DNS configuration with a Site-to-Site VPN

I need help with DNS. I have successfully established a site-to-site VPN connection
between two offices. I am able to ping between each of the networks
across the VPN tunnel. My only issue now is how the DNS should be
configured to allow name resolution and the ability to set up a two-way trust.
GD_GRAY asked:
Mike Kline commented:
A few ways to do this; are these different domains/forests? You can use conditional forwarders, stub zones or secondary zones. I like conditional forwarders; some steps here:

http://pointclickrepeat.info/2011/04/12/creating-a-two-way-transitive-trust/

Thanks

Mike
Michael Ian Claridge (Acting Service Delivery Manager) commented:
Also, to build on the above: if you are using a firewall appliance for your site-to-site VPN, you will need to ensure that the additional sites are allowed to query DNS through your firewalls. (Otherwise look forward to lots of dropped traffic on port 53.)

I hope this helps.

MC
Mike Kline commented:
More on the firewall: make sure to have the ports opened that are listed in the KB below.

http://support.microsoft.com/kb/179442

Thanks

Mike
GD_GRAY (Author) commented:
Yes two different domains and forests connected via a Cisco 1811 router and a Cisco 1841 router.
netjgrnaut commented:
"ensure that the additional sites are allowed to query DNS through your firewalls"

Actually, since the traffic is running across a site-to-site VPN, the site firewalls won't play into this.  Unless, of course, they sit *behind* the VPN endpoints (which would be a little strange).

You will, however, need to ensure that your servers are willing to accept DNS traffic from the private network at the other end of the VPN tunnel. For example, if these are Win2k8 servers, the default firewall policy restricts DNS queries to the local subnet only.

The link provided by mkline71 looks like it covers your likely next questions as well...
Michael Ian Claridge (Acting Service Delivery Manager) commented:
@netjgrnaut

?

If you have two firewall appliances configured for site-to-site, the internal services such as DNS servers will sit behind the firewall..... what's the point in having a firewall if your clients are going to be on the wrong side of it?
netjgrnaut commented:
Typically, VPN tunnels are not subject to the firewall rules applied to the external interface.  In most firewall implementations, the VPN endpoint is a separate logical interface.

Granted, I'm reading into your original statement that you're talking about inbound firewall rules applied to the outside (untrusted) interface.  If you're talking about outbound firewall rules applied to the inside (trusted) interface, then I respectfully withdraw my previous comment...
GD_GRAY (Author) commented:
Went with the link mkline71 posted, but I'm still not able to ping a host name. Do you think the fact that on each end the FQDN names are in the same format (my.server.local) would keep it from resolving? On my servers it seems to be different when setting up the conditional forwarder: I went to the DNS management tool, then to Properties/Forwarders and set up a new domain and IP. Would that be the same thing?
netjgrnaut commented:
So both sites are running under the same DNS domain? Do they also have the same AD forest/domain names?

You're facing bigger problems than DNS resolution in your bigger plan to establish cross-forest trust.

Please provide the following so I can better understand where we're starting...

Site 1 - private subnet, DC name, domain name, DNS svr IP
Site 2 - private subnet, DC name, domain name, DNS svr IP
GD_GRAY (Author) commented:
Site 1 - 10.1.1.0, DC1, camron, 10.1.1.5, (FQDN) dc1.camron.local

Site 2 - 10.1.10.0, DC2, camron2, 10.1.10.5, (FQDN) dc2.camron2.local
netjgrnaut commented:
OK - assuming that you're using a /24 subnet mask at both sites (255.255.255.0), you're good to go.  

Your comment about...
"on each end the FQDN names are in the same format"
...had me concerned. You shouldn't have any problems getting this working.

If you're running server 2008, then Server Properties -> Forwarders is *not* the same thing - that will set global forwarders for all non-local domains.  Not what you want.  You need conditional forwarders.  

If you're running server 2003, then Server Properties -> Forwarders will get you there.

What version of Windows server?

Site 1, add a forwarder for camron2.local with IP 10.1.10.5
Site 2, configure the server firewall to allow DNS requests from 10.1.10.0/24

You should be able to ping by name.  If not, please do
nslookup dc2.camron2.local


from the console of dc1 and post the results here.
GD_GRAY (Author) commented:
They (site 1 and 2) are 2003 R servers.

Default Server:  dc1.camron.local
Address:  10.1.1.5

> camron2
Server:  dc1.camron.local
Address:  10.1.1.5

*** dc1.camron.local can't find camron2: Non-existent domain
>
netjgrnaut commented:
Invalid query. camron2 is the domain name, not a valid host name.

NSLOOKUP dc2.camron2.local

The FQDN of the site 2 DC.

Or am I missing something?
GD_GRAY (Author) commented:
Sorry, my bad, you're right, but I got the same return with dc2. This time from the server..

C:\Documents and Settings\Administrator>nslookup dc2
Server:  localhost
Address:  127.0.0.1

*** localhost can't find dc2: Non-existent domain

C:\Documents and Settings\Administrator>
GD_GRAY (Author) commented:
Well it will see it if I use the full name...  dc2.camron2.local
but not just dc2 ?
netjgrnaut commented:
Okay - we're getting warmer...

dc2 without a FQDN will try to resolve to dc2.camron.local, which will (and should) fail.

Please try the FQDN.

NSLOOKUP dc2.camron2.local

If you've configured the conditional forwarder on DC1 for camron2.local to point to the IP of dc2.camron2.local as described previously, it should work.

If you want to be able to do host-only name resolution, there's more work to be done.

Let's validate that our setup is working before we get fancy, eh? ;-)
netjgrnaut commented:
Sorry - looks like we cross-posted.

Looks like things are working as expected.  Repeat the config in reverse on DC2 (conditional for camron.local pointing to the IP of DC1; DC1 firewall configured to accept DNS queries from 10.1.1.0/24) and you're all set.

As for host-only name resolution, there are a couple of things you need to do:
1. Ensure that there is no hostname duplication between the two sites.
2. Add camron2.local to the domain search list for DC1 and its DHCP clients.
3. Add camron.local to the domain search list for DC2 and its DHCP clients.

If you're really trying to get NetBIOS name resolution working across the VPN, that's another topic.
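The procedure netjgrnaut lays out above (a conditional forwarder on each DC for the other site's zone, the DC firewall opened only to the other site's private subnet, verification by FQDN, and optionally the suffix search list for short names), collected into one script as an added example that is not part of the original thread. It assumes Windows Server 2012 R2 or newer with the DnsServer, NetSecurity and DnsClient PowerShell modules; the 2003 servers in this thread would use the DNS console or dnscmd/netsh instead. Subnets, zones and DC names are the ones GD_GRAY posted; the -Site parameter, the function names and the firewall rule names are my own.

```powershell
<#
  Added example, not from the thread. Run in an elevated PowerShell prompt on each DC
  and pass the site this DC belongs to. Assumes Windows Server 2012 R2+ (DnsServer,
  NetSecurity, DnsClient modules); the thread's 2003 servers would use dnscmd/netsh.
#>
param(
    [Parameter(Mandatory)][ValidateSet('site1', 'site2')][string]$Site
)

# Site data as posted in the thread.
$sites = @{
    site1 = @{ Subnet = '10.1.1.0/24';  Zone = 'camron.local';  Dns = '10.1.1.5';  Dc = 'dc1.camron.local'  }
    site2 = @{ Subnet = '10.1.10.0/24'; Zone = 'camron2.local'; Dns = '10.1.10.5'; Dc = 'dc2.camron2.local' }
}
$otherName = if ($Site -eq 'site1') { 'site2' } else { 'site1' }
$thisSite  = $sites[$Site]
$otherSite = $sites[$otherName]

function Add-RemoteSiteForwarder {
    param([hashtable]$Other)
    # Conditional forwarder: only queries for the other forest's zone go to its DC.
    # On 2008+ the Server Properties -> Forwarders tab is global (every non-local query
    # would go to the other site), which is why a conditional forwarder is used instead.
    if (-not (Get-DnsServerZone -Name $Other.Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $Other.Zone -MasterServers $Other.Dns `
            -ReplicationScope 'Forest'   # stored in AD so every DC in this forest gets it
    }
}

function Add-RemoteSiteDnsFirewallRule {
    param([string]$OtherName, [hashtable]$Other)
    # The DC's own firewall must accept DNS from the other site's *private* subnet as it
    # arrives through the tunnel. Scope the rule to that subnet; do not open 53 to Any.
    foreach ($proto in 'UDP', 'TCP') {
        $name = "DNS ($proto-In) from $OtherName $($Other.Subnet)"   # rule name is my own
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $proto -LocalPort 53 -RemoteAddress $Other.Subnet `
                -Profile Domain | Out-Null
        }
    }
}

function Test-RemoteSiteDns {
    param([hashtable]$Other)
    # Query through this DC (the clients' resolver) by FQDN. A bare 'dc2' gets the local
    # suffix appended (dc2.camron.local) and fails by design, as seen in the thread.
    $a   = Resolve-DnsName -Name $Other.Dc -Type A -Server $thisSite.Dns -ErrorAction Stop
    # The trust wizard locates the other domain's DCs via its SRV records; check those too.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($Other.Zone)" -Type SRV `
        -Server $thisSite.Dns -ErrorAction Stop
    [pscustomobject]@{
        Host    = $Other.Dc
        Address = ($a   | Where-Object Type -eq 'A').IPAddress
        LdapSrv = ($srv | Where-Object Type -eq 'SRV').NameTarget
    }
}

function Enable-ShortNameResolution {
    # Host-only names (ping dc2) need the client to try the other suffix as well, and
    # only work if hostnames are unique across both sites. This sets it on the DC; for
    # domain members push the same list with Group Policy (Computer Configuration >
    # Administrative Templates > Network > DNS Client > DNS Suffix Search List), since
    # the Windows DHCP client does not take a search list from DHCP.
    Set-DnsClientGlobalSetting -SuffixSearchList @($thisSite.Zone, $otherSite.Zone)
}

Add-RemoteSiteForwarder       -Other $otherSite
Add-RemoteSiteDnsFirewallRule -OtherName $otherName -Other $otherSite
Test-RemoteSiteDns            -Other $otherSite | Format-List
# Optional, and only once the FQDN test above succeeds from both sides:
# Enable-ShortNameResolution
```

Run it once on DC1 with -Site site1 and once on DC2 with -Site site2; the firewall rule is the part that is easy to forget, and without it the forwarder looks configured but every query to the other site times out. Resolving the _ldap._tcp.dc._msdcs SRV record from each side is a stronger check than a single A record, because that is the lookup the trust setup itself depends on.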
GD_GRAY (Author) commented:
Cool, it works from each location. What I need to do is set up a two-way trust for the domains, and I have never done it before, but I knew the DNS would have to work first. Do you know if, the way it's working now, I can set up the trust, or should I set up the domain search list as well?
netjgrnaut commented:
What you've got now should be sufficient.  Refer back to the link originally posted by mkline71.

http://pointclickrepeat.info/2011/04/12/creating-a-two-way-transitive-trust/

Glad I could help!
GD_GRAY (Author) commented:
Thank you for the link mkline71, and for all your help netjgrnaut. I could not have done it without you!
Mike Kline commented:
nice work setting up the trust!!