What's the right way to set up a VPN and laptops at remote locations to allow access to the domain controller and shares?

This is likely networking 101, but.... I'm stuck.

SBS 2011 server at location A (192.168.1.0 subnet).
Location B is connected to location A with a VPN, subnet 192.168.2.0. The router at location B currently gives out public DNS server IP addresses.

What's the right way to set things up for domain-joined laptops running Win 10 Pro at location B to be able to access shares on the server like \\server\files? The server is the domain controller. There's only that one server.

Use a hosts file? It has that now with entries:

server  192.168.1.3
server.domainname.local  192.168.1.3 (is this needed?)

When they click on a mapped drive, a Windows Security box pops up asking for credentials, and even though we check 'Remember my credentials', it asks again after a reboot. This window ALSO says 'The system cannot contact a domain controller to service the authentication request. Please try again later.'

You click OK after adding credentials, get to the files and all is fine, until a reboot.

What do I need to do so it can get to the domain controller across the VPN?

Why doesn't it save the credentials after a reboot?

Why does it even ask for the credentials? The user and password entered when logging in are the credentials.

THANKS!
BeGentleWithMe-INeedHelpAsked:

Cliff GaliherCommented:
As I said in your other (autodiscover) question, if you want AD to function properly, and that *includes* things like AD SSO/Kerberos, then you need to only use internal DNS servers. You can set one up at the remote site or you can send DNS requests from clients over the VPN (though that becomes an issue if the VPN tunnel is ever down for any reason).

Or you can deal with the hassles of not having AD functionality. Hosts files are *no* replacement. A look at any AD-aware DNS server will show you a ton of records that are not reasonable to manage via hosts.
1
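The point above about hosts files versus AD-aware DNS can be verified from a remote-site client: a domain-joined machine locates its DC through SRV records that a hosts file can never supply. The following read-only diagnostic is an added example, not code from the thread or from any of the participants; it assumes the domain name 'domainname.local' and the DC address 192.168.1.3 taken from the question, and uses only built-in Windows 10 cmdlets and nltest.

```powershell
# Added example (not from the original thread): run on a remote-site Windows 10
# client to confirm it uses the internal DNS server and can locate the DC via
# the records Active Directory publishes in DNS. Values are from the question;
# adjust the parameters for another environment.
param(
    [string]$Domain = 'domainname.local',
    [string]$ExpectedDns = '192.168.1.3'
)

# 1. Which DNS servers is the client actually using? If the site router hands
#    out public resolvers (the situation in the question), this list will not
#    contain the DC and every AD lookup below will fail.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique
Write-Host "Client DNS servers: $($dnsServers -join ', ')"
if ($dnsServers -notcontains $ExpectedDns) {
    Write-Warning "Internal DNS server $ExpectedDns is not in the client's DNS list."
}

# 2. Can the client resolve the SRV records a domain member needs to find a DC
#    and a Kerberos KDC? These are the records a hosts file cannot provide.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain"
)
foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $srv) { Write-Host "$name -> $($r.NameTarget):$($r.Port)" }
    } catch {
        Write-Warning "Could not resolve $name : $($_.Exception.Message)"
    }
}

# 3. Are the ports the client needs reachable across the VPN to the DC?
#    53 DNS, 88 Kerberos, 389 LDAP, 445 SMB (the mapped drives).
foreach ($port in 53, 88, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $ExpectedDns -Port $port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("TCP {0,-4} to {1}: {2}" -f $port, $ExpectedDns,
        $(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 4. Ask the Netlogon DC locator directly; this is the lookup behind the
#    "cannot contact a domain controller" message in the question.
nltest /dsgetdc:$Domain
```

If step 1 shows only public resolvers, steps 2 and 4 will fail even though step 3 succeeds, which is exactly the symptom of a share that opens after a manual credential prompt but never authenticates with Kerberos.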
masnrockCommented:
I think what would be fair to ask is what is your current network setup? What types of routers are you using and how exactly are they configured? How are users at the second location getting DHCP information? It's hard to give you a good answer without knowing what you're working with here. And looking at Cliff's comment, it may very well be the cause of that issue.
1
BeGentleWithMe-INeedHelpAuthor Commented:
Thanks guys.  

Location 1 has SBS 2011 Standard with an IP of 192.168.1.3. It's the DNS and DHCP server for that location. DHCP gives out 192.168.1.3 as the DNS server and ...1.1 as the gateway.
There's a WatchGuard firewall (192.168.1.1) configured for people to access the web and one end of the VPN.

Location 2 has a WatchGuard firewall. It's the DHCP server for the couple of devices at that end of the VPN. Its IP is 192.168.2.1 and it gives out IPs in that subnet. It also (currently) gives out the Verizon FiOS DNS servers' IP addresses.

So would you both agree - as a first step, change location 2's DHCP settings to give out 192.168.1.3 as DNS server?
Any other changes?

Assuming you say yes, that's the right way to do it, as Cliff says, the drawback is that if location 1 goes down (internet, server, etc.), that takes down location 2 pretty much completely even though they still have internet, etc.? But that's a rare case vs. leaving things as is and most of the time (all the time) things not working right?! : )

Or set up the WatchGuard as DNS server? Given that someone else set up the WatchGuards and I have very little knowledge of them, I'm much more comfortable going into the WatchGuard at location 2 and changing the DNS server setting in DHCP.
0

masnrockCommented:
Location 2 has a WatchGuard firewall. It's the DHCP server for the couple of devices at that end of the VPN. Its IP is 192.168.2.1 and it gives out IPs in that subnet. It also (currently) gives out the Verizon FiOS DNS servers' IP addresses.
The DNS servers being passed in DHCP are an issue. You should only be using internal DNS servers if you want things set up right. And most ideally, you would have a domain controller at the second site. However, as long as you have that SBS server, it must keep the FSMO roles.


So would you both agree - as a first step, change location 2's DHCP settings to give out 192.168.1.3 as DNS server?
That would put you in a much better place than you are in now internally. It would at least get location 2 users going with using internal resources, but there would be no sort of fault tolerance (like if the server went down or if the VPN link was down for any reason).

Assuming you say yes, that's the right way to do it, as Cliff says, the drawback is that if location 1 goes down (internet, server, etc.), that takes down location 2 pretty much completely even though they still have internet, etc.? But that's a rare case vs. leaving things as is and most of the time (all the time) things not working right?! : )
Ehhh. If you make the DNS change you cited and the VPN link went down for any reason (including a loss of internet at location 1), then location 2 would be screwed also unless you manually change their DNS settings. (Before you ask why, imagine if you were trying to make a phone call to someone with no access to what the phone number might be.) Probability of it happening should be low, but smarter to be prepared for such a situation. Lots of reasons a link can go down. Don't get caught unprepared.

Any other changes?
See the first part of my response.

Or set up the WatchGuard as DNS server? Given that someone else set up the WatchGuards and I have very little knowledge of them, I'm much more comfortable going into the WatchGuard at location 2 and changing the DNS server setting in DHCP.
While this would be an improvement over the current layout at location 2, you would still be missing out on some of the features of Active Directory, such as autodiscovery and even authentication. Get a Windows server and create a DC at location 2, even if you have to hire outside help.
0

BeGentleWithMe-INeedHelpAuthor Commented:
Get a Windows server and create a DC at location 2, even if you have to hire outside help.

Uh, not enough money available for that.

Re the link going down / location 2 being out of luck...

Don't get caught unprepared.

What things are you thinking of (other than another controller)?
0
BeGentleWithMe-INeedHelpAuthor Commented:
I changed the DNS server at location 2 to point to the domain controller at location 1. Accessing shares seems to work well now.
0
masnrockCommented:
What things are you thinking of (other than another controller)?
The domain controller is what I am thinking. There is no other way to keep Active Directory services available in the event of an outage.

I assume email is hosted in house. Eventually you may want to reevaluate that. Maybe when it's time to upgrade the server, move the email to the cloud. But that is separate from the original question posed.

I changed the DNS server at location 2 to point to the domain controller at location 1. Accessing shares seems to work well now.
Yes, but remember what we have warned about what would happen if the link to location 1 is down for some reason. If you had DHCP give the WatchGuard as a secondary DNS server (assuming it's capable), that would be a lesser evil than having no backup for DNS at all.

Uh, not enough money available for that.
The right way of doing something isn't necessarily the least expensive.
0