PIX 501site to site VPN - DNS question

Posted on 2007-04-06
Last Modified: 2010-04-09
I have a few questions before I configure a site to site VPN...There are 3 locations, HQ, remote1, and remote2. HQ is the only location with a server (2003 Server). Both remote sites have XP machines in a workgroup using the ISP's DNS. I need to configure the network so all PCs are members of the HQ domain and can access domain resources. My question centers around the proper DNS setup at the remote sites...


I was planning on configuring DHCP on the remote PIXes to distribute addresses. I am a bit confused about what to enter for the DNS information...I know that I need for the client PCs to look at the server for Active Directory DNS...in a typical Windows domain, all client PCs point to the domain controller (or other DNS server) only. What is confusing me is how I handle Internet DNS requests at the remote sites. In other words, if I have all remote machines pointing to the HQ domain controller for DNS, then they will also look to this server to handle Internet DNS requests. I obviously don't want a machine at remote1 to have to query the HQ DC over a WAN link to get to google.com, for example. What is the proper way to configure DNS for this scenario?
Question by:FIFBA
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 18867640
Actually having the remote PC use only your HQ DNS server is correct. Adding the local ISP's DNS will cause slow logons, and name resolutions. From a performance point of view it will still actually work quite well. I doubt the users will notice the difference. The problem with this scenario is if the VPN link or remote server goes down they have no Internet access. As a rule, losing the server is the bigger issue, as there is no access to resources or even the ability to authenticate to the domain.
The way to resolve, when possible, is to add a local server running Active Directory which will automatically replicate user account and DNS information.
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 18867786
Agree with Rob. You have no choice except to point the users to your AD DNS server at HQ and let it resolve everything for them. You can always add a local ISP DNS as secondary so that if the VPN fails or DNS server fails for some reason, they can still get to Google. Trouble is that if they are in a domain, they won't be able to log in except with cached credentials if the VPN is down.
It does work just fine over VPN. Just be sure that the AD DNS is set up properly and end hosts are set to register themselves in DNS. You might find it necessary to enable WINS on your HQ network and add the WINS IPs to the DHCP configuration so that the end hosts actually find the domain controller when they first join the domain. You should not have to, but it often solves problems with name resolution over a WAN link and a VPN is just another WAN link.
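What the two answers amount to on a remote-site PIX, written out as an added example (my illustration in PIX 6.3 `dhcpd` syntax, not configuration posted in this thread; every address, the pool range and the domain name are constructed placeholders):

```text
! Added example, not from the original thread. Constructed placeholders:
!   10.1.0.10     = HQ domain controller running AD DNS (reached over the site-to-site VPN)
!   10.1.0.11     = HQ WINS server (per lrmoore's suggestion)
!   203.0.113.53  = ISP resolver, listed second only so clients keep Internet access if the VPN drops
!   192.168.2.0/24 = remote1 LAN behind the PIX's inside interface
!
! Hand out addresses on the inside interface of the remote PIX.
dhcpd address 192.168.2.50-192.168.2.80 inside
! Primary DNS is the HQ AD DNS server; it must have forwarders (or root hints) so it can
! answer Internet names such as google.com on the clients' behalf.
dhcpd dns 10.1.0.10 203.0.113.53
! WINS and the AD domain suffix help freshly joined XP hosts locate the domain controller.
dhcpd wins 10.1.0.11
dhcpd domain corp.example
dhcpd lease 86400
dhcpd enable inside
!
! Caveat on the secondary ISP resolver: a Windows client only asks it after the primary
! times out, and it can keep using the responder that answered for a while afterwards,
! so domain lookups may fail briefly after the VPN comes back until the client's resolver
! cache is cleared (ipconfig /flushdns) or the DHCP lease renews. Without the secondary,
! an outage means no Internet DNS at all, which is the trade-off Rob describes.
! DNS and domain traffic from 192.168.2.0/24 to the HQ server subnet must also be part
! of the VPN's interesting-traffic ACL (not shown here).
```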
LVL 77

Expert Comment

by:Rob Williams
ID: 18868028
Thanks FIFBA.
Cheers !
--Rob