Re: Intra-site DNS problems
From: Herb Martin (news_at_LearnQuick.com)
Date: 01/25/05
- Next message: Chris: "Re: DHCP option 81"
- Previous message: seth: "Re: After office move, can't find TCP/IP Printer."
- In reply to: Alex Lovell-Troy: "Re: Intra-site DNS problems"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 25 Jan 2005 12:32:39 -0600
> > Ace is right. Build a VPN between the two
> > routers, and setup the routing so that everything
> > for the private address goes out (from the other
> > site) through the VPN, and vice versa by routing
> > the PUBLIC addresses specific to the partner
> > site through the VPN.
> >
> > This assumes you have a full service router/NAT/
> > VPN.
> >
> > The VPN doesn't get NAT'ed -- it gets treated as a
> > separate interface from the underlying NIC.
>
> I'm working on this problem as well and am not totally clear. I would
> appreciate it if someone could humor me and fill in the blanks. I'm
> basically a UNIX admin working with the original poster.
Many of the details will depend on what you are using for
Routers. Some "appliance" routers won't have the VPN
capabilities or the ability to perform the routing correctly.
Mixing Unix and MS as the routers can work, but may
complicate the options or the authentication choices/methods.
This is very straightforward when using Windows 2000+
RRAS as the routers on both ends. (And quite doable with
Linux on both, or even a mix on the two ends, e.g., MS/Linux.)
> We have two sites that we want to join with AD, File Replication, and
> DFS. Two identical machines are placed at either end of a T1 to
> accomplish this.
Create a VPN from Server-A <-> Server-B.
Test that in general.
> On side A, we have a fully routable class C. On the
> other end, we have a Linux firewall that is translating one routable IP
> (x.x.x.116) address directly to the Win2k3 server. The Win2k3 server
> thinks of itself with a non-routable ip address (10.10.0.55),
Remember this "non-routable" is shorthand for
"NON-Routable ON THE Internet". Those addresses
are perfectly routable if the following is true:
1) The routers involved support them (yours can)
2) You hide the address inside of the VPN so they
are not seen by intermediate routers, but only
by the VPN end-points (which you control.)
> but we
> know that it can respond (via ping and remote desktop) to traffic
> directed at the NAT address (x.x.x.116).
You need to be able to perform the ping* from servers INTERNAL
to both networks.
(Technically you don't need Ping/ICMP but I am assuming you are
not going to filter the VPN at all and thus ping makes the best test.
Were you to filter then we might use netcat, telnet, or another test
tool, but the principle remains.)
> If I understand the responses correctly, our problems are currently just
> DNS related, but if we proceed with a hack to fix DNS, we will run into
> RPC and KRB problems.
RPCs are not going to translate (easily) through the NAT, but can
flow down the VPN (like water hidden in a pipe) just fine.
> What I don't understand is at what point in the
> transmission will these problems arise. Can RPC and KRB actually tell
> that they are being shoved unceremoniously through the NAT?
Not exactly for RPC, but trying to map that stuff is tricky
at best.
Also note that once you have the VPN (and encrypt it) then
ALL of your traffic between the two sites will be protected.
> Thanks in advance.
> -alex
Set up a tunnel type VPN between the two routers. Treat those
tunnel "interfaces" just like real NICs, and set your manual
routes to reflect them, something equivalent to:
On Router-A
route add SITEB-ADDRESSES mask 255.255.255.0 A->B-VPN-Interface
On Router-B
route add SITEA-ADDRESSES mask 255.255.255.0 B->A-VPN-Interface
(On Microsoft machines the above is best done with the
RRAS GUI, or the NetSh.exe command and NOT by using
the actual "route add" command.)
--
Herb Martin

"Alex Lovell-Troy" <alovell@as.arizona.edu> wrote in message news:O5xKJ8uAFHA.3016@tk2msftngp13.phx.gbl...
> Herb Martin wrote:
> > "trehkopf" <trehkopf@email.arizona.edu> wrote in message
> > news:eDpbY0mAFHA.3016@tk2msftngp13.phx.gbl...
> > > I've been trying to setup Active Directory between two sites and I've run
> > > into some trouble getting DNS to update correctly. One of the sites is
> > > using NAT while the other one has a standard IP address space. The domain
> > > controller at each site uses its opposite at the other site for resolution
> > > thus creating the great circle of DNS. After running DCDIAG.exe on the
> > > DC behind the NAT it returns an error:
> > >
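As an added illustration of the routing advice above (example code, not anything from the thread or from RRAS): a small longest-prefix-match table showing why the "non-routable" 10.10.0.55 DC at Site B is reachable from Site A once a route for Site B's prefix points at the tunnel interface, while ordinary Internet traffic still leaves through the NAT. Site A's public /24 is stood in for by the documentation range 203.0.113.0/24, and the interface names are placeholders; the consistency check at the end catches the easy mistake of copying the same prefix onto both routers.

```python
# Added example, not from the original post: longest-prefix-match routing
# over a two-site VPN, with constructed addressing and placeholder interfaces.
import ipaddress

# Constructed: Site A's "fully routable class C" is represented by the
# documentation range 203.0.113.0/24; Site B uses 10.10.0.0/24 as in the thread.
SITE_A = ipaddress.ip_network("203.0.113.0/24")
SITE_B = ipaddress.ip_network("10.10.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def site_routes(local, remote, tunnel_if):
    """Routing table for one site: LAN, remote site via the VPN tunnel, default via NAT/ISP."""
    return [
        (local, "lan0"),
        (remote, tunnel_if),   # the 'route add REMOTE mask 255.255.255.0 TUNNEL' line
        (DEFAULT, "wan0"),     # everything else goes out the NATed WAN link
    ]


def lookup(table, dst):
    """Outgoing interface for dst using longest-prefix match (None if unroutable)."""
    dst = ipaddress.ip_address(dst)
    best = max(((net, iface) for net, iface in table if dst in net),
               key=lambda entry: entry[0].prefixlen, default=None)
    return best[1] if best else None


def tunnel_routes_consistent(table_a, table_b):
    """Each router's tunnel route must point at the OTHER site's prefix."""
    a_local, a_tunnel = table_a[0][0], table_a[1][0]
    b_local, b_tunnel = table_b[0][0], table_b[1][0]
    return a_tunnel == b_local and b_tunnel == a_local


def route_check():
    """Where traffic from each site actually exits, for a few constructed destinations."""
    a = site_routes(SITE_A, SITE_B, "vpn-a-to-b")
    b = site_routes(SITE_B, SITE_A, "vpn-b-to-a")
    return {
        "a_to_dc_b": lookup(a, "10.10.0.55"),         # DC behind the NAT -> tunnel
        "b_to_server_a": lookup(b, "203.0.113.10"),   # Site A host -> tunnel
        "a_to_internet": lookup(a, "198.51.100.7"),   # unrelated public host -> NAT
        "b_to_other_private": lookup(b, "192.168.1.1"),  # no tunnel route -> default
        "consistent": tunnel_routes_consistent(a, b),
    }
```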