Quote From: Edward Ned Harvey [mailto:[email protected]]

> One of the companies I work for doesn't even go that far - They have one
> domain name, and when you VPN in, they don't assign you any dns suffix at
> all. You just have to use the complete domain name on all your requests.

Yeah.. I would get strung up and hung in the courtyard if I did that. Everyone wants to just be able to type in the unqualified hostname that they're shooting for. Having to type in a FQDN is "too much typing."

> So I understand, your vpn client is only able to take one DNS suffix. For
> most situations that is enough. Do you have more than one domain name
> internally? (obviously, the answer is going to be yes, so we move on...) I
> am curious how that situation came about. Would you mind telling a little
> story of legacy? ;-)

Over time, we have had growing needs to delegate portions of our DNS namespace to different automated systems or groups of people outside of our IT department. It has now reached critical mass. For example:

1) We have routes from our network to over 4000 hosts at our customer sites. Each of those hosts gets a specially-formulated name within our internal DNS so that it's "easy" for our tech support folks to connect. Every day, we are asked to perform between 5 and 20 adds/deletes/changes to these hosts, which includes a manual step of updating DNS for each one (the rest of the work flow is mostly automated). What I plan to do is put those 4000+ hosts into their own DNS zone, auto-generate that zone file and have the zone included in our company-wide DNS suffix search order.

2) There are a couple groups who are both outside of our IT department and are - shall we say - a little less savvy about being system admins. They frequently add/delete/change names of their servers, which requires us to go in and manually update DNS each time. We want to delegate a specific DNS zone to these less-savvy groups and put the delegated DNS zones "farther down" the company-wide DNS suffix search order than the zones that our IT group uses for our core production servers.

> Since you're not having the problem internally (just on the VPN) how do you
> solve it internally? Is your DHCP server able to assign multiple domains to
> the clients? Or did you assign some sort of group policy? Or did you
> manually edit the network configuration of all the clients?

For the Windows machines that are part of our AD domain, yes, we did a group policy for this. For the *NIX servers, the system admins are getting more hands-on education on why a configuration management system would be a good thing. ;-) Other systems are outliers and we're publishing internal documentation/shortcuts/etc. to help the caretakers add the DNS suffix search order to them.

> My first thought would be - When you are configuring your VPN server, you
> are not strictly required to use the Cisco built-in DHCP server (which is
> very limited in functionality.) You could do DHCP pass-through, to a more
> powerful internal DHCP server, such as I think you already have, which is
> able to assign more than one dns suffix. Not possible?

We are using our internal DHCP servers rather than the Cisco built-in DHCP server, however we're back to the case where the client isn't requesting the search order option and/or Cisco's VPN system is stripping the information out. We haven't really dug into which one of those is happening - we just know it isn't making it from our DHCP servers to the clients somehow.

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
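The open question at the end of the thread is whether the VPN client never asks for the search-order option or whether something in the VPN path drops it between the internal DHCP servers and the client. One way to settle that is to capture the DHCP exchange on the client side and inspect both halves: what the client asked for, and what the server's offer actually carried. The following Python is an added example written for this reply, not code from the thread or from any of the products it mentions. It assumes the search order travels in DHCP option 119 "Domain Search" (RFC 3397, label format with RFC 1035 compression pointers) and that the client lists the options it wants in option 55 "Parameter Request List" (RFC 2132); the post names neither option. The DHCP option blobs below are constructed for illustration, not captured from the poster's network.

```python
"""Check whether a DNS suffix search list survives the DHCP exchange.

Assumptions (not stated in the original post): the search order is sent in
DHCP option 119 (Domain Search, RFC 3397) and the client advertises the
options it wants in option 55 (Parameter Request List, RFC 2132).
"""
from typing import Iterator, List, Optional, Tuple

DOMAIN_SEARCH = 119
PARAM_REQUEST_LIST = 55


def dhcp_options(raw: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (code, payload) for each option in a DHCP options field, i.e. the
    bytes after the 0x63825363 magic cookie. Pad (0) is skipped, End (255) stops."""
    pos = 0
    while pos < len(raw):
        code = raw[pos]
        if code == 0:
            pos += 1
            continue
        if code == 255:
            return
        if pos + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[pos + 1]
        payload = raw[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated option payload")
        yield code, payload
        pos += 2 + length


def option_payload(raw: bytes, wanted: int) -> Optional[bytes]:
    """Concatenate every instance of `wanted` (RFC 3396 lets a long option be
    split across several instances); None if the option is absent."""
    parts = [p for c, p in dhcp_options(raw) if c == wanted]
    return b"".join(parts) if parts else None


def encode_domain_search(domains: List[str]) -> bytes:
    """Encode a search list as option 119 data: length-prefixed labels, with a
    0xC0xx pointer back to an earlier copy of any suffix already emitted."""
    out = bytearray()
    seen = {}  # remaining-labels tuple -> offset where it was first written
    for domain in domains:
        labels = tuple(l.encode("ascii") for l in domain.rstrip(".").split(".") if l)
        i = 0
        while i < len(labels):
            suffix = labels[i:]
            if suffix in seen:
                ptr = seen[suffix]
                out += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])
                break
            seen[suffix] = len(out)
            out.append(len(labels[i]))
            out += labels[i]
            i += 1
        else:
            out.append(0)  # root label ends a name that used no pointer
    return bytes(out)


def decode_domain_search(data: bytes) -> List[str]:
    """Decode option 119 data into the ordered search list. Pointers must
    point backwards, so a malformed or looping payload raises instead of spinning."""
    domains = []
    pos = 0
    while pos < len(data):
        labels, cur, jumped = [], pos, False
        while True:
            if cur >= len(data):
                raise ValueError("truncated name")
            length = data[cur]
            if length & 0xC0 == 0xC0:
                if cur + 1 >= len(data):
                    raise ValueError("truncated compression pointer")
                target = ((length & 0x3F) << 8) | data[cur + 1]
                if target >= cur:
                    raise ValueError("forward compression pointer")
                if not jumped:
                    pos, jumped = cur + 2, True
                cur = target
                continue
            if length == 0:
                if not jumped:
                    pos = cur + 1
                break
            if length > 63:
                raise ValueError("bad label length")
            label = data[cur + 1:cur + 1 + length]
            if len(label) != length:
                raise ValueError("truncated label")
            labels.append(label.decode("ascii"))
            cur += 1 + length
        domains.append(".".join(labels))
    return domains


def client_requests(raw: bytes, code: int = DOMAIN_SEARCH) -> bool:
    """True if the client's option 55 lists `code` (int-in-bytes membership)."""
    prl = option_payload(raw, PARAM_REQUEST_LIST)
    return prl is not None and code in prl


def offered_search_list(raw: bytes) -> Optional[List[str]]:
    """The search order the server's offer carries, or None if option 119 is missing."""
    payload = option_payload(raw, DOMAIN_SEARCH)
    return None if payload is None else decode_domain_search(payload)


def _opt(code: int, payload: bytes) -> bytes:
    return bytes([code, len(payload)]) + payload


# Constructed sample data (the domain names are placeholders, not the poster's).
SEARCH_ORDER = ["corp.example.com", "lab.corp.example.com", "cust.example.com"]
# DHCPREQUEST options: message type 3, then the parameter request list.
CLIENT_REQUEST = _opt(53, b"\x03") + _opt(55, bytes([1, 3, 6, 15, 119])) + b"\xff"
# DHCPOFFER options as the internal server would send them: type 2, option 15, option 119.
SERVER_OFFER = (_opt(53, b"\x02") + _opt(15, b"corp.example.com")
                + _opt(119, encode_domain_search(SEARCH_ORDER)) + b"\xff")
# The same offer with option 119 gone, as it would look if the path dropped it.
STRIPPED_OFFER = _opt(53, b"\x02") + _opt(15, b"corp.example.com") + b"\xff"

if __name__ == "__main__":
    print("client asks for option 119:", client_requests(CLIENT_REQUEST))
    print("server offer search list:  ", offered_search_list(SERVER_OFFER))
    print("stripped offer search list:", offered_search_list(STRIPPED_OFFER))
```

To use it on real traffic, feed `client_requests` the options field of a DHCPDISCOVER or DHCPREQUEST captured on the VPN adapter and `offered_search_list` the options field of the matching DHCPOFFER or DHCPACK, once captured on the server side and once on the client side. If the client never lists 119, the fix is on the client; if the server's copy carries 119 and the client's copy does not, something in between removed it. The decoder keeps the list in the order the server sent it, which is what matters for the poster's plan of putting the delegated, less-tightly-controlled zones farther down the search order than the core production zones: an unqualified name only falls through to a delegated zone after the core zones have said it does not exist.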
