Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Problem with DNS for VPN users [message #156577] Fri, 19 June 2009 13:14
plutoz (United States)
Messages: 4
Registered: July 2009
Junior Member
I've got an Active Directory domain for our department, it was set up
before I got here. Everything works just fine and dandy for LAN PCs
which are domain members using my AD DC/DNS servers for resolution.

The problem comes when users are accessing the network via the
Corporate VPN (which I have no control over), they are forced by the VPN
software to use the Corporate (unix based) DNS servers. The folks that
run our Corporate DNS *refuse* to add any entries for my AD domain name
(I'm not even sure it would help if they did?)

When a laptop that is joined to the domain (user signed in under a
domain user) is connected to the VPN they cannot connect to shares on
any domain member server (error in event viewer is 'no logon servers
available to service the logon request')

Is there any way I can use the system's hosts/lmhosts files to get
around this issue? I've tried a bunch of things but nothing seems to
work.


--
plutoz
------------------------------------------------------------------------
plutoz's Profile: http://forums.techarena.in/members/51744.htm
View this thread: http://forums.techarena.in/active-directory/1200447.htm

http://forums.techarena.in
Re: Problem with DNS for VPN users [message #156584 is a reply to message #156577] Fri, 19 June 2009 17:05
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"plutoz" <plutoz.3u1lfb@DoNotSpam.com> wrote in message
news:plutoz.3u1lfb@DoNotSpam.com...
>
> I've got an Active Directory domain for our department, it was set up
> before I got here. Everything works just fine and dandy for LAN PCs
> which are domain members using my AD DC/DNS servers for resolution.
>
> The problem comes when users are accessing the network via the
> Corporate VPN (which I have no control over), they are forced by the VPN
> software to use the Corporate (unix based) DNS servers. The folks that
> run our Corporate DNS *refuse* to add any entries for my AD domain name
> (I'm not even sure it would help if they did?)
>
> When a laptop that is joined to the domain (user signed in under a
> domain user) is connected to the VPN they cannot connect to shares on
> any domain member server (error in event viewer is 'no logon servers
> available to service the logon request')
>
> Is there any way I can use the system's hosts/lmhosts files to get
> around this issue? I've tried a bunch of things but nothing seems to
> work.
>

Rule of thumb is the VPN users need to use the same DNS servers as if they
were connected to the internal AD network. If the 'corp' VPN uses some other
DNS servers that do not host the AD zone, or that do not have reference to
AD's DNS server (whether using conditional forwarding, forwarding, secondary
zones or stubs), then they will continue to have problems.

Hosts files do not support SRV records, which is what the clients are
looking for.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among
responding engineers.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Re: Problem with DNS for VPN users [message #156589 is a reply to message #156584] Fri, 19 June 2009 17:33
Garry Starck-MCITP En
Messages: 69
Registered: July 2009
Member
Hi All

Ace is right: maybe they do not know the commands to run, e.g.:


+++++++++++++++++++++++++
Hello,

I'm a noob when it comes to DNS and BIND9, so forgive me if my description
seems pedantic:

I connect to my workplace's network using VPN, which sets me up with the
workplace DNS servers. Those servers manage an internal namespace
(visible only to users inside the VPN), with a specific domain name -- let's
call it internal.net. Those servers also resolve queries to external
addresses (e.g. Google) by forwarding them to some external DNS masters.

Without connecting to the VPN, my DNS lookups are performed via the router
(192.168.0.1) which forwards to the ISP DNS server. What I would like to do
is:

all lookups that don't belong to internal.net should be performed on my
ISP's DNS server
all lookups belonging to internal.net are done on the VPN DNS servers

I was able to do this in the past with simply having the /etc/resolv.conf
look like:


Code:
nameserver 192.168.0.1
search internal.net
nameserver 10.0.0.1    <== the addr of the VPN DNS

But the problem is that my ISP recently introduced the annoying DNS
redirection "service" where they redirect all unresolved DNS queries to an
ad-laden search page, so if I do a lookup on somehost.internal.net, my ISP's
DNS will resolve it to their own search page, preventing the use of
nameserver 10.0.0.1.

So I figured I could solve this problem by having a local BIND9 instance on
my machine that does conditional forwarding based on domain name. The problem
is BIND9 configuration seems intimidating and my trials with it have been
unsuccessful. Can someone suggest to me a simple BIND9 configuration that
achieves my goals?

Thanks!
+++++++++++++++++++++++
--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA


"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "plutoz" <plutoz.3u1lfb@DoNotSpam.com> wrote in message
> news:plutoz.3u1lfb@DoNotSpam.com...
> >
> > I've got an Active Directory domain for our department, it was set up
> > before I got here. Everything works just fine and dandy for LAN PCs
> > which are domain members using my AD DC/DNS servers for resolution.
> >
> > The problem comes when users are accessing the network via the
> > Corporate VPN (which I have no control over), they are forced by the VPN
> > software to use the Corporate (unix based) DNS servers. The folks that
> > run our Corporate DNS *refuse* to add any entries for my AD domain name
> > (I'm not even sure it would help if they did?)
> >
> > When a laptop that is joined to the domain (user signed in under a
> > domain user) is connected to the VPN they cannot connect to shares on
> > any domain member server (error in event viewer is 'no logon servers
> > available to service the logon request')
> >
> > Is there any way I can use the system's hosts/lmhosts files to get
> > around this issue? I've tried a bunch of things but nothing seems to
> > work.
> >
>
> Rule of thumb is the VPN users need to use the same DNS servers as if they
> were connected to the internal AD network. If the 'corp' VPN uses some other
> DNS servers that do not host the AD zone, or that do not have reference to
> AD's DNS server (whether using conditional forwarding, forwarding, secondary
> zones or stubs), then they will continue to have problems.
>
> Hosts files do not support SRV records, which is what the clients are
> looking for.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup/forum to benefit from collaboration among
> responding engineers.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
> http://twitter.com/acefekay
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
>
Re: Problem with DNS for VPN users [message #156590 is a reply to message #156584] Fri, 19 June 2009 17:31
Garry Starck-MCITP En
Messages: 69
Registered: July 2009
Member
Hi Plutoz/Ace

Ace is correct. Maybe develop a GUI for them; maybe they don't know how to
add conditional forwarders on your UNIX BIND9 authoritative DNS servers to
send requests to the internal namespace IPs.

Here's an example that I've used before:

Hello,

I'm a noob when it comes to DNS and BIND9, so forgive me if my description
seems pedantic:

I connect to my workplace's network using VPN, which sets me up with the
workplace DNS servers. Those servers manage an internal namespace
(visible only to users inside the VPN), with a specific domain name -- let's
call it internal.net. Those servers also resolve queries to external
addresses (e.g. Google) by forwarding them to some external DNS masters.

Without connecting to the VPN, my DNS lookups are performed via the router
(192.168.0.1) which forwards to the ISP DNS server. What I would like to do
is:

all lookups that don't belong to internal.net should be performed on my
ISP's DNS server
all lookups belonging to internal.net are done on the VPN DNS servers

I was able to do this in the past with simply having the /etc/resolv.conf
look like:


Code:
nameserver 192.168.0.1
search internal.net
nameserver 10.0.0.1    <== the addr of the VPN DNS

But the problem is that my ISP recently introduced the annoying DNS
redirection "service" where they redirect all unresolved DNS queries to an
ad-laden search page, so if I do a lookup on somehost.internal.net, my ISP's
DNS will resolve it to their own search page, preventing the use of
nameserver 10.0.0.1.

So I figured I could solve this problem by having a local BIND9 instance on
my machine that does conditional forwarding based on domain name. The problem
is BIND9 configuration seems intimidating and my trials with it have been
unsuccessful. Can someone suggest to me a simple BIND9 configuration that
achieves my goals?

Thanks!
--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA


"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "plutoz" <plutoz.3u1lfb@DoNotSpam.com> wrote in message
> news:plutoz.3u1lfb@DoNotSpam.com...
> >
> > I've got an Active Directory domain for our department, it was set up
> > before I got here. Everything works just fine and dandy for LAN PCs
> > which are domain members using my AD DC/DNS servers for resolution.
> >
> > The problem comes when users are accessing the network via the
> > Corporate VPN (which I have no control over), they are forced by the VPN
> > software to use the Corporate (unix based) DNS servers. The folks that
> > run our Corporate DNS *refuse* to add any entries for my AD domain name
> > (I'm not even sure it would help if they did?)
> >
> > When a laptop that is joined to the domain (user signed in under a
> > domain user) is connected to the VPN they cannot connect to shares on
> > any domain member server (error in event viewer is 'no logon servers
> > available to service the logon request')
> >
> > Is there any way I can use the system's hosts/lmhosts files to get
> > around this issue? I've tried a bunch of things but nothing seems to
> > work.
> >
>
> Rule of thumb is the VPN users need to use the same DNS servers as if they
> were connected to the internal AD network. If the 'corp' VPN uses some other
> DNS servers that do not host the AD zone, or that do not have reference to
> AD's DNS server (whether using conditional forwarding, forwarding, secondary
> zones or stubs), then they will continue to have problems.
>
> Hosts files do not support SRV records, which is what the clients are
> looking for.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup/forum to benefit from collaboration among
> responding engineers.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
> http://twitter.com/acefekay
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
>
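As an added example (not code from any poster in this thread) of what Ace describes and of the BIND9 conditional forwarding Garry's pasted question asks for: a forward zone that sends only the AD domain to the AD DNS servers while everything else keeps using the corporate resolvers, the DC-locator SRV names a domain-joined client queries (which a hosts or lmhosts file cannot answer), and a check of a 'dig +short SRV' answer line. The domain ad.corp.example, the DC addresses 10.10.0.5 and 10.10.0.6, and the sample answer are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: AD domain ad.corp.example,
# AD DC/DNS servers at 10.10.0.5 and 10.10.0.6.

# Emit a named.conf fragment with one conditional forward zone. Only queries
# under the AD domain go to the AD DNS servers; all other zones are untouched.
bind_forward_zone() {
    zone=$1; shift
    fwd=""
    for ip in "$@"; do fwd="${fwd}${ip}; "; done
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders { %s};\n};\n' \
        "$zone" "$fwd"
}

# The DC-locator SRV names a domain-joined client asks for when it needs a
# logon server. These are SRV records, so a hosts file can never supply them.
ad_srv_names() {
    for prefix in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _ldap._tcp _kerberos._tcp; do
        printf '%s.%s\n' "$prefix" "$1"
    done
}

# Validate one line of 'dig +short SRV' output: "<priority> <weight> <port> <target>".
# Returns 0 when the record is well-formed and points at the expected port.
srv_answer_ok() {
    expected_port=$2
    set -- $1
    [ $# -eq 4 ] || return 1
    [ "$3" = "$expected_port" ] || return 1
    case "$4" in *.) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: what a working forward returns for the LDAP SRV query.
SAMPLE_SRV_ANSWER="0 100 389 dc1.ad.corp.example."

bind_forward_zone ad.corp.example 10.10.0.5 10.10.0.6
ad_srv_names ad.corp.example
srv_answer_ok "$SAMPLE_SRV_ANSWER" 389 && echo "SRV answer looks good"
```

On a live client, `dig +short SRV _ldap._tcp.dc._msdcs.ad.corp.example` against the VPN-assigned resolver is the quickest way to confirm whether the forward is actually in place.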
Re: Problem with DNS for VPN users [message #156593 is a reply to message #156589] Fri, 19 June 2009 19:37
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Garry Starck - MCITP" <vjsparx@REMOVE_CAPS_INVALIDhotmail.com> wrote in
message news:1A9A20E0-F848-4669-B591-278F2AEBF86D@microsoft.com...
> Hi All
>
> Ace is right: Maybe they do not know the commands to run, EG:
>

Or maybe it's simply the BIND group do not want to perform these tasks for a
number of other reasons, such as 'security' reasons, political reasons, or
job security. However, it does sound like there may be a lack of
understanding by the BIND group on how AD works.

So it could be a number of reasons. The best way to find out is for the
poster to simply ask the group why they are reluctant to support their AD
infrastructure.

Ace
Re: Problem with DNS for VPN users [message #156599 is a reply to message #156593] Sat, 20 June 2009 07:10
plutoz (United States)
Messages: 4
Registered: July 2009
Junior Member
Ace Fekay [Microsoft Certified Trainer] wrote:
> Or maybe it's simply the BIND group do not want to perform these tasks for a
> number of other reasons, such as 'security' reasons, *political* reasons, or
> job security. However, it does sound like there may be a lack of
> understanding by the BIND group on how AD works.
>
> So it could be a number of reasons. The best way to find out is for the
> poster to simply ask the group why they are reluctant to support their AD
> infrastructure.

You've hit the nail right on the head there I'm afraid. They seem to
think Windows Admins are lesser than them and they shouldn't need to
make any changes to accommodate AD, or anything else for that matter. It
doesn't help that most of them have been with the organization for
decades...

Sounds like I don't have any alternative without going to them though,
time to turn up the heat :/

Thanks for the tips on exactly what I need to ask for.


--
plutoz
------------------------------------------------------------------------
plutoz's Profile: http://forums.techarena.in/members/51744.htm
View this thread: http://forums.techarena.in/active-directory/1200447.htm

http://forums.techarena.in
Re: Problem with DNS for VPN users [message #156600 is a reply to message #156599] Sat, 20 June 2009 08:07
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"plutoz" <plutoz.3u2zfb@DoNotSpam.com> wrote in message
news:plutoz.3u2zfb@DoNotSpam.com...
>
> You've hit the nail right on the head there I'm afraid. They seem to
> think Windows Admins are lesser than them and they shouldn't need to
> make any changes to accommodate AD, or anything else for that matter. It
> doesn't help that most of them have been with the organization for
> decades...
>
> Sounds like I don't have any alternative without going to them though,
> time to turn up the heat :/
>
> Thanks for the tips on exactly what I need to ask for.
>

You are welcome. You can quote this thread when you ask them, or even go
over their heads to your superior or to the IT Director.

And if they've been there for decades and haven't kept up with new
technology, that is another reason for the lack of understanding AD.

Ace