
Domain login across a vpn

Discussion in 'Networking (Hardware & Software)' started by Grunty, 2005/06/24.

Thread Status:
Not open for further replies.
  1. 2005/06/24
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    We have a remote network (192.168.254.0) that is linked with our domain (192.168.255.0) across a VPN link set up through a PIX firewall at each end.

    Although we have connectivity, the users cannot validate logon with the domain controller.

    I have looked around the net for a solution and have found several references to WINS settings, but these seem to be in relation to NT4, whereas we use 2000 servers and XP workstations.

    We don't have WINS set up on our servers, so do we need to use it and set up some kind of pointers, or is there another way to get the remote machines to validate with the DC?

    For some reason, WINS is something I never got around to learning.

    Thanks
     
  2. 2005/06/24
    NetDoc

    NetDoc Inactive

    Joined:
    2005/01/09
    Messages:
    215
    Likes Received:
    0
    Questions:

    Can you ping the DC from the remote site by address and by name? If by address and not name, then you have a name resolution issue that WINS might resolve.

    How many PCs at the remote site?

    Are you using Active Directory? Then DNS should be resolving your names.

    Could your firewall be blocking?

    DRD
     


  4. 2005/06/25
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    Thanks for your reply.

    The DC can be pinged by IP address, but not by name.

    I can view a workstation remotely by a programme called VNC; it works at IP level.

    What I find strange is that if a user tries to log on to the workstation for the first time, they will fail because the machine cannot see the DC, but if I try with a Domain Admin account, that works, although it is given a temporary profile.

    There are 5 PCs at the site, all using AD. I also suspect firewall config issues, but I did not set up the PIXs, so I need to try everything else before I call in the guy that set those up.
     
    Last edited: 2005/06/25
  5. 2005/06/25
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Where are the remote PC's looking for DNS?
    If they are pointed to the NET I don't think they will find the DC.

    Since you can't ping by name I think you found the culprit.
    If they are talking over VPN the firewall shouldn't be a problem.

    Good luck!
     
  6. 2005/06/26
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    Running ipconfig on a remote machine (192.168.254.17) gives DNS settings of 217.xxx etc. (Pipex's DNS server) and 192.168.255.14 (our own DNS server here). These settings and other IP info are supplied by a limited DHCP on the firewall.

    As the VPN is already established, I assumed that the remote 254.xxx machines would automatically find the DC.

    Should I be looking at extra DHCP settings? Or something on our DNS server?
    Maybe give the DC a second IP in the 254.xxx range?

    DNS and DC are both the same server.

    Any help gratefully received

    Thanks
     
  7. 2005/06/26
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Your own DNS server has to be the first entry.
    DNS will only go to the second IP if the first one fails, so basically that box will never find its domain controller unless the Internet DNS server fails, and that ain't happening! :D

    It is possible that when you enter your DC's IP first you will be able to log on fine but can't surf. That would tell me DNS on the DC is not configured properly, but we will cross that bridge when we come to it and move this to the server forum.
     
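As an added worked example (not from the original thread): a small Python script that parses `ipconfig /all` output and flags the resolver-order problem described in the post above. The sample output, the host name and the ISP resolver address 217.0.2.53 are constructed for the example; 192.168.255.14 is the internal DNS address given in the thread. The rule it enforces is the one stated above: the Windows resolver only moves on to the next listed server when the current one does not respond at all, so a public resolver listed first will answer every query (negatively, for names only the domain's DNS knows) and the DC is never found.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output for the remote workstation, modelled on the
# thread: the ISP resolver (made-up address 217.0.2.53) is listed before the
# domain's own DNS server (192.168.255.14, from the thread).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : remote-ws17
        Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.254.17
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.254.1
        DHCP Server . . . . . . . . . . . : 192.168.254.1
        DNS Servers . . . . . . . . . . . : 217.0.2.53
                                            192.168.255.14
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)\s*$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [DNS servers in the order the client will try them]}."""
    adapters = {}
    current = None
    in_dns_list = False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = []
            in_dns_list = False
            continue
        if current is None:
            continue
        m = DNS_RE.match(line)
        if m:
            in_dns_list = True
            if m.group(1):
                adapters[current].append(m.group(1))
            continue
        if in_dns_list:
            # Additional DNS servers are printed on their own indented lines.
            stripped = line.strip()
            if IPV4_RE.fullmatch(stripped):
                adapters[current].append(stripped)
                continue
            in_dns_list = False
    return adapters


def check_dns_order(servers, internal_dns):
    """Findings for one adapter's resolver list; an empty list means it is fine.

    The Windows resolver only falls through to the next server when the current
    one does not respond. A public resolver listed first answers every query
    (NXDOMAIN for domain-only names), so the DC is never found.
    """
    findings = []
    internal = ipaddress.ip_address(internal_dns)
    addrs = [ipaddress.ip_address(s) for s in servers]
    if not addrs:
        return ["no DNS servers configured"]
    if internal not in addrs:
        findings.append(f"internal DNS {internal} is not listed at all")
    elif addrs[0] != internal:
        findings.append(
            f"internal DNS {internal} is at position {addrs.index(internal) + 1}; it must be first"
        )
    for a in addrs:
        if not a.is_private:
            findings.append(f"public resolver {a} listed; it cannot serve the domain's records")
    return findings


def audit(ipconfig_text, internal_dns):
    """Run the check over every adapter; returns {adapter: [findings]}."""
    return {
        name: check_dns_order(servers, internal_dns)
        for name, servers in parse_dns_servers(ipconfig_text).items()
    }


if __name__ == "__main__":
    for adapter, findings in audit(SAMPLE_IPCONFIG, "192.168.255.14").items():
        print(adapter)
        for f in findings or ["OK"]:
            print("  -", f)
```

Run it on the real output of `ipconfig /all` from a remote workstation (paste it into `SAMPLE_IPCONFIG` or read it from a file) with your own DC's address as the second argument; an empty finding list for the adapter that reaches the VPN is the state the thread ends up in.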
  8. 2005/06/27
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    OK, I have had some measure of success. I have changed one remote workstation to a fixed IP, pointing to our DNS server and no mention of the ISP's DNS.

    Logons are now validated OK, but the profile is not copied over. A new profile is created locally from the default user instead. This is not necessarily a problem, just an observation; I don't know if I would want large profiles being copied over anyway.

    It also seems to be selective about Group Policy, only applying certain items - specifically not applying one policy that redirects "My Documents" to a network location. The machine can see that location because it successfully maps a drive to a parent folder using a logon script run from another policy.

    IE still works on the remote machine, but I wondered about network traffic. When it requests an external website, it will have to route its requests through our DNS server and then on to our own ISP's servers. Will all HTML traffic flow back through our network, across the VPN (possibly clogging the bandwidth), or will the remote machine then pull directly from the net once it has the DNS information?
     
  9. 2005/06/27
    NetDoc

    NetDoc Inactive

    Joined:
    2005/01/09
    Messages:
    215
    Likes Received:
    0
    This is not a problem. Your internal DNS server will make the queries directly onto the Internet on behalf of your network. This is the way the technology is designed to work. You could have the ISPs DNS server listed second if you like, but only having the one will work just fine.

    Once the name is resolved, the requesting PC makes direct contact with the web site.

    Does your remote LAN have a direct connection to the Internet separate from the VPN? Is traffic allowed to flow that way? If so, then only the DNS query will flow through your VPN. All other "outside" traffic can go directly to the Internet.

    It might be easier to only allow VPN traffic in and out of the remote LAN and then have all firewall configuration for the public Internet in one place.

    However, the same bandwidth is being used by the remote LAN either way. Allowing the remote LAN direct access to the Internet will reduce the amount of bandwidth consumed on the main LAN's Internet connection.

    DRD
     
  10. 2005/06/29
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    Thanks for all your replies. I have changed the DHCP on the PIX to list our own DNS server first and all logons work as expected.

    There is still the issue of some parts of Group Policy not applying, even some of the user config ones; I expected the computer config policies not to work.

    This may be a problem as I would like to use group policy to map drives specifically for the remote users to see a file and print server they have there.
     
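The mechanism behind the fix reported in the post above, as an added Python example that is not part of the thread: an Active Directory client finds a domain controller by asking its first DNS server for the SRV record `_ldap._tcp.dc._msdcs.<domain>`. The thread never names the domain, so `example.local`, the DC name `dc1` and both replies below are constructed. The domain's own DNS server answers with the DC's host and port; an ISP resolver answers NXDOMAIN, which is a definitive negative, and the Windows resolver does not retry the second listed server on a definitive answer. The script builds the query and both replies in DNS wire format and shows what the client learns from each.

```python
import struct

SRV_TYPE = 33          # RFC 2782 SRV record type
IN_CLASS = 1
RCODE_NXDOMAIN = 3

# Assumed names for the example; the thread does not give its domain name.
DOMAIN = "example.local"
DC_LOCATOR_NAME = f"_ldap._tcp.dc._msdcs.{DOMAIN}"


def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; returns (name, next offset)."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_srv_query(name, txid=0x1234):
    """The query a Windows client sends to its first DNS server to find a DC."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def build_srv_response(query, answers, rcode=0):
    """Constructed reply to `query`; `answers` is a list of (prio, weight, port, target)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = b""
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        # 0xC00C is a pointer back to the question name at offset 12.
        body += b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata
    return header + question + body


def parse_srv_response(msg):
    """Returns (rcode, [(prio, weight, port, target), ...]) from a DNS reply."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                                  # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return flags & 0xF, records


def locate_dc(reply):
    """What the client learns from one server's reply: (host, port) or None.

    NXDOMAIN is a definitive answer, so the resolver stops here rather than
    asking the next listed server. That is why the ISP resolver must not be first.
    """
    rcode, records = parse_srv_response(reply)
    if rcode == RCODE_NXDOMAIN or not records:
        return None
    _prio, _weight, port, target = min(records)   # lowest priority value wins
    return target, port


QUERY = build_srv_query(DC_LOCATOR_NAME)
# Reply the domain's own DNS server would give (constructed).
INTERNAL_REPLY = build_srv_response(QUERY, [(0, 100, 389, f"dc1.{DOMAIN}")])
# Reply an ISP resolver gives for a name only the domain's DNS knows (constructed).
ISP_REPLY = build_srv_response(QUERY, [], rcode=RCODE_NXDOMAIN)

if __name__ == "__main__":
    print("internal DNS ->", locate_dc(INTERNAL_REPLY))
    print("ISP DNS      ->", locate_dc(ISP_REPLY))
```

The same lookup can be made against a real server with `nslookup -type=SRV _ldap._tcp.dc._msdcs.<your domain> <dns server>`: the domain's DNS returns the DC records, the ISP's resolver returns a non-existent-domain answer, which is the difference the thread's DHCP change corrects.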
  11. 2005/06/29
    NetDoc

    NetDoc Inactive

    Joined:
    2005/01/09
    Messages:
    215
    Likes Received:
    0
    A quick question. Is the VPN connection being made before the logon request? It sounds like it is, but I thought I would mention it.

    You might have to use local policies instead of domain policies for this remote site. Or is there a way of having the group policies stored locally? Short of adding a DC at the remote site I don't think so. Just thought I would bring it up.

    DRD
     