RE: feeling dizzy about setting up a small remote office.
- From: v-kzhao@xxxxxxxxxxxxxxxxxxxx (Ken Zhao [MSFT])
- Date: Wed, 24 Aug 2005 10:10:55 GMT
Hello Alan,
Thank you for using the newsgroup!
First, I think your plan should be correct. Based on your situation, I'd
like to offer some explanation first, as below:
In some organizations, like yours, our customers might want users
to be able to access other services, such as file shares, on the answering
VPN router. For this type of configuration, if you specify the DNS name
rather than the IP address in the demand-dial interface, and the name
resolves to the public IP address of the answering router, traffic sent to
the services running on the router is sent in clear text (unencrypted)
across the Internet. It is not encapsulated, encrypted, and sent using the
VPN connection, which can compromise security.
A related problem is that if you configure packet filters on the answering
router to allow only traffic over a VPN connection, all other traffic is
discarded. Attempts to connect to services running on the answering router
fail in this situation, because traffic attempting to connect to those
services is not sent over the site-to-site VPN connection.
If the site DNS and WINS servers do not contain a record mapping the name
of the VPN router to its public IP address, traffic to services running on
the VPN router is always sent across the VPN connection. To ensure that the
name of the VPN router is always resolved to the private or site IP address
of the VPN router, disable DNS dynamic update and NetBIOS over TCP/IP
(NetBT) on the Internet-connected interface (or interfaces) of the VPN
router from the properties of the Internet connection in Network
Connections as follows:
Prevent DNS name resolution.
To prevent a VPN router from dynamically registering the public IP address
of its Internet interface on the site DNS servers, on the Internet
interface of the router, configure the properties of Internet Protocol
(TCP/IP) by clicking the Advanced button, selecting the DNS tab, and then
clearing the Register this connection's addresses in DNS check box.
Prevent WINS name resolution.
To prevent a VPN router from dynamically registering the public IP address
of its Internet interface on the site WINS servers, on the Internet
interface of the router, configure the properties of Internet Protocol
(TCP/IP) by clicking the Advanced button, selecting the WINS tab, and then
selecting the option Disable NetBIOS over TCP/IP.
Note:
By default, the Routing and Remote Access Wizard clears Register this
connection's addresses in DNS and selects Disable NetBIOS over TCP/IP. Be
sure not to change these defaults if you want users to be able to access
services such as file shares on the answering VPN router.
Regarding your concern "Do I need to or should I be running DNS on the DC
destined for the remote site?": if you want to configure the Windows Server
2003 as a VPN server, the IP addresses assigned to VPN clients are obtained
through DHCP by default. You can also configure a static IP address pool.
The VPN server must also be configured with name resolution servers,
typically DNS and WINS server addresses, to assign to the VPN client during
IPCP negotiation.
For more information about how to configure DNS server and VPN server in
Windows Server 2003, please refer to the following links:
Configuring Name Resolution on a VPN Server
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/ac45ccb3-5353-448d-8c96-bfdc265e4cfc.mspx>
Remote access/VPN server role: Configuring a remote access/VPN server
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/00c498a8-95e7-4780-942e-c4594b01f615.mspx>
DNS server role: Configuring a DNS server
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4e1c7b17-16ab-4e7d-a333-15befb15c82e.mspx>
Configure a DNS server for use with Active Directory
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/097b8aeb-9397-4eb7-94cf-089fd3fc3a0a.mspx>
More related knowledge articles:
========================
323441: How To Install and Configure a Virtual Private Network Server in
Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323441
292822: Name resolution and connectivity issues on a Routing and Remote
Access Server that also runs DNS or WINS
http://support.microsoft.com/default.aspx?scid=kb;en-us;292822
I hope the information helps!
Thanks & Regards,
Ken Zhao
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Reply-To: "Alan Drown" <adrown@xxxxxxxxxxxxxx>
| From: "Alan Drown" <adrown@xxxxxxxxxxxxxx>
| Subject: feeling dizzy about setting up a small remote office.
| Date: Tue, 23 Aug 2005 19:39:35 -0700
| Message-ID: <#F0gVUFqFHA.1156@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.active_directory
|
| Hi all,
|
| I'm setting up a new remote office that will probably have 10 users tops.
| My plan is to set up the firewall/VPN and server here and then ship it.
| All DCs are 2003 servers.
|
|
| Initially, I was going to have clients simply authenticate thru the vpn
| tunnel back to the corp office.
| I have a backup DSL that I used to test the VPN tunnel with and simulate a
| client connecting thru the VPN tunnel.
| Logging in took upwards of 3-5 minutes...
|
| So it sounds like it would be best to configure an AD server for the remote
| site.
|
|
| My plan was to:
| Dcpromo my new server at the corporate office.
| install and configure DNS
| create new site,subnets and links for the new office
| move the new server over to the new site.
| configure dhcp server (whether I use the sonicwall or the new server) to
| point to the local DNS server at the remote site.
|
| I'm confused on how to set up DNS on this server correctly to support this.
| Do I need to or should I be running DNS on the DC destined for the remote
| site?
| If so, should I configure a separate zone for the remote site?
|
| I want this as simple as possible and I'm getting confused on how to set up
| DNS so it supports local domain logins and lookups properly.
|
| Any help would be greatly appreciated.
|
|
| Alan
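The configuration Ken describes above (clear "Register this connection's addresses in DNS" and select "Disable NetBIOS over TCP/IP" on the VPN router's Internet interface, so that the router's name never resolves to its public address and traffic to its file shares stays inside the tunnel) can be audited and enforced from a script rather than through the TCP/IP Advanced dialog. The following is an added example, not code from the original thread or from Microsoft's documentation. It assumes the Internet-facing adapter is named "Internet", the site DNS server is 10.0.0.10, and the router runs Windows Server 2012 or later, since the DnsClient cmdlets and CIM calls it uses did not exist on the Windows Server 2003 systems the thread discusses; on 2003 the GUI steps in the reply are the supported path.

```powershell
# Added example (not from the original post or Microsoft docs): make sure the
# Internet-facing NIC of a Windows RRAS VPN router never registers its public
# address in the site's DNS or WINS, then verify the router's name resolves
# to private addresses only. Run from an elevated PowerShell session.
param(
    [string]$InternetAlias = 'Internet',    # assumed alias of the Internet NIC
    [string]$SiteDnsServer = '10.0.0.10',   # assumed internal DNS server
    [string]$RouterName    = $env:COMPUTERNAME
)

function Test-PrivateIPv4 {
    # True for RFC 1918 space: 10/8, 172.16/12, 192.168/16
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# 1. DNS: equivalent of clearing "Register this connection's addresses in DNS".
$dns = Get-DnsClient -InterfaceAlias $InternetAlias
if ($dns.RegisterThisConnectionsAddress) {
    Write-Warning "$InternetAlias registers its public address in DNS; disabling."
    Set-DnsClient -InterfaceAlias $InternetAlias -RegisterThisConnectionsAddress $false
}

# 2. WINS/NetBT: equivalent of selecting "Disable NetBIOS over TCP/IP".
#    TcpipNetbiosOptions: 0 = take the DHCP setting, 1 = enabled, 2 = disabled.
$idx = (Get-NetAdapter -Name $InternetAlias).InterfaceIndex
$cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $idx"
if ($cfg.TcpipNetbiosOptions -ne 2) {
    Write-Warning "$InternetAlias has NetBT enabled; disabling."
    $r = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
                          -Arguments @{ TcpipNetbiosOptions = 2 }
    # 0 = done, 1 = done but a reboot is required; anything else is a failure.
    if ($r.ReturnValue -notin 0, 1) { throw "SetTcpipNetbios failed: $($r.ReturnValue)" }
}

# 3. Verify: every A record the site DNS holds for the router must be private.
#    A public address here is exactly the failure the reply warns about: SMB
#    and other traffic to the router would cross the Internet in clear text
#    instead of being carried inside the site-to-site VPN.
$records = Resolve-DnsName -Name $RouterName -Type A -Server $SiteDnsServer -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'A' }
$leaked = $records | Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) }
if ($leaked) {
    Write-Error ("Site DNS still maps {0} to public address(es): {1}. Delete the stale " +
                 "record, then run 'ipconfig /registerdns' on the router." -f
                 $RouterName, ($leaked.IPAddress -join ', '))
} else {
    "OK: $RouterName resolves only to private addresses: $($records.IPAddress -join ', ')"
}
```

Step 3 is the part worth keeping as a periodic check even after the two settings are in place: a stale A record left over from before the NIC was reconfigured keeps steering share traffic onto the public address until someone removes it, and the script reports that case explicitly instead of treating the settings alone as proof.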