Solved

Site to site VPN DNS Issue

Posted on 2010-08-31
Last Modified: 2012-08-13
Hello All

I have created a site-to-site VPN between our main and branch office. It uses the L2TP/IPsec protocol between two ISA boxes with a pre-shared key.

What I Can do:

Ping any machine from our Main to Branch and Vice Versa (IP address only)
Remote desktop to any machine from Main to Branch and Vice Versa (IP address only)
Browse network drives from Main to Branch and Vice Versa (IP address only)

What I can't do:

Ping machines by computer/machine name
Remote desktop to machines by computer/machine name
Join Branch office computers to Main Office Domain (domain controller cannot be located)

Join Branch office computers to Exchange Via Outlook

Scenario for Outlook
The user is logged into the Branch domain, starts Outlook and adds an Exchange account, entering the IP address of the Main Office Exchange server; this then resolves to ourexchange.our-domain.co.uk and underlines the user name, and the wizard completes successfully. On starting Outlook, the message is:

"Unable to open default e-mail folders. You must connect your Microsoft Exchange server computer with the current profile before you can synchronize your folders"

I'm pretty certain that it's a DNS problem, as with the other issues I mentioned. I have attached a network configuration diagram; can anyone see what I'm doing wrong?

Thanks in advance all.
Drawing2.pdf
Question by:brynstar
11 Comments
 
LVL 6

Expert Comment

by:up_grayed_out
ID: 33567683
Use nslookup to see if you can resolve the names/IPs at the main site. If you can, then it's not DNS. Might be an issue with NetBIOS or with ports blocked on ISA.

Author Comment

by:brynstar
ID: 33568517
Thanks for the reply. This is what happens with nslookup:

nslookup remotecomputername

maindomaincontroller cannot find remotecomputername: Non-existant domain
LVL 6

Expert Comment

by:up_grayed_out
ID: 33568556
Hmm, clients not appending the DNS suffix?
What happens if you query by FQDN?

Author Comment

by:brynstar
ID: 33568628
The FQDN for our remote site ends in .local. If I nslookup or ping anything using the FQDN, it replies from local.co.uk, not our domain. Thanks again for your reply.
LVL 6

Assisted Solution

by:up_grayed_out
up_grayed_out earned 500 total points
ID: 33568750
Strange, do the clients have co.uk in their DNS search suffix list?
Different domains at main and branch? If so, you might want to configure all clients with a DNS search suffix list containing both domains, then make sure the zone is replicated to the branch DNS server, so lookups don't go over the VPN.
You also want to make sure that all clients are only configured to use internal DNS. Only the DNS server should be able to query external DNS.

Author Comment

by:brynstar
ID: 33574863
Yes, the clients at main do have .co.uk in their DNS search suffix list.

To test, I have been working on one workstation, manually putting the DNS into the LAN adapter, so:

DNS servers:
10.0.0.2 (main Domain controller)
10.3.0.2 (branch Domain-controller)

DNS search suffixes:
ourdomain.co.uk
branch.local

Still no luck pinging branch by FQDN, only by IP. Thanks once again for your replies.

Author Comment

by:brynstar
ID: 33574989
I have managed to get the NetBIOS name to ping, so ping remotedomaincontroller replies, but I added the remote domain controller IP to the WINS server addresses in the local LAN config (and removed the above-mentioned DNS settings).

Author Comment

by:brynstar
ID: 33576914
Sorry, disregard the two above posts.

At the main office, I have set up the DNS search suffix within group policy to list our-domain.co.uk and branchoffice.local.

Clients at the main office now list this within ipconfig /all.

Only one DNS server is configured for clients in main (main office DC): 10.0.0.2

What do I need to do within the DNS management of our Main DC? Is it a new forward lookup zone to the branch DC?

Also, when you say replicate the zone to the Branch DNS server, do you mean add new DNS search suffixes at the branch end?

Apologies if I sound way off, your help is most appreciated.

thanks again....
LVL 6

Expert Comment

by:up_grayed_out
ID: 33577585
No worries. DNS can get confusing. Your setup sounds similar to my environment. I've got an issue I need to take care of this morning, but I will get back to you today on this.
LVL 6

Accepted Solution

by:up_grayed_out
up_grayed_out earned 500 total points
ID: 33580748
Sounds like you're on the right track.
So at each site, the clients will have a DNS search suffix list with both domains, with their local domain first in the list.
The DNS server at main should have a secondary forward lookup zone for branchoffice.local.
The DNS server at branchoffice will have a secondary zone for yourdomain.co.uk.
This way, DNS servers at both sites will be able to resolve records for either domain.

You still might run into some strange issues down the road though. For instance, if yourdomain.co.uk is registered to another company, or is your company's web site, then VPN clients with split tunneling might resolve to the wrong IP. Also, the DNS client strips subdomains as it searches for a valid record. So, a client searches for hostname.branchoffice.local.co.uk, doesn't get a valid result, and eventually it'll look for local.co.uk. As you know, that's an actual website, so you might have an issue there too.

Microsoft recommends using a subdomain of a valid, registered domain for windows domains. Something like,
internal.yourcompany.co.uk
internal.branchoffice.co.uk

.local is used by some vendors for UPnP, so this could create some issues there too.

If it's a good fit for your organization, then the best solution would be to get both sites on the same domain, or at least in the same forest. Again, using subdomains of a valid, registered domain.
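An added example, not from this thread or either participant: a small Python model of the suffix-search and zone behaviour the accepted solution describes, using constructed names, addresses and a wildcard under local.co.uk that stands in for the external site the author saw answering. It shows why a bare co.uk search suffix sends the branch lookup to the internet, and how a secondary zone for branchoffice.local on the main DNS server makes that lookup authoritative instead.

```python
# Added example (not from the thread): a minimal model of how a Windows-style
# DNS client walks its suffix search list and how the server it asks answers,
# with and without a secondary zone for the other site's domain.
# All names, addresses and the wildcard record are constructed for illustration.
NXDOMAIN = None

def candidate_names(name, suffix_list):
    """Queries the client will try, in order: the name as typed (only if it
    contains a dot), then the name with each search suffix appended."""
    names = [name] if "." in name else []
    return names + [f"{name}.{s}" for s in suffix_list]

def make_resolver(zones, external):
    """zones: {zone: {fqdn: ip}} this server is authoritative for. Queries for
    any other name are forwarded to `external` (a callable)."""
    def resolve(fqdn):
        for zone, records in zones.items():
            if fqdn == zone or fqdn.endswith("." + zone):
                return records.get(fqdn)  # authoritative answer or NXDOMAIN, never forwarded
        return external(fqdn)
    return resolve

def lookup(name, suffix_list, resolver):
    """Return (queried_fqdn, ip) for the first candidate that gets an answer,
    or (None, NXDOMAIN) when every candidate fails."""
    for fqdn in candidate_names(name, suffix_list):
        ip = resolver(fqdn)
        if ip is not NXDOMAIN:
            return fqdn, ip
    return None, NXDOMAIN

# Constructed: a wildcard under local.co.uk stands in for the real site the
# author saw replying; it answers any *.local.co.uk query with a public IP.
def external_dns(fqdn):
    return "198.51.100.7" if fqdn.endswith(".local.co.uk") else NXDOMAIN

MAIN_ZONE = {"ourdomain.co.uk": {"dc1.ourdomain.co.uk": "10.0.0.2"}}
BRANCH_ZONE = {"branchoffice.local": {"dc2.branchoffice.local": "10.3.0.2"}}
before = make_resolver(MAIN_ZONE, external_dns)                    # main DC, no secondary zone
after = make_resolver({**MAIN_ZONE, **BRANCH_ZONE}, external_dns)  # secondary zone added
LEAKY_SUFFIXES = ["ourdomain.co.uk", "co.uk"]                      # bare co.uk gets appended
FIXED_SUFFIXES = ["ourdomain.co.uk", "branchoffice.local"]

if __name__ == "__main__":
    # Leak: the branch lookup ends up answered by the public local.co.uk wildcard.
    print(lookup("dc2.branchoffice.local", LEAKY_SUFFIXES, before))
    # Fixed: answered authoritatively from the secondary zone; nothing leaves the LAN.
    print(lookup("dc2.branchoffice.local", FIXED_SUFFIXES, after))
    print(lookup("dc2", FIXED_SUFFIXES, after))
```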

Author Comment

by:brynstar
ID: 33585564
Thanks so much, that's done it. Added two secondary zones on each side and can now ping/browse by NetBIOS, IP or FQDN.

I can't thank you enough for your help!

Superb! A************

Best Regards