Re: feeling dizzy about setting up a small remote office.
- From: v-kzhao@xxxxxxxxxxxxxxxxxxxx (Ken Zhao [MSFT])
- Date: Fri, 26 Aug 2005 05:53:22 GMT
Hello Alan,
Good to know everything works on your site.
At this moment, I'd like to express my appreciation for your detailed description of
your situation. I am also glad to hear that our suggestions and information could
help with your issues.
If you have any other questions, please feel free to post in our newsgroup.
Thanks for using our newsgroup!
Thanks & Regards,
Ken Zhao
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Newsgroup Web Interface Upgrade
Please complete a one-time registration process on your first visit to the
Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the secure
code mspp2005 when prompted. This secure code will be valid for 6 months
after which you will need to update your registration by entering the new
secure code. We will post announcements in the newsgroups prior to
expiration. Once you have entered the secure code mspp2005 , you will be
able to update your profile and access the the partner newsgroups. Please
update your Favorites link to the newsgroups web page, your current link
will redirect until November 1, 2005.
Please post any comment, questions or concerns to the
microsoft.private.directaccess.partnerfeedback newsgroup. For more
information, please go to:
https://partner.microsoft.com/global/technicalsupport/registeredsupport/40014662
--------------------
| Reply-To: "Alan Drown" <adrown@xxxxxxxxxxxxxx>
| From: "Alan Drown" <adrown@xxxxxxxxxxxxxx>
| References: <#F0gVUFqFHA.1156@xxxxxxxxxxxxxxxxxxxx> <XXQ3gQJqFHA.472@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: feeling dizzy about setting up a small remote office.
| Date: Thu, 25 Aug 2005 13:49:34 -0700
| Lines: 282
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| X-RFC2646: Format=Flowed; Original
| Message-ID: <ephzBabqFHA.3768@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.active_directory
| NNTP-Posting-Host: adsl-71-133-9-141.dsl.pltn13.pacbell.net 71.133.9.141
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.active_directory:35883
| X-Tomcat-NG: microsoft.public.windows.server.active_directory
|
| Thanks for the detailed response Ken, Very much appreciated.
|
| Sorry I didn't get back sooner.
|
| I've been busy trying to recover from the mess I created!
|
| Turns out something I did the other night crippled the member Exchange
| server and I'm uncertain why.
|
| The system attendant stopped running and couldn't be restarted. I've spent
| most of the morning online with MS getting things running again.
| It was complaining about topology discovery failing.
| I was getting event ID 2114 MSExchangeDSAccess loading up my event log:
| Process INETINFO.EXE (PID=1428). Topology Discovery failed, error
| 0x8007077f.
|
| Things I did prior to Exchange 2003 going off to LaLa land:
| - dcpromo a new server
| - installed DNS, killed the DNS wizard
| - created a new site in Sites and Services (planned to populate it once the
|   new server is ready and I've replicated everything)
|
| When I killed the wizard it was fine with that and populated DNS with all
| DNS info from AD. I've been running Active Directory integrated DNS on the
| existing servers.
| The forward lookup zone said it was the SOA, while the forward lookup zone
| on the existing DNS servers said THEY were the SOA.
| MS support said the SOA info being different on the new server vs. the old
| was not a problem. The SOA is determined by the primary DNS setting in the
| TCP/IP settings for the interface.
|
| Either case, I'm uncertain what eventually fixed the problem.
| There were two things done at roughly the same time.
| I removed the empty site I created in Sites and Services and also ran
| dsadiag 2.
| After doing both of these the system attendant was able to start up
| successfully.
|
| I went thru the same steps of installing DNS, creating an empty site and
| Exchange didn't bomb this time...
|
| So, now I have a working setup.
| I configured the site link and reconfigured and moved this server over to
| the remote end of the VPN tunnel.
| All is working.
|
| I didn't create any additional forward lookup zones. According to MS, you
| don't need to, and actually since I'm not creating a child domain (Microsoft
| domain), I'm not supposed to.
| I didn't quite understand that. I thought I could easily create another
| zone file to organize the remote site in, but what do I know.
|
| I did have to create separate reverse lookup zones for the other subnet, or
| at least I did and then all seems to work. Prior to that nslookup couldn't
| find itself on the remote ADC/DNS server.
| All hosts on the remote end are configured to look at the remote ADC for DNS
| and everything seems to work.
|
|
| Anyway, sorry, I wasn't very clear on my setup. I already have a site to
| site tunnel established between 2 SonicWALL VPNs. Everything between the
| corporate site and remote site is encrypted.
|
| thanks again for your reply.
| :)
| alan
|
|
|
|
| "Ken Zhao [MSFT]" <v-kzhao@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:XXQ3gQJqFHA.472@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hello Alan,
| >
| > Thank you for using the newsgroup!
| >
| > First, I think your plan should be correct. Based on your situation, I'd
| > like to make some explanations first as below:
| >
| > In some organizations, like your situation, our customers might want users
| > to be able to access other services, such as file shares, on the answering
| > VPN router. For this type of configuration, if you specify the DNS name
| > rather than the IP address in the demand-dial interface, and the name
| > resolves to the public IP address of the answering router, traffic sent to
| > the services running on the router is sent in clear text (unencrypted)
| > across the Internet. It is not encapsulated, encrypted, and sent using the
| > VPN connection, which can compromise security.
| >
| > A related problem is that if you configure packet filters on the answering
| > router to allow only traffic over a VPN connection, all other traffic is
| > discarded. Attempts to connect to services running on the answering router
| > fail in this situation, because traffic attempting to connect to those
| > services is not sent over the site-to-site VPN connection.
| >
| > If the site DNS and WINS servers do not contain a record mapping the name
| > of the VPN router to its public IP address, traffic to services running on
| > the VPN router is always sent across the VPN connection. To ensure that the
| > name of the VPN router is always resolved to the private or site IP address
| > of the VPN router, disable DNS dynamic update and NetBIOS over TCP/IP
| > (NetBT) on the Internet-connected interface (or interfaces) of the VPN
| > router from the properties of the Internet connection in Network
| > Connections as follows:
| >
| > Prevent DNS name resolution.
| > To prevent a VPN router from dynamically registering the public IP address
| > of its Internet interface on the site DNS servers, on the Internet
| > interface of the router, configure the properties of Internet Protocol
| > (TCP/IP) by clicking the Advanced button, selecting the DNS tab, and then
| > clearing the Register this connection's addresses in DNS check box.
| >
| > Prevent WINS name resolution.
| > To prevent a VPN router from dynamically registering the public IP address
| > of its Internet interface on the site WINS servers, on the Internet
| > interface of the router, configure the properties of Internet Protocol
| > (TCP/IP) by clicking the Advanced button, selecting the WINS tab, and then
| > selecting the option Disable NetBIOS over TCP/IP.
| >
| > Note:
| > By default, the Routing and Remote Access Wizard clears Register this
| > connection's addresses in DNS and selects Disable NetBIOS over TCP/IP. Be
| > sure not to change these defaults if you want users to be able to access
| > services such as file shares on the answering VPN router.
| >
| > Regarding your concerns "Do I need to or should I be running DNS on the DC
| > destined for the remote site?", if you want to configure the Windows Server
| > 2003 as a VPN server, the IP addresses assigned to VPN clients are obtained
| > through DHCP by default. You can also configure a static IP address pool.
| > The VPN server must also be configured with name resolution servers,
| > typically DNS and WINS server addresses, to assign to the VPN client during
| > IPCP negotiation.
| >
| > For more information about how to configure DNS server and VPN server in
| > Windows Server 2003, please refer to the following links:
| >
| > Configuring Name Resolution on a VPN Server
| > <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/ac45ccb3-5353-448d-8c96-bfdc265e4cfc.mspx>
| >
| > Remote access/VPN server role: Configuring a remote access/VPN server
| > <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/00c498a8-95e7-4780-942e-c4594b01f615.mspx>
| >
| > DNS server role: Configuring a DNS server
| > <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4e1c7b17-16ab-4e7d-a333-15befb15c82e.mspx>
| >
| > Configure a DNS server for use with Active Directory
| > <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/097b8aeb-9397-4eb7-94cf-089fd3fc3a0a.mspx>
| >
| > More related knowledge articles:
| > ========================
| > 323441: How To Install and Configure a Virtual Private Network Server in
| > Windows Server 2003
| > http://support.microsoft.com/default.aspx?scid=kb;en-us;323441
| >
| > 292822: Name resolution and connectivity issues on a Routing and Remote
| > Access Server that also runs DNS or WINS
| > http://support.microsoft.com/default.aspx?scid=kb;en-us;292822
| >
| > I hope the information helps!
| >
| > Thanks & Regards,
| >
| > Ken Zhao
| >
| > Microsoft Online Partner Support
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | Reply-To: "Alan Drown" <adrown@xxxxxxxxxxxxxx>
| > | From: "Alan Drown" <adrown@xxxxxxxxxxxxxx>
| > | Subject: feeling dizzy about setting up a small remote office.
| > | Date: Tue, 23 Aug 2005 19:39:35 -0700
| > | Lines: 51
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| > | X-RFC2646: Format=Flowed; Original
| > | Message-ID: <#F0gVUFqFHA.1156@xxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.active_directory
| > | NNTP-Posting-Host: edgedynamics.com 209.172.110.69
| > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.active_directory:35647
| > | X-Tomcat-NG: microsoft.public.windows.server.active_directory
| > |
| > | Hi all,
| > |
| > | I'm setting up a new remote office that will probably have 10 users tops.
| > | My plan is to set up the firewall/VPN and server here and then ship it.
| > | All DCs are 2003 servers.
| > |
| > | Initially, I was going to have clients simply authenticate thru the VPN
| > | tunnel back to the corp office.
| > | I have a backup DSL that I used to test the VPN tunnel with and simulate a
| > | client connecting thru the VPN tunnel.
| > | Logging in took upwards of 3-5 minutes.....
| > |
| > | So it sounds like it would be best to configure an AD server for the remote
| > | site.
| > |
| > | My plan was to:
| > | - dcpromo my new server at the corporate office.
| > | - install and configure DNS
| > | - create new site, subnets and links for the new office
| > | - move the new server over to the new site.
| > | - configure the DHCP server (whether I use the SonicWALL or the new server)
| > |   to point to the local DNS server at the remote site.
| > |
| > | I'm confused on how to set up DNS on this server correctly to support this.
| > | Do I need to or should I be running DNS on the DC destined for the remote
| > | site?
| > | If so, should I configure a separate zone for the remote site?
| > |
| > | I want this as simple as possible and I'm getting confused on how to set up
| > | DNS so it supports local domain logins and lookups properly.
| > |
| > | Any help would be greatly appreciated.
| > |
| > |
| > | Alan
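As an added example (not code from this thread, Microsoft, or the newsgroup), a PowerShell audit of the two Internet-interface settings Ken's quoted reply describes: "Register this connection's addresses in DNS" cleared and NetBIOS over TCP/IP disabled, so the router's name never resolves to its public address in site DNS or WINS. It assumes a Windows Server 2012 or later RRAS host (DnsClient and NetAdapter modules present); the interface alias is a placeholder to replace with the real one.

```powershell
# Added example: check a VPN router's Internet-facing interface for the two
# leaks described in the thread (public address registered in DNS / WINS).
# Assumption: Windows Server 2012+; 'Internet' is a placeholder alias.
param(
    [string]$InternetInterfaceAlias = 'Internet'
)

$adapter = Get-NetAdapter -Name $InternetInterfaceAlias -ErrorAction Stop

# 1. DNS dynamic registration: must be OFF on the Internet interface,
#    otherwise the public address ends up in the site DNS zone.
$dns   = Get-DnsClient -InterfaceIndex $adapter.ifIndex
$dnsOk = -not $dns.RegisterThisConnectionsAddress

# 2. NetBIOS over TCP/IP: TcpipNetbiosOptions 0 = from DHCP, 1 = enabled,
#    2 = disabled. Only 2 guarantees no WINS registration of the public IP.
$cfg = Get-CimInstance Win32_NetworkAdapterConfiguration |
       Where-Object { $_.InterfaceIndex -eq $adapter.ifIndex }
$netbtOk = ($cfg.TcpipNetbiosOptions -eq 2)

[pscustomobject]@{
    Interface           = $adapter.Name
    DnsRegistrationOff  = $dnsOk
    NetBIOSOverTcpipOff = $netbtOk
}

if (-not $dnsOk) {
    Write-Warning "DNS registration enabled on '$($adapter.Name)': the public address can be published in site DNS, and traffic to the router's own services would then bypass the tunnel."
    # Remediation (uncomment to apply):
    # Set-DnsClient -InterfaceIndex $adapter.ifIndex -RegisterThisConnectionsAddress $false
}
if (-not $netbtOk) {
    Write-Warning "NetBIOS over TCP/IP not disabled on '$($adapter.Name)': the router can register its public address in WINS."
    # Remediation (uncomment to apply):
    # Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
}
```

Run it on the RRAS host after the Routing and Remote Access Wizard finishes; both flags should already read True, and a False indicates someone changed the wizard defaults the note above says to keep.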