Solved

Do I need a different Domain name for two domains over VPN to be able to share files from Server and Client machines or can they be the same name?

Posted on 2010-11-29
15
318 Views
Last Modified: 2012-05-10
I am connecting two domains over VPN. The VPN connection is connected but I am unable to map drives or share files over the VPN. Is this because the two domains have the same name and DNS is not able to work correctly between domains? I am able to ping the client machines from either side of the VPN.
0
Question by:WorleyBird
15 Comments
 
LVL 9

Expert Comment

by:IntegrityOffice
ID: 34235556
You can map drives by IP.
You could possibly use remote desktop to get a work round.
0
 

Author Comment

by:WorleyBird
ID: 34235599
I will try that and see if it works.
0
 
LVL 76

Expert Comment

by:arnold
ID: 34236235
You need to establish a trust between the two domains, such that resources from one domain will allow access to users from the other domain.

http://support.microsoft.com/kb/246133

If you have two locations with unaffiliated setups such that each side is using the same internal AD domain name,
i.e. site A has DC_site_a with the AD name somesite.local,
site B has DC_site_b with the AD name somesite.local,

they both were set up as a standalone AD with each being the only DC in the AD.

You would have to go through a process of either changing the AD domain name, if possible, in one site and then establishing a trust (make sure to export the user accounts, etc.).
Or you can combine the two locations onto the same domain, which will require that you export the list of users from one and import it into the other. You would then need to join each workstation to the remote DC and then make the local DC a DC of the other domain.

0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34236932
As long as the domains are named the same, you will have a lot of issues. Internally NT is working with SIDs, which are GUIDs representing unique Domain, Computer and User objects. If the domain name is the same, all users are first resolved locally, and that SID is then applied to e.g. drive mapping. Many parts of the OS will get confused by the mismatch.
So, as already said, the best is to rename one site and build a mutual trust. Further, each DNS server should have forward rules for the other domain (I'm not certain whether that is done automatically when building trusts).

If the IP workaround works for you, you can create static DNS entries for important machines on the other domain, and then you should be able to use the name instead of IP. But user mapping will still be an issue.
0
 

Author Comment

by:WorleyBird
ID: 34474756
Sorry for the delay between question post and now. My dsl account was disconnected and finally reestablished last week.
As suggested by Qlemo, I have reinstalled the Server 2003 Standard with a different domain name than the one that I am trying to create a connection to. The VNC is up and I am able to ping the remote server. I attempted to set up a trust between the two domains but then receive an error: "the operation is not supported by computer running windows 2003 server."
I have attempted several different setup configurations - realm and trust with a Windows domain.
I have attempted to use the DNS name as well as the IP address.
However, when I use the IP address as the domain name I receive a different error message - the new trust wizard cannot continue because the specified domain cannot be contacted.
Any suggestions?
0
 
LVL 76

Expert Comment

by:arnold
ID: 34476169
Is the VPN present when you try to establish the trust relationship?
Did you add stub zones/forwarders for the remote domain to each DNS?
http://technet.microsoft.com/en-us/library/cc775656%28WS.10%29.aspx
Or set up a forwarding rule for the other domain to the other DC's DNS IP:
http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html


0
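The two comments above (the DNS forward rules Qlemo mentions and arnold's stub zone / conditional forwarder links) can be done from the command line on a Windows Server 2003 DNS server. The script below is an added example, not something posted in this thread; it assumes the two sites have already been given different AD domain names (sitea.local and siteb.local are invented here) and uses the 192.168.56.201 / 192.168.57.203 addresses mentioned later in the thread for the two DCs.

```batch
@echo off
rem Added example (not from the thread): resolve the other site's AD domain across the VPN.
rem Assumed names: this DC serves sitea.local at 192.168.56.201; the remote DC serves
rem siteb.local at 192.168.57.203. Run on the site A DNS server, then repeat on site B
rem with the names and addresses swapped.

set REMOTE_DOMAIN=siteb.local
set REMOTE_DNS=192.168.57.203

rem Conditional forwarder: only queries for %REMOTE_DOMAIN% are sent across the VPN to the
rem remote DC's DNS. Everything else still follows this server's normal forwarders/root hints,
rem so workstation internet lookups do not cross the tunnel.
dnscmd /ZoneAdd %REMOTE_DOMAIN% /Forwarder %REMOTE_DNS%

rem Alternative instead of the forwarder: a stub zone, which keeps only the remote zone's
rem SOA/NS/glue records and follows the remote name servers from there.
rem dnscmd /ZoneAdd %REMOTE_DOMAIN% /Stub %REMOTE_DNS%

rem Verify against the local DNS service: the remote DC's host record and the SRV records
rem that trust creation and dcpromo rely on to locate a domain controller.
nslookup dc_site_b.%REMOTE_DOMAIN% 127.0.0.1
nslookup -type=SRV _ldap._tcp.dc._msdcs.%REMOTE_DOMAIN% 127.0.0.1

rem DC locator check (nltest is in the 2003 Support Tools): the netlogon service should
rem now be able to find a DC for the remote domain. If this fails, the trust wizard's
rem "specified domain cannot be contacted" error is expected.
nltest /dsgetdc:%REMOTE_DOMAIN%
```

Conditional forwarders and stub zones on Windows Server 2003 are configured per DNS server, so the same step is needed on every DNS server at each site. As Qlemo notes, none of this helps while both sites still use the same domain name, because the local server already considers itself authoritative for that name and will never forward the query.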
 

Author Comment

by:WorleyBird
ID: 34477611
I did a little research and found that you can't establish trusts between Windows 2008 Server for Small Business. So it appears that it is not a configuration issue but a limitation that Microsoft put on their small business servers. Is there a workaround other than adding another standard server to the small business server site?
0
 
LVL 76

Expert Comment

by:arnold
ID: 34482331
If the VPN connection is hardware based, or you can configure the two Windows servers to establish a VPN to one another, you could join the remote server into the domain of the SBS.
Make sure to enable GC on both; this way the local and remote will be on the same domain and will have access to all resources. You could then, depending on the 2003 version, set up a DFS where shares will be replicated: the 2003 will serve the local systems while the 2008 will serve the main site, and each will replicate the data back and forth, minimizing bandwidth while maximizing access to data.
0
 

Author Comment

by:WorleyBird
ID: 34482431
Is there a specific process to do this? Remote server - does it have to be the same domain name as the main SBS server and same IP settings?
0
 
LVL 76

Accepted Solution

by: arnold (earned 250 total points)
ID: 34482752
The remote server starts as a standalone. Once the VPN is established to the location where the SBS server is, configure the DNS settings for the Windows 2003 server to point to the IP of the SBS.
Then you run dcpromo and join this Windows 2003 server to the remote SBS's domain.
Make sure you have DNS services installed on the 2003 server.
You could then use OUs to make it easier to know which user is at which location for management purposes.

Then you could set up an IPsec policy that will tie the remote Windows 2003 to the Windows 2008 server, such that replication will continue even when the VPN between the two locations drops for some reason other than one location losing access to the net.
0
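The accepted steps above (point the 2003 server's DNS at the SBS, run dcpromo, install DNS, then let the server reference itself again, as arnold describes in the later comments) have a few checks worth running before and after the promotion. The script below is an added example written for this thread, not arnold's own procedure; the domain name sbsdomain.local and the NIC name are assumed, the 192.168.56.201 (SBS) and 192.168.57.203 (remote 2003) addresses come from the thread.

```batch
@echo off
rem Added example (not from the thread): pre- and post-checks around dcpromo when joining a
rem remote Windows 2003 server as an additional DC of an SBS 2008 domain across a VPN.
rem Assumed: SBS 2008 DC/DNS at 192.168.56.201 for sbsdomain.local; this server is
rem 192.168.57.203 with a NIC called "Local Area Connection".
rem Usage: run once before dcpromo, then "join-dc.cmd /post" after the promotion reboot.
set SBS_DNS=192.168.56.201
set LOCAL_IP=192.168.57.203
set AD_DOMAIN=sbsdomain.local
set NIC=Local Area Connection

if /i "%1"=="/post" goto post

rem --- Before dcpromo ---
rem 1. Temporarily make the SBS this server's only DNS server (across the VPN), because
rem    dcpromo locates the domain through the _msdcs SRV records the SBS DNS holds.
netsh interface ip set dns name="%NIC%" source=static addr=%SBS_DNS%

rem 2. Prove the locator data is reachable before starting the wizard.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%AD_DOMAIN% %SBS_DNS%
nltest /dsgetdc:%AD_DOMAIN%
if errorlevel 1 (
    echo Cannot locate a DC for %AD_DOMAIN% - fix DNS or the VPN before running dcpromo.
    exit /b 1
)
echo Pre-checks passed. Run dcpromo, choose "Additional domain controller for an existing
echo domain", reboot, install the DNS server role, then rerun this script with /post.
exit /b 0

:post
rem --- After dcpromo and DNS role install ---
rem 3. Make this DC a Global Catalog (arnold's "enable GC on both"); the GUI equivalent is
rem    the Global Catalog box on NTDS Settings in AD Sites and Services.
repadmin /options %COMPUTERNAME% +IS_GC

rem 4. The AD-integrated zone now replicates here, so point the DNS client at itself first
rem    and keep the SBS second; local lookups stop crossing the VPN.
netsh interface ip set dns name="%NIC%" source=static addr=%LOCAL_IP%
netsh interface ip add dns name="%NIC%" addr=%SBS_DNS% index=2

rem 5. Verify: the domain zone is served locally, this DC registered its own SRV records,
rem    and replication with the SBS is healthy (repadmin/dcdiag are in the Support Tools).
dnscmd /EnumZones
nslookup -type=SRV _ldap._tcp.dc._msdcs.%AD_DOMAIN% %LOCAL_IP%
repadmin /showrepl
dcdiag
```

Keep the SBS in the DNS list during the promotion and the first replication; only after `dnscmd /EnumZones` shows the AD-integrated zone on the 2003 server does it make sense to switch the workstations to the local DNS, which is the traffic-saving step the author asks about in the following comments.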
 

Author Comment

by:WorleyBird
ID: 34519362
Arnold: Thank you for the information. I have a question about what you mean with regards to the DNS settings to point to the IP of the SBS. I am assuming that you mean list the DNS server for the SBS as the DNS server for the Windows 2003 server, right? Currently I have the DNS IP for the 2003 as 192.168.57.203 with DNS running on that server. I would change this to 192.168.56.201, which is the DNS of the SBS via the VPN that I have established with the SonicWall appliance.
If I do this, wouldn't all the DNS for the remote location have to be resolved through the VPN by the SBS server? I am concerned about the traffic over the VPN for all the client machines for internet connections. Am I missing something here? Obviously, I want the servers to connect, via DNS, to each other so they can share files over the VPN. But what happens when the clients attempt to go out on the web? Is this an issue? I am planning on trying this configuration today. Any important info before I begin will be greatly appreciated...

0
 
LVL 76

Expert Comment

by:arnold
ID: 34585393
The other workstations in the location will use the DNS service on the Windows 2003.
This is needed to get the Windows 2003 to join the AD. When you run dcpromo it tries to resolve, within DNS, information on which server has the roles/information about the domain you specify.
Once the domain is joined, the Windows 2003 can once again be changed to reference itself, and will have the information in its own DNS records, since the domain zone is distributed via AD and is authoritative on this system.
0
 

Author Comment

by:WorleyBird
ID: 34605911
So I can remove all reference to the DNS in AD for the 2008 machine since it has joined that domain. All workstations will point to the local 2003 machine. This will reduce VPN traffic for DNS resolves too, right?
Let me make sure that I understand you on this.
DNS settings were necessary so that it could establish communication and set up AD on each machine to communicate and join the same domain.
Now that AD is set up there is no need to continue to have DNS on the other site handle DNS queries.
By removing this reference the traffic on the VPN will be reduced as well.
New question but relevant.
Since both machines have AD working and therefore have the shared login information, if one server fails but the VPN is still up, will the client machines be able to log in if I remove DNS references? Or would it be good to have that remain for the client machine to find the remote server?

Thanks for the heads up on this.
Doug
0
 
LVL 76

Expert Comment

by:arnold
ID: 34612770
If you notice, the local DNS server is showing that the DNS server has the AD domain as authoritative.
The issue with the failure of the server requires the inclusion of the remote DNS server in the DHCP packet that provides the IP to the workstation, along with the local DNS server.

The issue with this is that while the DNS server records appear as primary/secondary, they really are not. The client will distribute the requests such that, while the local server will be up, some DNS queries will be sent through the VPN.
Presumably at this time you do not have plans to add a second DC at the remote location to handle such an event. You could make sure that, should the only local DC/DNS/DHCP server fail, you enable the DHCP server on your router and push to the clients the IP of the AD/DNS server on the other side of the VPN.
0
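The DHCP side of the comment above, handing workstations the local DC's DNS first and the SBS across the VPN second, is a single DHCP option on the 2003 server. The script below is an added example for this thread, not arnold's own commands; the scope 192.168.57.0 and domain name sbsdomain.local are assumed, the two DNS addresses are the ones the author gave earlier.

```batch
@echo off
rem Added example (not from the thread): DHCP option 006 with the local DC/DNS first and the
rem remote SBS DNS second, so workstations can still locate a DC through the VPN if the only
rem local DC fails. Assumed: scope 192.168.57.0 on the local 2003 DHCP server, local DNS
rem 192.168.57.203, remote SBS DNS 192.168.56.201, AD domain sbsdomain.local.
set SCOPE=192.168.57.0
set LOCAL_DNS=192.168.57.203
set REMOTE_DNS=192.168.56.201
set AD_DOMAIN=sbsdomain.local

rem Option 006 (DNS servers). Order is a preference only: as the comment above notes, the
rem resolver does not treat the list strictly as primary/secondary, so expect some queries
rem to cross the VPN even while the local server is up.
netsh dhcp server scope %SCOPE% set optionvalue 006 IPADDRESS %LOCAL_DNS% %REMOTE_DNS%

rem Option 015 (DNS domain name) so single-label names are searched inside the AD domain.
netsh dhcp server scope %SCOPE% set optionvalue 015 STRING %AD_DOMAIN%

rem Show what the scope now hands out to clients.
netsh dhcp server scope %SCOPE% show optionvalue

rem Failure drill, run on a workstation after "ipconfig /renew": can the DC locator find a
rem DC using the remote DNS alone? This is what a client will have to do when the local DC
rem (and its DHCP) is down and the router's DHCP hands out only the remote DNS address.
rem   nslookup -type=SRV _ldap._tcp.dc._msdcs.%AD_DOMAIN% %REMOTE_DNS%
rem   nltest /dsgetdc:%AD_DOMAIN% /force
```

If the local server is also the DHCP server, its failure takes the lease service down with it; the router DHCP fallback arnold mentions needs to be pre-configured with the remote DNS address in its own option 006 so that renewing clients do not end up with no name server at all.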
