
AD DNS for remote office

 
 
Mark A. Dudley

 
      06-10-2009
Hello:

I have a single forest single domain and several satellite offices
that are connected to HQ using small VPN router and DSL lines. Some
of the remote offices are in outlying areas and their internet
connections are not reliable, sometimes dropping the vpn links. The
remote offices each have one or two users, not warranting the expense
of their own DC.

I would like them to be able to use the internet if the vpn link is
down but I would like to use my AD DNS servers for all name
resolution. If I put a couple of DNS servers on the public network
and set their DNS to point to them it would work.

The problem is I don't want to put DNS servers on the public network
with my private IP addresses in them. Anyone know a way to get around
this?

Thanks,
Mark
 
 
 
 
 
Marcin

 
      06-10-2009
Mark,
add remote users to Network Configuration Operators group and give them
instructions on how to configure their DNS settings to point to the ISP DNS
servers.

hth
Marcin
 
Anthony [MVP]

 
      06-11-2009
Mark,
I don't know of anything that would authenticate the DNS client over a
public network.
It sounds a slightly unusual requirement. If the internet is available then
the VPN should be up.
Assuming the internet is available but the VPN is down, what is the
objective of giving them your DNS instead of the public DNS?
Anthony,
http://www.airdesk.com
 
Paul Bergson [MVP-DS]

 
      06-11-2009
This is very confusing for me.

Please explain your topology for your remote users. It sounds like you are
stating that they only have a single vpn connection and that is back to your
HQ's. If that is the case, no matter what you did they wouldn't have any
additional reliability.

The best that I can think of what you will need to do is to have a second
route to the internet at the remote site, provide a dns server and define
forwarding to your isp for any addresses not within your domain. This is
similar to what you should be doing at HQ.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
 
Kerry Brown

 
      06-11-2009

Are the remote computers joined to the domain? If they are not you can set
their ISP's DNS server as an alternate DNS server. If the main office
Internet connection goes down and they lose the VPN they will switch over
to the alternate DNS server. They will probably have to reboot to
re-establish the AD DNS server once the VPN is back up. If they are joined
to the domain you may run into problems with this configuration.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/




 
 
Phillip Windell

 
      06-11-2009
It "just ain't gonna happen" the way you want.

If the Internet is up then the VPN should be up.

The real way to handle it is to place a DC at each site. The network design
and the Active Directory design and the way it works does not care if there
is 100 users at the site or only 2,...that isn't going to change how it
works.

The fact that you have a remote office justifies having a local DC in
it,...not how many people are at the site.

However that said I have two remote sites,..one with three people and one
with two. I solve that by just not using a Site-to-Site VPN in the first
place. I use User Initiated Remote Access VPN for those. Each user
independently connects with VPN using their own machine,...if for some
reason the VPN won't work they can still get to the Internet just fine.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Ace Fekay [Microsoft Certified Trainer]

 
      06-11-2009
If the VPN link is down, and I assume (you didn't specify) that all sites
are connected via VPN tunnels across the internet. So if the VPN link is
down, and more than likely I see this because the internet link goes down,
and not the VPN itself, then how will they connect to the internet?

For multiple locations, each location is normally designed to use their own
internal DNS servers. So that is a de facto. Therefore, I do not know what
you mean by "I would like to use my AD DNS servers for all name
resolution..." Isn't it set that way anyway based on the way AD works and
requiring to ONLY use your internal DNS servers?

Maybe you can elaborate on your topology with specifics to get a better
understanding of what you actually have in order to make more specific
recommendations.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay


 
 
Mel K.

 
      06-14-2009
Every book I've read suggests that every site have a DC, but I don't agree
with that. Why would anyone risk putting a DC in a remote office which
probably doesn't even have a lock on the server room door? I previously
worked at a large corporation (Fortune 500) that only had DC/DNS/DHCP
servers at the main HQ and regional HQs. All satellite offices would use the
services from one of the HQs. We never had any issues with this setup. Some
might ask, what if the link from the satellite office to a HQ goes down?
Well, if that link goes down, the users won't be able to get to Exchange and
other critical apps, so not being able to connect to a DC/DNS/DHCP server
would be the least of their worries.

But in the poster's situation, it looks like he'll need a DC/DNS server at
the remote office if he wants the remote users to always use the internal
DNS servers even if the VPN link goes down. Your user-initiated VPN
suggestion seems like a good idea.

--
Thank you,
Mel K.
MCSA: M
"Phillip Windell" <> wrote in message
news:udY95$...
> It "just ain't gonna happen" the way you want.
>
> If the Internet is up then the VPN should be up.
>
> The real way to handle it is to place a DC at each site. The network
> design and the Active Directory design and the way it works does not care
> if there is 100 users at the site or only 2,...that isn't going to change
> how it works.
>
> The fact that you have a remote office justifies having a local DC in
> it,...not how many people are at the site.
>
> However that said I have two remote sites,..one with three people and one
> with two. I solve that by just not using a Site-to-Site VPN in the first
> place. I use User Initiated Remote Access VPN for those. Each user
> independently connects with VPN using their own machine,...if for some
> reason the VPN won't work they can still get to the Internet just fine.
>
>
> --
> Phillip Windell
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
 
Mel K.

 
      06-14-2009
If you go with this route, I would suggest giving the users a VBS to run to
automatically change their DNS settings. I've written something like that
for home use, so it's not difficult.

--
Thank you,
Mel K.
MCSA: M
"Marcin" <> wrote in message
news:...
> Mark,
> add remote users to Network Configuration Operators group and give them
> instructions on how to configure their DNS settings to point to the ISP
> DNS servers.
>
> hth
> Marcin
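The DNS switch that the alternate-server setup and the suggested script in the replies above both aim at could be automated as follows. This is an added example, not code posted by anyone in the thread; it uses the DnsClient PowerShell cmdlets (Windows 8 / Server 2012 and later), and the adapter name, server addresses and probe name are placeholder assumptions.

```powershell
# Added example. All default values below are placeholders (assumptions), not from the thread.
param(
    [string]   $InterfaceAlias = 'Ethernet',                  # adapter to manage
    [string[]] $InternalDns    = @('10.0.0.10', '10.0.0.11'), # AD DNS servers reached through the VPN
    [string[]] $FallbackDns    = @('192.0.2.53'),             # ISP resolver used while the tunnel is down
    [string]   $ProbeName      = 'corp.example.com'           # AD domain name only the internal servers answer for
)

function Test-InternalDns {
    # True if any internal server answers an SOA query for the AD domain.
    param([string[]] $Servers, [string] $Name)
    foreach ($server in $Servers) {
        try {
            # -DnsOnly skips LLMNR/NetBIOS; -QuickTimeout keeps the probe short when the tunnel is down.
            Resolve-DnsName -Name $Name -Server $server -Type SOA -DnsOnly -QuickTimeout -ErrorAction Stop |
                Out-Null
            return $true
        } catch {
            Write-Verbose "No answer from ${server}: $($_.Exception.Message)"
        }
    }
    return $false
}

$vpnUp   = Test-InternalDns -Servers $InternalDns -Name $ProbeName
$desired = if ($vpnUp) { $InternalDns } else { $FallbackDns }
$current = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)

# Nothing to do when the adapter already points at the right servers.
if (($current -join ',') -eq ($desired -join ',')) {
    Write-Output "DNS unchanged ($($current -join ', ')); internal DNS reachable: $vpnUp"
    return
}

# Changing adapter settings needs an account with that right on the machine.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $desired

# Drop cached answers so names resolved by the other set of servers are not reused.
Clear-DnsClientCache

Write-Output "DNS on '$InterfaceAlias' set to $($desired -join ', '); internal DNS reachable: $vpnUp"
```

Run on a schedule, the same script puts the AD DNS servers back once the tunnel returns, and no internal records are ever published on a public server. While the fallback is active, lookups for internal names go to the ISP resolver and fail there, which is the problem Kerry Brown flags for domain-joined machines.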
 
Mel K.

 
      06-14-2009
You need to correct the root cause, which is the VPN dropping. Can't the
router/VPN device automatically re-establish the VPN once the connection
comes up? It seems like you're doing more work trying to get around the VPN
issue.

--
Thank you,
Mel K.
MCSA: M
 
 
 