DNS configuration with a Site-to-Site VPN

Posted on 2012-03-21
Last Modified: 2012-03-21
I need help with DNS. I have successfully established a site-to-site VPN connection between two offices. I am able to ping between each of the networks across the VPN tunnel. My only issue now is how the DNS should be configured to allow name resolution and the ability to set up a two-way trust.
Question by: GD_GRAY
21 Comments
 

Assisted Solution

by:Mike Kline
Mike Kline earned 200 total points
ID: 37747815
A few ways to do this, so are these different domains/forests? You can use conditional forwarders, stub zones or secondary zones. I like conditional forwarders; some steps here:

http://pointclickrepeat.info/2011/04/12/creating-a-two-way-transitive-trust/

Thanks

Mike

Expert Comment

by:Michael Ian Claridge
ID: 37747857
Also, to build on the above, if you are using a firewall appliance for your site-to-site, you will need to ensure that the additional sites are allowed to query DNS through your firewalls (otherwise look forward to lots of dropped traffic on port 53).

I hope this helps.

MC

Expert Comment

by:Mike Kline
ID: 37747868
More on the firewall: make sure to have the ports listed in the KB below opened.

http://support.microsoft.com/kb/179442

Thanks

Mike
Author Comment

by:GD_GRAY
ID: 37747903
Yes, two different domains and forests, connected via a Cisco 1811 router and a Cisco 1841 router.

Expert Comment

by:netjgrnaut
ID: 37747910
"ensure that the additional sites are allowed to query DNS through your firewalls"

Actually, since the traffic is running across a site-to-site VPN, the site firewalls won't play into this. Unless, of course, they sit *behind* the VPN endpoints (which would be a little strange).

You will, however, need to ensure that your servers are willing to accept DNS traffic from the private network at the other end of the VPN tunnel. For example, if these are Win2k8 servers, the default firewall policy restricts DNS queries to the local subnet only.

The link provided by mkline71 looks like it covers your likely next questions as well...

Expert Comment

by:Michael Ian Claridge
ID: 37747956
@netjgrnaut

?

If you have two firewall appliances configured to use site-to-site, the internal services such as DNS servers will sit behind the firewall... what's the point in having a firewall if your clients are going to be on the wrong side of it?

Expert Comment

by:netjgrnaut
ID: 37748063
Typically, VPN tunnels are not subject to the firewall rules applied to the external interface.  In most firewall implementations, the VPN endpoint is a separate logical interface.

Granted, I'm reading into your original statement that you're talking about inbound firewall rules applied to the outside (untrusted) interface.  If you're talking about outbound firewall rules applied to the inside (trusted) interface, then I respectfully withdraw my previous comment...
Author Comment

by:GD_GRAY
ID: 37748274
Went with the link mkline71 posted, but I'm still not able to ping a host name. Do you think the fact that on each end the FQDN names are in the same format (my.server.local) would keep it from resolving? On my servers it seems to be different when setting up the conditional forwarder: I went to the DNS management tool, then to Properties/Forwarders, and set up a new domain and IP. Would that be the same thing?

Expert Comment

by:netjgrnaut
ID: 37748350
So both sites are running under the same DNS domain? Do they also have the same AD forest/domain names?

You're facing bigger problems than DNS resolution in your bigger plan to establish cross-forest trust.

Please provide the following so I can better understand where we're starting...

Site 1 - private subnet, DC name, domain name, DNS svr IP
Site 2 - private subnet, DC name, domain name, DNS svr IP
Author Comment

by:GD_GRAY
ID: 37748466
Site 1 - private subnet 10.1.1.0, DC name DC1, domain camron, DNS server IP 10.1.1.5, FQDN dc1.camron.local

Site 2 - private subnet 10.1.10.0, DC name DC2, domain camron2, DNS server IP 10.1.10.5, FQDN dc2.camron2.local

Expert Comment

by:netjgrnaut
ID: 37748642
OK - assuming that you're using a /24 subnet mask at both sites (255.255.255.0), you're good to go.

Your comment about...
"on each end the FQDN names are in the same format"
...had me concerned. You shouldn't have any problems getting this working.

If you're running Server 2008, then Server Properties -> Forwarders is *not* the same thing - that will set global forwarders for all non-local domains. Not what you want. You need conditional forwarders.

If you're running Server 2003, then Server Properties -> Forwarders will get you there.

What version of Windows Server?

Site 1, add a forwarder for camron2.local with IP 10.1.10.5
Site 2, configure the server firewall to allow DNS requests from 10.1.10.0/24

You should be able to ping by name. If not, please do

nslookup dc2.camron2.local

from the console of dc1 and post the results here.
Author Comment

by:GD_GRAY
ID: 37748759
They (site 1 and 2) are 2003 r servers.

Default Server:  dc1.camron.local
Address:  10.1.1.5

> camron2
Server:  dc1.camron.local
Address:  10.1.1.5

*** dc1.camron.local can't find camron2: Non-existent domain
>

Expert Comment

by:netjgrnaut
ID: 37749025
Invalid query. camron2 is the domain name, not a valid host name.

NSLOOKUP dc2.camron2.local

The FQDN of the site 2 DC.

Or am I missing something?
Author Comment

by:GD_GRAY
ID: 37749070
Sorry, my bad, you're right, but I got the same return with dc2. This time from the server:

C:\Documents and Settings\Administrator>nslookup dc2
Server:  localhost
Address:  127.0.0.1

*** localhost can't find dc2: Non-existent domain

C:\Documents and Settings\Administrator>
Author Comment

by:GD_GRAY
ID: 37749089
Well, it will see it if I use the full name... dc2.camron2.local, but not just dc2?

Expert Comment

by:netjgrnaut
ID: 37749092
Okay - we're getting warmer...

dc2 without a FQDN will try to resolve to dc2.camron.local, which will (and should) fail.

Please try the FQDN.

NSLOOKUP dc2.camron2.local

If you've configured the conditional forwarder on DC1 for camron2.local to point to the IP of dc2.camron2.local as described previously, it should work.

If you want to be able to do host-only name resolution, there's more work to be done.

Let's validate that our setup is working before we get fancy, eh? ;-)

Accepted Solution

by: netjgrnaut
netjgrnaut earned 300 total points
ID: 37749122
Sorry - looks like we cross-posted.

Looks like things are working as expected.  Repeat the config in reverse on DC2 (conditional for camron.local pointing to the IP of DC1; DC1 firewall configured to accept DNS queries from 10.1.1.0/24) and you're all set.

As for host-only name resolution, there are a couple of things you need to do:
1. Ensure that there is no hostname duplication between the two sites.
2. Add camron2.local to the domain search list for DC1 and its DHCP clients.
3. Add camron.local to the domain search list for DC2 and its DHCP clients.

If you're really trying to get NetBIOS name resolution working across the VPN, that's another topic.
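The two-way configuration in the accepted solution above, together with the verification netjgrnaut asked for earlier in the thread (resolving the remote DC's FQDN), as an added PowerShell example. This is not code from the thread or from any of its participants: it assumes a current Windows Server with the DnsServer, DnsClient and NetSecurity modules (Windows Server 2012 R2 or later), so it does not run on the Server 2003 machines in the question, where the equivalent is the DNS console's Forwarders tab. The domain names, DC names, addresses and subnets are the ones GD_GRAY posted; the function names are this example's own. Note the direction of the host-firewall rule: the queries that reach each DC's DNS service arrive from the remote site's private subnet, so DC1 admits 10.1.10.0/24 and DC2 admits 10.1.1.0/24. The SRV checks go beyond the thread's A-record test and cover the `_msdcs` locator records that the trust wizard uses to find a domain controller in the other forest.

```powershell
# Added example (not from the thread). Requires the DnsServer, DnsClient and
# NetSecurity modules (Windows Server 2012 R2 or later); Server 2003, which the
# question's DCs run, has no such cmdlets and uses the DNS console instead.
# Run it on the DC of the site named in -Local.

# Layout taken from the thread: two forests, one DC/DNS server per site.
$Sites = @{
    camron  = @{ Domain = 'camron.local';  Dc = 'dc1.camron.local';  DnsIp = '10.1.1.5';  Subnet = '10.1.1.0/24'  }
    camron2 = @{ Domain = 'camron2.local'; Dc = 'dc2.camron2.local'; DnsIp = '10.1.10.5'; Subnet = '10.1.10.0/24' }
}

function Set-CrossSiteDnsForwarding {
    # Make this DC ($Local) forward queries for $Remote's domain to the remote
    # DC, and let the remote site's subnet reach this DC's DNS service.
    param(
        [Parameter(Mandatory)][string]$Local,
        [Parameter(Mandatory)][string]$Remote
    )
    $r = $Sites[$Remote]

    # Conditional forwarder: only names under camron2.local (from DC1's point
    # of view) go to 10.1.10.5. Server Properties -> Forwarders would instead
    # send every non-authoritative query there, which is the wrong setting.
    if (-not (Get-DnsServerZone -Name $r.Domain -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $r.Domain -MasterServers $r.DnsIp -ForwarderTimeout 5
    }

    # Host firewall: the remote DC's queries cross the tunnel as traffic from
    # the remote private subnet, so open UDP and TCP 53 for that subnet only.
    foreach ($proto in 'UDP', 'TCP') {
        $name = "DNS inbound from $($r.Subnet) ($proto)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $proto -LocalPort 53 -RemoteAddress $r.Subnet | Out-Null
        }
    }
}

function Test-CrossSiteDns {
    # Ask this site's DNS server for the remote DC's FQDN and for the locator
    # records a forest trust needs. Returns a name -> $true/$false table.
    param(
        [Parameter(Mandatory)][string]$Local,
        [Parameter(Mandatory)][string]$Remote
    )
    $l = $Sites[$Local]
    $r = $Sites[$Remote]
    $results = [ordered]@{}

    # Always query the FQDN. A bare "dc2" is completed with this host's own
    # suffix to dc2.camron.local, which does not exist (the failure seen above).
    $a = Resolve-DnsName -Name $r.Dc -Type A -Server $l.DnsIp -ErrorAction SilentlyContinue
    $results[$r.Dc] = @($a | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -contains $r.DnsIp

    # DC locator records under _msdcs; nltest and the trust wizard look these up.
    foreach ($svc in '_ldap', '_kerberos') {
        $srv = "$svc._tcp.dc._msdcs.$($r.Domain)"
        $rec = Resolve-DnsName -Name $srv -Type SRV -Server $l.DnsIp -ErrorAction SilentlyContinue
        $results[$srv] = [bool]($rec | Where-Object { $_.Type -eq 'SRV' })
    }
    return $results
}

function Set-CrossSiteSuffixSearch {
    # Optional, for host-only names (steps 2 and 3 above): "dc2" is then also
    # tried as dc2.camron2.local. Only safe if no host name exists in both
    # domains. This sets the local DNS client; DHCP clients need the same list
    # delivered separately.
    param(
        [Parameter(Mandatory)][string]$Local,
        [Parameter(Mandatory)][string]$Remote
    )
    Set-DnsClientGlobalSetting -SuffixSearchList @($Sites[$Local].Domain, $Sites[$Remote].Domain)
}

# On DC1 (site 1):
Set-CrossSiteDnsForwarding -Local camron -Remote camron2
Test-CrossSiteDns -Local camron -Remote camron2
# On DC2 (site 2), the same in reverse:
#   Set-CrossSiteDnsForwarding -Local camron2 -Remote camron
#   Test-CrossSiteDns -Local camron2 -Remote camron
```

Run the two calls on DC1, then the commented pair on DC2. Every entry in the table returned by Test-CrossSiteDns should be $true before starting the trust wizard; a $false on the A record points at the forwarder or the firewall rule, a $false on the SRV records alone means the remote zone answers but is missing its `_msdcs` registrations (restart the Netlogon service on the remote DC to re-register them).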
Author Comment

by:GD_GRAY
ID: 37749168
Cool, it works from each location. What I need to do is set up a two-way trust for the domains; I have never done it before but knew the DNS would have to work first. Do you know if, the way it's working now, I can set up the trust, or should I set up the domain search list as well?

Expert Comment

by:netjgrnaut
ID: 37749187
What you've got now should be sufficient.  Refer back to the link originally posted by mkline71.

http://pointclickrepeat.info/2011/04/12/creating-a-two-way-transitive-trust/

Glad I could help!
Author Closing Comment

by:GD_GRAY
ID: 37749243
Thank you for the link mkline71, and for all your help netjgrnaut. I could not have done it without you!

Expert Comment

by:Mike Kline
ID: 37749281
nice work setting up the trust!!