Solved

Hosts file on domain PDC

Posted on 2015-02-07
15
40 Views
Last Modified: 2016-03-02
I have a Windows 2003 PDC running Exchange and some other apps. We have a new piece of software that we need installed on each workstation on the network's domain and it runs through a VPN.

The software consultant wants us to install an edited hosts file on each workstation mapping some of the servers on the remote portion of the VPN. They are not in our domain.

My question is: Can't I add this to the DNS server and be done with it? What if one of those IPs changes? I would have to edit all of the workstations again. I'm not into that.

What would be the simple way to fix this?
Question by:techindahaus
15 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 40596389
You do have to map to the remote system. You could set up scripts in the normal way that map to the IP address at the remote end. This means not changing the hosts files on many machines but means changing the central scripts if the IP address changes.
0
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40596395
That's how I would do it.
0
 

Author Comment

by:techindahaus
ID: 40596397
What about just connecting to their DNS server under reverse lookup?
0
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40596403
For example, say the vendor server is named server1.vendordomain.com. You could create a forward authoritative domain for vendordomain.com on your DNS server with the records they need, and then in your domain create a CNAME to that record. So your record would look like server1.mydomain maps to server1.vendordomain.com. This way your clients can resolve the names without needing a DNS suffix entry on each client.
0
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40596404
If your clients are looking up the fully qualified domain name then you wouldn't need the CNAME records in your domain.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40596915
Mapping via scripts and mapped drives may not be possible if the software is written to connect to a file share such as \\Server1\Share1.  Though I would use DNS (you have to create a new zone for the remote site), depending on the VPN configuration, it may block access to local resources such as DNS, which may be why they recommend using the hosts file.  You can script updating the hosts file from the server upon logon.  The user needs to be an admin to run it.
0
 

Author Comment

by:techindahaus
ID: 40596932
Maybe I didn't explain this very well.

1. I'm not looking for a scripting solution.
2. I'm not looking to manually edit CNAMEs each time the application server changes its public IP address.

What I'm looking for is a way to map the host names of the remote servers and their IP addresses WITHOUT creating a separate hosts file on every workstation in my domain.

Now, I think I know the best course of action. Add their DNS server to mine in the reverse lookup area so that my DNS server can query theirs, and if an IP changes, my records should be updated, as all of my workstations are using my domain's PDC for DNS.

What I'm unsure about is if this is the best place to implement this solution. I'm not a DNS expert, but can certainly find my way around a server.
0
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40596949
I don't think you mean reverse lookup. A reverse lookup is an IP to a name. You are referring to a forwarder. When you create a forwarder you would create it for their domain, as in the previous example vendordomain.com. So when a client looks up server1.vendordomain.com they would hit that forwarder, which would direct them to the name server you provided in the forwarder configuration. The issue with that is the only way the client would be directed out the forwarder is if they are trying to resolve the fully qualified domain name. If a client was trying to resolve server1 it would only append your DNS suffix, which would be your domain.com. All clients would then need to have a DNS suffix for that domain. This gets ugly because then all lookups would try to append to that.

If clients are looking up the fully qualified domain name then you would be okay with the forwarder.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 40596954
You would add a zone for the remote server domain name such as RemoteSite.local to the forward lookup zone of your DNS server and to that add Host (A) records for the remote servers.  If the IP changes, it "should" update the host record, but being part of another domain, it probably will not. This is why domain trusts are usually set up in this case.  However, as mentioned, many VPN solutions are configured with "split tunneling" disabled for security reasons to protect the remote network.  If this is the case, local resources such as DNS are blocked and unusable.

If a hosts file is the only solution, I was suggesting a script pushed out through group policy that would automatically edit the hosts file of every PC.  If the IPs change, you simply update the script on the server.   Having said that, I am doubtful a vendor would provide a VPN solution, a service, and servers, and start changing IPs.

Normally if you have multiple computers connecting to a remote server you set up a VPN tunnel between two VPN routers, this eliminates the need for split tunneling, looks after routing and DNS.  Another issue is most routers have limits as to how many software VPN tunnels they will support.  I don't know if you are talking about 2 or 3 or 10 or more.
0
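As an added illustration of the logon/group-policy script Rob Williams describes (both in his earlier comment and in the accepted solution), not code from this thread: the script owns one marker-delimited block in the workstation's hosts file, so re-running it is idempotent, an IP change only requires editing the central mapping, and other entries are left untouched. The vendor names, addresses and the hosts path `C:\Windows\System32\drivers\etc\hosts` are constructed placeholders; `find_conflicts` additionally reports managed names that someone has added outside the block, which a defender would want flagged.

```python
import os
import re
import tempfile

# Constructed sample mapping (placeholder names and private addresses): the
# remote VPN servers the vendor wants every workstation to resolve.
VENDOR_HOSTS = {
    "server1.vendordomain.com": "10.200.0.11",
    "server2.vendordomain.com": "10.200.0.12",
}
# Marker comments delimit the block this script owns; other lines are left alone.
BEGIN = "# BEGIN managed-vendor-hosts"
END = "# END managed-vendor-hosts"
BLOCK_RE = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END) + r"\n?", re.S)

def render_block(mapping):
    body = [f"{ip}\t{name}" for name, ip in sorted(mapping.items())]
    return "\n".join([BEGIN] + body + [END]) + "\n"

def merge_hosts(existing, mapping):
    """Replace (or append) the managed block so re-runs are idempotent and a
    changed vendor IP only requires editing `mapping` on the server."""
    block = render_block(mapping)
    if BLOCK_RE.search(existing):
        return BLOCK_RE.sub(lambda _m: block, existing)
    sep = "" if not existing or existing.endswith("\n") else "\n"
    return existing + sep + block

def find_conflicts(existing, mapping):
    """Managed names that also appear on a hosts line outside the block, i.e. a
    manual or unauthorised entry that conflicts with the central mapping."""
    outside = BLOCK_RE.sub("", existing)
    hits = set()
    for line in outside.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comment; then "IP name ..."
        hits.update(n.lower() for n in fields[1:] if n.lower() in mapping)
    return sorted(hits)

def update_hosts_file(path, mapping):
    """Rewrite `path` atomically; returns True if the file changed."""
    with open(path) as f:
        existing = f.read()
    new = merge_hosts(existing, mapping)
    if new == existing:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", newline="\r\n") as f:  # Windows line endings
        f.write(new)
    os.replace(tmp, path)  # atomic swap, never a half-written hosts file
    return True
```

Call `update_hosts_file(r"C:\Windows\System32\drivers\etc\hosts", VENDOR_HOSTS)` from an elevated logon script; as Rob notes, writing that file requires admin rights.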
 

Author Comment

by:techindahaus
ID: 40596982
UnHeardOf: Actually, I am referring to a reverse lookup. Similar to a HOSTS file, it will allow you to look up a name from an IP. I believe that is the premise. But I just didn't know if that would be the "best" way to accomplish this. My assumption here was that if I added it and I had their DNS server's IP, it would poll the DNS server for any changes.

Rob: yea, I agree. I have also looked into pushing out the HOSTS file replacement in our login script. It just seems so archaic to be dealing with these HOSTS files anymore. As of right now I don't have an answer to whether we can even get their DNS IP. This whole process has been a "rush" job and this is just another kink in the process.

I may try a few of your suggestions based on what information I get this week from the vendor. Hopefully, we can come to a simple solution. I'll update this thread when I get that.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 500 total points
ID: 40596986
You don't need the IP of their DNS server; you are adding the record to your DNS server.  Pointing to the remote DNS server, if not a member of your domain, will actually "mess up" local DNS.  DNS is the best solution if it will be available while the VPN is connected, and if it will update, but I don't see it updating. You could manually change it in DNS if it ever changes.

You want a forward lookup record, not reverse, as it is the IP that may change, not the name.

I suspect the vendor recommends a host record as it works consistently.
0
 
LVL 2

Expert Comment

by:UnHeardOf
ID: 40597218
Rob,
How would a conditional forwarder for a domain (which requires an IP of the vendor's name server to forward the queries to) hurt local DNS? Queries would only be sent to the forwarder that have the same domain suffix. Since the clients wouldn't have the suffix in their configuration, the only way the forwarder would be used would be by a client that is trying to resolve the fully qualified domain name.

I'm not saying that this may be the best fit for this scenario but until we hear back these are just suggestions.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 500 total points
ID: 40597263
If split tunneling is enabled on the VPN connection, i.e. local and remote subnets are accessible simultaneously, a conditional forwarder is a good idea.  The issue to which I was referring was adding the remote site's DNS server's IP to the DNS configuration of the NICs on each PC. The DNS server will need to be set to use forwarders rather than root hints, but should work.
A note regarding forwarders: "Due to a code defect in Windows Server® 2008, the checkbox next to Use root hints if no forwarders are available actually configures the opposite behavior" from: https://technet.microsoft.com/en-us/library/ff807391(v=ws.10)
0
