Domain & VPN problems

Hello,

I am having a problem with my domain network and accessing it across a VPN. My VPN is done using 2 Nortel routers and it is a branch office VPN. Here is my config:

[client PCs]----------[windows 2000 AS - 192.168.1.5]----------[VPN router - 192.168.1.1]=====TUNNEL=====[VPN router - 192.168.3.1]----------[remote PCs]

The router is running DHCP (not the 2000 server). The 2000 server is running WINS and all client PCs are using DHCP with a WINS server added manually (192.168.1.5). All client PCs therefore use 192.168.1.1 as their DNS server (not the windows 2000 server). The remote PCs have been members of the domain before they were moved to the remote location. They list the domain in the list before logon still. They can ping 192.168.1.5 but the name 'server' will not resolve to 192.168.1.5 as it does on the local client PCs. The remote PCs also have the same WINS entry (192.168.1.5). If I try and access a resource on the Windows 2000 server from a remote PC I am incorrectly prompted for a username / password. If I change the DNS server on the remote PC from 192.168.3.1 to 192.168.1.5 this allows the remote PCs to log onto the domain. However, I do not want to network them this way as it will complicate my setup and increase traffic in the VPN tunnel. I was hoping that by using WINS I could log onto the domain from the VPN as I can with the local client PCs. My VPN doesn't block ANY traffic/ports, and every 192.168.1.x resource can access any 192.168.3.x resource (and vise versa).

Any suggestions?
LVL 1
rite_ehAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rite_ehAuthor Commented:
Another thing I just noticed:  remote PC A can ping remote PC B and vise versa by name (it resolves correctly to the IP), though neither one can ping 'server' (192.168.1.5).
0
Fatal_ExceptionSystems EngineerCommented:
Are you saying you are running a Domain and using a router to handle DNS for you?  If so, I would consider this the main problem...
0
technologyworksCommented:
Active directory relies SO heavily on DNS that you need to re-think your layout. Either configure the remote PCs (.3.x) to use 192.168.1.5 as their primary DNS server (which should not create _that_ much extra traffic), or install a secondary DNS server at the remote site (and use the Win2000 server as the primary).  Windows 2000 and higher use WINS primarily for backward compatibility. I would not rely on that as your main source of name resolution.
Another option (if resolving "server" is your only problem) is to just add a line to the HOSTS file of those remote PCs. That will fix the simple problem of resolving "server", but probably will not fix the username prompt.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Become a CompTIA Certified Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

rite_ehAuthor Commented:
That is exactly what I am doing. Is this not possible? I have it working at the '192.168.1' location. All PCs there are setup for DHCP and the router assigns IP addresses. The Win2000 server has a static of 192.168.1.5 and does not have the DHCP services installed/running. On any of these local PCs I can ping any member on the domain by name and it will resolve. Also all these PCs can access server resources and properly log on to / interact with the domain.

These local PCs are configured as follows:
- Dynamic IP addresses (acquired from 192.168.1.1 - hardware VPN router)
      ipconfig /all shows gateway and DNS servers of 192.168.1.1
- Members of the 'EXAMPLE' domain
-  WINS server manually added (192.168.1.5)

The remote PCs (192.168.3.x) can access domain resources by typing in the IP \\192.168.1.5\c and then manually logging in (evident they are not on the domain I presume).
The remote PCs that cannot ping domain members are configured as follows:
- Dynamic IP addresses (acquired from 192.168.3.1 - hardware VPN router)
      ipconfig /all shows gateway and DNS servers of 192.168.3.1
- Members of the 'EXAMPLE' domain
-  WINS server manually added (192.168.1.5)

I cannot have the Windows 2000 server looking after DHCP because of remote VPN sessions, etc. I cold change the internal local PCs (192.168.1.x addresses) to use the server (192.168.1.5) for DNS, but this configuration will not work for the remote users as I do not want their DNS server to be 192.168.1.5.

I was hoping the WINS server would allow the remote PCs to log into / access the domain, and resolve domain members while still using their local DNS server (192.168.3.1) but perhaps I am confused or not understanding the requirements of running a domain network.

Thanks for the suggestion thus far...
0
rite_ehAuthor Commented:
Sorry, technologyworks
I submitted my reply before refreshing. I'll take a read through it right now. Thanks.
0
rite_ehAuthor Commented:
Hi technologyworks,

Thanks for the reply. My reasons for not wanting to use DNS 1.5 for the remote PCs is traffic related, but also because of network issues. If the VPN link is down or the server is off a second DNS server would be necessary. I suppose I could add 192.168.3.1 into the remote PCs to accomodate this. However I also have two laptop users which roam between other locations as well (192.168.2,4,5,6.*) so they would have to have DNS servers of 192.168.1.5, 2.1, 3.1, 4.1, 5.1, 6.1 configured (which isn't a big deal). Does using 192.168.1.5 as the DNS server result in every LAN & WAN DNS request being processed by 1.5 or does the OS (2000 Pro / XP) cache some of these based on TTL?

I could also add an additional Windows 2000 server (as I have access to one) at 3.1 if that would buy me anything.

Thanks for the comments.
0
rite_ehAuthor Commented:
Hello again,

I just changed my primary DNS server on a 3.x PC to 192.168.1.5 and restarted it. Upon doing so an popup in the systray noted that network drives could not be connected. When I tried to access a network drive I was prompted for my username / password. Once I provided it I could access the drive. I then logged off and back on and when trying to access the same drive it gave me an error: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

I'm tempted to go back to running a standard workgroup network. I don't ever remember having these sort of issues with one.
0
Fatal_ExceptionSystems EngineerCommented:
Probably should have mentioned that this is a Workgroup and not a Domain, as you originally stated in the first sentence of your question....  with a Workgroup, you can use a router for DNS, but not in a Domain environment..  you do understand the difference, right?  :)
0
Fatal_ExceptionSystems EngineerCommented:
Or, did you just switch over to a Domain?  guess I am getting a litte confused here...  :)  When you install a DC, you have to install DNS, and it should be located on a server and not a router...  Especially if you want Active Directory Integration...  
0
rite_ehAuthor Commented:
No this is a domain network.

In the past (years ago) I ran a workgroup network. Is there any advantage to using a domain over a workgroup? I am not interested in active directory or the security a domain brings. If I can block certain PCs from accessing resources over a workgroup that is good enough for me... I want to do is be able to access printers, drives, etc. from any PC on my network without having to have all DNS revert to 192.168.1.5. (not to mention changing the VPN PCs to use 192.168.1.5 for DNS didn't work: prompted for passwords when accessing drives, etc.) Im I wasting my time with a domain?
0
Fatal_ExceptionSystems EngineerCommented:
Well, I really believe in Domain environments, but if all you want to do is share files, a workgroup will do..  The biggest advantange to a Domain is centralized management.. meaning users, permissions, security, etc...  and if you want to continue with this Domain, you really need to install DNS on the server and use Active Directory Integrated DNS...
0
rite_ehAuthor Commented:
FYI I got this to work by installing WINS on my server and I've chosen to use DNS servers of the server as primary and the local router as a secondary.
0
Fatal_ExceptionSystems EngineerCommented:
Very good!  and thanks..

FE
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.