Solved

Domain & VPN problems

Posted on 2006-10-24
Last Modified: 2010-03-18
Hello,

I am having a problem with my domain network and accessing it across a VPN. My VPN is done using 2 Nortel routers and it is a branch office VPN. Here is my config:

[client PCs]----------[windows 2000 AS - 192.168.1.5]----------[VPN router - 192.168.1.1]=====TUNNEL=====[VPN router - 192.168.3.1]----------[remote PCs]

The router is running DHCP (not the 2000 server). The 2000 server is running WINS and all client PCs are using DHCP with a WINS server added manually (192.168.1.5). All client PCs therefore use 192.168.1.1 as their DNS server (not the windows 2000 server). The remote PCs have been members of the domain before they were moved to the remote location. They list the domain in the list before logon still. They can ping 192.168.1.5 but the name 'server' will not resolve to 192.168.1.5 as it does on the local client PCs. The remote PCs also have the same WINS entry (192.168.1.5). If I try and access a resource on the Windows 2000 server from a remote PC I am incorrectly prompted for a username / password. If I change the DNS server on the remote PC from 192.168.3.1 to 192.168.1.5 this allows the remote PCs to log onto the domain. However, I do not want to network them this way as it will complicate my setup and increase traffic in the VPN tunnel. I was hoping that by using WINS I could log onto the domain from the VPN as I can with the local client PCs. My VPN doesn't block ANY traffic/ports, and every 192.168.1.x resource can access any 192.168.3.x resource (and vice versa).

Any suggestions?
Question by:rite_eh
13 Comments
LVL 1

Author Comment

by:rite_eh
ID: 17799689
Another thing I just noticed: remote PC A can ping remote PC B and vice versa by name (it resolves correctly to the IP), though neither one can ping 'server' (192.168.1.5).
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 150 total points
ID: 17800352
Are you saying you are running a Domain and using a router to handle DNS for you?  If so, I would consider this the main problem...
LVL 3

Accepted Solution

by:technologyworks
technologyworks earned 350 total points
ID: 17800807
Active directory relies SO heavily on DNS that you need to re-think your layout. Either configure the remote PCs (.3.x) to use 192.168.1.5 as their primary DNS server (which should not create _that_ much extra traffic), or install a secondary DNS server at the remote site (and use the Win2000 server as the primary).  Windows 2000 and higher use WINS primarily for backward compatibility. I would not rely on that as your main source of name resolution.
Another option (if resolving "server" is your only problem) is to just add a line to the HOSTS file of those remote PCs. That will fix the simple problem of resolving "server", but probably will not fix the username prompt.
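The accepted answer's point, that a domain member must be able to reach a DNS server that knows the Active Directory zone, can be checked directly: when a domain client looks for a domain controller it asks DNS for the SRV record `_ldap._tcp.dc._msdcs.<domain>`. The script below is an added example written for this page, not code from the thread, from Nortel or from any Microsoft tool. It builds that SRV query, parses the reply, and reports whether the resolver can locate a DC. Run with no argument it works offline against two constructed replies that model the two resolvers in the thread (an AD-integrated DNS server answering with a record, and a router that knows nothing about the domain answering NXDOMAIN); run with an IP address it sends the real query to that server. The domain name `example.local` and the target `server.example.local` are placeholders, since the thread only calls the domain 'EXAMPLE'.

```python
import socket
import struct
import sys

# Placeholder: the thread only calls the domain 'EXAMPLE'; substitute the real AD DNS name.
AD_DOMAIN = "example.local"
# The SRV name a domain member queries when it looks for a domain controller.
DC_SRV_NAME = "_ldap._tcp.dc._msdcs." + AD_DOMAIN
SRV = 33  # DNS record type number for SRV


def _encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Build a standard recursion-desired DNS query for the SRV record of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + _encode_name(name) + struct.pack(">HH", SRV, 1)  # QCLASS=IN


def _read_name(packet, offset):
    """Decode a (possibly compressed) DNS name; return (name, offset after the name)."""
    labels, jumped, after = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            pointer = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                after = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                after = offset
            return ".".join(labels), after
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_srv_response(packet):
    """Return [(priority, weight, port, target), ...]; [] on a non-zero RCODE or no SRV answers."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if flags & 0x000F:  # RCODE != 0 (3 = NXDOMAIN): this resolver knows nothing about the name
        return []
    offset = 12
    for _ in range(qdcount):
        _name, offset = _read_name(packet, offset)
        offset += 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        _name, offset = _read_name(packet, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == SRV:
            priority, weight, port = struct.unpack(">HHH", packet[offset:offset + 6])
            target, _ = _read_name(packet, offset + 6)
            records.append((priority, weight, port, target))
        offset += rdlength
    return records


def build_srv_response(query, answers):
    """Constructed reply for the offline demonstration only (not a real server's output)."""
    txid = struct.unpack(">H", query[:2])[0]
    if not answers:
        return struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 0, 0) + query[12:]  # NXDOMAIN
    body = query[12:]  # echo the question section
    for priority, weight, port, target in answers:
        rdata = struct.pack(">HHH", priority, weight, port) + _encode_name(target)
        body += b"\xc0\x0c" + struct.pack(">HHIH", SRV, 1, 600, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0) + body


def diagnose(records, dns_server):
    """Turn the parsed answer into the verdict an admin wants: can this client find a DC?"""
    if not records:
        return "FAIL: %s returned no DC SRV records; domain logon via this resolver cannot work" % dns_server
    targets = ", ".join("%s:%d" % (t, p) for _pri, _w, p, t in records)
    return "OK: %s can locate a domain controller (%s)" % (dns_server, targets)


def query_dns_server(dns_server, name=DC_SRV_NAME, timeout=3.0):
    """Live check: send the SRV query over UDP/53 to `dns_server` and parse the reply."""
    query = build_srv_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (dns_server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_dc_dns.py 192.168.1.5
        print(diagnose(query_dns_server(sys.argv[1]), sys.argv[1]))
    else:  # offline walk-through with constructed replies modelling the two resolvers
        q = build_srv_query(DC_SRV_NAME)
        good = build_srv_response(q, [(0, 100, 389, "server." + AD_DOMAIN)])
        bad = build_srv_response(q, [])
        print(diagnose(parse_srv_response(good), "192.168.1.5 (AD-integrated DNS)"))
        print(diagnose(parse_srv_response(bad), "192.168.3.1 (router forwarder)"))
```

Run from a remote PC against each resolver it is configured with; a server that answers the `_msdcs` SRV query with a DC name can support domain logon, while a resolver that returns NXDOMAIN (the expected result from a router that only forwards to the ISP) will never let the client find a domain controller, whatever WINS says. This is the same split the accepted answer describes: either point the remote clients at the AD DNS server or give the remote site a DNS server that carries the AD zone.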
LVL 1

Author Comment

by:rite_eh
ID: 17800832
That is exactly what I am doing. Is this not possible? I have it working at the '192.168.1' location. All PCs there are set up for DHCP and the router assigns IP addresses. The Win2000 server has a static of 192.168.1.5 and does not have the DHCP services installed/running. On any of these local PCs I can ping any member on the domain by name and it will resolve. Also all these PCs can access server resources and properly log on to / interact with the domain.

These local PCs are configured as follows:
- Dynamic IP addresses (acquired from 192.168.1.1 - hardware VPN router)
      ipconfig /all shows gateway and DNS servers of 192.168.1.1
- Members of the 'EXAMPLE' domain
-  WINS server manually added (192.168.1.5)

The remote PCs (192.168.3.x) can access domain resources by typing in the IP \\192.168.1.5\c and then manually logging in (evident they are not on the domain I presume).
The remote PCs that cannot ping domain members are configured as follows:
- Dynamic IP addresses (acquired from 192.168.3.1 - hardware VPN router)
      ipconfig /all shows gateway and DNS servers of 192.168.3.1
- Members of the 'EXAMPLE' domain
-  WINS server manually added (192.168.1.5)

I cannot have the Windows 2000 server looking after DHCP because of remote VPN sessions, etc. I could change the internal local PCs (192.168.1.x addresses) to use the server (192.168.1.5) for DNS, but this configuration will not work for the remote users as I do not want their DNS server to be 192.168.1.5.

I was hoping the WINS server would allow the remote PCs to log into / access the domain, and resolve domain members while still using their local DNS server (192.168.3.1) but perhaps I am confused or not understanding the requirements of running a domain network.

Thanks for the suggestion thus far...
LVL 1

Author Comment

by:rite_eh
ID: 17800834
Sorry, technologyworks
I submitted my reply before refreshing. I'll take a read through it right now. Thanks.
LVL 1

Author Comment

by:rite_eh
ID: 17800862
Hi technologyworks,

Thanks for the reply. My reasons for not wanting to use DNS 1.5 for the remote PCs are traffic related, but also because of network issues. If the VPN link is down or the server is off a second DNS server would be necessary. I suppose I could add 192.168.3.1 into the remote PCs to accommodate this. However I also have two laptop users which roam between other locations as well (192.168.2,4,5,6.*) so they would have to have DNS servers of 192.168.1.5, 2.1, 3.1, 4.1, 5.1, 6.1 configured (which isn't a big deal). Does using 192.168.1.5 as the DNS server result in every LAN & WAN DNS request being processed by 1.5 or does the OS (2000 Pro / XP) cache some of these based on TTL?

I could also add an additional Windows 2000 server (as I have access to one) at 3.1 if that would buy me anything.

Thanks for the comments.
LVL 1

Author Comment

by:rite_eh
ID: 17800917
Hello again,

I just changed my primary DNS server on a 3.x PC to 192.168.1.5 and restarted it. Upon doing so a popup in the systray noted that network drives could not be connected. When I tried to access a network drive I was prompted for my username / password. Once I provided it I could access the drive. I then logged off and back on and when trying to access the same drive it gave me an error: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

I'm tempted to go back to running a standard workgroup network. I don't ever remember having these sort of issues with one.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 17808298
Probably should have mentioned that this is a Workgroup and not a Domain, as you originally stated in the first sentence of your question....  with a Workgroup, you can use a router for DNS, but not in a Domain environment..  you do understand the difference, right?  :)
LVL 40

Expert Comment

by:Fatal_Exception
ID: 17808316
Or, did you just switch over to a Domain?  guess I am getting a little confused here...  :)  When you install a DC, you have to install DNS, and it should be located on a server and not a router...  Especially if you want Active Directory Integration...
LVL 1

Author Comment

by:rite_eh
ID: 17815027
No this is a domain network.

In the past (years ago) I ran a workgroup network. Is there any advantage to using a domain over a workgroup? I am not interested in active directory or the security a domain brings. If I can block certain PCs from accessing resources over a workgroup that is good enough for me... All I want to do is be able to access printers, drives, etc. from any PC on my network without having to have all DNS revert to 192.168.1.5. (not to mention changing the VPN PCs to use 192.168.1.5 for DNS didn't work: prompted for passwords when accessing drives, etc.) Am I wasting my time with a domain?
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 150 total points
ID: 17816122
Well, I really believe in Domain environments, but if all you want to do is share files, a workgroup will do..  The biggest advantage to a Domain is centralized management.. meaning users, permissions, security, etc...  and if you want to continue with this Domain, you really need to install DNS on the server and use Active Directory Integrated DNS...
LVL 1

Author Comment

by:rite_eh
ID: 17982817
FYI I got this to work by installing WINS on my server and I've chosen to use DNS servers of the server as primary and the local router as a secondary.
LVL 40

Expert Comment

by:Fatal_Exception
ID: 17984198
Very good!  and thanks..

FE