Joining Networks over the Internet with a Gateway to Gateway VPN: ISA Server to Branch Office ISA Server/Domain Controller – Part 1


by Thomas W Shinder M.D.

In my article Joining Network over the Internet with a Gateway to Gateway VPN: ISA Server to Windows 2000 RRAS (find parts 1 and 2 over at www.isaserver.org/shinder), I shared with you a procedure for creating a gateway to gateway VPN connection that joins networks over the Internet when one side had ISA Server and the other side only had a Windows 2000 Server running the Routing and Remote Access Service (RRAS). This is a common scenario for organizations that have a central office and several branch offices.


Another scenario I’m seeing more of is when the central office runs ISA Server and the remote offices also want to run ISA Server. However, not only do the remote offices want to run ISA Server, they also want that ISA Server to be a domain controller that’s part of the main office domain. This configuration allows users at the branch offices to authenticate locally and also use a local DNS server to resolve names throughout the organization (as well as the Internet).

The network diagram would look something like what you see in the figure below. Note that while this diagram shows only a single VPN gateway to gateway connection, you could create the same VPN Gateway links between 2 or 200 branch offices and the central office.

The challenge is to make the remote server a domain controller while it’s a remote server. I usually recommend you make the branch office machine a domain controller while the machine is connected to the local network. It’s much easier to do it that way, and if you have a large Active Directory database, the initial replication will go much faster. Then after the machine has been promoted, it can be shipped to the branch office. However, there are many situations where you can’t or don’t want to take that machine to the main office. In that case you’ll have to run DCPROMO when the computer is at the remote office.

The good news is you can promote the member server to a domain controller while it’s at the remote office. Once you’ve created the VPN gateway connection to the main office, the remote VPN gateway will be able to use the VPN link to connect to the main office domain controller and transfer the Active Directory information during its promotion to a domain controller.

The first thing you need to do is create the gateway to gateway VPN link that joins the main office network to the branch office network. Full details of that configuration are given in my article Joining Network over the Internet with a Gateway to Gateway VPN: ISA Server to Windows 2000 RRAS. If you haven’t read it yet, make sure you do, because you need to understand how to configure the VPN gateway to gateway link. Once you get the link working, you need to perform the following actions:

  1. Add a User Account for the Calling VPN gateway to the Active Directory
  2. Install DNS on the remote (branch office) VPN gateway and manually configure forward and reverse lookup zones for the domain
  3. Run DCPROMO
  4. Change the Domain name in the dial up credentials on the calling VPN gateway
  5. Change the DNS zones to Active Directory integrated
  6. Make Registry changes to prevent bogus address registrations on remote (branch office) DNS server
  7. Install ISA Server on the remote (branch office) ISA Server

In part 1 of this two part article we’ll examine the procedures required to add the user account and how to install and configure DNS services at the remote office in preparation for its promotion to a domain controller. In part 2 we’ll run DCPROMO, fix the credentials used by the calling VPN router, tweak the DNS configuration with some Registry and console changes, and install ISA Server at the remote office.

Let’s get started!


Add a User Account for the Calling VPN Gateway to the Active Directory

When we first configured the gateway to gateway VPN link, we used a local account on the remote VPN gateway to allow the Local VPN gateway access to the remote VPN gateway. The local VPN gateway uses this username and password to create the authenticated VPN gateway link to the remote VPN gateway.

A problem we’ll run into is that when you promote the remote VPN gateway to a domain controller, that gateway no longer has a local SAM. Because there is no longer a local SAM, the user account used by the local VPN gateway is gone.

What’s worse, you won’t be able to get into the Active Directory on the remote gateway to add the user account because it can’t connect to the domain controller at the main office and you won’t be able to establish the gateway to gateway VPN link that would allow you to fix the problem. That’s why it’s vital that you add the user account used by the Local VPN gateway (the calling gateway in this example) to the Active Directory before you promote the remote VPN gateway to a domain controller.

Perform the following steps to create the domain user account that the local (calling) VPN gateway will use to call the remote VPN gateway:

  1. Open the Active Directory Users and Computers console from the Administrative Tools menu.
  2. In the Active Directory Users and Computers console, expand your domain name and right click on the Users folder. Point to New and click User.
  3. On the first page of the New Object – User Wizard, type a first name for the user and then the User logon name. The User logon name is the name of the account you created on the remote VPN gateway for the local VPN gateway to use to connect the gateway interface. Following up on the example we used in the last article, we’ll name this account LOCALVPN. Click Next.
  4. On the second page of the Wizard, type in a password and confirm the password. I recommend you use the same password you assigned to the account you initially created on the remote VPN gateway machine. While this isn’t required, it’ll make management a bit easier and I’ll make the assumption you’re using the same password later in this article. Make sure there are checkmarks only in the User cannot change password and Password never expires checkboxes. The other checkboxes should not be checked. Click Next.

  5. Click Finish on the last page of the New Object – User Wizard.
  6. Double click on the user account. On the user account Properties dialog box, click on the Dial-in tab. Select the Allow access option and click OK.

Install and Configure the DNS Server on the Remote VPN Gateway

Now we need to install and configure a DNS server on the remote VPN gateway. The machines on the remote network can use this DNS server to resolve names on the internal networks (main and branch offices) and the Internet. The remote clients can resolve names locally and don’t need to use the VPN link to reach the main office network to resolve internal network names. Web Proxy and Firewall clients at the remote branch office will benefit because the ISA Server local to them will be able to resolve Internet host names on their behalf.

Perform the following steps to configure the DNS server on the remote VPN gateway:

  1. Install the DNS Server Service on the remote VPN gateway. Click Start and point to Control Panel. In the Control Panel, open the Add/Remove Programs applet.
  2. In the Add/Remove Programs applet, click the Add/Remove Windows Components button.
  3. In the Windows Components dialog box, click on the Networking Services entry and click the Details button.
  4. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.

  5. Click Next on the Windows Components page. You may be asked for the Windows 2000 CD during the installation, so make sure to have that handy. Point the Wizard to the i386 folder when it asks for the CD.
  6. Click Finish when the Wizard completes. Close the Add/Remove Programs applet.

We can now configure the DNS server properties:

  1. Open the DNS console from the Administrative Tools menu.
  2. Right click on your server name in the left pane of the DNS console and click the Properties command.
  3. Click on the Interfaces tab in the Properties dialog box for the DNS server. Select the Only the following IP addresses option. Remove all the IP addresses in the list except the IP address of the internal interface. You do not want the DNS server listening on any other IP address. I’m assuming you’re not going to use this as a public DNS server since the DNS server at the central office should be hosting your public DNS. Select each of the IP addresses you don’t want and click the Remove button. When you’re done, there should be only a single IP address in the list. Click Apply.

  4. Click on the Root Hints tab and confirm that your Root Hints entries are populated. This allows your DNS server to resolve Internet host names and prevents you from needing to use a Forwarder. Using a Forwarder is optional and we won’t go through that procedure in this article. Note that a DNS Query Filter is installed automatically when ISA Server is installed. If you are running mail services on the internal network that need to resolve MX domain names, then you’ll need to create another packet filter for TCP 53 outbound. ISA Server isn’t installed on this machine yet, but you should keep these things in mind for when you install the ISA Server. Click OK.
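
One way to confirm that the listener restriction from step 3 took effect, as an added example that is not part of the original article: the script parses `netstat -an` output and reports any socket listening on port 53 that is bound to an address other than the internal interface. The sample output and the addresses 10.0.1.1 (branch internal interface) and 192.0.2.10 (external interface) are constructed for illustration.

```python
import ipaddress

# Constructed `netstat -an` excerpts (not captured from a real host).
# Assumed addresses: 10.0.1.1 = branch internal interface,
# 192.0.2.10 = external interface, 10.0.0.2 = main office DNS server.
BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.1.1:53            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:53          0.0.0.0:0              LISTENING
  TCP    10.0.1.1:1045          10.0.0.2:53            ESTABLISHED
  UDP    10.0.1.1:53            *:*
  UDP    192.0.2.10:53          *:*
"""
AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.1.1:53            0.0.0.0:0              LISTENING
  TCP    10.0.1.1:1045          10.0.0.2:53            ESTABLISHED
  UDP    10.0.1.1:53            *:*
"""

def dns_listeners(netstat_text):
    """Return {(proto, local_ip)} for every socket listening on port 53."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue  # established sessions are not listeners
        ip, _, port = local.rpartition(":")
        if port == "53":
            found.add((proto, ip))
    return found

def exposed_dns_listeners(netstat_text, internal_ip):
    """Return port-53 listeners bound to anything but the internal address."""
    allowed = ipaddress.ip_address(internal_ip)
    exposed = []
    for proto, ip in dns_listeners(netstat_text):
        addr = ipaddress.ip_address(ip)
        # Assumption: a loopback listener is acceptable; 0.0.0.0 is not,
        # because it accepts queries on every interface.
        if addr != allowed and not addr.is_loopback:
            exposed.append((proto, ip))
    return sorted(exposed)

if __name__ == "__main__":
    print("before:", exposed_dns_listeners(BEFORE, "10.0.1.1"))
    print("after: ", exposed_dns_listeners(AFTER, "10.0.1.1"))
```

An empty result means DNS answers only on the internal interface; any remaining entry names the protocol and address still accepting queries.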

The next step is to create the reverse lookup zones:

  1. Expand all nodes in the left pane. Right click on the Reverse Lookup Zone and click New Zone. Click Next on the Welcome to the New Zone Wizard page.
  2. On the Zone Type page, select the Standard secondary option and click Next.
  3. On the Reverse Lookup Zone page, type in the network ID used at the central office. If you have several network IDs, you’ll have to go through this procedure several times. In our current example, the central office computers are all contained within 10.0.0.0/24. We’ll select the Network ID option and enter that information and click Next.

  4. On the Master DNS Servers page, type in the IP address of the DNS server at the main office. In this example, the DNS server is on the domain controller on the main network and the IP address is 10.0.0.2. Click Add to add the address, then click Next.
  5. Click Finish on the Completing the New Zone Wizard page.
  6. Now we’ll repeat the procedure, but this time create a reverse lookup zone for the branch office network ID. If the branch office has more than one network ID, you’ll have to repeat the procedure for each network ID. Right click Reverse Lookup Zones and click New Zone. Click Next on the Welcome to the New Zone Wizard page.
  7. On the Zone Type page, select the Standard Primary option. Don’t worry about getting this information back to the main office network; later we will convert these zones to Active Directory integrated zones. Click Next.
  8. On the Reverse Lookup Zone page, type in the network ID on the branch office network. Click Next.
  9. On the Zone File page, leave the default selection as it is and click Next.
  10. Click Finish on the Completing the New Zone Wizard page.

Now let’s create the Forward Lookup Zone:

  1. Right click on the Forward Lookup Zones node and click on the New Zone command. Click Next on the Welcome to New Zone Wizard page.
  2. On the Zone Type page, select the Standard secondary option and click Next.
  3. On the Zone Name page, type in the name of the domain that you want the remote VPN gateway to join in the Name text box. Click Next.

  4. In the Master DNS Servers page, type in the IP address of the DNS server on the main network. In our current example, the DNS server at the main office is on the Domain Controller. Click Add to add the IP address and click Next.
  5. Click Finish on the Completing the New Zone Wizard page.

The remote VPN gateway needs to use the IP address of its internal interface as its DNS server address.

  1. Right click the My Network Places object on the desktop and click Properties.
  2. In the Network and Dial-up Connections window, right click on your internal interface and click Properties.
  3. In the Properties dialog box for the internal interface, click on the Internet Protocol (TCP/IP) entry and then click the Properties button.
  4. In the Internet Protocol (TCP/IP) Properties dialog box, type in the IP address of the internal interface in the Preferred DNS server text box. Click OK.
  5. Click OK in the internal interface Properties dialog box.


Summary

In part 1 of this two part article on how to create a gateway to gateway VPN link and promote a remote VPN gateway to a domain controller over the link, we went over the basic concepts involved with promoting a machine to a domain controller over the Internet. We then covered the steps required to create the calling VPN router’s user account and DNS server configuration on the branch office router. We’ll finish up next week in part 2, where we’ll promote the branch office VPN router to a domain controller, and then make some tweaks to the DNS configuration to prevent annoying disconnection issues for internal network clients. Then we’ll finish up with installing ISA Server at the branch office. See you then!

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001438 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
