DNS/DHCP

Guest

I have a small business (18 users) on a Win2K server box with DNS/DHCP/Dynamic IP enabled. All user workstations are on XP Professional. I have DSL coming in through a Watchguard Firebox. Up until now, I had all user workstations DNS configured with the preferred and secondary DNS servers being our DSL provider's DNS servers and my server as the default gateway. However, now I have users with laptops that I want to VPN in, and the users have to reconfigure to access the internet at their home.

Question
Can I configure this so that users can get our ISP's DNS addresses from my server when connecting to the LAN in-office so that I don't have to hard-code it in?
 
SaltPeter

ramking said:
I have a small business (18 users) on a Win2K server box with
DNS/DHCP/Dynamic IP enabled. All user workstations are on XP Professional.
I have DSL coming in through a Watchguard Firebox. Up until now, I had all
user workstations DNS configured with the preferred and secondary DNS
servers being our DSL provider's DNS servers and my server as the default
gateway. However, now I have users with Laptops that I want to VPN in, and
the users have to reconfigure to access internet at their home.
Question:
Can I configure this so that users can get our ISP's DNS addresses from my
server when connecting to the LAN in-office so that I don't have to
hard-code it in?

A private client should never rely on your ISP's DNS server directly. You
should instead configure your intranet's DNS server to forward requests on
behalf of the clients in your private namespace. This implies that your DNS
server has no root zone and has forwarders pointing to the ISP's DNS.

Read:
Question: Should I point the other Windows 2000-based and Windows Server
2003-based computers on my LAN to my ISP's DNS servers?
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291382

This way, the laptop users can connect to their ISP, VPN into your private
network and rely on the private DNS server to resolve the private namespace
if required. The key here is to ensure that the incoming VPN connection can
route to the local/private DNS server.
 
Guest

Will this also eliminate my need to list the server as the default gateway?

 
SaltPeter

ramking said:
Will this also eliminate my need to list the server as the default
gateway?

If you are referring to the default gateway assigned to an incoming VPN
client, this depends on how the VPN's IP address is distributed. There are
special considerations when DHCP is residing on the same server as the
RAS/VPN server (in which case the clients inherit the server's default
gateway).

Otherwise, the problem is not so much the gateway, but rather the metric
(hops) assigned to the gateway's route. The point is that it depends on what
you want a VPN client to be able to route to. If you need a VPN client to
resolve the private network, you need to provide a route to the local/private
DNS server. That's why consulting the routing table at the VPN server becomes
critical (is an ADD Route... required?).
 
Guest

Ok -
1) I have deleted the "." forward-zone in DNS which subsequently enabled root hints and forwarders
2) I added the IPs of the ISP's DNS servers as forwarders
3) On the server, I have the server referencing its own IP as its primary DNS address
4) On the workstations, I have eliminated the manual DNS addresses
5) On the server and the workstations, I have left the firewall's internal IP as the Default Gateway

Result

Server: Surf's Up! :) Able to surf the web no problem from the server
Workstations: Can only surf to websites that have been previously accessed from the actual server terminal

 
Guest

I misspoke, workstations are still not able to resolve any external domains (though able to ping).

Any thoughts?
 
SaltPeter

ramking said:
I misspoke, workstations are still not able to resolve any external domains (though able to ping).

Any thoughts?

Yes, you've not configured the DNS server appropriately. Delete root zone +
add forwarders on local DNS server.
 
Guest

Sorry... you didn't see the earlier part of the thread because I forgot to include the original text. I've modified it a bit for the new facts.

1) I have deleted the "." forward-zone in DNS which subsequently enabled root hints and forwarders
2) I added the IPs of the ISP's DNS servers as forwarders
3) On the server, I have the server referencing its own IP as its primary DNS address
4) On the workstations, I have eliminated the manual DNS addresses
5) On the server and the workstations, I have left the firewall's internal IP as the Default Gateway
6) On the server, in DNS, I added scope option 15 to read "mydomain.local" (which is the server's domain)

Result

Server: Surf's Up! :) Able to surf the web no problem from the server
Workstations: no luck

 
Enkidu

Inline and below.

Sorry... you didn't see the earlier part of the thread because I forgot to include the original text. I've modified it a bit for the new facts.

1) I have deleted the "." forward-zone in DNS which subsequently enabled root hints and forwarders.
OK.

2) I added the IPs of the ISP's DNS servers as forwarders.
OK.

3) On the server, I have the server referencing its own IP as its primary DNS address.
OK, the DNS is on the DC, right? (I missed the earlier posts). If not,
the *DNS* server points to itself for DNS, and the DC points to the
DNS server for DNS. Just checking.
4) On the workstations, I have eliminated the manual DNS addresses.
OK so that means they get addresses by DHCP?
5) On the server and the workstations, I have left the firewall's internal IP as the Default Gateway
Can be done by DHCP.

6) On the server, in DNS, I added scope option 15 to read "mydomain.local" (which is the server's domain).
That sounds like a DHCP option.
Result:

Server: Surf's Up! :) Able to surf the web no problem from the server.
Workstations: no luck
Since I missed the start of the thread you may have done some of these
already, but I suggest:

1) Do ipconfig /all on the workstations. Ensure that they are getting
the correct addresses from the DHCP server for IP, DNS, netmask and
gateway. If these are not correct do ipconfig /release and ipconfig
/renew. Check again with ipconfig /all.

2) Do ipconfig /all on the server(s) and ensure that they have the
correct ip addresses for self, netmask, DNS and gateway. DON'T do a
release/renew. (These are normally statically assigned).

3) nslookup <internal machine>. See if you can resolve an internal
machine by name. nslookup <internal machine>.<your internal domain>.
Do this on the WS and the server(s).

4) nslookup <external domain name> (eg www.microsoft.com). Do this
both on the WS and the server(s).

Cheers,

Cliff
 
Guest

Yes, the DC is also the DNS server (192.168.1.1) and workstations get their IPs via DHCP. I have added a DHCP option that lists 192.168.1.1 as the DNS server so IPCONFIG on both the server and client shows that as the DNS server. I also added a DHCP option for router so that it is now showing as the default gateway on clients. And per your response to #6 below, yes that is the other option I have set in DHCP (not in DNS as I had said).

Ipconfig /all on server and workstations now shows right IP, DNS, netmask and gateway.

nslookup fails on clients both looking for internal machines and external domains.

Also on clients, DHCP server giving IPs properly and leases showing at console, but at clients, I can't ping the server IP or the router?

DO I NEED TO REBOOT THE SWITCH AT SOME POINT?

Lastly, on server:
nslookup for internal machines fails:

nslookup chrislpatop.mydomain.local
*** Can't find server name for address 192.168.1.1: Non-existent domain
*** Default servers are not available
Server: Unknown
Address 192.168.1.1

*** Unknown can't find chrislaptop.mydomain.local: Non-existent domain

Thanks for any help.



 
Enkidu

Hi Ramking, please see inline.

Cheers,

Cliff

Yes, the DC is also the DNS server (192.168.1.1) and
workstations get their IPs via DHCP. I have added a
DHCP option that lists 192.168.1.1 as the DNS server
so IPCONFIG on both the server and client shows that
as the DNS server. I also added a DHCP option for
router so that now showing as default gateway on clients.
And per your response to #6 below, yes that is the other
option I have set in DHCP (not in DNS as I had said).

Ipconfig /all on server and workstations now shows
right IP, DNS, netmask and gateway.
OK, I presume that the DHCP server is on the DC. That all seems OK.
What are the lease times though? Are they recent? What I'm getting at
here is the possibility that they got this information some time
ago.
nslookup fails on clients both looking for internal machines
and external domains.

Also on clients, DHCP server giving IPs properly and
leases showing at console, but at clients, I can't ping
the server IP or the router?
It's definitely looking like a connectivity problem. However, the
clients are apparently getting the DHCP information from the server.
Hence the question about lease times above.
DO I NEED TO REBOOT THE SWITCH AT SOME POINT?
That's a thought. What sort of switch is it? It won't do any harm.
Lastly On server:
nslookup for internal machines fails:

nslookup chrislpatop.mydomain.local
*** Can't find server name for address 192.168.1.1: Non-existent domain
*** Default servers are not available
Server: Unknown
Address 192.168.1.1

*** Unknown can't find chrislaptop.mydomain.local: Non-existent domain
On the server? That is wrong. The DNS service is actually running,
isn't it? The first line of the reply says that it is looking up its
own IP address in the DNS and NOT finding it. Do you have a reverse
lookup zone? If not, create one.

Cheers,

Cliff
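An added Python example (not code from the thread or from any poster) that parses Windows nslookup output like the one quoted above and separates the two failures Cliff points at: the resolver being unable to reverse-resolve its own DNS server (missing reverse zone, or the DNS service not answering) versus the queried name simply not being found. The sample output is constructed from the thread's quoted session; any other hostnames or addresses are assumed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, reconstructed from the nslookup output quoted in the
# thread (run on the DC/DNS server 192.168.1.1 before a reverse zone existed).
BROKEN_OUTPUT = """\
*** Can't find server name for address 192.168.1.1: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  192.168.1.1

*** UnKnown can't find chrislaptop.mydomain.local: Non-existent domain
"""

REVERSE_FAIL = re.compile(r"Can't find server name for address (\S+): (.+)")
QUERY_FAIL = re.compile(r"\*\*\* (\S+) can't find (\S+): (.+)")
FIELD = re.compile(r"^(Name|Address(?:es)?):\s*(.+)$")

@dataclass
class Triage:
    server_ip: Optional[str] = None
    query_name: Optional[str] = None
    reverse_ok: bool = True   # resolver could reverse-resolve its own DNS server
    query_ok: bool = True     # the queried name got an answer
    answers: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

def triage_nslookup(text: str) -> Triage:
    t, in_answer = Triage(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := REVERSE_FAIL.search(line):
            # The server cannot PTR-resolve its own address: no reverse zone,
            # or the DNS service is not answering at all (Cliff's diagnosis).
            t.reverse_ok, t.server_ip = False, m.group(1)
            t.findings.append(f"no PTR record for DNS server {m.group(1)}: {m.group(2)}")
        elif "Default servers are not available" in line:
            t.findings.append("resolver has no usable default server")
        elif m := QUERY_FAIL.search(line):
            # Forward lookup failed: the name is in no local zone and no forwarder answered.
            t.query_ok, t.query_name = False, m.group(2)
            t.findings.append(f"{m.group(2)} not found via {m.group(1)}: {m.group(3)}")
        elif m := FIELD.match(line):
            if m.group(1) == "Name":          # answer section starts here
                in_answer, t.query_name = True, m.group(2)
            elif in_answer:                   # Address/Addresses of the answer
                t.answers.extend(a.strip() for a in m.group(2).split(","))
            else:                             # Address of the DNS server used
                t.server_ip = m.group(2)
    return t
```

A healthy lookup (Server/Address block followed by Name/Address) yields an empty findings list and the answer addresses, so the function can be run on each client's nslookup output to tell a reverse-zone problem from a forwarder problem at a glance.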
 
Enkidu

If your network is 192.168.1.0/24 (in other words 192.168.1.0 netmask
255.255.255.0) then create a reverse lookup zone with that
information. It should create a zone named 1.168.192.in-addr.arpa.
Sorry, I'm not near a server running DNS at present. As I recall, when
you set up the zone the wizard will guide you to insert the correct
information.

Is the DNS service running? The server should be able to resolve
itself in its own DNS server!!

Cheers,

Cliff
 
