> I've seen interesting issues with Microsoft's default VPN clients. On a
> split-DNS, NAT'd network, any server that had the same external name as
> its internal name would be inaccessible to VPN clients except for ports it
> had open on the firewall.

That sounds like it's working by design, unless I'm reading you wrong.

Roger
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Ryan Malayter [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 11, 2002 2:18 PM
> To: NT 2000 Discussions
> Subject: RE: AD naming
>
> I've seen interesting issues with Microsoft's default VPN clients. On a
> split-DNS, NAT'd network, any server that had the same external name as
> its internal name would be inaccessible to VPN clients except for ports it
> had open on the firewall.
>
> The Win2k clients would look at the public DNS first and bang away at
> the firewalled ports using the server's external public IP. No amount of
> fiddling with binding orders on the clients would fix the problem, and
> calls to PSS didn't amount to much.
>
> The issue still appears to exist with the PPTP and L2TP/IPsec clients in
> WinXP SP1. But as you mention, 3rd party VPN clients may not have the
> problem at all.
>
> Ryan Malayter
> Sr. Network & Database Administrator
> Bank Administration Institute
> Chicago, Illinois, USA
> PGP Key: http://www.malayter.com/pgp-public.txt
> :::::::::::::::::::::::::::::::
> Only two things are infinite, the universe and human stupidity, and I'm
> not sure about the former.
> -Albert Einstein
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Posted At: Friday, October 11, 2002 11:43 AM
> Posted To: Windows 2000 List
> Conversation: AD naming
> Subject: RE: AD naming
>
> Depends on the VPN implementation really - our VPN clients receive the
> internal DNS server info, so they get the same resolution as the on-network
> clients get.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: Ryan Malayter [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 11, 2002 11:59 AM
> > To: NT 2000 Discussions
> > Subject: RE: AD naming
> >
> > In my experience, you can use your registered domain if you like, but be
> > aware that you should probably use different server names on your
> > external-facing DNS. This avoids problems with VPN connections from the
> > outside.
> >
> > Ryan Malayter
> > Sr. Network & Database Administrator
> > Bank Administration Institute
> > Chicago, Illinois, USA
> > PGP Key: http://www.malayter.com/pgp-public.txt
> > :::::::::::::::::::::::::::::::
> > We have just enough religion to make us hate, but not enough to make us
> > love one another.
> > -Jonathan Swift
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> > Posted At: Friday, October 11, 2002 6:54 AM
> > Posted To: Windows 2000 List
> > Conversation: AD naming
> > Subject: RE: AD naming
> >
> > > If you want to keep the two independent (and it sounds like you do), what's
> > > wrong with building the structure around 'octech.local' or 'octech.prv'?
> >
> > Plenty. That style of naming standard was the original suggestion following
> > some of the JDP installs, prior to AD going gold. Since that time, however,
> > it has been strongly suggested that you use valid, registered domain names
> > for all AD work, specifically for guaranteed uniqueness.
> >
> > I would suggest one of two things -
> > 1) Using your external domain name internally, and implement split DNS. This
> > is a little more complicated from the DNS perspective, but isn't that hard.
> >
> > 2) Acquire new domain name(s) from the registrar of your choice, and use
> > those names for your AD infrastructure. This really is an easy way to do it,
> > since there is no confusion for less DNS savvy admins, and you don't end up
> > with long domain names.
> >
> > I've done both, and both work well. In fact, I just completed a migration
> > using the second format - we're now using 2 generic DNS domains internally,
> > that have nothing to do with our company's public DNS presence.
> >
> > Roger
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis - Formerly Harbinger and Extricity
> > Atlanta, GA
> >
> > > -----Original Message-----
> > > From: Steve Molkentin [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, October 10, 2002 6:56 PM
> > > To: NT 2000 Discussions
> > > Subject: RE: AD naming
> > >
> > > Mr Foley (OK, making an assumption here),
> > >
> > > Having your internal DNS structure = your Net structure has its benefits if
> > > you are trying to access 'stuff' inside your organisation from the Net.
> > >
> > > If you want to keep the two independent (and it sounds like you do), what's
> > > wrong with building the structure around 'octech.local' or 'octech.prv'?
> > >
> > > I'm glad to be wrong or have misunderstood your requirements... interesting
> > > to hear what others think (and what you think).
> > >
> > > themolk.
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, 9 October 2002 11:24 am
> > > > To: NT 2000 Discussions
> > > > Subject: AD naming
> > > >
> > > > Sorry if this is a repeat, not sure if my last message got on the list.
> > > > I am creating a new root forest on a new domain controller that will be
> > > > the first server with AD running on our network. I am planning to use
> > > > ADMTv2 to migrate users and want to keep both domains running for a while.
> > > > Anyway, my question is this. Should I use my registered DNS domain name
> > > > octech.edu for the forest root, or should I use something like
> > > > local.octech.edu or inside.octech.edu? I run DNS on my PDC now but I
> > > > don't send my ISP zone transfers (it's behind the firewall). They have a
> > > > list of all my servers that need outside access (email, public web page,
> > > > etc.) which they put in their name servers manually.
> > > >
> > > > ------
> > > > You are subscribed as [EMAIL PROTECTED]
> > > > Archives: http://www.swynk.com/sitesearch/search.asp
> > > > To unsubscribe send a blank email to %%email.unsub%%
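The failure mode Ryan describes and the split-DNS option Roger recommends both come down to one question: which names exist in both the internal and the public view of the zone with different addresses? Those are exactly the hosts a VPN client that consults the public DNS first will reach at the firewall's public IP instead of the private one. The script below is an added example written for this page, not code posted by anyone on the list. It parses two constructed zone snapshots (hypothetical internal and external views of octech.edu, with made-up RFC 1918 and 192.0.2.0/24 documentation addresses), lists the colliding names, flags the NAT'd ones, and models the two resolver orders the thread contrasts (public DNS first vs. internal DNS handed out by the VPN). The zone format is a simplified BIND style "name TTL IN A addr"; only A records are considered.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

Zone = Dict[str, Set[str]]  # fully qualified name -> set of A-record addresses

# Constructed sample data (hypothetical records, not real octech.edu zones).
INTERNAL_ZONE = """
; internal view: what on-network clients (and VPN clients using the internal DNS) see
$ORIGIN octech.edu.
@        3600 IN SOA  ns1 hostmaster 2002101101 3600 900 604800 3600
ns1      3600 IN A    10.1.0.10
dc1      3600 IN A    10.1.0.10
mail     3600 IN A    10.1.0.25
www      3600 IN A    10.1.0.80
fileserv 3600 IN A    10.1.0.50
"""

EXTERNAL_ZONE = """
; external view: the records the ISP publishes on its name servers
$ORIGIN octech.edu.
@        3600 IN SOA  ns1 hostmaster 2002101101 3600 900 604800 3600
ns1      3600 IN A    192.0.2.10
mail     3600 IN A    192.0.2.25
www      3600 IN A    192.0.2.80
"""


def parse_zone(text: str) -> Zone:
    """Parse a minimal BIND-style zone snapshot into {fqdn: {addresses}}.

    Honours $ORIGIN for relative names and '@'; drops ';' comments and every
    record type other than IPv4 A records (SOA, NS, MX, CNAME are ignored).
    """
    origin = ""
    zone: Zone = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        fields = line.split()
        if "A" not in fields:
            continue
        idx = fields.index("A")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # 'A' is the owner name or there is no rdata: not an A record
        name, addr = fields[0], fields[idx + 1]
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            continue  # rdata is not an IPv4 address, skip the line
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}" if origin else name
        zone.setdefault(fqdn.lower(), set()).add(addr)
    return zone


def split_dns_collisions(internal: Zone, external: Zone) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Names present in both views whose address sets differ.

    A client that prefers the public DNS resolves these to the external
    address, so over the VPN it only reaches the ports the firewall forwards.
    """
    return {
        name: (internal[name], external[name])
        for name in internal.keys() & external.keys()
        if internal[name] != external[name]
    }


def resolve_first_match(name: str, views_in_order: List[Zone]) -> Set[str]:
    """Model a resolver that consults the given views in order and returns
    the first answer it gets (the Win2k behaviour Ryan describes is
    [external, internal]; a VPN that pushes the internal DNS is [internal])."""
    for view in views_in_order:
        if name.lower() in view:
            return view[name.lower()]
    return set()


def describe_collisions(collisions: Dict[str, Tuple[Set[str], Set[str]]]) -> List[str]:
    """One report line per colliding name; NAT'd internal hosts are flagged."""
    lines = []
    for name, (int_addrs, ext_addrs) in sorted(collisions.items()):
        natted = all(ipaddress.IPv4Address(a).is_private for a in int_addrs)
        note = " [NAT'd: reachable over VPN only on firewall-forwarded ports]" if natted else ""
        lines.append(f"{name}: internal {sorted(int_addrs)} vs external {sorted(ext_addrs)}{note}")
    return lines


if __name__ == "__main__":
    internal, external = parse_zone(INTERNAL_ZONE), parse_zone(EXTERNAL_ZONE)
    for line in describe_collisions(split_dns_collisions(internal, external)):
        print(line)
    print("www via public-first resolver:", resolve_first_match("www.octech.edu", [external, internal]))
    print("www via VPN-pushed internal DNS:", resolve_first_match("www.octech.edu", [internal]))
```

Running it against real zones (dump the internal zone from the DC and the ISP's published records) turns Ryan's advice into a concrete rename list: every name the report prints needs either a different external hostname or a VPN profile that hands clients the internal DNS servers, as Roger's setup does. Names that exist only internally (fileserv, dc1 in the sample) are unaffected.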
