Windows Server Forum / Windows Server 2003 / DNS / June 2007

2 DNS servers, one for Internet, one for AD

Jo Stick - 26 Jun 2007 13:57 GMT
I work remotely, connected by VPN to the office server and Active Directory.
For AD to work properly, I need to use the office server for DNS, but this
makes Internet lookups slow. Is there a way to have my remote PC direct
Internet DNS queries to my ISP but still retain the use of the office DNS
where appropriate?

thanks for help,
Jo
Lanwench [MVP - Exchange] - 26 Jun 2007 18:58 GMT
> I work remotely, connected by VPN to the office server and Active
> Directory. For AD to work properly, I need to use the office server
[quoted text clipped - 4 lines]
> thanks for help,
> Jo

You'd need to disable the "use remote gateway" option in your VPN client (if
this is permitted) but note that this is a bad idea from a security
perspective. You'd be exposing your company's network to any traffic coming
in to your own. And yes, having anything other than the internal DNS server
in can cause AD problems.

If your office has a terminal server, or an XP Pro box you can use for
Remote Desktop, that might be a better option.

You really ought to talk to your office IT folk about this, I think.
Jo Stick - 27 Jun 2007 11:46 GMT
Thanks for responding. My own PC is behind a firewall, as is the office, so
there is no security problem there. The VPN is between the firewalls. I
guess I wasn't clear with my question. What I would like to achieve is for
my PC to do its name resolution for non-work domain addresses through the
ISP DNS server, but to still register with the office DNS and use it for LAN
lookups. All works if I only have the office DNS in my PC settings, but
internet is slower to browse as it involves going to the office server through
the VPN rather than straight up to the ISP.

Jo

>> I work remotely, connected by VPN to the office server and Active
>> Directory. For AD to work properly, I need to use the office server
[quoted text clipped - 15 lines]
>
> You really ought to talk to your office IT folk about this, I think.
Lanwench [MVP - Exchange] - 27 Jun 2007 20:44 GMT
> Thanks for responding.  My own PC is behind a firewall, as is the
> office, so there is no security problem there. The VPN is between the
[quoted text clipped - 6 lines]
> straight up to ISP.
> Jo

Well....you probably aren't going through the office network to get to the
Internet - just for your DNS resolution. Unfortunately, there's no way to
make this work as you wish. Your computer's communication with AD will be
very badly screwed up if you use anything other than the office DNS server.
If there's a terminal services box, or WinXP Pro box, in the office network,
it won't matter what you have in your own IP config; you can initiate an RD
session to the office, and then use your own browser (locally) to surf,
using your ISP's DNS servers. And performance for pretty much everything
will be a lot better, because very little will actually be going across the
slow VPN link (just screen shots).

>>> I work remotely, connected by VPN to the office server and Active
>>> Directory. For AD to work properly, I need to use the office server
[quoted text clipped - 15 lines]
>>
>> You really ought to talk to your office IT folk about this, I think.
Kevin D. Goodknecht Sr. [MVP] - 28 Jun 2007 13:18 GMT
Read inline please.

In news:f5r287$b90$1$8300dec7@news.demon.co.uk,
Jo Stick <jo@stick.com> typed:
> I work remotely, connected by VPN to the office server and Active
> Directory. For AD to work properly, I need to use the office server
> for DNS, but this makes Internet lookups slow. Is there a way to have
> my remote PC direct Internet DNS queries to my ISP but still retain
> the use of the office DNS where appropriate?

Have you verified that it is DNS resolution that is causing the slowness?
DNS uses very little bandwidth, and I would find it hard to believe that the
problem is slow DNS resolution, that is if the AD DNS server is configured
correctly. I would consider DNS to be slow if a query takes more than 500 ms
to resolve, which is almost unnoticeable when browsing.
Did you clear the "Use default gateway on remote network" check box? By
clearing this check box, the only data that travels through the VPN when
connected, is packets to and from that subnet.

What is your DNS Suffix search list in your ipconfig /all with the VPN
connected?
One more question I must ask because I've seen it happen so regularly, is
the VPN connection on a different subnet from the local subnet?

Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Jo Stick - 29 Jun 2007 09:36 GMT
Yes, it is DNS causing slowness. It's the extra 2 hops (there and back) to the
office DNS server. The slowness is just a momentary pause (couple of seconds
or so) when I change web pages. Using ISP DNS resolves the issue but screws AD
and Domain access.

DNS suffixes (suffixe?) are lan.companydomain.com, lan, companydomain.com.

The remote and office subnets are different (both private).

I'm surprised that there is no way to direct DNS requests according to what
is being resolved. Maybe it is because everything is a .com?

Thanks for the input,
Jo

> Read inline please.
>
[quoted text clipped - 19 lines]
> One more question I must ask because I've seen it happen so regularly, is
> the VPN connection on a different subnet from the local subnet?
Kevin D. Goodknecht Sr. [MVP] - 29 Jun 2007 17:16 GMT
Read inline please.

In news:f62g1q$s8f$1$8300dec7@news.demon.co.uk,
Jo Stick <jo@stick.com> typed:
> Yes, it is DNS causing slowness. It's the extra 2 hops (there and back)
> to the office DNS server. The slowness is just a momentary pause
> (couple of seconds or so) when I change web pages. Using ISP DNS
> resolves issue but screws AD and Domain access.

Win2k3 DNS?

Try changing the "All other DNS domains" forwarder to the ISP, with
Conditional Forwarders to the remote site's domain. (Check the "Do not use
recursion" on the Conditional forwarder)

> DNS suffixes (suffixe?) are
> lan.companydomain.com,
> lan,
> companydomain.com.

Three suffixes?
How many AD Domains do you have?
You should have one DNS suffix for each AD domain. For example, if your AD
Domain is lan.companyname.com, that should be the only suffix in your list.
If the other two are not actually AD Domains and don't have a zone in DNS,
you should clear the check box on the DNS tab, "Append Parent Suffixes of
the Primary DNS suffix". There is a Group policy to do this.
Some of the problem may be caused by the unknown suffixes. For example, the
"lan" suffix, if there is no local "lan" forward lookup zone, will cause a
lookup to be sent to the Internet Root servers on EVERY DNS query and
should not be in the list. It is far better to just have suffixes in your
DNS suffix search list that you only have local zones for.

> The remote and office subnets are different (both private).

That is good, you'd be surprised on this one.

> I'm surprised that there is no way to direct DNS requests according
> to what is being resolved. Maybe it is because everything is a .com?

You can, with Win2k3 DNS, it's called Conditional Forwarding or Stub zones.

Best regards,
Kevin D. Goodknecht Sr. [MVP]
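As an added example, not posted by anyone in this thread, the forwarder layout Kevin describes above (catch-all to the ISP, conditional forwarder for the AD domain with "Do not use recursion") expressed as dnscmd calls for the Windows Server 2003 DNS service, followed by the client-side suffix cleanup from the same post. The server name, the office and ISP addresses, the registry approach (the local equivalent of the Group Policy Kevin mentions) and the verification queries are assumptions for illustration, not values from the thread.

```powershell
# Added example: "All other DNS domains" -> ISP, plus a conditional forwarder
# for the office AD domain, on a Windows Server 2003 DNS server via dnscmd.
# All addresses and the server name are placeholders, not values from the thread.
$DnsServer = 'dns1'                    # local DNS server being configured
$IspDns    = '198.51.100.53'           # ISP resolver (documentation address range)
$OfficeDns = '10.0.0.10'               # office AD-integrated DNS, reached over the VPN
$AdDomain  = 'lan.companydomain.com'   # the AD domain named in the thread

# 1. Catch-all forwarders ("All other DNS domains"): anything not matched by a
#    conditional forwarder goes to the ISP instead of across the VPN link.
dnscmd $DnsServer /ResetForwarders $IspDns /TimeOut 5

# 2. Conditional forwarder for the AD domain. /Slave is the command-line form of
#    the "Do not use recursion for this domain" check box: if the office server
#    does not answer, the query fails instead of being retried at the root servers,
#    so internal names are never resolved (or leaked) via the Internet.
dnscmd $DnsServer /ZoneAdd $AdDomain /Forwarder $OfficeDns /TimeOut 5 /Slave

# 3. Client side (the remote PC): keep only suffixes that have a local zone and
#    turn off devolution ("Append parent suffixes of the primary DNS suffix").
#    A suffix such as "lan" with no zone behind it would otherwise add an extra
#    upstream lookup to every single-label query, as Kevin points out.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'SearchList' -Value $AdDomain -Type String
Set-ItemProperty -Path $tcpip -Name 'UseDomainNameDevolution' -Value 0 -Type DWord

# 4. Verify: the domain-controller SRV record should be answered through the
#    office forwarder, an Internet name through the ISP, and the search list
#    should now contain the AD domain only.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$AdDomain" $DnsServer
nslookup www.example.com $DnsServer
ipconfig /all | Select-String 'DNS Suffix Search List' -Context 0,2
```

The registry change takes effect for new resolver lookups after the DNS Client service re-reads its settings (a reboot or `ipconfig /flushdns` plus restarting the service is the usual check).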
