W2k3 child domain over VPN - problem when VPN down

Hi folks,

The situation is as follows:

Parent domain: parent.net
DCs: SERVER1 and SERVER2 (both are configured as Global Catalog)
OS: Windows 2003 Server Enterprise (both servers)
Subnet 10.1.0.0/24

Child domain: child.parent.net
DC: CHILDSERVER (also set as Global Catalog)
OS: Windows 2003 Server Standard
Subnet 10.20.0.0/24

Both segments have a firewall which establishes an IPsec VPN tunnel. All TCP and UDP ports are open between the servers in both locations.

Now the problem is that everything works fine as long as the VPN tunnel is up. As soon as it's down, the users can't log on to their Windows PCs anymore, and even when the screen is locked they cannot unlock it with their correct password. The users are created under child.parent.net.

What can we do to solve this issue? I thought it would be okay when the child domain DC is set as Global Catalog as well...

Thanks!
Smudo

1 Solution
 
Toni Uranjek (Consultant/Trainer) commented:
Hi!

You should have at least one GC on every site. But the question is, how is your DNS configured?

Toni
SmudoCH (Author) commented:
Hi Toni,

At the parent domain, the DNS for parent.net is AD integrated. We created an additional zone (Secondary) for the domain child.parent.net.

At the remote subnet it's the same. child.parent.net is AD integrated and parent.net is a Secondary zone.

Smudo
Toni Uranjek (Consultant/Trainer) commented:
I'm not sure I understand. Who has problems logging on? Clients from subnet 10.20.0.0/24 can't log on to the child domain if the VPN link is down? How is DNS configured on the clients with this problem?
SmudoCH (Author) commented:
Yes, clients in the child domain can't log on when the VPN is down. The client PCs are configured with the DNS server of child.parent.net (CHILDSERVER). They don't query any DNS server from parent.net directly.
Toni Uranjek (Consultant/Trainer) commented:
Strange. What happens when the VPN is down and you try "nslookup domain.com" (substitute domain.com with your child domain FQDN) on one of your clients?
SmudoCH (Author) commented:
The clients are able to resolve any DNS name even when the VPN is down. But I get a strange message when entering nslookup:

*** Can't find server name for address 10.20.0.3: Non-existent domain
Default Server:  UnKnown
Address:  10.20.0.3

10.20.0.3 is the DC from child.parent.net and is configured as the DNS server... Strange. As additional information, the client in the child domain is still able to look up hostnames in the parent domain when the VPN is down. The name entries from the parent domain are transferred to 10.20.0.3 because we configured a parent.net Secondary zone.

Toni Uranjek (Consultant/Trainer) commented:
I believe you are missing PTR records in the reverse lookup zone; this error is unrelated to your problem.

Check the existence of SRV records on your DNS: http://support.microsoft.com/kb/816587
SmudoCH (Author) commented:
Hmm, the SRV records are present. I have two entries there, one for _kerberos and one for _ldap.
Toni Uranjek (Consultant/Trainer) commented:
Hi! Two entries are not enough. Please check the text file containing the appropriate DNS resource records. The file, called Netlogon.dns, is created in the %systemroot%\System32\config folder and contains all the records needed to register the resource records of the domain controller.
Compare the contents of netlogon.dns with _msdcs.domain.com.
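As an added example, not part of the thread: a small Python script that does the comparison Toni describes, reporting which records listed in a Netlogon.dns file are absent from a dump of the DNS zone. Both record sets are constructed samples in Netlogon.dns line format, built from the names used in this thread; the zone dump mirrors the case where only the two records under _msdcs\dc\_tcp exist.

```python
"""Report records a DC expects to register (Netlogon.dns) that the DNS zone
does not hold. Both inputs are constructed samples, not data from the thread."""
import re

# Constructed excerpt in Netlogon.dns line format: "<owner> <ttl> IN <type> <rdata>".
NETLOGON_DNS = """\
child.parent.net. 600 IN A 10.20.0.3
_ldap._tcp.child.parent.net. 600 IN SRV 0 100 389 CHILDSERVER.child.parent.net.
_ldap._tcp.dc._msdcs.child.parent.net. 600 IN SRV 0 100 389 CHILDSERVER.child.parent.net.
_kerberos._tcp.dc._msdcs.child.parent.net. 600 IN SRV 0 100 88 CHILDSERVER.child.parent.net.
_ldap._tcp.pdc._msdcs.child.parent.net. 600 IN SRV 0 100 389 CHILDSERVER.child.parent.net.
_kerberos._tcp.child.parent.net. 600 IN SRV 0 100 88 CHILDSERVER.child.parent.net.
_kpasswd._tcp.child.parent.net. 600 IN SRV 0 100 464 CHILDSERVER.child.parent.net.
_gc._tcp.parent.net. 600 IN SRV 0 100 3268 CHILDSERVER.child.parent.net.
gc._msdcs.parent.net. 600 IN A 10.20.0.3
"""

# Constructed zone dump mirroring the thread: besides the host A record, only
# the two SRV records under _msdcs\dc\_tcp are present.
ZONE_RECORDS = """\
child.parent.net. 600 IN A 10.20.0.3
_ldap._tcp.dc._msdcs.child.parent.net. 600 IN SRV 0 100 389 CHILDSERVER.child.parent.net.
_kerberos._tcp.dc._msdcs.child.parent.net. 600 IN SRV 0 100 88 CHILDSERVER.child.parent.net.
"""

LINE_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<rdata>.+)$")

def parse_records(text):
    """Return a set of (owner, type, rdata) tuples. TTL is ignored because only
    the record's presence matters; names are lower-cased (DNS is case-insensitive)."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and BIND-style comments
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record line: {line!r}")
        records.add((m["owner"].lower(), m["type"].upper(), m["rdata"].lower()))
    return records

def missing_records(expected_text, zone_text):
    """Records from Netlogon.dns that the zone does not hold, sorted by owner."""
    return sorted(parse_records(expected_text) - parse_records(zone_text))

if __name__ == "__main__":
    for owner, rtype, rdata in missing_records(NETLOGON_DNS, ZONE_RECORDS):
        print(f"MISSING {rtype:5} {owner} -> {rdata}")
```

On a real DC, the zone dump can be produced with the DNS console's export or a zone transfer, and every line this script reports is a record that clients will be unable to find when the site is isolated.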
SmudoCH (Author) commented:
Oh, really? When I open the netlogon.dns on the child.parent.net DC I see around 40 entries!

Maybe it's necessary to expand the setup a bit.

We also have other child domains added to parent.net. Let's call them child2.parent.net and child3.parent.net. These sites are configured in Sites and Services to only replicate from the site containing the parent domain (parent.net). The checkbox to bridge all links is checked.

On the child.parent.net DC I see many entries from the other child domains in netlogon.dns as well. Is there a way I can fix this issue with a DNS GUI option, or do I have to add the entries manually in the end?
Toni Uranjek (Consultant/Trainer) commented:
The number of entries depends on the number of DCs, sites, global catalogs, etc.
Restarting the Netlogon service should re-register all SRV records, but you have to restart this service on all of your DCs in the child domain.
Use the "nltest /dsgetdc:domainname" command on clients to verify that a domain controller can be located for your domain.
SmudoCH (Author) commented:
There's only one DC in that child domain. I restarted the Netlogon service. The clients are able to locate that DC without any problem.

But still I see only two entries in DNS\Forward Lookup Zones\child.parent.net\_msdcs\dc\_tcp

The two entries are:

_kerberos   Service Location (SRV)   [0][100][88]    CHILDSERVER.child.parent.net
_ldap       Service Location (SRV)   [0][100][389]   CHILDSERVER.child.parent.net

Toni Uranjek (Consultant/Trainer) commented:
These two are fine, but do you have any other subfolders under _msdcs?
I understand that clients can connect to the DC when the VPN link is working; what happens with the "nltest /dsgetdc:domainname" command when the VPN link is down?
SmudoCH (Author) commented:
Very strange. I just did some tests on a client PC while the VPN was shut down. I could log on now without any problems. Also, when the computer was locked I could authenticate the child domain user and unlock the desktop.

I have no idea what setting this actually caused to work again. But thanks for your help toniur.