Need help with naming conflict

Brian Vallelunga

I am working on a small domain (2 servers, 10 computers) with a naming
conflict. The system was set up with a domain name, for example, x.com. The
problem is that the public domain name, x.com is not owned by the company.
They are just using it internally. Publicly, x.com is owned by someone else,
with *.x.com being resolved to a public IP somewhere.

This really isn't a problem within the office. The problem lies when I tried
to set up a VPN link to the office. So internally, the computers have DNS
records of a.x.com, b.x.com, etc. After creating the VPN, the internal
computers can't be reached because all of the *.x.com DNS entries go to a
wildcard for the x.com public domain name.

I am trying to figure out a way around this. Obviously renaming the internal
domain would be nice, but that is not feasible. They are using Windows 2000
in native mode. I am wondering if I can create a parallel set of DNS entries
on the internal DNS server. Something like x.local. This way, whenever they
establish a VPN connection they can type in a.x.local to get to their
personal computer via Remote Desktop.

I am unsure how to create this second set of DNS entries, or if it is even
possible at all. Internal IPs are assigned dynamically, and I don't want to
have to move to static IP addresses. I guess the other question would be if
I can force the VPN users to use the internal DNS server before their main
DNS server for just this domain name.

I hope this is the best place to put this post. Thanks.

Brian
 
This is a common issue when your private namespace is identical to your
public namespace. Even though you can't fix the internal namespace, all of
your suggested workarounds should work fine. I usually recommend these:

1. If possible, add a HOSTS file to the VPN clients. That way, when they try
to resolve an address, you can control whether that address resolves to a
public name or a private name.

2. Add the internal DNS addresses in the remote clients' LAN settings. This
creates an extremely small and unnoticeable delay when surfing the web but
will allow queries for names to be sent to the internal DNS servers first.

You could add a new zone called x.local with all the records in that zone
and that should work fine too, just so long as it's not resolvable publicly.
That's actually a great idea I hadn't thought about before.

Hope this helps,

--
J.C. Hornbeck, MCSE
Microsoft Product Support

NOTE: Please reply to the newsgroup and not directly to me. This allows
others to add to and benefit from these threads and also helps to ensure a
more timely response. Thank you!

This posting is provided "AS IS" without warranty either expressed or
implied, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose.
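The script below is an added example and not code from the thread. It does two things a practitioner would want before touching the clients: it confirms from a VPN client that the ISP resolver is answering a.x.com with the public wildcard while the office server answers with a private address, and it then applies J.C.'s second suggestion in a narrower form, routing only *.x.com to the internal server (a Name Resolution Policy Table rule) rather than putting that server first for every lookup. The internal DNS address 10.0.0.5, the ISP resolver 203.0.113.53 and the host name a.x.com are assumptions for illustration, and Resolve-DnsName and the NRPT cmdlets require Windows 8 / Server 2012 or later; none of this existed on Windows 2000.

```powershell
# Added example, not from the thread. Confirms the x.com collision from a VPN
# client and then scopes the internal resolver to that one domain.
# Assumptions (none are from the original posts): the office DNS server is
# reachable over the tunnel at 10.0.0.5, the ISP resolver is 203.0.113.53, and
# the client runs Windows 8 / Server 2012 or newer; Resolve-DnsName and the
# NRPT cmdlets do not exist on Windows 2000.
param(
    [string]$Name        = 'a.x.com',
    [string]$InternalDns = '10.0.0.5',
    [string]$IspDns      = '203.0.113.53',
    [string]$Namespace   = '.x.com'
)

function Test-PrivateIPv4 {
    # True for RFC 1918 space. An office host answering from outside it means
    # the public *.x.com wildcard won, not the internal zone.
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Resolve-Against {
    # Query one named server only, bypassing the hosts file and the client
    # cache, so the answer reflects that resolver and nothing else.
    param([string]$Name, [string]$Server)
    try {
        $r = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        return @($r | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch {
        return @()
    }
}

$viaIsp      = Resolve-Against -Name $Name -Server $IspDns
$viaInternal = Resolve-Against -Name $Name -Server $InternalDns
"{0} via ISP resolver {1}: {2}" -f $Name, $IspDns, ($viaIsp -join ', ')
"{0} via internal DNS {1}: {2}" -f $Name, $InternalDns, ($viaInternal -join ', ')

$publicAnswer = @($viaIsp | Where-Object { -not (Test-PrivateIPv4 $_) })
if ($publicAnswer.Count -gt 0) {
    "Collision confirmed: {0} resolves to the public x.com wildcard ({1})." -f $Name, ($publicAnswer -join ', ')
}

# J.C.'s option 2, narrowed: rather than putting the internal server first for
# every lookup, route only *.x.com to it with a Name Resolution Policy Table
# rule. Needs an elevated shell; undo with Remove-DnsClientNrptRule.
$existing = Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace }
if (-not $existing) {
    Add-DnsClientNrptRule -Namespace $Namespace -NameServers $InternalDns `
        -Comment 'Office namespace: resolve via the internal DNS over the VPN'
}
```

With the rule in place, lookups under x.com go to 10.0.0.5 whether or not the tunnel is up, so expect them to fail rather than fall back to the ISP when the user is not connected; for this namespace that is the intended behaviour, since the public x.com does not belong to the company. Everything else on the client keeps using the ISP resolver, which is why the delay J.C. mentions does not apply.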
 
The problem with most of these solutions is that there are several different
users, all with computers in the office that are assigned dynamic IP
addresses. When the computers get their IP addresses, they update their
records in the domain server's DNS list. Hosts files don't solve the problem
when a computer gets a new IP. The same with the DNS. I'm trying to figure
out if there is a way for the DNS to create two entries, one in each zone.
One zone would be for the existing domain, and the new zone would be for the
new .local zone. I have no idea how to do this though. Suggestions are
appreciated.

Brian
 
Clients update their records into a DNS zone by using the name in their
Primary DNS Suffix. To make it do that, you would require multiple Primary
DNS Suffixes, but that is not possible in Windows, that is, as far as I
know.... maybe JC can shed light on that, but I've never heard of it being
done.

I am assuming that you are trying to connect to a specific client machine
rather than a DC or file server, since you're worried about a change of IP.
Normally what JC mentioned is our method of circumventing the VPN issue, and
I also assume you are speaking of a direct client VPN rather than Tunnel
Mode (from office to office). If the resource they're trying to connect to
is a fixed IP server, then the VPN is usually the answer; however, since
you're trying to connect to specific DHCP clients, maybe WINS would be a
better answer?

Hope that helps...




--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Yup, I'm talking about direct client to office VPNs from their home
computers. Also, the employees need to be able to get to their individual
machines. If this weren't the case, then I could easily create the static IP
addresses and use the various other methods listed.

If I implement a WINS server (which I thought we weren't really supposed to
do anymore), how would I know that the WINS naming would be used before the
DNS naming for resolving a computer name? Or could I just not pass down a
DNS server to the VPN clients?

I am sending the internal DNS server to the VPN clients, but they're
obviously using their personal DNS server entry first.

Quite a quandary. I really do wish I could automatically have a machine
register in both DNS zones. That would be an elegant solution. I wonder if I
could write a script that reads the DNS entries and then creates new ones.
Hmm...

Brian
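Brian's closing thought, a script that reads the DNS entries and then creates new ones, is workable as a scheduled task on the DNS server: the machines keep registering dynamically into x.com exactly as they do now, and the task copies their host A records into a parallel x.local zone that only the internal server carries. The PowerShell below is an added example and not code from the thread or from either responder. It assumes the DnsServer module (Windows Server 2012 or later; Windows 2000 only had dnscmd.exe), the zone names x.com and x.local, one A record per host, and that x.local is never delegated or published anywhere public.

```powershell
# Added example, not from the thread. Keeps a parallel x.local zone in step
# with the dynamically updated x.com zone so VPN users can reach a.x.local
# without changing how office machines register. Run as a scheduled task on
# the DNS server (or point -DnsServer elsewhere). Assumptions: DnsServer
# module (Server 2012+), zone names x.com / x.local, one A record per host.
param(
    [string]$SourceZone = 'x.com',
    [string]$MirrorZone = 'x.local',
    [string]$DnsServer  = 'localhost'
)

# Names that must not be copied: the zone apex and the AD plumbing. Only plain
# host records for workstations and servers are mirrored; SRV/_msdcs are not.
$skipHosts = @('@', 'DomainDnsZones', 'ForestDnsZones')

if (-not (Get-DnsServerZone -Name $MirrorZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    # File-backed primary zone with dynamic updates off: only this script
    # writes to it, so a client cannot register an arbitrary x.local name.
    Add-DnsServerPrimaryZone -Name $MirrorZone -ZoneFile "$MirrorZone.dns" `
        -DynamicUpdate None -ComputerName $DnsServer
}

function Get-HostARecords {
    # Returns @{ hostname = 'ip' } for the host A records of one zone.
    param([string]$Zone)
    $map = @{}
    Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -ComputerName $DnsServer |
        Where-Object { $_.HostName -notin $skipHosts -and $_.HostName -notmatch '^_' } |
        ForEach-Object { $map[$_.HostName.ToLower()] = $_.RecordData.IPv4Address.IPAddressToString }
    return $map
}

$source = Get-HostARecords -Zone $SourceZone
$mirror = Get-HostARecords -Zone $MirrorZone

# Add or refresh: a machine whose DHCP lease changed gets its new address here.
# A short TTL keeps VPN clients from caching the old one for long.
foreach ($name in $source.Keys) {
    if ($mirror.ContainsKey($name)) {
        if ($mirror[$name] -eq $source[$name]) { continue }
        Remove-DnsServerResourceRecord -ZoneName $MirrorZone -RRType A -Name $name `
            -RecordData $mirror[$name] -ComputerName $DnsServer -Force
    }
    Add-DnsServerResourceRecordA -ZoneName $MirrorZone -Name $name -IPv4Address $source[$name] `
        -TimeToLive ([TimeSpan]::FromMinutes(15)) -ComputerName $DnsServer
    "{0}.{1} -> {2}" -f $name, $MirrorZone, $source[$name]
}

# Prune: a machine that disappeared from x.com (scavenged, renamed, retired)
# must not linger in x.local, or a stale name could send a VPN user to
# whatever machine now holds that address.
foreach ($name in @($mirror.Keys)) {
    if (-not $source.ContainsKey($name)) {
        Remove-DnsServerResourceRecord -ZoneName $MirrorZone -RRType A -Name $name `
            -RecordData $mirror[$name] -ComputerName $DnsServer -Force
        "removed stale {0}.{1}" -f $name, $MirrorZone
    }
}
```

Schedule it a little more often than the DHCP lease renewal interval and the mirror lags the live zone by at most that much. The prune step matters as much as the copy: J.C.'s condition that x.local not be resolvable publicly keeps outsiders from seeing the names, but a stale record inside the office would still mislead the VPN user it was meant to serve.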
 
Actually meant to say that a HOSTS file is the usual answer....

It would be difficult to use the DNS server since you're on a private subnet.
But since you say you have public IPs, then I'm to assume that the DNS
server is accessible from the Internet? If so, then you can use that on your
clients, but then you would need to instruct the users on how to set that as
a static entry and still get the rest of their IP config from their ISPs.

Either way it's a quandary, and believe me, this has been discussed countless
times. And yes, the ISP's DNS is the difficult issue. One of the MVPs
developed this tool to populate a user's HOSTS file by double clicking on it
on the desktop so as to gain access to AD resources while VPN'd in.

HOSTS files!

:-)





--
Regards,
Ace
 