 
 From:  "Bryan Brayton" <bryan at sonicburst dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  FW: [m0n0wall] PPTP -> Windows Clients problems
 Date:  Sat, 11 Sep 2004 09:16:54 -0400
> -----Original Message-----
> From: sylikc [mailto:sylikc at gmail dot com]
> Sent: Saturday, September 11, 2004 5:02 AM
> To: Michael Monaghan
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] PPTP -> Windows Clients problems
>
> Mike,
>
> Thanks for the advice, I have a question regarding AD and its
> reliance on DNS though...
>
> > If you're running Win2000/2003 with Active Directory, DNS is
> > required.
> > Having to add WINS is an indicator something is hosed up.  Make sure
> > your DNS settings are pointing to correct servers and that the
> > ports for those servers are accessible.  Also check the firewall rules on
> > the laptops.  XPSP2 does some really ugly things to the XP firewall.
> > Several of our techs have reported spontaneous rule changes.
>
> I am running a simple AD, just one forest, etc. in LocationA.  All my
> hosts in LocationA use m0n0 to forward DNS requests to my PDC.  My PDC
> is configured so that if any DNS requests are unresolved, it forwards
> it to my ISP's DNS servers.
>
> I have some more hosts at a "remote" location at LocationB.  LocationB
> has a site2site VPN connection with LocationA (through two m0n0s).
> The VPN is set up and operational as far as I can tell.  All hosts at
> LocationA and LocationB are on the same domain and when all plugged
> into LocationA, everything works like a charm.  It's when I have these
> hosts, say X and Y at LocationB that funny things start happening.
>
> With WinXP SP2, I've disabled the Windows Firewall.  When I connect to
> a share from X to Y, I get "There are no logon servers available to
> service the logon request".  It doesn't even prompt me for a local
> user or a domain user, just straight out errors and stops.  Why?
> (When I connect from Y to a share on X, everything is OK and I can
> login as a local user on X.)

It sounds like your machines either can't access a global catalog server
(which will be on one of your DCs), or they can't look up in DNS which
machine is the GC.  If you are running a simple forest, the first DC
that you created will be your GC server.

>
> So, I understand AD relies heavily on DNS, so does that mean my hosts
> at LocationB must set their DNS to the PDC at LocationA (through the
> VPN)?  That would surely start getting messy after a while, but what
> would be a good way to put this all together?

Your hosts at B must use a DNS server which includes the SRV records
that let each client machine know where the DCs are, the GCs are, and
other necessary Windows services.  All these services are advertised by
a DNS server, and in most cases that will be one of your DCs.  So, you
either have to point all your clients in location B at the DNS server(s)
in location A, or you could set up a secondary DNS server in location B
and point your clients at that.  Note that the DNS server at location B
doesn't need to be a Windows DC (though most people do it that way), it
just has to be a DNS server capable of supporting SRV records at a
minimum, though also supporting dynamic DNS is recommended.  If you set
this up and are not going to use a Windows 2000 or better DNS server,
BIND 8.1.2 or better is recommended (8.1.1 has known issues).

HTH,
Bryan
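
As an added example (not from the thread), a small Python check for the SRV records Bryan describes: it parses dig-style SRV answers from the DNS server the location B clients use and reports which Active Directory locator records are missing or point at the wrong port. The record names and ports are the standard AD ones; the zone contents and the domain name `corp.example` are constructed.

```python
"""Check that a DNS server advertises the AD locator SRV records clients need."""
import re
from collections import defaultdict

# AD locator names a domain member queries (relative to the AD DNS domain).
# Ports are the well-known defaults: LDAP 389, Kerberos 88, Global Catalog 3268.
REQUIRED_SRV = {
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp.dc._msdcs": 88,
    "_gc._tcp": 3268,
    "_ldap._tcp.gc._msdcs": 3268,
}

# Matches a dig/zone-file style SRV line: name ttl class SRV prio weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv(lines):
    """Return {owner name (lowercase, no trailing dot): [(prio, weight, port, target), ...]}."""
    records = defaultdict(list)
    for line in lines:
        m = SRV_LINE.match(line.strip())
        if not m:
            continue  # skip blanks, comments and non-SRV records
        records[m["name"].rstrip(".").lower()].append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].rstrip(".").lower())
        )
    return dict(records)


def check_ad_locator(domain, records):
    """Return a list of problems; an empty list means DCs and GCs are advertised correctly."""
    problems = []
    for prefix, port in REQUIRED_SRV.items():
        name = f"{prefix}.{domain}".lower()
        rrs = records.get(name)
        if not rrs:
            problems.append(f"missing SRV record {name}")
            continue
        for _prio, _weight, p, target in rrs:
            if p != port:
                problems.append(f"{name} -> {target} uses port {p}, expected {port}")
    return problems


# Constructed sample answer: a zone that advertises a DC but no _gc._tcp record,
# which is the "no logon servers available" symptom described in the thread.
SAMPLE = """
_ldap._tcp.dc._msdcs.corp.example.     600 IN SRV 0 100 389  dc1.corp.example.
_kerberos._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 88   dc1.corp.example.
_ldap._tcp.gc._msdcs.corp.example.     600 IN SRV 0 100 3268 dc1.corp.example.
""".strip().splitlines()

if __name__ == "__main__":
    for problem in check_ad_locator("corp.example", parse_srv(SAMPLE)):
        print(problem)
```

Run `dig SRV _gc._tcp.<your domain> @<location B DNS server>` and feed the answer lines in to check a real server.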



________________________________

avast! Antivirus <http://www.avast.com> : Outbound message clean. 

Virus Database (VPS): 0437-1, 09/09/2004
Tested on: 9/11/2004 9:13:28 AM
avast! - copyright (c) 2000-2004 ALWIL Software.
