new dns setup


newenglandit

Hi all. I'd appreciate any comments and suggestions on my new project.

I have been running a small network ( ~ 15 clients, 3 servers) for a
few years and we're expanding rapidly. We bought a new central office,
and new servers. Here's what my topology looks like / will look like,
and what I need to do:

Central office, with 1 PDC, maybe 1 BDC (unsure), 5 member servers
(email, application hosting over terminal services, and storage), 6
client machines. All servers running win2k server, all clients running
win2k. Central office will run a cisco vpn router behind dsl router.

8 remote offices with cisco vpn routers running fractional T1 services,
no servers, approximately 6 win2k clients at each location.

I think the best plan of attack for me is to start everything over
again. The server that will be my PDC is new anyway. I have several
registered domain names (public) for my company and its child companies.
Let's say the company name is xyzcompany.

My currently registered website is www.xyzcompany.com. I have heard
that I should NOT name my domain xyzcompany, as that will create a
problem. Is this true?

Does anyone have any experience with logging into a domain and
authenticating, etc over a VPN? Will this work? Currently we use the
domain structure for only the clients in the same building as the
server, and assign the domain name as the workgroup name for the other
sites. I'd like to have them log in and authenticate if possible, but
I'm not sure of the bandwidth requirements.

Thanks for your suggestions!


-
newenglandit
 
newenglandit said:
Hi all. I'd appreciate any comments and suggestions on my new
project.

I have been running a small network ( ~ 15 clients, 3 servers) for a
few years and we're expanding rapidly. We bought a new central
office, and new servers. Here's what my topology looks like / will
look like, and what I need to do:

Central office, with 1 PDC, maybe 1 BDC (unsure), 5 member servers
(email, application hosting over terminal services, and storage), 6
client machines. All servers running win2k server, all clients
running win2k. Central office will run a cisco vpn router behind dsl
router.

8 remote offices with cisco vpn routers running fractional T1
services, no servers, approximately 6 win2k clients at each location.

I think the best plan of attack for me is to start everything over
again. The server that will be my PDC is new anyway. I have several
registered domain names (public) for my company and its child
companies. Let's say the company name is xyzcompany.

My currently registered website is www.xyzcompany.com. I have heard
that I should NOT name my domain xyzcompany, as that will create a
problem. Is this true?

Does anyone have any experience with logging into a domain and
authenticating, etc over a VPN? Will this work? Currently we use the
domain structure for only the clients in the same building as the
server, and assign the domain name as the workgroup name for the other
sites. I'd like to have them log in and authenticate if possible, but
I'm not sure of the bandwidth requirements.

Thanks for your suggestions!

No, you should not name the domain 'xyzcompany', that would be a single
label domain name and a major headache. Using xyzcompany.com would be
possible, but then again not highly recommended because using that name
internally blocks access to the external domain for that name. You can add
the records like www, mail, etc. but that adds administrative work and
causes serious problems for the VPN users. You can go to a third level name
like local.xyzcompany.com which makes it much easier for everyone, but it
still causes some problems for the VPN users, because the third level name
doesn't exist in the public DNS zone. You can use xyzcompany.local which may
cause the ISP's DNS to delay long enough to move the VPN DNS server to
the preferred DNS for the system.
You can add the subdomain to the public zone with private records, but some
public DNS hosting companies don't allow private records to be created in
the public zone.

The closest there is to a perfect picture would be to use the third level
name (local.xyzcompany.com) then install BIND PE on the VPN clients
with a Microsoft Loopback adapter with a static IP with BIND PE listening
on the Loopback adapter. Then use the loopback adapter's address for DNS.
Then create a Stub zone for the internal Domain name in BIND PE. This stub
zone would point the way to the internal DNS server and the internal domain
name. Under this scenario I'd increase the Expire time on the AD zone for a
long enough period that the Stub zone won't expire over long periods of not
being used (such as vacations); even the default one day is too short for
this scenario, because you can't expect users to connect every day to update
the Stub zones and the stub zone can't update unless the VPN is connected.
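The stub-zone arrangement described in the reply above, written out as an added example that is not part of this thread: a BIND 9 style named.conf fragment for the VPN client, followed by the SOA of the internal zone with a longer expire. The loopback adapter address 10.200.0.1, the internal AD DNS server 10.0.0.10, the ISP resolver 198.51.100.53 and the file paths are assumed values.

```bind
// ---- named.conf on the VPN client (BIND 9 syntax; all addresses assumed) ----
options {
    directory "C:\named\etc";
    // Answer only on the Microsoft Loopback adapter; the client's own TCP/IP
    // settings point at this address as the preferred DNS server.
    listen-on { 10.200.0.1; };
    // Accept queries from this host only, so the laptop never becomes an
    // open resolver when it is on a hotel or home network.
    allow-query     { 127.0.0.1; 10.200.0.1; };
    allow-recursion { 127.0.0.1; 10.200.0.1; };
    // Everything outside the internal zone still goes to the ISP's resolver.
    forwarders { 198.51.100.53; };
};

// Stub zone for the internal AD domain: only the NS records are copied from
// the internal server; queries for local.xyzcompany.com are then sent to it,
// which only works while the VPN tunnel to 10.0.0.10 is up.
zone "local.xyzcompany.com" {
    type stub;
    masters { 10.0.0.10; };
    file "stub.local.xyzcompany.com.db";
};

; ---- SOA of the internal zone on the AD DNS server (zone-file syntax) ----
; The expire value decides how long the client's stub zone keeps answering
; when the master cannot be reached; 1 day (86400) is raised to 30 days so a
; user who is away for two weeks still resolves internal names on return.
; On a Windows DNS server the same field is set on the zone's SOA tab.
$ORIGIN local.xyzcompany.com.
@    IN SOA dc1.local.xyzcompany.com. hostmaster.xyzcompany.com. (
         2024010101   ; serial
         900          ; refresh (15 min)
         600          ; retry   (10 min)
         2592000      ; expire  (30 days, up from the 86400 default)
         3600 )       ; minimum / negative-caching TTL
     IN NS dc1.local.xyzcompany.com.
dc1  IN A  10.0.0.10
```

The two fragments live in different files and use different comment characters (`//` in named.conf, `;` in the zone file); a longer expire also means a stale stub keeps pointing at a decommissioned server for up to 30 days, so change the NS records before retiring the internal DNS host.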
 