JDTHREE [MVP]
Here's the layout -
Corporate network - Windows 2000 AD (next week will upgrade to 2003,
waiting a few days to remove the Exchange 5.5 server I just moved to a
new Exchange 2003 server).
I have two DCs that are file servers, and a member server that's
running Exchange 2003 now, as well as, for a few more days, the old
5.5 Exchange server on Windows 2000. There are a few dozen other test
servers and such the developers use, but the two file servers and the
one mail server are the core ones I have to worry about my sales force
connecting to.
We have a WatchGuard Firebox 1000 firewall, and VPN in through it
using the secure client VPN software that WatchGuard and SonicWALL
use.
The question is, what is my best way to assure name resolution for the
notebook users when they're remote?
Until now, I just cheated and had lmhosts files configured for the
three servers in question. That way as soon as the users opened up
Windows Explorer or something, and tried to get to, say, a persistent
drive mapping, the VPN would connect automatically because the lmhosts
file would initiate the TCP/IP connection to that IP address, thus it
would be routed over the VPN client. Voilà, connectivity.
This still works fine for my users, since everyone is on Office 2000
or 2002, and this hasn't posed a problem.
However, I've been running Office 2003 on my tablet PC, and have found
that with that setup, Outlook would take anywhere from two to five
minutes to make its initial connection to the server (either one, the
5.5 server or the 2003 server) and begin to update the notebook. The
whole time this took, that two to five minutes, I could, however, map
drives, browse to its website, even RDP or connect using the System
Manager to do admin tasks on the server. All these things worked
immediately and without fail, even while Outlook 2003 would take so
long to establish its initial connection.
One of the guys in the outlook.general group finally got me to realize
that it was DNS. As soon as I got rid of the hosts and lmhosts files,
and set my primary DNS server to use one of my DCs, Exchange would
connect instantly upon opening the program while using the VPN tunnel.
However, this poses a problem for my mobile force I think. The whole
reason I had the lmhosts file in the first place was for when they
were mobile, at another site, and wanted to VPN back into our network.
Since they're DHCP, and most of their customer networks they go and
visit utilize DHCP as well, there was no way to assure their name
resolution for my internal machines here. Thus if they tried to get
to IKE, for instance, they'd get nowhere because the IP properties
they got from the remote network's DHCP server had no idea about my
network, obviously.
So for my Outlook 2003 client to have no huge delay at the initial
startup, I've got my internal DC's private IP as my primary DNS
server, and my ISP's primary DNS server as my secondary DNS server.
Even though I have a split DNS zone (internal domain is the same name as
our public domain name, so my DCs are authoritative internally, and
externally I have two standalone DNS servers in my DMZ that host the
external requests) my client test bed here works fine, since if I'm
connected through the VPN, my resolution is to the internal addresses.
If I'm not connected to the VPN, the DNS lookups default to the only
server available, the secondary one, which is external.
But is this really the best way to handle it? I could set my mobile
users to pull a DHCP address, and yet have their DNS hardcoded this
way. Thus they'd still function for VPN in another corporation's
network. But it seems so much easier to just have the hosts / lmhosts
files. The mobile users aren't many here, and my network isn't fluid,
so I would only have to make changes maybe every 6 to 12 months, when
some server is upgraded or something.
However, simply using hosts / lmhosts files, I still had the timing
issue with Outlook 2003, and the long delay at the initial connection.
I could just hardcode the FQDN in the hosts file, but since they
sometimes use Outlook Web Access, if I hardcode the FQDN to its
internal address so that Outlook won't delay at startup, they also
wouldn't be able to hit OWA if they weren't on the VPN, which is half
the point of having OWA in the first place. I can always just change
the host name of this IP, and may do it just to simplify my life and
thus avoid any conflicts between a hardcoded FQDN with an internal
address, but I'd rather do it the best way, not just the way that
makes sense at the moment and seems easy and painless.
Sorry for the length - just wanted to cover all the bases.
Thanks for any suggestions.
John
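The pitfall described in the post (a hosts entry that pins a name in the split zone to its internal address, so the same FQDN can no longer reach OWA when the VPN is down, and NetBIOS-only lmhosts entries that DNS-based clients such as Outlook 2003 never consult) can be audited offline. The script below is an added example, not code from the post or from any product it mentions: it parses the Windows hosts and lmhosts formats and reports both conditions. The two file bodies, the zone name example.com and every address in them are constructed samples for illustration.

```python
import ipaddress

# Added example, not code from the original post. The zone name, the file
# contents and all addresses below are constructed assumptions.
SPLIT_ZONE = "example.com"   # assumed: same name used internally and publicly

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.1.1.10       mail.example.com  mail      # Exchange member server (internal)
10.1.1.5        dc1.example.com   dc1
203.0.113.20    www.example.com             # public address, fine off-VPN
"""

SAMPLE_LMHOSTS = """\
# NetBIOS names only; a DNS-based client never reads this file
10.1.1.5    DC1     #PRE  #DOM:EXAMPLE
10.1.1.6    DC2     #PRE
10.1.1.10   MAIL    #PRE
"""

# RFC 1918 ranges, checked explicitly rather than via ip.is_private so that
# documentation ranges like 203.0.113.0/24 are not misreported as internal.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_hosts(text):
    """Return [(ip_address, [names])] from hosts-file text ('#' starts a comment)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip_str, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue                       # skip malformed lines instead of failing
        entries.append((ip, [n.lower() for n in names]))
    return entries


def parse_lmhosts(text):
    """Return [(ip_address, NETBIOS_NAME, {flags})] from lmhosts text.

    Unlike hosts, '#PRE' and '#DOM:<domain>' are keywords, not comments, so
    the line cannot simply be cut at the first '#'.
    """
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        ip_str, name, *rest = tokens
        flags = set()
        for tok in rest:
            if tok.upper() == "#PRE" or tok.upper().startswith("#DOM:"):
                flags.add(tok.upper())
            elif tok.startswith("#"):
                break                      # ordinary comment: ignore the rest
        entries.append((ipaddress.ip_address(ip_str), name.upper(), flags))
    return entries


def split_zone_pins(hosts_entries, zone=SPLIT_ZONE):
    """Names inside `zone` pinned to an RFC 1918 address by the hosts file.

    Such a name resolves internally whether or not the VPN is up, so the
    same FQDN cannot also reach a public-facing service (OWA) off the VPN.
    """
    suffix = "." + zone.lower()
    return [name for ip, names in hosts_entries for name in names
            if name.endswith(suffix) and is_rfc1918(ip)]


def netbios_only(hosts_entries, lmhosts_entries, zone=SPLIT_ZONE):
    """NetBIOS names in lmhosts with no matching FQDN in hosts: clients that
    look up <name>.<zone> via DNS get no help from either file for these."""
    fqdns = {n for _, names in hosts_entries for n in names if "." in n}
    return sorted(n for _, n, _ in lmhosts_entries
                  if f"{n.lower()}.{zone.lower()}" not in fqdns)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    lm = parse_lmhosts(SAMPLE_LMHOSTS)
    print("pinned to internal address (will break off-VPN):", split_zone_pins(hosts))
    print("NetBIOS-only names (no FQDN for DNS clients):", netbios_only(hosts, lm))
```

Point the two parse functions at the real files (%SystemRoot%\system32\drivers\etc\hosts and lmhosts) to run the check on a notebook; the report lists exactly the entries that make the "OWA off the VPN" and "Outlook waits on DNS" cases collide.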