Problem with DNS(?) using dual MPLS and IPSec tunnel links to remote site

Please consider this issue with what appears to be DNS issues. We have HQ, that had a single connection to site A, via a carrier's MPLS network. A contractor was previously hired to install a second router at site A, connected via ADSL to the public internet. An IPSec tunnel was set up between the ADSL router and the Cisco PIX at HQ. The plan was to use route-maps at each end, redirecting key traffic for the Exchange server and MS ISA server (both at HQ) to pass through the IPsec tunnel. However, due to a fault with the original router at Site A, the route-map never redirected traffic. Instead, at Site A, DHCP was changed to make the ADSL router the default gateway for clients. At HQ, a route-map was applied at the core L3 switch to redirect the server traffic to the PIX.

All seemed to be working well, and a tracert confirmed that traffic is going over the correct routes.  However, some clients also use wireless at Site A, and get an additional address when using it.  I suspect that this is causing problems with the email client and IE (IE connecting to an ISA Server at HQ).  Sometimes Outlook and IE both fail to connect to the servers at HQ, although ping tests and the Citrix client are not affected.  DNS at HQ now shows 2 addresses for one of the clients.

It looks like a DNS issue with the replication of the zone back to HQ, but I am not sure why this would not also be an issue previous to the ADSL router install.  Not all subnets from HQ are route-mapped down the IPSec tunnel, but the server subnet is.  

What would you advise for the next step?

Thank you in advance!

Chris Dent (PowerShell Developer) commented:

> get an additional address when using it

Additional DNS addresses?

> DNS at HQ now shows 2 addresses for one of the clients

How are dynamic updates performed?

I would imagine you have an MS DHCP server in there somewhere? And I would imagine that's performing updates for your clients.

If that is the case, if DHCP registers a record for a client, the client will not have rights to update it directly. That's fine as long as they only chat to the MS DHCP server, but a real pain if they go and talk to the ADSL router. When they do that they will attempt to create a record themselves. Without permission to update the existing record they will create a new one.

If all that is the case, you can avoid it by preventing DHCP from updating DNS. All clients running Windows 2000 or higher are able to update directly. If you opt for that solution it is important to look into your Scavenging settings otherwise it will simply magnify the current duplication issue.
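As an added example (not from this thread), a PowerShell script that surfaces the symptom described above, a client name with more than one A record, shows the DHCP dynamic-update and scavenging state, and optionally applies the change suggested. It assumes the DnsServer and DhcpServer modules on a Windows Server 2012 or later host; the zone name, DHCP server name and intervals are placeholders.

```powershell
# Added example (not from the thread). Requires the DnsServer and DhcpServer
# PowerShell modules on a Windows Server 2012+ DNS/DHCP host. Zone name, DHCP
# server name and intervals below are assumed placeholders.
param(
    [string]$Zone       = 'corp.example',   # assumed AD-integrated zone
    [string]$DhcpServer = 'hq-dhcp01',      # assumed MS DHCP server name
    [int]$IntervalDays  = 7,                # no-refresh / refresh / scavenge
    [switch]$Apply                          # report only unless set
)

# 1. Symptom: one client name with more than one A record in the zone.
#    Records whose Timestamp is $null are static and will never be scavenged.
$dupes = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Group-Object -Property HostName |
    Where-Object { $_.Count -gt 1 }

foreach ($g in $dupes) {
    Write-Host "Duplicate A records for '$($g.Name)':"
    foreach ($r in $g.Group) {
        $stamp = if ($r.Timestamp) { $r.Timestamp } else { 'static (no timestamp)' }
        Write-Host ("  {0,-16} registered {1}" -f $r.RecordData.IPv4Address, $stamp)
    }
}

# 2. Current state of the two settings the fix depends on.
$dhcpDns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
$aging   = Get-DnsServerZoneAging -Name $Zone
$scav    = Get-DnsServerScavenging
Write-Host "DHCP DynamicUpdates : $($dhcpDns.DynamicUpdates)"
Write-Host "Zone aging enabled  : $($aging.AgingEnabled)"
Write-Host "Server scavenging   : $($scav.ScavengingState)"

if (-not $Apply) { return }

# 3. The change suggested above: stop DHCP registering on behalf of clients
#    (Windows 2000+ clients register themselves), then turn on aging and
#    scavenging so the records left behind by the old owner age out.
$span = New-TimeSpan -Days $IntervalDays
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates Never
Set-DnsServerZoneAging -Name $Zone -Aging $true `
    -NoRefreshInterval $span -RefreshInterval $span
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval $span
Write-Host "Applied. Records not refreshed for $(2 * $IntervalDays) days become scavengeable."
```

Run it without -Apply first; the report alone shows whether the duplicates carry timestamps, since static records have to be removed by hand rather than by scavenging.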


support_ferret (Author) commented:
Thank you for your quick reply!

Yes, for example one of the clients switches to wireless from a wired connection, or sometimes both may be running in tandem?(!)  Perhaps it is down to the clients in the end.  It wouldn't be a problem but the DNS server closest to the proxy and email server will always be updated a little later than the DNS server at site A.  

I believe you are right with the DHCP updating settings - I will have to tweak them as you say.  I had a look at the settings before leaving for the day, but I forget what they were.  I think I changed it to allow clients to dynamically update DNS.

I don't think there is a perfect solution for clients that keep switching from wired to wireless so quickly - but I think you have described the solution.  Thanks!