One domain two cities.

Posted on 2011-05-04
Medium Priority
Last Modified: 2012-05-11
Hi there, I have a domain controller (win 2003) in another city. I have them connected via two SonicWall TZ210 routers via a VPN. One is on, the other (the main office where the primary domain controller is) is  I can ping the server, but the DNS only seems to be working with a FQDN, i.e. nslookup server.abc works but nslookup server doesn't. I can't join the domain from a computer on the domain either.

I have the DNS servers pointing to (which is the PDC). I am not sure where I go from here? Should they both be on the same subnet for this to work?
Question by:kesea
Expert Comment

ID: 35695386
VPNs don't always allow all the ports needed for more complex needs like AD replication. Check out this Microsoft article: http://technet.microsoft.com/en-us/library/bb727063.asp.
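As an added example (not code from the commenter or from the linked Microsoft article), the script below checks from a machine at the remote site whether the well-known TCP ports that a domain join and AD traffic use are reachable on the domain controller through the tunnel. The port list is the standard one; the dynamic RPC range handed out by the endpoint mapper is noted but not probed. The address and the blocked-port set in the offline demo are constructed.

```python
"""Reachability check for the TCP ports a domain join and AD traffic need.

Added example for this thread, not code from the poster or from the linked
Microsoft article. The port list is the well-known set; the dynamic RPC range
that the endpoint mapper hands out (1025-5000 on Windows Server 2003,
49152-65535 on later versions) also has to pass the VPN but is not probed here.
The target address in the offline demo is constructed.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List, Set, Tuple

AD_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (SYSVOL, Netlogon)",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAPS",
}

# Anything that behaves like socket.create_connection(address, timeout).
Connector = Callable[[Tuple[str, int], float], object]


def check_tcp_ports(host: str, ports: Iterable[int], timeout: float = 2.0,
                    connect: Connector = socket.create_connection) -> Dict[int, bool]:
    """Return {port: reachable} by attempting a TCP handshake to each port.

    A failed handshake (refused, filtered or timed out) is reported as False;
    over a VPN that usually means the policy or firewall does not pass it.
    """
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            sock = connect((host, port), timeout)
        except OSError:
            results[port] = False
        else:
            sock.close()
            results[port] = True
    return results


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that did not answer, sorted, for the fix-up list."""
    return sorted(port for port, ok in results.items() if not ok)


def report(host: str, results: Dict[int, bool]) -> str:
    """Human-readable table, one line per port."""
    lines = []
    for port in sorted(results):
        state = "open" if results[port] else "BLOCKED"
        lines.append(f"{host}:{port:<5} {AD_TCP_PORTS.get(port, 'unknown'):<26} {state}")
    return "\n".join(lines)


def make_fake_connector(blocked: Set[int]) -> Connector:
    """Offline stand-in for socket.create_connection used by the demo below:
    every port in BLOCKED raises, as a filtered port would."""
    class _Closed:
        def close(self) -> None:
            pass

    def _connect(address: Tuple[str, int], timeout: float) -> object:
        if address[1] in blocked:
            raise OSError(f"port {address[1]} filtered")
        return _Closed()
    return _connect


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]  # the remote domain controller's address
        results = check_tcp_ports(target, AD_TCP_PORTS)
    else:
        # Constructed demo: a VPN that passes DNS and LDAP but drops RPC/SMB.
        target = "10.0.1.10"
        results = check_tcp_ports(target, AD_TCP_PORTS,
                                  connect=make_fake_connector({135, 445}))
    print(report(target, results))
    print("blocked:", blocked_ports(results))
```

Run it with the domain controller's address as the only argument from a client at the remote site; any port reported BLOCKED has to be permitted in the VPN policy or firewall before the join or replication will work. Without an argument it runs the constructed offline demo.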


Accepted Solution

gilm0079 earned 2000 total points
ID: 35698794
It sounds like you have 2 DNS servers. Correct me if I'm wrong. Are they both MS Windows AD-integrated DNS servers?

To remove complexity for the time being I would have site two use site 1's DNS servers. If is your main site's primary DNS server, have all devices from site 2 point to that DNS server (DNS requests will go across the VPN). You can have the other DNS server listed as an option in your second site's DNS servers, but make sure the primary site's DNS server is at the top of the order.

It sounds like you are also saying you can't ping servername, but you can ping servername.domain.local (FQDN). This just means that NetBIOS isn't set up to traverse the VPN. You can fix this by going into your VPN policies on both SonicWalls. Under the advanced tab there should be a checkbox to enable NetBIOS across the VPN. If your primary site is not a SonicWall you need to look at doing an IP helper on that device for NetBIOS traffic and forward it across the VPN connection.

Another thing to consider with domain authentication/replication across the VPN is that it is more sensitive than most things to packet fragmentation. I would recommend trying the following settings.

- Under your VPN policies enable the keep-alive on your remote site and not on your primary site.
- Use IP addresses vs. FQDNs for the remote gateways.
- If you have SonicWalls on both sides of the VPN I would also recommend using the SonicWall identifiers as the IKE local and peer IDs. The unique identifier is located at the top of the VPN -> Settings page on each SonicWall.

Under the VPN advanced options I would recommend these things:
- Enable IKE dead peer detection, interval = 60, trigger level = 3
- Enable Fragmented Packet Handling
- Enable Ignore DF bit
- Enable NAT traversal
- Enable Preserve IKE port for pass through connections

VPN encryption also has some packet size overhead, so I would recommend lowering the WAN MTU to compensate. Under the Network -> Interfaces -> WAN Config -> Advanced tab I would recommend these settings:

- Interface MTU: 1444 (if you are using DSL) or 1460 (if you are using cable, T1s, etc.)
- Enable "Fragment non-VPN outbound packets larger than MTU"
- Disable "Ignore DF bit"
- Disable "Do not send ICMP Fragmentation Needed for outbound packets over interface MTU"

See if these things help.  This should keep you busy for a while :-)
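To make the short-name vs. FQDN behaviour in the question concrete, here is an added illustration (not code from the answerer, the asker or SonicWall) that models, in simplified form, the order a Windows-style client uses for a single-label name: append each DNS suffix from its search list and query DNS, then fall back to NetBIOS. It shows why `nslookup server.abc` can succeed while `nslookup server` fails when NetBIOS does not cross the tunnel, and that either carrying NetBIOS over the VPN (the checkbox above) or giving the client the domain as a DNS suffix makes the short name resolve. The zone contents, NetBIOS name table and addresses are constructed.

```python
"""Why a short name can fail while the FQDN resolves across a site-to-site VPN.

Added illustration for this thread, not code from the poster or from SonicWall.
It models (simplified) the order a Windows-style client uses for a single-label
name: append each DNS suffix from its search list and query DNS, then fall
back to NetBIOS. Zone contents, NetBIOS table and addresses are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data standing in for the AD-integrated DNS server at the
# main site (the one the remote clients should point at first).
ZONE: Dict[str, str] = {
    "server.abc.": "10.0.1.10",
    "dc2.abc.": "10.0.2.10",
}

# Constructed NetBIOS name table at the main site. A broadcast or WINS lookup
# only reaches it if NetBIOS traffic is carried across the VPN.
NETBIOS_TABLE: Dict[str, str] = {"SERVER": "10.0.1.10"}


def dns_lookup(name: str) -> Optional[str]:
    """Answer from the constructed zone, or None for NXDOMAIN."""
    fqdn = name if name.endswith(".") else name + "."
    return ZONE.get(fqdn.lower())


def resolve(name: str, dns_suffixes: List[str],
            netbios_over_vpn: bool) -> Tuple[Optional[str], List[str]]:
    """Resolve NAME for a client with the given suffix list and VPN behaviour.

    Returns (address or None, list of steps tried) so the caller can see
    exactly where resolution stopped.
    """
    trace: List[str] = []
    if "." in name:
        # Qualified name: queried as typed. This is the "nslookup server.abc"
        # case, which works as soon as DNS itself crosses the VPN.
        addr = dns_lookup(name)
        trace.append(f"DNS {name} -> {addr or 'NXDOMAIN'}")
        return addr, trace

    # Single-label name: DNS can only help if a suffix is appended.
    for suffix in dns_suffixes:
        fqdn = f"{name}.{suffix.strip('.')}."
        addr = dns_lookup(fqdn)
        trace.append(f"DNS {fqdn} -> {addr or 'NXDOMAIN'}")
        if addr:
            return addr, trace
    if not dns_suffixes:
        trace.append("DNS: no suffix search list, so nothing to append")

    # NetBIOS fallback (names are at most 15 characters). Over a site-to-site
    # VPN this is the step that silently fails unless the VPN policy passes
    # NetBIOS, which is what the checkbox in the accepted answer enables.
    if len(name) <= 15:
        if netbios_over_vpn:
            addr = NETBIOS_TABLE.get(name.upper())
            trace.append(f"NetBIOS {name.upper()} -> {addr or 'no answer'}")
            return addr, trace
        trace.append(f"NetBIOS {name.upper()} -> no answer (not carried over the VPN)")
    return None, trace


def scenarios() -> Dict[str, Optional[str]]:
    """The situation in the question and the two ways it can be fixed."""
    return {
        "fqdn, no suffixes, no NetBIOS": resolve("server.abc", [], False)[0],
        "short name, no suffixes, no NetBIOS": resolve("server", [], False)[0],
        "short name, suffix 'abc' added": resolve("server", ["abc"], False)[0],
        "short name, NetBIOS over VPN": resolve("server", [], True)[0],
    }


if __name__ == "__main__":
    for label, addr in scenarios().items():
        print(f"{label:<40} {addr or 'FAILED'}")
    # Full trace for the failing case from the question.
    for step in resolve("server", [], False)[1]:
        print("  ", step)
```

The trace for the failing case is the useful part: it shows the client never asked DNS for `server.abc` at all, so the FQDN working is no evidence that short names will, and it shows which of the two fixes (suffix list or NetBIOS across the tunnel) the client ends up relying on.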
