VPN and DNS

Original Message
Name: xshaun
Date: March 31, 2008 at 10:40:29 Pacific
Subject: VPN and DNS
OS: Windows XP
CPU/Ram: NA
Model/Manufacturer: NA
Comment:
Hi,

This is more of a theoretical question, but I have a situation I'm trying to apply it to.

Basically, there are two sites. They have a hardware VPN (Two Netgear routers, identical).

On site 1 there is a Windows 2003 SBS DC and ten client PCs.

On site 2 there are just client PCs, no server here (budget doesn't allow).

The PCs on site 2 need to have full AD capabilities; all are members of the domain etc. The DNS settings on the client PCs at site 2 are not allocated through DHCP on site 2's router, as the router has no way of specifying several DNS server details through the DHCP service, and the client PCs need to use the DNS service from the Domain Controller at site 1 for AD purposes (group policy etc).

So on the client PCs I have manually specified the default gateway as the router (as normal), and for DNS I have put the primary DNS as the Windows DC at site 1 and for secondary I have specified the local router.

The question is, when users use the Internet, I don't want the DNS queries to go down to site 1; I want all Internet traffic to flow through the router and directly out to the ISP.

I don't understand how this works though: how is the router supposed to know that relative domain names like the name of the server (W2K3SERVER) are to be forwarded to site 1 over the VPN, but other domains such as bbc.co.uk are to be queried against the external DNS settings on the WAN interface of the router? I haven't specified a DNS suffix on the client PCs.

The thing is, the site is working for Internet and for domain tasks such as group policy and login scripts etc, but users are complaining of slow Internet access, and I wonder if this is because the DNS queries, or indeed all HTTP requests, are going down the VPN connection to site 1?

I've spoken to the ISP at site 2 and they say that the bandwidth is nowhere near maxed out, but they are seeing a lot of requests to site 1 and not many replies in return?

Any help greatly appreciated

Thanks

xshaun




Response Number 1
Name: Curt R
Date: April 1, 2008 at 06:20:37 Pacific
Subject: VPN and DNS
Reply:
Hopefully you've set up an encrypted VPN tunnel between the two sites. If not, your data is unprotected.

Having said that, and knowing you said up front the budget doesn't allow for a second server, you need to stress to the bossman that a second DC in site 2 is the answer (maybe he'll open the budget enough to purchase another server - a low end server isn't that expensive).

A second server, configured as a DC in site 2, is the best answer in this situation. Clients would authenticate to the local DC upon login. Requests outside the local zone would go to that site's provider's DNS for resolution via the DC in site 2's DNS forwarder. Replication between DCs would happen across the VPN link.

Without that, you're stuck with what you have. Which is to say, all traffic from site 2, both local and external, going to the DC at site 1 for resolution.

The only other ways I see to accomplish what you're asking are to spend as much (or more) money on a real router (which is to say, not a SOHO router) capable of inspecting packet headers, deciding which is internal and which is external and directing them appropriately. Or, spending money on real VPN appliances (again, not a SOHO router) that are capable of doing the same thing a router could do for you in this situation (ie: decide which is local/external and direct them appropriately). A VPN device capable of this (well actually, you'd need two) would be as expensive as, or more expensive than, a low end server.

It is worth noting, if you know your way around UNIX, you could install OpenBSD and use it as a router. This would of course require a PC to install the OS on and in-depth knowledge of OpenBSD and the pf tables inside it.
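The resolver behaviour behind the question and this reply, as an added illustration that is not code from the thread: the Windows DNS client does not choose a server by name, it sends every query to the preferred server and only falls back to the alternate when the preferred one stops answering, whereas a local DC or forwarder can route by zone. The server labels and the AD zone name `corp.example` are assumptions.

```python
"""Where a site-2 client's DNS queries actually go (added model, not the thread's code).

Two rules are compared: the Windows client's server list (preferred, then alternate
on timeout, independent of the name) and zone-based conditional forwarding as a
local DC would do it. Labels and the zone name 'corp.example' are assumptions.
"""

# Assumed labels for the resolvers in the thread's topology.
SITE1_DC = "site1-dc"          # Windows 2003 SBS DC, reached across the VPN
SITE2_ROUTER = "site2-router"  # Netgear router relaying to the ISP's DNS
ISP_DNS = "isp-dns"


def client_choice(servers, name, reachable):
    """Windows client rule: the first reachable server in the configured list,
    regardless of which name is being resolved."""
    for srv in servers:
        if reachable.get(srv, True):
            return srv
    return None  # every configured server timed out


def conditional_forward(zones, default, name):
    """Zone-based forwarder rule: a name under a known zone goes to that zone's
    server (longest suffix wins); everything else goes to the default (ISP)
    forwarder. A bare name like W2K3SERVER matches no zone, which is why a
    DNS suffix matters for single-label names."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in zones:
            return zones[zone]
    return default


def where_queries_go(names, reachable=None):
    """Return {name: (client_target, forwarder_target)} for the thread's setup."""
    reachable = reachable or {}
    client_servers = [SITE1_DC, SITE2_ROUTER]  # primary, secondary as configured
    zones = {"corp.example": SITE1_DC}        # assumed AD domain zone
    return {n: (client_choice(client_servers, n, reachable),
                conditional_forward(zones, ISP_DNS, n)) for n in names}


if __name__ == "__main__":
    for name, (client, fwd) in where_queries_go(
            ["w2k3server.corp.example", "www.bbc.co.uk"]).items():
        print(f"{name:26} client -> {client:13} forwarder -> {fwd}")
```

With the client rule, both the AD name and bbc.co.uk go to the site-1 DC over the VPN while it answers; only the forwarder rule sends bbc.co.uk to the ISP.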






All content ©1996-2007 Computing.Net, LLC