Solved

Problems authenticating to domain over the WAN via VPN

Posted on 2008-06-17
3
349 Views
Last Modified: 2010-04-12
Here's the setup.

We have 2 physical locations, approximately 20 blocks apart, connected via a gateway to gateway VPN tunnel. VPN tunnel is connected and stable, and has been for months.

At Site A, I have a Sonicwall TZ170 router at 192.168.1.254. The internal LAN is 192.168.1.x. Windows Server 2003 domain controller is at Site A at 192.168.1.50. DC is also the DNS, and DHCP server, though all clients except those connecting wirelessly are using static IP's.
At Site B, I have a Linksys RV082 router at 192.168.10.1. The internal LAN is 192.168.10.x. Clients on this site are using static IP's. For their DNS information I have 192.168.1.50 and 192.168.10.1, in that order.

All computers at both locations are members of the domain. All users have a logon script, logon.bat, which deletes, then re-maps a couple of network drives, and maps 2 printers. In the last few days, I am having a number of issues.

1. Users at Site B sometimes get "domain is not available" when trying to log on. Will usually let them on after several tries or a reboot.
2. Users at Site B are sometimes not able to access the network drives. They receive "the system detected a possible attempt to compromise security make sure you can contact the server that authenticated you"
3. Intermittently not able to ping the DNS server by name. Pinging by IP works.
4. Intermittently not able to  browse network folders by name.
5. Intermittently not able to authenticate to network folders, get "domain controller could not be contacted" message.
6. Intermittently get "An error occured while connecting to... the local device name is already in use. The connection has not been restored"

So, this all points to a DNS issue, obviously. What I'm wondering is how I should have my clients configured so I can eliminate these domain logon and shared folder issues. Also, should I set up the Linksys router at Site B to use the DNS from Site A? Currently it is using  the ISP DNS. If I do this, will it affect the users internet access at Site B?

Thanks
0
Comment
Question by:Ivrnet
  • 2
3 Comments
 
LVL 11

Accepted Solution

by:
rowansmith earned 500 total points
Comment Utility
Unless your Active Directory DNS is publicy available via the Internet then you should completely remove the 192.168.10.1 entry from the DNS configuration on each client at Site B.

Clients need to be able to resolve addresses that are in the active directory namespace at all times, if they can not for any reason then services will fail as you are describing.  If your ISP DNS Server can not see your AD internal DNS (which I suspect very much that it can not) then you should remove it completely.

I would recommend running a slave DNS Server at your remote site, ideally another domain controller would be the best bet, but if not just a DNS Server that replicates all the AD specific entries to the other site using standard secondary transfers.

-Rowan
0
 

Author Comment

by:Ivrnet
Comment Utility
Okay, I did as you suggested. I also added a WINS entry on each client at Site B for 192.168.1.50. Issue seems to be resolved for now. They are moving from that location to an office witiin the same building, so it's not feasible to put a 2nd DC there right now. Hopefully this will work until the move happens. Thanks.
0
 
LVL 11

Expert Comment

by:rowansmith
Comment Utility
I will keep this question monitored for the next month or so.  If you have any other problems let me know.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now