One domain two cities.

Posted on 2011-05-04
Last Modified: 2012-05-11
Hi there, I have a domain controller (win 2003) in another city.  I have them connected via two sonicwall TZ210 routers via a VPN.  One is on, the other (the main office where the primary domain controller is) is  I can ping the server, but the DNS only seems to be working with a FQDN i.e. nslookup works but nslookup server doesn't.  I can't join the domain from a computer on the domain either.

I have the DNS servers pointing to (which is the PDC).  I am not sure where I go from here?  Should they both be on the same subnet for this to work?
Question by: kesea

Expert Comment (LVL 13)

VPNs don't always allow all the ports needed for more complex needs like AD replication. Check out this Microsoft article:

Accepted Solution (LVL 3)

It sounds like you have 2 DNS servers.  Correct me if I'm wrong.  Are they both MS Windows AD-integrated DNS servers?

    To remove complexity for the time being I would have site two use site 1's DNS servers.  If is your main site's primary DNS server have all devices from site 2 point to that DNS server (DNS requests will go across the VPN).  You can have the other DNS server listed as an option in your second site's DNS servers, but make sure the primary site's DNS server is the top of the order.

It sounds like you are also saying you can't ping servername, but you can ping servername.domain.local (FQDN).  This just means that NetBIOS isn't set up to traverse the VPN.  You can fix this by going into your VPN policies on both SonicWALLs.  Under the Advanced tab there should be a checkbox to enable NetBIOS across the VPN.  If your primary site is not a SonicWALL you need to look at doing an IP helper on that device for NetBIOS traffic and forwarding it across the VPN connection.

    Another thing to consider with domain authentication/replication across the VPN is that it is more sensitive than most things to packet fragmentation.  I would recommend trying the following settings.

Under your VPN policies enable the keep-alive on your remote site and not on your primary site.
I would also use IP addresses vs. FQDN for the remote gateways.
If you have SonicWALLs on both sides of the VPN I would also recommend using the SonicWALL identifiers as the IKE local and peer IDs.  The unique identifier is located at the top of the VPN -> Settings page on each SonicWALL.

    Under the VPN advanced options I would recommend these things:
    - Enable IKE dead peer detection, interval = 60, trigger level = 3
    - Enable Fragmented Packet Handling
    - Enable Ignore DF bit
    - Enable NAT traversal
    - Enable Preserve IKE port for pass through connections

    VPN encryption also has some packet size overhead so I would recommend lowering the WAN MTU down to compensate.  Under the Network -> Interfaces -> WAN Config -> Advanced tab I would recommend these settings:

    Interface MTU: 1444 (if you are using DSL) or 1460 (if you are using cable, T1s, etc)
    Enable fragment non-VPN outbound packets larger than MTU
    Disable Ignore DF bit
Disable Do Not send ICMP fragmentation needed for outbound packets over interface MTU

    See if these things help.  This should keep you busy for a while :-)
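The "FQDN works but the short name doesn't" symptom from the question is worth understanding at the resolver level before reaching for NetBIOS over the VPN. A Windows client turns a bare label into DNS queries by appending each entry of its DNS suffix search list; a bare label with no suffix to append never produces a query that the AD zone can answer, while the same name falls back to NetBIOS, which is broadcast-based and does not cross a routed VPN unless something forwards it. The script below is an added example, not code from the thread or from the answerer. It simulates that suffix-search behaviour against a constructed zone (the names `domain.local`, `server`, `dc2` and the 10.x addresses are made up) so you can see which configuration makes a short name resolvable purely over DNS across the tunnel.

```python
"""Simulate Windows-style short-name resolution via the DNS suffix search list.

Constructed example; zone contents, host names and addresses are invented.
"""
from typing import Dict, List, Optional

# Constructed AD-integrated zone data (hypothetical names and addresses).
ZONE: Dict[str, str] = {
    "server.domain.local": "10.0.1.10",   # main-site DC, reachable over the VPN
    "dc2.domain.local": "10.0.2.10",      # remote-site DC
}


def candidate_names(name: str, suffix_list: List[str]) -> List[str]:
    """Return the fully qualified names a resolver would query, in order.

    A name containing a dot is treated as already qualified.  A bare label is
    combined with each suffix in the search list.  With an empty list the
    resolver has nothing to append, so no DNS query can match the zone and the
    client is left to NetBIOS broadcast, which stays on the local subnet.
    """
    if "." in name:
        return [name.rstrip(".").lower()]
    return [f"{name}.{suffix}".lower() for suffix in suffix_list]


def resolve(name: str, suffix_list: List[str], zone: Dict[str, str] = ZONE) -> Optional[str]:
    """Resolve a name via DNS only; returns the address or None on NXDOMAIN."""
    for fqdn in candidate_names(name, suffix_list):
        addr = zone.get(fqdn)
        if addr is not None:
            return addr
    return None


def diagnose(short_name: str, fqdn: str, suffix_list: List[str]) -> str:
    """Classify the symptom the way a troubleshooter would read nslookup output."""
    short_ok = resolve(short_name, suffix_list) is not None
    fqdn_ok = resolve(fqdn, suffix_list) is not None
    if fqdn_ok and not short_ok:
        return "dns-ok-suffix-missing"   # FQDN answers; short name needs a suffix or NetBIOS
    if fqdn_ok and short_ok:
        return "dns-ok"
    return "dns-unreachable"             # not a naming issue: check VPN/DNS server reachability


if __name__ == "__main__":
    # Remote-site client with no DNS suffix configured (the reported symptom).
    print(diagnose("server", "server.domain.local", []))
    # Same client after the domain suffix is supplied via DHCP or the adapter settings.
    print(diagnose("server", "server.domain.local", ["domain.local"]))
```

Note that if the short name should resolve through DNS rather than NetBIOS, supplying `domain.local` as the connection-specific or primary DNS suffix to the remote-site clients removes the dependency on NetBIOS crossing the tunnel at all; domain-joined machines get this suffix automatically, which is why the problem typically shows up only on machines that have not yet joined.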
