rite_eh

asked on

Domain & VPN problems

Hello,

I am having a problem with my domain network and accessing it across a VPN. My VPN is done using 2 Nortel routers and it is a branch office VPN. Here is my config:

[client PCs]----------[windows 2000 AS - 192.168.1.5]----------[VPN router - 192.168.1.1]=====TUNNEL=====[VPN router - 192.168.3.1]----------[remote PCs]

The router is running DHCP (not the 2000 server). The 2000 server is running WINS and all client PCs are using DHCP with a WINS server added manually (192.168.1.5). All client PCs therefore use 192.168.1.1 as their DNS server (not the windows 2000 server). The remote PCs have been members of the domain before they were moved to the remote location. They list the domain in the list before logon still. They can ping 192.168.1.5 but the name 'server' will not resolve to 192.168.1.5 as it does on the local client PCs. The remote PCs also have the same WINS entry (192.168.1.5). If I try and access a resource on the Windows 2000 server from a remote PC I am incorrectly prompted for a username / password. If I change the DNS server on the remote PC from 192.168.3.1 to 192.168.1.5 this allows the remote PCs to log onto the domain. However, I do not want to network them this way as it will complicate my setup and increase traffic in the VPN tunnel. I was hoping that by using WINS I could log onto the domain from the VPN as I can with the local client PCs. My VPN doesn't block ANY traffic/ports, and every 192.168.1.x resource can access any 192.168.3.x resource (and vice versa).

Any suggestions?
rite_eh

ASKER

Another thing I just noticed:  remote PC A can ping remote PC B and vice versa by name (it resolves correctly to the IP), though neither one can ping 'server' (192.168.1.5).
SOLUTION
Fatal_Exception

This solution is only available to members.
ASKER CERTIFIED SOLUTION

This solution is only available to members.

ASKER

That is exactly what I am doing. Is this not possible? I have it working at the '192.168.1' location. All PCs there are setup for DHCP and the router assigns IP addresses. The Win2000 server has a static of 192.168.1.5 and does not have the DHCP services installed/running. On any of these local PCs I can ping any member on the domain by name and it will resolve. Also all these PCs can access server resources and properly log on to / interact with the domain.

These local PCs are configured as follows:
- Dynamic IP addresses (acquired from 192.168.1.1 - hardware VPN router)
      ipconfig /all shows gateway and DNS servers of 192.168.1.1
- Members of the 'EXAMPLE' domain
-  WINS server manually added (192.168.1.5)

The remote PCs (192.168.3.x) can access domain resources by typing in the IP \\192.168.1.5\c and then manually logging in (evidence that they are not on the domain, I presume).
The remote PCs that cannot ping domain members are configured as follows:
- Dynamic IP addresses (acquired from 192.168.3.1 - hardware VPN router)
      ipconfig /all shows gateway and DNS servers of 192.168.3.1
- Members of the 'EXAMPLE' domain
-  WINS server manually added (192.168.1.5)

I cannot have the Windows 2000 server looking after DHCP because of remote VPN sessions, etc. I could change the internal local PCs (192.168.1.x addresses) to use the server (192.168.1.5) for DNS, but this configuration will not work for the remote users as I do not want their DNS server to be 192.168.1.5.

I was hoping the WINS server would allow the remote PCs to log into / access the domain, and resolve domain members while still using their local DNS server (192.168.3.1) but perhaps I am confused or not understanding the requirements of running a domain network.

Thanks for the suggestion thus far...

ASKER

Sorry, technologyworks
I submitted my reply before refreshing. I'll take a read through it right now. Thanks.

ASKER

Hi technologyworks,

Thanks for the reply. My reasons for not wanting to use DNS 1.5 for the remote PCs are traffic related, but also because of network issues. If the VPN link is down or the server is off a second DNS server would be necessary. I suppose I could add 192.168.3.1 into the remote PCs to accommodate this. However I also have two laptop users which roam between other locations as well (192.168.2,4,5,6.*) so they would have to have DNS servers of 192.168.1.5, 2.1, 3.1, 4.1, 5.1, 6.1 configured (which isn't a big deal). Does using 192.168.1.5 as the DNS server result in every LAN & WAN DNS request being processed by 1.5 or does the OS (2000 Pro / XP) cache some of these based on TTL?

I could also add an additional Windows 2000 server (as I have access to one) at 3.1 if that would buy me anything.

Thanks for the comments.

ASKER

Hello again,

I just changed my primary DNS server on a 3.x PC to 192.168.1.5 and restarted it. Upon doing so a popup in the systray noted that network drives could not be connected. When I tried to access a network drive I was prompted for my username / password. Once I provided it I could access the drive. I then logged off and back on and when trying to access the same drive it gave me an error: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

I'm tempted to go back to running a standard workgroup network. I don't ever remember having these sort of issues with one.
Probably should have mentioned that this is a Workgroup and not a Domain, as you originally stated in the first sentence of your question....  with a Workgroup, you can use a router for DNS, but not in a Domain environment..  you do understand the difference, right?  :)
Or, did you just switch over to a Domain?  guess I am getting a little confused here...  :)  When you install a DC, you have to install DNS, and it should be located on a server and not a router...  Especially if you want Active Directory Integration...  
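The point Fatal_Exception makes above, that a Windows 2000 domain member finds its domain controller through DNS on a server rather than through a router's DNS, can be checked from a host on either side of the tunnel with the script below. It is an added example, not code from this thread or from Experts Exchange; it uses only the Python standard library. The domain name example.local, the NetBIOS name EXAMPLE and the addresses 192.168.1.5 / 192.168.3.1 are assumptions standing in for the poster's real values, and the two sample responses at the bottom are constructed, not captured traffic. It hand-builds a DNS SRV query for _ldap._tcp.dc._msdcs.<domain> (the record an Active Directory client uses to locate a DC) and a NetBIOS name query for <domain>[1C] (the WINS group registration NT4-style logon uses), sends each to a chosen server, and parses the answers.

```python
# Added example, not from the thread: how a Windows 2000 domain member can locate a DC,
# via DNS SRV (_ldap._tcp.dc._msdcs.<domain>, what AD needs) or via WINS <NETBIOS domain>[1C].
# Stdlib only; example.local, EXAMPLE and the 192.168.x.x addresses are assumed placeholders.
import random, socket, struct

SRV, NB = 33, 0x20              # record types: SRV (RFC 2782), NetBIOS NB (RFC 1002)

def encode_dns_name(name):                                # dotted name -> length-prefixed labels
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding: 15-char padded name + suffix byte -> 32 letters A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"\x20" + b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (dotted name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def build_query(txid, qname_wire, qtype):
    """Standard query, RD set, one question; unicast, so no NBNS broadcast flag."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname_wire + struct.pack("!HH", qtype, 1)

def parse_answers(msg, txid):
    """Answer section as [(rtype, rdata_offset, rdlen)]; [] when the server returned an RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our transaction id")
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):                                   # WINS replies usually carry qd == 0
        off = read_name(msg, off)[1] + 4
    out = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        out.append((rtype, off + 10, rdlen))
        off += 10 + rdlen
    return out

def parse_srv(msg, txid):
    """SRV answers as sorted (priority, weight, port, target)."""
    recs = []
    for rtype, off, _ in parse_answers(msg, txid):
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            recs.append((prio, weight, port, read_name(msg, off + 6)[0]))
    return sorted(recs)

def parse_nb(msg, txid):
    """NB answers as IPv4 strings; each RDATA entry is 2 bytes NB_FLAGS + 4 bytes address."""
    return [socket.inet_ntoa(msg[i + 2:i + 6])
            for rtype, off, rdlen in parse_answers(msg, txid) if rtype == NB
            for i in range(off, off + rdlen, 6)]

def dc_locator_srv_names(domain):
    """SRV names a Windows 2000 DC registers; a member must resolve these to log on."""
    d = domain.rstrip(".").lower()
    return ["_ldap._tcp.dc._msdcs." + d, "_kerberos._tcp.dc._msdcs." + d,
            "_ldap._tcp." + d, "_kerberos._tcp." + d, "_kpasswd._tcp." + d]

def udp_exchange(server, port, packet, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        return s.recv(4096)

def find_dc(domain, dns_server, netbios_domain, wins_server):
    """Returns (SRV records dns_server gives for the DC, IPs WINS holds for <netbios_domain>[1C])."""
    txid = random.randrange(1, 0xFFFF)
    srv_q = build_query(txid, encode_dns_name(dc_locator_srv_names(domain)[0]), SRV)
    nb_q = build_query(txid, encode_netbios_name(netbios_domain, 0x1C), NB)
    return (parse_srv(udp_exchange(dns_server, 53, srv_q), txid),
            parse_nb(udp_exchange(wins_server, 137, nb_q), txid))

# Constructed sample responses (not captured traffic) so the parsers can run offline.
def sample_srv_response(txid):
    q = encode_dns_name("_ldap._tcp.dc._msdcs.example.local")
    rdata = struct.pack("!HHH", 0, 100, 389) + encode_dns_name("server.example.local")
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + q + struct.pack("!HH", SRV, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata)

def sample_nb_response(txid):
    rdata = b"\x80\x00" + socket.inet_aton("192.168.1.5")           # group flag, then address
    return (struct.pack("!HHHHHH", txid, 0x8580, 0, 1, 0, 0) + encode_netbios_name("EXAMPLE", 0x1C)
            + struct.pack("!HHIH", NB, 1, 300000, len(rdata)) + rdata)

if __name__ == "__main__":
    for dns in ("192.168.3.1", "192.168.1.5"):        # router forwarder vs the Windows 2000 server
        try:
            print(dns, find_dc("example.local", dns, "EXAMPLE", "192.168.1.5"))
        except (OSError, ValueError) as err:
            print(dns, "failed:", err)
```

Run from a remote PC, the SRV query to the router (192.168.3.1) shows whether that DNS server can name a DC at all; if it cannot, and the same query to 192.168.1.5 returns server.example.local on port 389, that is the difference the poster saw when switching the remote PC's DNS server. The WINS 1C lookup is the separate check: it tells you whether the WINS server actually holds the domain's group registration, independent of DNS. A member that resolves neither has no way to find a DC and falls back to prompting for credentials on each share, which matches the symptoms above.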

ASKER

No this is a domain network.

In the past (years ago) I ran a workgroup network. Is there any advantage to using a domain over a workgroup? I am not interested in active directory or the security a domain brings. If I can block certain PCs from accessing resources over a workgroup that is good enough for me... All I want to do is be able to access printers, drives, etc. from any PC on my network without having to have all DNS revert to 192.168.1.5. (not to mention changing the VPN PCs to use 192.168.1.5 for DNS didn't work: prompted for passwords when accessing drives, etc.) Am I wasting my time with a domain?
SOLUTION

This solution is only available to members.

ASKER

FYI I got this to work by installing WINS on my server and I've chosen to use DNS servers of the server as primary and the local router as a secondary.
Very good!  and thanks..

FE