how does XP find the domain controler ?

[Vincent Schmid]

Hi,

According to what I understand so far, a Windows XP workstation which is
part of an AD domain will need to contact a domain controller at startup.

It will query the DNS for a particular SRV record in which it should
find information about the domain controller.

We have some workstations which are located outside our offices, on a
network that we do not control. They are using DHCP, so we do not
control which DNS server they are querying. These servers will not know
about our local domain controlers.

How can we indicate to these workstations what the domain controler is ?
Is there a way do do this using the HOSTS file, or something similar ?

Thanks by advance,
Best regards,
Vincent

 

[Kent W. England [MVP]]

Vincent Schmid wrote on 23-Jan-2005 6:02 AM:

According to what I understand so far, a Windows XP workstation which is
part of an AD domain will need to contact a domain controller at startup.

It will query the DNS for a particular SRV record in which it should
find information about the domain controller.

We have some workstations which are located outside our offices, on a
network that we do not control. They are using DHCP, so we do not
control which DNS server they are querying. These servers will not know
about our local domain controlers.

How can we indicate to these workstations what the domain controler is ?
Is there a way do do this using the HOSTS file, or something similar ?

Most people use a VPN to connect remote users to their local network.
Exposing your domain on the Internet is risky because of the security
vulnerabilities.

 

[Admiral Q]

A double reinforcement of what Kent said - you should not allow any
connection to your "domain" network unless a) via VPN or b) through a server
outside the DMZ under your control.

 

[Vincent Schmid]

A double reinforcement of what Kent said - you should not allow any
connection to your "domain" network unless a) via VPN or b) through a server
outside the DMZ under your control.

Well, actually it will be something like two separate VPN, connected
trough some router. This will not be over the internet.

I'm not sure about all the details, but I suspect that a machine in one
of the VPN could have trouble finding the domain controler in the other VPN.

I've heard something about putting the domain name in the lmhost file,
could that be used to indicate what the domain controller is ?

Vincent

 

[Rebecca Chen [MSFT]]

Hi Vincent,

I agree with Kent and Admiral that we need to use VPN to logon to the
remote DC. The reason why WinXP can find the DC depends on how you
configure win2k VPN server. Technically speaking, you need to configure the
VPN server to assign the correct IP address and point to the correct DNS
server. When the VPN established, winXP will act as if it is in the LAN.
For more details, please refer to the following articles:

How To Install and Configure a Virtual Private Network Server in Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323441

How to configure a connection to a virtual private network (VPN) in Windows
XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;314076

With regards to the lmhost file, please refer to the following article to
add an entry looks like the following, that will help your client located
DC:

102.54.94.97 primary#PRE#DOM:mydomain#The mydomain PDC

LMHOSTS File
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/
en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en
-us/cnet/cnfd_lmh_tgvz.asp

HTH!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.