 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: FW: [m0n0wall] PPTP -> Windows Clients problems
 Date:  Sat, 11 Sep 2004 17:41:38 -0400
On Sat, 11 Sep 2004 09:16:54 -0400, Bryan Brayton <bryan at sonicburst dot net> wrote:
> Your hosts at B must use a DNS server which includes the SRV records
> that let each client machine know where the DCs are, the GCs are, and
> other necessary windows services.  All these services are advertised by
> a DNS server, and in most cases that will be one of your DCs.  So, you
> either have to point all your clients in location B at the DNS server(s)
> in location A, or you could set up a secondary DNS server in location B
> and point your clients at that.  Note that the DNS server at location B
> doesn't need to be a windows DC (though most people do it that way), it
> just has to be a DNS server capable of supporting SRV records at a
> minimum, though also supporting dynamic dns is recommended.  If you set
> this up and are not going to use a Windows 2000 or better dns server,
> BIND 8.1.2 or better is recommended (8.1.1 has known issues).

As an alternative, you could have a DNS server at that site that
doesn't maintain any of the AD records, but forwards the requests for
*.your-ad-domain.com to your AD DNS servers.  I have this setup
running in a couple of locations and it works great.  That way you can
have AD resolution, but don't have internet DNS requests traversing
the VPN needlessly.

If you're using BIND, put something like this in your named.conf file,
where your-ad-domain.com is your AD domain name, and and are your AD DNS servers.  If you only have one AD DNS,
just remove the .3 line.

zone "your-ad-domain.com" {
        type forward;
        forward only;
        check-names ignore;
        forwarders {
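The forward-only zone described above, written out in full as an added example (this is not part of the original e-mail and not m0n0wall code): a small POSIX shell helper that emits the complete BIND zone stanza for the AD domain, taking one or more forwarder addresses so the one-AD-DNS case the message mentions is handled without editing lines by hand. The domain name and the addresses 192.0.2.10 / 192.0.2.11 are constructed placeholders from the documentation range; the stanza assumes BIND named.conf syntax as on the page (`type forward`, `forward only`, `check-names ignore`).

```shell
#!/bin/sh
# Added example, not from the original message: generate the BIND "forward only"
# zone stanza for an AD domain so that only AD lookups are sent across the VPN
# while all other DNS traffic stays local.  Addresses used in the usage line are
# constructed placeholders (RFC 5737 documentation range).

# forward_zone_stanza DOMAIN FORWARDER [FORWARDER...]
# Prints a named.conf zone block; fails if no forwarder address is given.
forward_zone_stanza() {
    domain="$1"; shift
    [ "$#" -ge 1 ] || { echo "need at least one forwarder address" >&2; return 1; }
    printf 'zone "%s" {\n' "$domain"
    printf '        type forward;\n'
    printf '        forward only;\n'
    printf '        check-names ignore;\n'
    printf '        forwarders {\n'
    for fwd in "$@"; do
        # one line per AD DNS server; a single server simply yields one line
        printf '                %s;\n' "$fwd"
    done
    printf '        };\n'
    printf '};\n'
}

# check_stanza DOMAIN FORWARDER [FORWARDER...]
# Writes the stanza to a temporary file and validates it with named-checkconf
# when BIND is installed; otherwise falls back to a brace-balance sanity check.
check_stanza() {
    tmp=$(mktemp) || return 1
    forward_zone_stanza "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$tmp"; rc=$?
    else
        opens=$(grep -c '{' "$tmp")
        closes=$(grep -c '}' "$tmp")
        [ "$opens" -eq "$closes" ]; rc=$?
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder domain and addresses): print the stanza to paste into named.conf
forward_zone_stanza your-ad-domain.com 192.0.2.10 192.0.2.11
```

Because the zone is `forward only`, the site-B server never tries to resolve the AD domain itself if the forwarders are unreachable, so an outage of the VPN shows up as AD name lookups failing rather than as wrong answers from the public DNS tree; all other names continue to resolve locally.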