Solved

DNS configuration with a Site-to-Site VPN

Posted on 2012-03-21
658 Views
Last Modified: 2012-03-21
I need help with DNS I have successfully established a site to site VPN connection
between two offices. I am able to ping between each of the networks
across the VPN tunnel. My only issue now is how should the DNS be
configured to allow name resolution and the ability to setup a two way trust.
Question by:GD_GRAY
21 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 200 total points
A few ways to do this, so are these different domains/forests? You can use conditional forwarders, stub zones or secondary zones. I like conditional forwarders; some steps here:

http://pointclickrepeat.info/2011/04/12/creating-a-two-way-transitive-trust/

Thanks

Mike
 
LVL 10

Expert Comment

by:Michael Ian Claridge
Also to build on the above, if you are using a Firewall Appliance for your Site 2 Site, you will need to ensure that the additional sites are allowed to query DNS through your firewalls. (Otherwise look forward to lots of dropped traffic on port 53).

I hope this helps.

MC
 
LVL 57

Expert Comment

by:Mike Kline
More on the firewall: make sure to have the ports listed in the KB below opened.

http://support.microsoft.com/kb/179442

Thanks

Mike
 

Author Comment

by:GD_GRAY
Yes two different domains and forests connected via a Cisco 1811 router and a Cisco 1841 router.
 
LVL 6

Expert Comment

by:netjgrnaut
ensure that the additional sites are allowed to query DNS through your firewalls

Actually, since the traffic is running across a site-to-site VPN, the site firewalls won't play into this.  Unless, of course, they sit *behind* the VPN endpoints (which would be a little strange).

You will, however, need to ensure that your servers are willing to accept DNS traffic from the private network at the other end of the VPN tunnel. For example, if these are Win2k8 servers, the default firewall policy restricts DNS queries to the local subnet only.

The link provided by mkline71 looks like it covers your likely next questions as well...
 
LVL 10

Expert Comment

by:Michael Ian Claridge
@netjgrnaut

?

If you have 2 Firewall Appliances configured to use Site2Site, the internal services such as DNS Servers will sit behind the firewall... what's the point in having a firewall if your clients are going to be on the wrong side of it?
 
LVL 6

Expert Comment

by:netjgrnaut
Typically, VPN tunnels are not subject to the firewall rules applied to the external interface.  In most firewall implementations, the VPN endpoint is a separate logical interface.

Granted, I'm reading into your original statement that you're talking about inbound firewall rules applied to the outside (untrusted) interface.  If you're talking about outbound firewall rules applied to the inside (trusted) interface, then I respectfully withdraw my previous comment...
 

Author Comment

by:GD_GRAY
Went with the link mkline71 posted, but I'm still not able to ping a host name. Do you think the fact that on each end the FQDN names are in the same format (my.server.local) would keep it from resolving? On my servers it seems to be different when setting up the Conditional Forwarder: I went to the DNS management tool, then to properties/forwarders, and set up a new domain and IP. Would that be the same thing?
 
LVL 6

Expert Comment

by:netjgrnaut
So both sites are running under the same DNS domain? Do they also have the same AD forest/domain names?

You're facing bigger problems than DNS resolution in your bigger plan to establish cross-forest trust.

Please provide the following so I can better understand where we're starting...

Site 1 - private subnet, DC name, domain name, DNS svr IP
Site 2 - private subnet, DC name, domain name, DNS svr IP
 

Author Comment

by:GD_GRAY
site 1 - 10.1.1.0, DC1, camron, 10.1.1.5, (FQDN) dc1.camron.local

site 2 - 10.1.10.0, DC2, camron2, 10.1.10.5, (FQDN) dc2.camron2.local
 
LVL 6

Expert Comment

by:netjgrnaut
OK - assuming that you're using a /24 subnet mask at both sites (255.255.255.0), you're good to go.

Your comment about...
on each end the FQDN names are in the same format
...had me concerned. You shouldn't have any problems getting this working.

If you're running server 2008, then Server Properties -> Forwarders is *not* the same thing - that will set global forwarders for all non-local domains.  Not what you want.  You need conditional forwarders.  

If you're running server 2003, then Server Properties -> Forwarders will get you there.

What version of Windows server?

Site 1, add a forwarder for camron2.local with IP 10.1.10.5
Site 2, configure the server firewall to allow DNS requests from 10.1.10.0/24

You should be able to ping by name.  If not, please do
nslookup dc2.camron2.local

from the console of dc1 and post the results here.
 

Author Comment

by:GD_GRAY
They (site 1 and 2) are 2003 r servers.

Default Server:  dc1.camron.local
Address:  10.1.1.5

> camron2
Server:  dc1.camron.local
Address:  10.1.1.5

*** dc1.camron.local can't find camron2: Non-existent domain
>
 
LVL 6

Expert Comment

by:netjgrnaut
Invalid query. camron2 is the domain name, not a valid host name.

NSLOOKUP dc2.camron2.local

The FQDN of the site 2 DC.

Or am I missing something?
 

Author Comment

by:GD_GRAY
Sorry, my bad, you're right, but I got the same return with dc2. This time from the server..

C:\Documents and Settings\Administrator>nslookup dc2
Server:  localhost
Address:  127.0.0.1

*** localhost can't find dc2: Non-existent domain

C:\Documents and Settings\Administrator>
 

Author Comment

by:GD_GRAY
Well it will see it if I use the full name...  dc2.camron2.local
but not just dc2 ?
 
LVL 6

Expert Comment

by:netjgrnaut
Okay - we're getting warmer...

dc2 without an FQDN will try to resolve to dc2.camron.local, which will (and should) fail.

Please try the FQDN.

NSLOOKUP dc2.camron2.local

If you've configured the conditional forwarder on DC1 for camron2.local to point to the IP of dc2.camron2.local as described previously, it should work.

If you want to be able to do host-only name resolution, there's more work to be done.

Let's validate that our setup is working before we get fancy, eh? ;-)
 
LVL 6

Accepted Solution

by:netjgrnaut
netjgrnaut earned 300 total points
Sorry - looks like we cross-posted.

Looks like things are working as expected.  Repeat the config in reverse on DC2 (conditional for camron.local pointing to the IP of DC1; DC1 firewall configured to accept DNS queries from 10.1.1.0/24) and you're all set.

As for host-only name resolution, there are a couple of things you need to do:
1. Ensure that there is no hostname duplication between the two sites.
2. Add camron2.local to the domain search list for DC1 and its DHCP clients.
3. Add camron.local to the domain search list for DC2 and its DHCP clients.

If you're really trying to get NetBIOS name resolution working across the VPN, that's another topic.
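An added example, not code from this thread or from the linked article, that models the setup described in the two netjgrnaut comments above: the conditional forwarder plus host-firewall step, and the DNS suffix search-list step for host-only names. It uses the site values posted in the thread (zones, DC names, IPs, subnets); the function names and the SITES layout are this example's own, and the subnet each server must accept queries from is taken to be the other site's private subnet.

```python
import ipaddress

# Example code (not from the thread). Each DC is authoritative for its own zone, holds a
# conditional forwarder for the other site's zone, and clients complete short names from
# a DNS suffix search list. SITES holds the values posted in the thread; the function
# names below are this example's own.
SITES = {
    "camron.local":  {"dns_ip": "10.1.1.5",  "subnet": "10.1.1.0/24",  "hosts": {"dc1": "10.1.1.5"}},
    "camron2.local": {"dns_ip": "10.1.10.5", "subnet": "10.1.10.0/24", "hosts": {"dc2": "10.1.10.5"}},
}

def required_config(sites):
    """Per zone: the conditional forwarder(s) its DNS server needs, and the remote
    subnet(s) its host firewall must accept DNS (TCP/UDP 53) from."""
    cfg = {}
    for zone in sites:
        others = {z: s for z, s in sites.items() if z != zone}
        cfg[zone] = {
            "conditional_forwarders": {z: s["dns_ip"] for z, s in others.items()},
            "firewall_allow_dns_from": [s["subnet"] for s in others.values()],
        }
    return cfg

def query_allowed(zone, src_ip, sites):
    """Would the zone's DNS server accept a query from src_ip? Its own subnet plus
    whatever required_config() says to open (the other site's private subnet)."""
    allowed = [sites[zone]["subnet"]] + required_config(sites)[zone]["firewall_allow_dns_from"]
    return any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in allowed)

def resolve(name, local_zone, sites, search_list=()):
    """Resolve like a client in local_zone: a single-label name is completed with the
    primary suffix first, then each search-list suffix; dotted names are used as-is."""
    forwarders = required_config(sites)[local_zone]["conditional_forwarders"]
    candidates = [name] if "." in name else [f"{name}.{s}" for s in (local_zone, *search_list)]
    for fqdn in candidates:
        for zone in (local_zone, *forwarders):  # own zone, then conditionally forwarded zones
            if fqdn.endswith("." + zone):
                ip = sites[zone]["hosts"].get(fqdn[: -len(zone) - 1])
                if ip:
                    return ip
    return None  # the "Non-existent domain" case in the thread's nslookup output

def duplicate_hosts(sites):
    """Step 1 of the accepted answer: short-name resolution via a search list is only
    unambiguous if no hostname exists in both zones."""
    seen = {}
    for zone, site in sites.items():
        for host in site["hosts"]:
            seen.setdefault(host, set()).add(zone)
    return sorted(h for h, zones in seen.items() if len(zones) > 1)
```

resolve("dc2", "camron.local", SITES) fails until "camron2.local" is in the search list, which is exactly the behaviour the thread walked through with nslookup.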
 

Author Comment

by:GD_GRAY
Cool, it works from each location. What I need to do is set up a two-way trust for the domains. I have never done it before, but I knew the DNS would have to work first. Do you know if, the way it's working now, I can set up the trust, or should I set up the domain search list as well?
 
LVL 6

Expert Comment

by:netjgrnaut
What you've got now should be sufficient.  Refer back to the link originally posted by mkline71.

http://pointclickrepeat.info/2011/04/12/creating-a-two-way-transitive-trust/

Glad I could help!
 

Author Closing Comment

by:GD_GRAY
Thank you for the link mkline71, and for all your help netjgrnaut. I could not have done it without you!
 
LVL 57

Expert Comment

by:Mike Kline
nice work setting up the trust!!
