currently have about 5 users at our remote location.
mckeough Asked:
 
mrpez1 Commented:
You don't actually need a DNS server for the remote office. Just tell the hosts there to use the DC's IP address as their primary DNS server and the local ISP's DNS as the secondary. That way as long as the VPN is up you get all the DC's DNS info and if it goes down, your local ISP takes over for internet browsing.
0
 
mckeough (Author) Commented:
If anyone needs more specific information to answer the question please let me know.
0
 
dgroscost Commented:
However you set it up, as long as you have DNS resolution, a route, and that you allow domain traffic you should be able to authenticate in the domain at other sites without a problem.
0
 
mckeough (Author) Commented:
OK. I must not have DNS resolution then because my users can ping the domain controller by IP but not by name. What do I need to do to fix this? I'm increasing the points to 350.
0
 
dgroscost Commented:
Do you have a DNS server in the remote office?
0
 
mckeough (Author) Commented:
No. Just a Cisco PIX 501 router connected to a DSL modem. Are you saying there is no way to resolve DNS without a DNS server on the other end?
0
 
dgroscost Commented:
Oh, sure, you can resolve without DNS by using LMHOSTS or HOSTS files.  However, you need certain types of DNS records in order for domain authentication/traffic to work.

You need SRV records for example, which handle _kpasswd, _kerberos, _gc, _ldap, etc, etc.
0
 
dgroscost Commented:
You might be able to get away with setting up a DNS server (secondary zone) that pulls a copy of the primary AD integrated zone from one of your DCs and have it provide DNS in your remote office.
0
 
mckeough (Author) Commented:
OK. Thanks. I haven't done this before, so how about I give you the points for this post, and post another 500 pointer so you can walk me through this? Or if you would rather point out an excellent link to a web page telling me how to do this, I'll just increase the point value of this one to 500 and say THANKS!
0
 
mckeough (Author) Commented:
Oh, I see you posted another comment while I was typing my last comment. Let me create the secondary DNS server and zone to see if that works. I'm pretty comfortable with that. If it doesn't work you want to go ahead with what I mentioned in my last post?

I'm probably going to do this some time Monday. For now I have to go have fun because it's the weekend!
0
 
mckeough (Author) Commented:
Oh. OK! If I leave the setting to "Obtain IP Address Automatically" then fill in the IP of my primary DNS server, will that essentially accomplish the same thing? In other words, if my DNS server goes down, will the "Obtain IP Address Automatically" setting go looking for my ISP's server? To put it another way, does it first look to the primary DNS, then if it can't find it, it will look elsewhere? Lol. Do I need to explain that a fourth way? I think you understand what I'm trying to ask.
0
 
mckeough (Author) Commented:
ACK! In other words I don't have an IP address for a secondary DNS server, but if I set it to "Obtain IP Address Automatically" will it look for another one automatically if the DNS server goes down? *sigh... It's one of those days.
0
 
dgroscost Commented:
If you use DHCP, you'll need to enter the secondary DNS server address in the DHCP scope options.

Or, you could use DHCP and enter your DNS servers in manually (on each of the 5 machines.)   This will probably be your best option.  I don't know what I was thinking by not telling you this in the first place.  Ah, it's Friday.
0
 
dgroscost Commented:
In other words:

On the NIC properties of each of the 5 PCs:

Leave IP address at DHCP.
For DNS settings, enter the DNS server from your Corp HQ as the primary DNS server.  For the secondary DNS server, enter the internet DNS server which you can get from the DSL router status screen.
0
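
Added example, not part of the original thread: a PowerShell check, run on a remote-office PC, that the SRV records dgroscost mentions resolve through the HQ DNS server and that the ports they point to are reachable over the VPN. The domain name and DNS server IP are placeholders, and it assumes a Windows client that has the Resolve-DnsName and Test-NetConnection cmdlets.

```powershell
# Added example. Placeholders (assumptions, not from the thread):
#   corp.example = the AD DNS domain name, 192.0.2.10 = the HQ DC's IP over the VPN.
param(
    [string]$Domain    = 'corp.example',
    [string]$DnsServer = '192.0.2.10'
)

# SRV records the domain controller registers; the thread names these types.
$srvNames = @(
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain"
)

$results = foreach ($name in $srvNames) {
    try {
        # Ask the named server directly, so the result does not depend on
        # which of the client's configured DNS servers happens to answer.
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) { throw "no SRV answer" }
        foreach ($rec in $srv) {
            # A record that resolves is only half of it: the port must also
            # be reachable through the tunnel. Test-NetConnection looks the
            # target up with the client's own DNS settings.
            $open = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                Record = $name; Target = $rec.NameTarget; Port = $rec.Port
                Resolved = $true; TcpOpen = $open
            }
        }
    } catch {
        [pscustomobject]@{
            Record = $name; Target = $null; Port = $null
            Resolved = $false; TcpOpen = $false
        }
    }
}

$results | Format-Table -AutoSize
```

A row with Resolved = False points at the DNS settings on the PC; Resolved = True with TcpOpen = False points at the route or at what the VPN allows through.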
 
mckeough (Author) Commented:
Friday - you said it! OK. I'll do this Monday, and let you guys know how things went. Thanks!
0
 
mckeough (Author) Commented:
Things went well. We're authenticating just fine. The only problem is that working with files (such as an Excel spreadsheet) is extremely slow. It's much faster to open them when logged onto our terminal server. Is there a way around this bandwidth bottleneck? A 30kb file opens just fine, but an 8mb file takes a long time. Obviously 30kb is much faster to download and open than an 8mb file, or a 50 mb database. Oh well. My main objective was accomplished. Thanks guys!
0
Question has a verified solution.