Site-to-site BOVPNs with same Domain name but unique
I've got a number of sites, each having its own WIN2016 LAN with same subnets. Each LAN's Domain Name is the same, for ex. "DARK", but they're each unique, too. We'd like to create a site-to-site BOVPN topology that will allow NOC users to access systems remotely at any of the sites. I understand using 1-1 NAT will resolve the duplicate subnets or simply renumbering each site's subnet is better, but how do I get around conflicting with the duplicate Domain Names? Block AD services on each BOVPN leg? Changing the sites' Domain Names is not an option at this time. Any suggestions would be welcomed.
Best Answer
james.carson Moderator, WatchGuard Representative
subdomain would be the "afb1, afb2, etc"
As long as they're unique, DNS/WINS should handle them. The firewall doesn't do anything with the DNS queries, so as long as you've NAT'ed them out appropriately you should be fine.
If you'd like to direct the DNS queries elsewhere you can use DNS redirection.
-James Carson
WatchGuard Customer Support
Answers
Hi @BillOfBo
The firewall itself doesn't resolve DNS, it just forwards it or directs the PC that accessed it to the correct place. Anything related to WINS or DNS would need to be changed there.
Since it's Windows, AD DNS should be able to be authoritative for each subdomain. Making sure each DNS server can reach the others and that they have unique subdomains should do it.
So for example
site1.dark.DC1.net
site2.dark.DC1.net
etc.
-James Carson
WatchGuard Customer Support
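One way to give each site's Windows DNS server a path to the other sites' subdomains, as an added example that is not from the thread or from WatchGuard: a conditional forwarder per remote subdomain, pointing at the address that site's DC is reachable on through the BOVPN after 1-to-1 NAT. The subdomain layout (afbN.dark.private), the host names and the NAT'd addresses are assumptions, not values from the thread.

```powershell
# Added example (not from the thread). Run on the DNS server at one site.
# Each site stays authoritative for its own subdomain; lookups for the other
# sites' subdomains are forwarded to that site's DC at its NAT'd address.

$ThisSite = 'afb1'

# Hypothetical mapping: subdomain -> post-NAT address of that site's DC
# (placeholders; substitute the real 1-to-1 NAT addresses).
$SiteDns = @{
    'afb1.dark.private' = '10.201.0.10'
    'afb2.dark.private' = '10.202.0.10'
    'afb3.dark.private' = '10.203.0.10'
}

foreach ($zone in $SiteDns.Keys) {
    # Skip our own subdomain: this server is authoritative for it.
    if ($zone -like "$ThisSite.*") { continue }

    if (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue) {
        Write-Output "Forwarder for $zone already present, skipping"
        continue
    }

    # Omitting -ReplicationScope keeps the forwarder zone local to this
    # server (file-backed), so nothing is replicated between the sites' DCs.
    Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $SiteDns[$zone]
    Write-Output "Forwarding $zone -> $($SiteDns[$zone])"
}

# Check from this site: a remote DC name should now resolve via the forwarder
# (assumed host name; adjust to the real naming convention).
Resolve-DnsName -Name 'afb2-dc1.afb2.dark.private' -Type A -ErrorAction SilentlyContinue
```

The forwarded queries cross the BOVPN as ordinary UDP/TCP 53 traffic to the NAT'd DC address, so the tunnel policy must permit DNS between the DNS servers for the lookup at the end to succeed.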
Thanks for the feedback, much appreciated. Sorry but I'm somewhat confused about the subdomains you're referencing. To be more specific about each of our sites' 2016 LANs, they were basically cookie cut (cloned) from the original prototype LAN. All sites' systems do follow a standard naming convention though, {site-name}, but still, the Domain Name at them all is the same. And we don't want the DCs replicating. We lack the bandwidth and our AD would explode in size. Could you elaborate on the subdomains you're referencing? FWIW, the LANs have been isolated from the Internet since installation, too. It's a MIL requirement.
afb1.dark.afb1-DC1.private
afb1.dark.afb1-DC2.private
afb2.dark.afb2-DC1.private
afb2.dark.afb2-DC2.private
afb3.dark.afb3-DC1.private
afb3.dark.afb3-DC2.private
etc...
Thanks James. Much appreciated. We'll take a look at this approach. C'ya!