PIX 501site to site VPN - DNS question

Posted on 2007-04-06
Last Modified: 2010-04-09
I have a few questions before I configure a site-to-site VPN... There are 3 locations: HQ, remote1, and remote2. HQ is the only location with a server (2003 Server). Both remote sites have XP machines in a workgroup using the ISP's DNS. I need to configure the network so all PCs are members of the HQ domain and can access domain resources. My question centers around the proper DNS setup at the remote sites...


I was planning on configuring DHCP on the remote PIXs to distribute addresses. I am a bit confused about what to enter for the DNS information... I know that I need the client PCs to look at the server for Active Directory DNS... in a typical Windows domain, all client PCs point to the domain controller (or other DNS server) only. What is confusing me is how I handle Internet DNS requests at the remote sites. In other words, if I have all remote machines pointing to the HQ domain controller for DNS, then they will also look to this server to handle Internet DNS requests. I obviously don't want a machine at remote1 to have to query the HQ DC over a WAN link to get to google.com, for example. What is the proper way to configure DNS for this scenario?
Question by:FIFBA
Accepted Solution

by: Rob Williams (earned 250 total points)
Actually, having the remote PCs use only your HQ DNS server is correct. Adding the local ISP's DNS will cause slow logons and name resolution. From a performance point of view it will still actually work quite well. I doubt the users will notice the difference. The problem with this scenario is if the VPN link or remote server goes down they have no Internet access. As a rule, losing the server is the bigger issue, as there is no access to resources or even the ability to authenticate to the domain.
The way to resolve this, when possible, is to add a local server running Active Directory, which will automatically replicate user account and DNS information.
Assisted Solution

by: lrmoore (earned 250 total points)
Agree with Rob. You have no choice except to point the users to your AD DNS server at HQ and let it resolve everything for them. You can always add a local ISP DNS as secondary so that if the VPN fails or the DNS server fails for some reason, they can still get to Google. Trouble is that if they are in a domain, they won't be able to log in except with cached credentials if the VPN is down.
It does work just fine over VPN. Just be sure that the AD DNS is set up properly and end hosts are set to register themselves in DNS. You might find it necessary to enable WINS on your HQ network and add the WINS IPs to the DHCP configuration so that the end hosts actually find the domain controller when they first join the domain. You should not have to, but it often solves problems with name resolution over a WAN link, and a VPN is just another WAN link.
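To make the two answers concrete, here is what the DHCP block on a remote-site PIX 501 (PIX OS 6.x `dhcpd` syntax) looks like with the HQ AD DNS first and, per lrmoore's suggestion, the ISP resolver as a fallback secondary, plus WINS and the domain suffix. This is an added example, not configuration from either expert or the asker; the addresses (10.1.1.5 for the HQ DC, 192.168.1.0/24 for remote1, 198.51.100.53 for the ISP resolver) and the domain name corp.example are assumed placeholders.

```cisco
! remote1 PIX 501 (PIX OS 6.x) - DHCP scope for the inside LAN.
! All addresses and the domain name are assumed placeholders:
!   10.1.1.5      = HQ domain controller running AD-integrated DNS (and WINS),
!                   reached across the site-to-site tunnel
!   198.51.100.53 = local ISP resolver, listed SECOND so clients use it only
!                   when the HQ server does not answer
!
! Pool handed out on the inside interface
dhcpd address 192.168.1.10-192.168.1.100 inside
!
! Primary DNS is the AD DNS at HQ: it answers the domain's records and forwards
! Internet names itself. Secondary is the ISP resolver, so Internet browsing
! survives a tunnel or DC outage (domain logons then only work with cached
! credentials, as lrmoore notes). Leave the ISP entry out if you follow Rob's
! advice of HQ-only DNS; it is a fallback, not a load-sharing setting.
dhcpd dns 10.1.1.5 198.51.100.53
!
! WINS at HQ helps XP hosts find the DC when first joining the domain over the VPN
dhcpd wins 10.1.1.5
!
! Domain suffix so single-label names (e.g. "server1") are tried as
! server1.corp.example against the HQ DNS
dhcpd domain corp.example
dhcpd lease 86400
dhcpd enable inside
!
! Caveats (not shown here): the crypto ACL that selects tunnel traffic and the
! matching nat 0 exemption must cover 192.168.1.0/24 <-> the HQ subnet, or DNS
! queries to 10.1.1.5 go out to the ISP in the clear instead of into the tunnel.
! Also, the Windows XP resolver can keep preferring the secondary for a while
! after the primary times out, so the HQ DNS must be reliably reachable or
! domain name resolution will intermittently fail even when the tunnel is up.
```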
Expert Comment

by: Rob Williams
Thanks FIFBA.
Cheers !
--Rob