WorleyBird
asked:
Do I need a different Domain name for two domains over VPN to be able to share files from Server and Client machines or can they be the same name?

I am connecting two domains over VPN. The VPN connection is connected, but I am unable to map drives or share files over the VPN. Is this because the two domains have the same name and DNS is not able to work correctly between domains? I am able to ping the client machines from either side of the VPN.
IntegrityOffice
You can map drives by IP.
You could possibly use Remote Desktop to get a workaround.
WorleyBird (ASKER)
I will try that and see if it works.
arnold
You need to establish a trust between the two domains, so that resources from one domain will allow access to users from the other domain.

http://support.microsoft.com/kb/246133

If you have two locations where you have unaffiliated setups such that each side is using the same internal AD domain name,
i.e. site A has DC_site_a with the AD name somesite.local,
site B has DC_site_b with the AD name somesite.local,

they both were set up as a stand-alone AD with each being the only DC in the AD.

You would have to go through a process of either changing the AD domain name, if possible, in one site and then establishing a trust (make sure to export the user accounts, etc.),
or you can combine the two locations onto the same domain, which will require that you export the list of users from one and import it into the other.  You would then need to join each workstation to the remote DC and then make the local DC a DC of the other domain.

As long as the domains are named the same, you will have a lot of issues. Internally NT is working with SIDs, which are GUIDs representing unique Domain, Computer and User objects. If the domain name is the same, the OS tries to resolve all users locally, and that SID is then applied to e.g. drive mapping. Many parts of the OS will get confused by the mismatch.
So, as already told, the best is to rename one site and build a mutual trust. Further, each DNS server should have forwarding rules for the other domain (I'm not certain whether that is done automatically when building trusts).

If the IP workaround works for you, you can create static DNS entries for important machines on the other domain, and then you should be able to use the name instead of IP. But user mapping will still be an issue.
Sorry for the delay between question post and now. My DSL account was disconnected and finally reestablished last week.
As suggested by Qlemo, I have reinstalled the Server 2003 Standard with a different domain name than the one that I am trying to create a connection to. The VNC is up and I am able to ping the remote server. I attempted to set up a trust between the two domains but then receive an error: "the operation is not supported by computer running windows 2003 server."
I have attempted several different setup configurations: realm, and trust with a Windows domain.
I have attempted to use the DNS name as well as the IP address.
However, when I use the IP address as the domain name I receive a different error message: the New Trust Wizard cannot continue because the specified domain cannot be contacted.
Any suggestions?
Is the VPN present when you try to establish the trust relationship?
Did you add stub zones/forwarders for the remote domain on each DNS server?
http://technet.microsoft.com/en-us/library/cc775656%28WS.10%29.aspx
Or set up a forwarding rule for the other domain to the other DC's DNS IP:
http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html
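As an added example (not from this thread), the conditional-forwarder setup described above, typed on each site's Windows Server 2003 DNS server using dnscmd from the Support Tools. The renamed domain names sitea.local and siteb.local are assumed placeholders; the DC addresses 192.168.57.203 (site A) and 192.168.56.201 (site B) are the ones the asker uses in this thread.

```batch
@echo off
rem Added example: conditional forwarding between two differently named
rem AD domains joined by a VPN. Placeholders: sitea.local / siteb.local.
rem Run this part on the site A DNS server (192.168.57.203).

rem Queries for siteb.local go across the VPN to site B's DC instead of
rem being answered (or failing) locally. This only works because the
rem two sites no longer share one domain name.
dnscmd /ZoneAdd siteb.local /Forwarder 192.168.56.201

rem Check: the new zone should be listed with type Forwarder.
dnscmd /ZoneInfo siteb.local
dnscmd /EnumZones

rem Check: resolve a site B host through this server's own DNS.
rem An NXDOMAIN here means the forwarder is not being used or the
rem VPN is not passing UDP/TCP 53 to 192.168.56.201.
nslookup dc_site_b.siteb.local 127.0.0.1

rem Mirror on the site B DNS server (192.168.56.201):
rem   dnscmd /ZoneAdd sitea.local /Forwarder 192.168.57.203
rem   nslookup dc_site_a.sitea.local 127.0.0.1

rem To undo on either side:
rem   dnscmd /ZoneDelete siteb.local /f
```

Clients at each site keep using their local DC for DNS; only names in the other site's zone cross the VPN, which keeps ordinary internet lookups off the tunnel.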


I did a little research and found that you can't establish trusts between Windows 2008 Server for Small Business. So it appears that it is not a configuration issue but a limitation that Microsoft put on their Small Business Servers. Is there a workaround other than adding another standard server to the Small Business Server site?
If the VPN connection is hardware based, or you can configure the two Windows servers to establish a VPN to one another, you could join the remote server into the domain of the SBS.
Make sure to enable GC on both; this way the local and remote will be on the same domain and will have access to all resources.  You could then, depending on the 2003 version, set up a DFS where shares will be replicated: the 2003 will serve the local systems while the 2008 will serve the main site, and each will replicate the data back and forth, minimizing bandwidth while maximizing access to data.
Is there a specific process to do this? Remote server: does it have to have the same domain name as the main SBS server and the same IP settings?
ASKER CERTIFIED SOLUTION
arnold
Arnold: Thank you for the information. I have a question about what you mean with regards to the DNS settings to point to the IP of the SBS. I am assuming that you mean list the DNS server for the SBS as the DNS server for the Windows 2003 server, right? Currently I have the DNS IP for the 2003 as 192.168.57.203, with DNS running on that server. I would change this to 192.168.56.201, which is the DNS of the SBS, via the VPN that I have established with the SonicWall appliance.
If I do this, wouldn't all the DNS for the remote location have to be resolved through the VPN by the SBS server? I am concerned about the traffic over the VPN for all the client machines for internet connections. Am I missing something here? Obviously, I want the servers to connect, via DNS, to each other so they can share files over the VPN. But what happens when the clients attempt to go out on the web? Is this an issue? I am planning on trying this configuration today. Any important info before I begin will be greatly appreciated...

The other workstations in the location will use the DNS service on the Windows 2003.
This is needed to get the Windows 2003 to join the AD.  When you run dcpromo it tries to resolve, within DNS, information on which server has the roles/information about the domain you specify.
Once the domain is joined, the Windows 2003 can once again be changed to reference itself, and will have the information in its own DNS records, since the domain zone is distributed via AD and is authoritative on this system.
So I can remove all reference to the DNS in AD for the 2008 machine since it has joined that domain. All workstations will point to the local 2003 machine. This will reduce VPN traffic for DNS resolves too, right?
Let me make sure that I understand you on this.
DNS settings were necessary so that it could establish communication and set up AD on each machine to communicate and join the same domain.
Now that AD is set up there is no need to continue to have DNS on the other site handle DNS queries.
By removing this reference the traffic on the VPN will be reduced as well.
New question but relevant.
Since both machines have AD working and therefore have the shared login information, if one server fails but the VPN is still up, will the client machines be able to log in if I remove DNS references? Or would it be good to have that remain for the client machines to find the remote server?

Thanks for the heads up on this.
Doug
If you notice, the local DNS server is showing that it has the AD domain as authoritative.
The issue with the failure of the server requires the inclusion of the remote DNS server, along with the local DNS server, in the DHCP packet that provides the IP to the workstation.

The issue with this is that while the DNS server records appear as primary/secondary, they really are not. The client will distribute the requests such that, while the local server is up, some DNS queries will still be sent through the VPN.
Presumably at this time you do not have plans to add a second DC at the remote location to handle such an event. You could make sure that, should the only local DC/DNS/DHCP server fail, you enable the DHCP server on your router and push to the clients the IP of the AD/DNS server on the other side of the VPN.