I've seen interesting issues with Microsoft's default VPN clients. On a
split-DNS, NAT'd network, any server that had the same external name as
its internal name would be inaccessible to VPN clients except for ports it
had opened on the firewall.

The Win2k clients would look at the public DNS first and bang away at
the firewalled ports using the server's external public IP. No amount of
fiddling with binding orders on the clients would fix the problem, and
calls to PSS didn't amount to much.

The issue still appears to exist with the PPTP and L2TP/IPsec clients in
WinXP SP1. But as you mention, 3rd party VPN clients may not have the
problem at all.

Ryan Malayter
Sr. Network & Database Administrator
Bank Administration Institute
Chicago, Illinois, USA
PGP Key: http://www.malayter.com/pgp-public.txt
:::::::::::::::::::::::::::::::
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former. 
     -Albert Einstein 
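
As an added example (not part of this thread, and not code from any of
the posters), the script below models the split-DNS situation described
above: it parses a constructed internal and external view of the same zone
and reports every host name that is published outside under the same name
as inside but with a different, NAT'd address. Those are the hosts that a
client preferring the public answer will try to reach through the firewall.
Everything in it is assumed: example.edu stands in for a real domain, the
addresses and records are invented sample data, the "public first" client
behaviour is a model of what the post reports rather than verified resolver
logic, and the zone parser only understands single-line master-file records
(no parentheses spanning lines, no $INCLUDE).

```python
"""Audit a split-DNS zone for hosts whose internal and external A records
share a name but not an address (the VPN-client problem from the thread).

Added example, not code from the mailing-list thread. Zone text below is
constructed sample data: example.edu stands in for a real domain, and the
10.0.0.0/8 and 198.51.100.0/24 addresses are invented."""

# Constructed internal view: what on-network clients (and VPN clients that
# were handed the internal DNS servers) see. mail and www are RFC 1918.
INTERNAL_ZONE = """\
$ORIGIN example.edu.
$TTL 3600
@        IN SOA ns1 hostmaster 2002101101 3600 900 604800 300
         IN NS  ns1
ns1      IN A   10.0.0.2
dc1      IN A   10.0.0.1      ; domain controller, never published
fileserv IN A   10.0.0.30     ; internal only
mail     IN A   10.0.0.10     ; same name outside, NAT'd through the firewall
www      IN A   10.0.0.20     ; same name outside, NAT'd through the firewall
dmz      IN A   198.51.100.50 ; public address in both views
"""

# Constructed external view: what the ISP publishes. smtp is the kind of
# externally distinct name the thread recommends; mail and www collide.
EXTERNAL_ZONE = """\
$ORIGIN example.edu.
$TTL 86400
@     IN SOA ns.isp.example. hostmaster 2002101101 3600 900 604800 300
      IN NS  ns.isp.example.
      IN MX  10 mail
mail  IN A   198.51.100.10
www   IN A   198.51.100.20
smtp  IN A   198.51.100.10
dmz   IN A   198.51.100.50
"""


def _qualify(owner, origin):
    """Turn a master-file owner name into a lower-case FQDN."""
    owner = owner.lower()
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"


def parse_zone(text, origin=""):
    """Return {(fqdn, rtype): set(rdata)} from single-line master-file text.
    Handles $ORIGIN, comments, blank owners and optional TTL/class fields."""
    records = {}
    last_owner = "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            if not origin.endswith("."):
                origin += "."
            continue
        if tokens[0].startswith("$"):              # $TTL and friends: ignored
            continue
        if line[0].isspace():                      # blank owner = previous owner
            owner = last_owner
        else:
            owner = tokens.pop(0)
            last_owner = owner
        # skip an optional TTL (digits) and class before the record type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        records.setdefault((_qualify(owner, origin), rtype), set()).add(rdata)
    return records


def audit_split_dns(internal_text, external_text):
    """Classify each internal A record:
       internal-only : not published outside, nothing to collide with
       same-address  : published with the same IP, reachable either way
       natted        : published under the same name with a different IP;
                       a client trusting the public answer hits the firewall"""
    internal = parse_zone(internal_text)
    external = parse_zone(external_text)
    report = {}
    for (name, rtype), addrs in internal.items():
        if rtype != "A":
            continue
        outside = external.get((name, "A"))
        if outside is None:
            report[name] = "internal-only"
        elif outside == addrs:
            report[name] = "same-address"
        else:
            report[name] = "natted"
    return report


def vpn_lookup(name, internal_text, external_text, public_first=True):
    """Model of the two client behaviours in the thread (assumption, not
    verified resolver logic): public_first=True takes the public zone's
    answer when one exists; False prefers the internal DNS servers."""
    internal = parse_zone(internal_text)
    external = parse_zone(external_text)
    for view in ([external, internal] if public_first else [internal, external]):
        if (name, "A") in view:
            return view[(name, "A")]
    return set()


if __name__ == "__main__":
    for host, status in sorted(audit_split_dns(INTERNAL_ZONE, EXTERNAL_ZONE).items()):
        print(f"{host:<22} {status}")
    print("public-first client resolves mail to",
          vpn_lookup("mail.example.edu.", INTERNAL_ZONE, EXTERNAL_ZONE))
```

Run against the sample data, mail and www come back as "natted" (the
public-first lookup for mail returns 198.51.100.10, the firewall side),
dmz as "same-address", and dc1, ns1 and fileserv as "internal-only". Any
name in the natted set is a candidate for the fix suggested further down
the thread: give it a different name in the external zone, or make sure
VPN clients are handed the internal DNS servers.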

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
Posted At: Friday, October 11, 2002 11:43 AM
Posted To: Windows 2000 List
Conversation: AD naming
Subject: RE: AD naming


Depends on the VPN implementation really - our VPN clients receive the
internal DNS server info, so they get the same resolution as the on-network
clients get.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -----Original Message-----
> From: Ryan Malayter [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, October 11, 2002 11:59 AM
> To: NT 2000 Discussions
> Subject: RE: AD naming
> 
> 
> In my experience, you can use your registered domain if you like, but be
> aware that you should probably use different server names on your
> external-facing DNS. This avoids problems with VPN connections from the
> outside.
> 
> Ryan Malayter
> Sr. Network & Database Administrator
> Bank Administration Institute
> Chicago, Illinois, USA
> PGP Key: http://www.malayter.com/pgp-public.txt
> :::::::::::::::::::::::::::::::
> We have just enough religion to make us hate, but not enough 
> to make us
> love one another. 
>      -Jonathan Swift
> 
> 
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
> Posted At: Friday, October 11, 2002 6:54 AM
> Posted To: Windows 2000 List
> Conversation: AD naming
> Subject: RE: AD naming
> 
> 
> > If you want to keep the two independent (and it sounds like 
> > you do), what's
> > wrong with building the structure around 'octech.local' or 
> > 'octech.prv'?
> 
> Plenty. That style of naming standard was the original suggestion
> following some of the JDP installs, prior to AD going gold. Since that
> time, however, it has been strongly suggested that you use valid,
> registered domain names for all AD work, specifically for guaranteed
> uniqueness.
> 
> I would suggest one of two things - 
> 1) Using your external domain name internally, and implement split DNS.
> This is a little more complicated from the DNS perspective, but isn't
> that hard.
> 
> 2) Acquire new domain name(s) from the registrar of your choice, and use
> those names for your AD infrastructure. This really is an easy way to do
> it, since there is no confusion for less DNS savvy admins, and you don't
> end up with long domain names.
> 
> I've done both, and both work well. In fact, I just completed a
> migration using the second format - we're now using 2 generic DNS
> domains internally, that have nothing to do with our company's public
> DNS presence.
> 
> Roger
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
> 
> 
> > -----Original Message-----
> > From: Steve Molkentin [mailto:[EMAIL PROTECTED]] 
> > Sent: Thursday, October 10, 2002 6:56 PM
> > To: NT 2000 Discussions
> > Subject: RE: AD naming
> > 
> > 
> > Mr Foley (OK, making an assumption here),
> > 
> > Having your internal DNS structure = your Net structure has its
> > benefits if you are trying to access 'stuff' inside your organisation
> > from the Net.
> > 
> > If you want to keep the two independent (and it sounds like 
> > you do), what's
> > wrong with building the structure around 'octech.local' or 
> > 'octech.prv'?
> > 
> > I'm glad to be wrong or have misunderstood your requirements...
> > interesting to hear what others think (and what you think).
> > 
> > themolk.
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, 9 October 2002 11:24 am
> > > To: NT 2000 Discussions
> > > Subject: AD naming
> > > 
> > > 
> > > Sorry if this is a repeat, not sure if my last message got on
> > > the list.
> > > I am creating a new root forest on a new domain controller
> > > that will be the first server with AD running on our network. I am
> > > planning to use ADMTv2 to migrate users and want to keep both domains
> > > running for a while.
> > > Anyway, my question is this. Should I use my registered DNS
> > > domain name octech.edu for the forest root, or should I use something
> > > like local.octech.edu or inside.octech.edu? I run DNS on my PDC now
> > > but I don't send my ISP zone transfers (it's behind the firewall).
> > > They have a list of all my servers that need outside access (email,
> > > public web page, etc.) which they put in their name servers manually.
> > > 
> > > ------
> > > You are subscribed as [EMAIL PROTECTED]
> > > Archives: http://www.swynk.com/sitesearch/search.asp
> > > To unsubscribe send a blank email to %%email.unsub%%
> > > 
> > 
> > 
> 
> 
