PIX 501 site-to-site VPN - DNS question

I have a few questions before I configure a site-to-site VPN. There are 3 locations: HQ, remote1, and remote2. HQ is the only location with a server (2003 Server). Both remote sites have XP machines in a workgroup using the ISP's DNS. I need to configure the network so all PCs are members of the HQ domain and can access domain resources. My question centers around the proper DNS setup at the remote sites.


I was planning on configuring DHCP on the remote PIXes to distribute addresses. I am a bit confused about what to enter for the DNS information. I know that I need the client PCs to look at the server for Active Directory DNS; in a typical Windows domain, all client PCs point to the domain controller (or other DNS server) only. What is confusing me is how I handle Internet DNS requests at the remote sites. In other words, if I have all remote machines pointing to the HQ domain controller for DNS, then they will also look to this server to handle Internet DNS requests. I obviously don't want a machine at remote1 to have to query the HQ DC over a WAN link to get to google.com, for example. What is the proper way to configure DNS for this scenario?
FIFBA asked:
Rob Williams commented:
Actually, having the remote PCs use only your HQ DNS server is correct. Adding the local ISP's DNS will cause slow logons and name resolutions. From a performance point of view it will still actually work quite well; I doubt the users will notice the difference. The problem with this scenario is that if the VPN link or remote server goes down, they have no Internet access. As a rule, losing the server is the bigger issue, as there is no access to resources or even the ability to authenticate to the domain.
The way to resolve this, when possible, is to add a local server running Active Directory, which will automatically replicate user account and DNS information.

lrmoore commented:
Agree with Rob. You have no choice except to point the users to your AD DNS server at HQ and let it resolve everything for them. You can always add a local ISP DNS as secondary so that if the VPN fails or the DNS server fails for some reason, they can still get to Google. Trouble is that if they are in a domain, they won't be able to log in except with cached credentials if the VPN is down.
It does work just fine over VPN. Just be sure that the AD DNS is set up properly and end hosts are set to register themselves in DNS. You might find it necessary to enable WINS on your HQ network and add the WINS IPs to the DHCP configuration so that the end hosts actually find the domain controller when they first join the domain. You should not have to, but it often solves problems with name resolution over a WAN link, and a VPN is just another WAN link.
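To make the two answers concrete, here is how the remote-site DHCP scope described above would look on a PIX 501 running 6.3 software. This is an added example, not configuration posted by anyone in the thread; the domain name and every address (HQ domain controller 10.1.0.10, remote1 LAN 10.2.0.0/24, ISP resolver 203.0.113.53) are hypothetical placeholders.

```cisco
! Added example (not from the thread). Hypothetical addressing:
!   HQ domain controller = AD DNS = WINS  : 10.1.0.10
!   remote1 inside LAN                   : 10.2.0.0/24 (PIX inside 10.2.0.1)
!   ISP recursive resolver               : 203.0.113.53
!
! --- remote1 PIX 501: DHCP for the inside LAN -------------------------
! Primary recommendation in the thread: hand out ONLY the HQ AD DNS server,
! plus WINS on the HQ DC, so clients can locate the domain controller
! across the tunnel. Internet names are resolved by the HQ DNS server on
! the clients' behalf (configure forwarders on the DC, see note below).
dhcpd address 10.2.0.100-10.2.0.131 inside
dhcpd dns 10.1.0.10
dhcpd wins 10.1.0.10
dhcpd domain corp.example.com
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd enable inside
!
! Variant (lrmoore's fallback): ISP resolver as the second DNS server so
! Internet browsing survives a VPN outage. Trade-off: when the ISP resolver
! is used it returns NXDOMAIN for corp.example.com and for the _ldap._tcp
! SRV records, so domain logons and resource access still fail while the
! tunnel is down; only cached credentials work.
! dhcpd dns 10.1.0.10 203.0.113.53
!
! --- DNS/WINS must ride the tunnel, not be NATed to the Internet --------
! The crypto ACL and the NAT-exemption ACL both have to cover the
! remote LAN <-> HQ LAN traffic, or DNS/UDP 53 and NetBIOS/137 to the DC
! leave via the outside interface and are dropped.
access-list nonat permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn_to_hq permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! (crypto map entries for vpn_to_hq omitted; they are the existing
!  site-to-site configuration, unchanged by this DNS design)
```

On the HQ Windows Server 2003 DNS server, the "let HQ resolve everything" design only performs acceptably if the DC forwards Internet queries to the HQ ISP's resolvers (DNS console, server properties, Forwarders tab, or `dnscmd . /ResetForwarders 203.0.113.53`, again a placeholder address) instead of walking the root hints for every remote lookup. A quick check from a remote XP client after it gets a lease is `nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com`: it must answer from 10.1.0.10 with the DC's name, and `ipconfig /all` should show only the HQ server under DNS Servers unless you deliberately chose the fallback variant.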
Rob Williams commented:
Thanks FIFBA.
Cheers !
--Rob