Re: feeling dizzy about setting up a small remote office.



Thanks for the detailed response Ken, very much appreciated.

Sorry I didn't get back sooner.

I've been busy trying to recover from the mess I created!

Turns out something I did the other night crippled the member Exchange
server and I'm uncertain why.

The system attendant stopped running and couldn't be restarted. I've spent
most of the morning online with MS getting things running again.
It was complaining about topology discovery failing.
I was getting event ID 2114 MSExchangeDSAccess loading up my event log:
Process INETINFO.EXE (PID=1428). Topology Discovery failed, error
0x8007077f.

Things I did prior to Exchange 2003 going off to LaLa land:
- dcpromo'd a new server
- installed DNS, killed the DNS wizard
- created a new site in Sites and Services (planned to populate it once the
new server is ready and I've replicated everything)

When I killed the wizard it was fine with that and populated DNS with all
DNS info from AD. I've been running Active Directory integrated DNS on the
existing servers.
The forward lookup zone on the new server said it was the SOA, while the
forward lookup zone on the existing DNS servers said THEY were the SOA.
MS support said the SOA info being different on the new server vs. the old
was not a problem. The SOA is determined by the primary DNS setting in the
TCP/IP settings for the interface.

In either case, I'm uncertain what eventually fixed the problem.
There were two things done at roughly the same time.
I removed the empty site I created in Sites and Services and also ran
dsadiag 2.
After doing both of these the system attendant was able to start up
successfully.

I went thru the same steps of installing DNS, creating an empty site, and
Exchange didn't bomb this time...

So, now I have a working setup.
I configured the site link, reconfigured and moved this server over to
the remote end of the VPN tunnel.
All is working.

I didn't create any additional forward lookup zones. According to MS, you
don't need to, and actually since I'm not creating a child domain (Microsoft
domain), I'm not supposed to.
I didn't quite understand that. I thought I could easily create another zone
file to organize the remote site in, but what do I know.

I did have to create separate reverse lookup zones for the other subnet, or
at least I did, and then all seems to work. Prior to that nslookup couldn't
find itself on the remote ADC/DNS server.
All hosts on the remote end are configured to look at the remote ADC for DNS
and everything seems to work.


Anyway, sorry, I wasn't very clear on my setup. I already have a site-to-site
tunnel established between 2 SonicWall VPNs. Everything between the corporate
site and remote site is encrypted.

thanks again for your reply.
:)
alan




"Ken Zhao [MSFT]" <v-kzhao@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:XXQ3gQJqFHA.472@xxxxxxxxxxxxxxxxxxxxxxxx
> Hello Alan,
>
> Thank you for using the newsgroup!
>
> First, I think your plan should be correct. Based on your situation, I'd
> like to make some explanations first as below:
>
> In some organizations, like your situation, our customers might want users
> to be able to access other services, such as file shares, on the answering
> VPN router. For this type of configuration, if you specify the DNS name
> rather than the IP address in the demand-dial interface, and the name
> resolves to the public IP address of the answering router, traffic sent to
> the services running on the router is sent in clear text (unencrypted)
> across the Internet. It is not encapsulated, encrypted, and sent using the
> VPN connection, which can compromise security.
>
> A related problem is that if you configure packet filters on the answering
> router to allow only traffic over a VPN connection, all other traffic is
> discarded. Attempts to connect to services running on the answering router
> fail in this situation, because traffic attempting to connect to those
> services is not sent over the site-to-site VPN connection.
>
> If the site DNS and WINS servers do not contain a record mapping the name
> of the VPN router to its public IP address, traffic to services running on
> the VPN router is always sent across the VPN connection. To ensure that the
> name of the VPN router is always resolved to the private or site IP address
> of the VPN router, disable DNS dynamic update and NetBIOS over TCP/IP
> (NetBT) on the Internet-connected interface (or interfaces) of the VPN
> router from the properties of the Internet connection in Network
> Connections as follows:
>
> Prevent DNS name resolution.
> To prevent a VPN router from dynamically registering the public IP address
> of its Internet interface on the site DNS servers, on the Internet
> interface of the router, configure the properties of Internet Protocol
> (TCP/IP) by clicking the Advanced button, selecting the DNS tab, and then
> clearing the Register this connection's addresses in DNS check box.
>
> Prevent WINS name resolution.
> To prevent a VPN router from dynamically registering the public IP address
> of its Internet interface on the site WINS servers, on the Internet
> interface of the router, configure the properties of Internet Protocol
> (TCP/IP) by clicking the Advanced button, selecting the WINS tab, and then
> selecting the option Disable NetBIOS over TCP/IP.
>
> Note:
> By default, the Routing and Remote Access Wizard clears Register this
> connection's addresses in DNS and selects Disable NetBIOS over TCP/IP. Be
> sure not to change these defaults if you want users to be able to access
> services such as file shares on the answering VPN router.
>
> Regarding your concerns "Do I need to or should I be running DNS on the DC
> destined for the remote site?", if you want to configure the Windows Server
> 2003 as a VPN server, the IP addresses assigned to VPN clients are obtained
> through DHCP by default. You can also configure a static IP address pool.
> The VPN server must also be configured with name resolution servers,
> typically DNS and WINS server addresses, to assign to the VPN client during
> IPCP negotiation.
>
> For more information about how to configure DNS server and VPN server in
> Windows Server 2003, please refer to the following links:
>
> Configuring Name Resolution on a VPN Server
> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/ac45ccb3-5353-448d-8c96-bfdc265e4cfc.mspx>
>
> Remote access/VPN server role: Configuring a remote access/VPN server
> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/00c498a8-95e7-4780-942e-c4594b01f615.mspx>
>
> DNS server role: Configuring a DNS server
> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4e1c7b17-16ab-4e7d-a333-15befb15c82e.mspx>
>
> Configure a DNS server for use with Active Directory
> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/097b8aeb-9397-4eb7-94cf-089fd3fc3a0a.mspx>
>
> More related knowledge articles:
> ========================
> 323441: How To Install and Configure a Virtual Private Network Server in
> Windows Server 2003
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323441
>
> 292822: Name resolution and connectivity issues on a Routing and Remote
> Access Server that also runs DNS or WINS
> http://support.microsoft.com/default.aspx?scid=kb;en-us;292822
>
> I hope the information helps!
>
> Thanks & Regards,
>
> Ken Zhao
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
>
>
> --------------------
> | Reply-To: "Alan Drown" <adrown@xxxxxxxxxxxxxx>
> | From: "Alan Drown" <adrown@xxxxxxxxxxxxxx>
> | Subject: feeling dizzy about setting up a small remote office.
> | Date: Tue, 23 Aug 2005 19:39:35 -0700
> | Lines: 51
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> | X-RFC2646: Format=Flowed; Original
> | Message-ID: <#F0gVUFqFHA.1156@xxxxxxxxxxxxxxxxxxxx>
> | Newsgroups: microsoft.public.windows.server.active_directory
> | NNTP-Posting-Host: edgedynamics.com 209.172.110.69
> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl
> microsoft.public.windows.server.active_directory:35647
> | X-Tomcat-NG: microsoft.public.windows.server.active_directory
> |
> | Hi all,
> |
> | I'm setting up a new remote office that will probably have 10 users tops.
> | My plan is to setup the firewall/vpn and server here and then ship it.
> | All DCs are 2003 servers.
> |
> |
> | Initially, I was going to have clients simply authenticate thru the vpn
> | tunnel back to the corp office.
> | I have a backup DSL that I used to test the VPN tunnel with and simulate a
> | client connecting thru the VPN tunnel.
> | Logging in took upwards of 3-5 minutes.....
> |
> | So it sounds like it would be best to configure an AD server for the remote
> | site.
> |
> |
> | My plan was to:
> | Dcpromo my new server at the corporate office.
> | Install and configure DNS.
> | Create new site, subnets and links for the new office.
> | Move the new server over to the new site.
> | Configure the DHCP server (whether I use the SonicWall or the new server) to
> | point to the local DNS server at the remote site.
> |
> | I'm confused on how to setup DNS on this server correctly to support this..
> | Do I need to or should I be running DNS on the DC destined for the remote
> | site?
> | If so, should I configure a separate zone for the remote site?
> |
> | I want this as simple as possible and I'm getting confused on how to setup
> | DNS so it supports local domain logins and lookups properly.
> |
> | Any help would be greatly appreciated.
> |
> |
> | Alan
>
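Ken's warning above is that if the VPN router's name resolves to its public address, traffic to file shares on that router bypasses the tunnel and crosses the Internet in clear text. The following Python script is an added example, not part of either post: given the answers a site's DNS returns for the router's name and the site's private prefixes (sample values constructed here), it flags any answer that would be reached outside the tunnel, which is the condition the "Register this connection's addresses in DNS" checkbox is meant to prevent.

```python
import ipaddress
import socket

# Constructed sample values: the site's private address space and the
# answers two different DNS views might return for the VPN router's name.
SITE_PREFIXES = ["10.10.0.0/16", "192.168.50.0/24"]
GOOD_ANSWERS = ["10.10.0.1"]                  # site DNS points at the tunnel end
LEAKY_ANSWERS = ["10.10.0.1", "203.0.113.7"]  # public address also registered


def classify_answers(answers, site_prefixes=()):
    """Split resolved addresses into (private, public).

    An address is private when it lies inside one of the site's prefixes.
    With no prefixes given, fall back to the RFC 1918 / ULA test so the
    check still gives a usable answer for a site you have not mapped.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in site_prefixes]
    private, public = [], []
    for raw in answers:
        addr = ipaddress.ip_address(raw)
        inside = any(addr in n for n in nets) if nets else addr.is_private
        (private if inside else public).append(str(addr))
    return private, public


def router_name_is_safe(answers, site_prefixes=()):
    """True only when every answer for the router's name stays in the site.

    An empty answer set is also unsafe: the name would fall through to
    whatever resolver the client tries next, which Ken's note warns about.
    """
    private, public = classify_answers(answers, site_prefixes)
    return bool(private) and not public


def resolve_and_check(hostname, site_prefixes=()):
    """Resolve hostname with the system resolver and classify the answers."""
    infos = socket.getaddrinfo(hostname, None)
    answers = sorted({info[4][0] for info in infos})
    return classify_answers(answers, site_prefixes)


if __name__ == "__main__":
    for label, ans in (("site DNS", GOOD_ANSWERS), ("leaky DNS", LEAKY_ANSWERS)):
        private, public = classify_answers(ans, SITE_PREFIXES)
        verdict = "OK" if router_name_is_safe(ans, SITE_PREFIXES) else "LEAK"
        print(f"{label}: private={private} public={public} -> {verdict}")
```

Run `resolve_and_check("vpn-router.example.internal", SITE_PREFIXES)` from a client inside the site to test a live name; a non-empty public list means the router registered its Internet interface despite the wizard default.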


