Solved

create a Host/Pointer record for a server on another VLAN

Posted on 2009-06-29
384 Views
Last Modified: 2012-05-07
We have 18 locations, and at each location new Windows 2008 Enterprise Edition servers are being installed. On our main VLAN I would like to have some sort of pointer so that when you ping one of the new servers (on another VLAN) it replies with the correct IP address. An example would be: if I am on VLAN 192.168.27.X and I want to ping the server, by name, on 192.168.13.X, how would I go about setting that up? I can already ping by IP and remote in; I just need to resolve the name thserv to the correct IP.
Question by:philtukey
21 Comments
 
LVL 14

Expert Comment

by:mds-cos
ID: 24740642
First, please clarify for me if you really are talking about VLANs (as in virtual LANs used to segment broadcast traffic within a single location), or are you talking about locations connected via VPN tunnels? I assume the latter since you discuss locations, but the way you asked the question I could be assuming wrong.

If you are talking about multiple locations connected via a secure tunnel, such as IPSEC VPN extending your LAN to a "VLAN", all you need to do is point workstations to an AD integrated DNS server, or a DNS server that is slaving off an AD DNS server.  All of the 2008 servers register themselves in DNS.

If you are talking about VLAN in the traditional sense, do you have the servers set up with multiple IP addresses and belonging to multiple VLAN segments, or with a single IP and belonging to a single VLAN segment? The former could present problems for TCP/IP since the server would be required to register all of its IP addresses in DNS and DNS would need to respond properly based on which VLAN is querying for the IP (NetBIOS won't care as it is broadcast based). I am not personally aware of this capability within Microsoft DNS server. If the latter, proceed as directed above -- all workstations pointing to AD DNS (of course workstations will then route traffic between VLAN segments to communicate with the server).

Strictly speaking from a design perspective, I would give the server a single IP address and run inter-VLAN routing for workstations utilizing that server resource.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24740674
DNS would be the way to go for name resolution in any network. Now, if you don't have DNS servers internally, then you can install hosts files on all of your clients, which is not the way to go. You can also set up WINS to have name resolution, but DNS is the best way to go and it can be set up pretty easily.
0
 
LVL 1

Author Comment

by:philtukey
ID: 24740714
They are all VLANs connected via VPN Tunnels
0
 
LVL 1

Author Comment

by:philtukey
ID: 24740722
Each one of our branch servers handles its own DNS. Not sure if that helps.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24740818
If the clients are pointing to internal DNS servers only and the internal DNS servers are replicating with each other, then you should not have any issues, but they must be replicating the zones to each other.
0
 
LVL 1

Author Comment

by:philtukey
ID: 24740834
I can ping the server by name from all the PCs on that subnet. However, I cannot ping that server by name from another subnet. I made sure that on the main DNS server the forwarders are set up correctly.
0
 
LVL 14

Expert Comment

by:mds-cos
ID: 24740857
OK.

First, let me step back from one of my assumptions and specifically state that all servers should be part of the same AD forest.  Exact design of your AD tree will depend on your organization, but don't go down the path of having 18 independent servers each as the root of 18 independent forests.

Servers should each belong to a single VLAN at the site where they are located, with routing properly configured. Workstations need to point to an AD integrated DNS server. Since you have 18 sites and 18 servers, you will probably want each server to be a DC and a DNS server for the location (I say probably because in a few environments this would not be the right design). The first DC (which will be the forest DC if you have multiple domains in your forest) should be at corporate -- or whatever you refer to as the "main" location. All domain A records should be visible from this DNS server.
0
 
LVL 14

Expert Comment

by:mds-cos
ID: 24740877
Here is some useful info on replication in Microsoft DNS that you may need, depending on how you design your AD.

http://technet.microsoft.com/en-us/library/cc772101.aspx
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24740879
The forwarders are not the issue. If the other DNS servers are part of your same domain, then you need to have zones created for each DNS zone on your network on your local DNS server and set up replication between them. This will allow the replication of DNS records between the subnets.
0
 
LVL 14

Expert Comment

by:mds-cos
ID: 24740893
Forwarders?  Sounds like you are not running a single forest, or you don't have your replication scope broad enough.
0
 
LVL 1

Author Comment

by:philtukey
ID: 24741029
Forgive me, I am new at all this. Currently we have a domain X that all of our staff are running on; we also serve the public, who are not on domain X. Each location has its own server and subnet so that the public PCs can get IP addresses and print. That is all they are for, for now.

Our main VLAN on our network is VLAN 3903, with a subnet of 192.168.27.X. That is where all of our main servers, including AD, file servers, Exchange and several others, are located.

The one server we just upgraded from Linux to Windows is called THserv, which is on VLAN 3905 with a subnet of 192.168.13.X. We are going to be upgrading 17 more locations, all with the same VLAN but subnets ranging from 192.168.2.X to 192.168.19.X.

I am trying to ping thserv from my PC which is on 192.168.27.X and on VLAN 3903. I can ping by IP but not by name.
0
 
LVL 14

Expert Comment

by:mds-cos
ID: 24741777
Thank you for the further description.

Since you have established that you can ping by IP address, we know that all of your VLAN trunking and routing is working properly.  You cannot ping by name, which leads us to DNS.

As you serve the public and internal, you obviously have to deal with DNS security related to public zones and internal zones.  No problem.

You still most likely want your servers to all be part of the same AD forest. Like you said, the servers are for DHCP and print sharing "for now". I have to assume you have future plans, since deploying a server just for these would be serious overkill. If the site servers are intended for public use, it makes sense (based on the very limited information I have about your network) that all VLAN 3905 servers would be one domain, and all VLAN 3903 servers in another domain (all part of the same forest). If designing from scratch you would likely not have much in the root domain, but given where you are at right now you might decide to leave all "internal" systems in the root domain and put all "public" systems in the new domain.

By setting DNS scope correctly, you can have your 3903 systems aware of the full extent of DNS (allowing you to ping THserv by name).  For security, your 3905 systems would be limited in DNS scope to the current domain only -- don't want public folks poking around with internal addresses.


If you do not want to go this route, another solution would be to manually set up a new DNS domain on your servers in VLAN 3903, then manually create host (A) records for the new servers you are deploying. I don't advocate this as a good engineering solution though.
0
 
LVL 14

Expert Comment

by:mds-cos
ID: 24741903
I think I might have just circled you back around to your original question (hope not).  You would create a new DNS domain and a new host record via DNS manager in Windows -- assuming you are using Windows as your DNS servers.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24755339
Do an ipconfig /all for your computer and a computer in a different subnet and post the results, please.
0
 
LVL 1

Author Comment

by:philtukey
ID: 24767798
Results from my PC

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

J:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : IT
        Primary Dns Suffix  . . . . . . . : poldom
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : poldom

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card
        Physical Address. . . . . . . . . : 00-22-5F-60-44-FB

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network Con
nection
        Physical Address. . . . . . . . . : 00-21-70-D5-24-AF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.27.172
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.27.1
        DNS Servers . . . . . . . . . . . : 192.168.27.20
                                            192.168.27.10

J:\>

Results from a PC on another subnet

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\admin>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : Public
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : HHnet

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : HHnet
        Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethern
et
        Physical Address. . . . . . . . . : 00-23-AE-78-75-84
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.4.247
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.4.1
        DHCP Server . . . . . . . . . . . : 192.168.4.2
        DNS Servers . . . . . . . . . . . : 192.168.4.2
                                            192.168.27.10
        Lease Obtained. . . . . . . . . . : Thursday, July 02, 2009 12:13:46 PM
        Lease Expires . . . . . . . . . . : Wednesday, July 08, 2009 12:13:46 PM


C:\Documents and Settings\admin>
0
 
LVL 14

Expert Comment

by:mds-cos
ID: 24787069
Have you set up the AD and DNS scopes as above, or manually configured a new A record in the DNS servers for the "public" VLAN?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24787741
They both use two different DNS suffixes, which is a problem when you try to ping a name called computer, because it will apply the DNS suffix to computer to make it computer.domain.com.
0
 
LVL 14

Accepted Solution

by:
mds-cos earned 500 total points
ID: 24789410
It is only a problem assuming a person is not using FQDN (the proper way to ping a host in a different domain ;-)

However, systems can be configured to search alternate domains in addition to the primary suffix. That way a system can be addressed with the hostname portion only.

Or, one could create a host (A) record in the "wrong" domain for this situation. After all, we are only dealing with name resolution for ping and such, so having the host entry in the poldom domain would be fine. (For the engineers who are cringing saying "that is not the right way to set up DNS", I agree! But for the specific requirements as stated in the question it will work fine.)


philtukey, at this point the ball is in your court -- what do you want to do:

1)  Reconfigure AD to bring your disparate domains into the same forest, thus integrating DNS, and set scopes appropriately per instructions already provided in link.

2)  Keep disparate domains and set up DNS server in main VLAN "properly" -- meaning create a slave zone or configure forwarders.  Then address public servers by FQDN or set alternate DNS suffix in the search.

3)  Keep disparate domains and manually configure a host record for each public server in your DNS for the main domain (strictly speaking, this is not the proper way to do DNS, and would be unacceptable in many environments).

4)  Finally...as I totally cringe and suggest you not go this route unless you are dealing with only one or two "admin" computers.....set up the local host files with entries for all public servers or with an include section.  (Yes, I am going to go wash my mouth out with soap now!).
0
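The suffix mismatch Darius Ghassem points out above (primary suffix poldom on the IT workstation, HHnet at the branch) and options 2 and 3 of the accepted solution can be followed in a small model. This is an added example written for this page, not code from the thread or from Microsoft; it assumes a simplified form of the Windows client's single-label resolution (append each suffix from the search list in order, query dotted names as typed), models a secondary zone as a plain copy of the master's records, and uses placeholder addresses such as 192.168.13.10 for THserv.

```python
"""Simplified model of how a Windows DNS client expands a typed name into the
queries it sends, and which of those queries a given DNS server can answer.
Constructed data: zone names, suffixes and subnets come from the thread; the
individual host addresses are placeholders chosen for this example."""

from __future__ import annotations

from typing import Optional


class DnsServer:
    """A server that answers only for zones it holds (primary or secondary copy).
    `zones` maps zone name -> {hostname: IPv4}; stored lower case, since DNS
    names are case-insensitive."""

    def __init__(self, zones: dict[str, dict[str, str]]) -> None:
        self.zones = {
            zone.lower(): {host.lower(): ip for host, ip in records.items()}
            for zone, records in zones.items()
        }

    def query_a(self, fqdn: str) -> Optional[str]:
        """Answer an A query for a fully qualified name; None models NXDOMAIN."""
        host, _, zone = fqdn.lower().rstrip(".").partition(".")
        return self.zones.get(zone, {}).get(host)

    def add_secondary_zone(self, zone: str, master: DnsServer) -> None:
        """Accepted answer, option 2: hold a secondary (slave) copy of the branch
        zone, modelled here as copying the master's records."""
        self.zones[zone.lower()] = dict(master.zones[zone.lower()])

    def add_a_record(self, zone: str, host: str, ip: str) -> None:
        """Accepted answer, option 3: a host (A) record placed in the "wrong"
        domain so the short name resolves from the main VLAN."""
        self.zones.setdefault(zone.lower(), {})[host.lower()] = ip


def candidate_names(typed: str, suffix_search_list: list[str]) -> list[str]:
    """Names a Windows client tries, in order, for what the user typed
    (simplified): a dotted name is queried as typed; a single-label name gets
    each suffix of the search list appended, so the client's primary DNS
    suffix decides what a bare "thserv" means."""
    typed = typed.rstrip(".")
    if "." in typed:
        return [typed]
    return [f"{typed}.{suffix}" for suffix in suffix_search_list]


def resolve(typed: str, suffix_search_list: list[str],
            server: DnsServer) -> Optional[tuple[str, str]]:
    """Return (name that answered, address), or None if every candidate fails."""
    for fqdn in candidate_names(typed, suffix_search_list):
        ip = server.query_a(fqdn)
        if ip is not None:
            return fqdn, ip
    return None


THSERV_IP = "192.168.13.10"        # placeholder for THserv on 192.168.13.x
IT_PC_SEARCH_LIST = ["poldom"]     # from the IT workstation's ipconfig /all


def make_branch_dns() -> DnsServer:
    """Branch DNS server (192.168.4.2 in the thread) holding the HHnet zone."""
    return DnsServer({"HHnet": {"thserv": THSERV_IP}})


def make_main_dns() -> DnsServer:
    """Main-VLAN DNS server (192.168.27.20 in the thread), poldom zone only."""
    return DnsServer({"poldom": {"it": "192.168.27.172"}})


def scenario_as_posted() -> Optional[tuple[str, str]]:
    """The symptom: 'ping thserv' from the main VLAN only tries thserv.poldom."""
    return resolve("thserv", IT_PC_SEARCH_LIST, make_main_dns())


def scenario_fqdn_without_zone() -> Optional[tuple[str, str]]:
    """FQDN alone is not enough while the main server cannot answer for HHnet."""
    return resolve("thserv.HHnet", IT_PC_SEARCH_LIST, make_main_dns())


def scenario_secondary_zone_fqdn() -> Optional[tuple[str, str]]:
    """Option 2: secondary copy of HHnet on the main server, then ping by FQDN."""
    main = make_main_dns()
    main.add_secondary_zone("HHnet", make_branch_dns())
    return resolve("thserv.HHnet", IT_PC_SEARCH_LIST, main)


def scenario_secondary_zone_search_list() -> Optional[tuple[str, str]]:
    """Option 2 plus HHnet in the suffix search list: the short name now works."""
    main = make_main_dns()
    main.add_secondary_zone("HHnet", make_branch_dns())
    return resolve("thserv", ["poldom", "HHnet"], main)


def scenario_a_record_in_main_domain() -> Optional[tuple[str, str]]:
    """Option 3: host record for thserv created inside poldom itself."""
    main = make_main_dns()
    main.add_a_record("poldom", "thserv", THSERV_IP)
    return resolve("thserv", IT_PC_SEARCH_LIST, main)
```

Running the five scenario functions reproduces the thread's sequence: the short name fails as posted, the FQDN still fails until the main server holds the HHnet zone, and then either the FQDN, an extended suffix search list, or an A record in poldom makes the lookup succeed. The model deliberately stays silent on the forwarder route the two experts disagree about.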
 
LVL 1

Author Comment

by:philtukey
ID: 24795111
On our main DNS server I have created forwarders to each of the new servers, and still cannot ping by name.
0
 
LVL 14

Expert Comment

by:mds-cos
ID: 24795273
Are you pinging by fully qualified domain name (FQDN)?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24796629
The forwarders will not work when you have multiple domains; use the FQDN like mds-cos said. If you are running on different domains, then you need to set up a secondary DNS zone on the servers.
0
