Solved

Name resolutions over VPN

Posted on 2007-04-09
Last Modified: 2010-04-12
I have created a VPN server in our office using Windows 2003 Standard Edition. The clients all run Windows XP Professional. The server assigns IP addresses to the client from a pool of addresses. At the VPN server the private NIC is configured to use the internal DNS server and the public NIC is not assigned any DNS server at all. The internal DNS server is configured as a forwarder. From the VPN server I can ping any computer on the internal network by name with no problem at all. When the client computer connects it is unable to resolve computer names. I can ping by IP address, but not by name. IPCONFIG shows that the VPN connection has been assigned the DNS server on the internal network. When I try to ping or do nslookup to a computer name on the internal network it is resolving to a public IP address. Can anyone help me, please??
Question by:rcg112355
LVL 77

Accepted Solution

by:
Rob Williams earned 125 total points
ID: 18875805
Name resolution over VPNs is a common issue, however if the clients are assigned your DNS server properly I am surprised you are having problems, unless the VPN client also has the local ISP's DNS, in which case it may be solving using that first, even though it is not the primary DNS server. Following are ways to deal with accessing resources over a VPN. You can ignore the first regarding using IPs.

NetBIOS names (computer names) are not broadcast over most VPNs.
You can resolve this in several ways:
1) Use the IP address (of the computer you are connecting to) when connecting to devices, such as \\123.123.123.123\ShareName, or map a drive at a command prompt using:
 Net Use U: \\123.123.123.123\ShareName
2) An option is to use the LMHosts file, which creates a table of IPs and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam; instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below:
192.168.0.101      CompName       #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose the name in quotations like "LMHosts". Now when you try to connect to a computer name it should find it, as it will search the LMHosts file for the record before connecting.
More details regarding the LMHosts file:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfd_lmh_qxqq.mspx?mfr=true
The drawback of the LMHosts file is you have to maintain a static list of computer names and IP addresses. Also, if the remote end uses DHCP-assigned IPs it is not a feasible option. Thus, in order to be able to use computer names dynamically, try to enable some of the following options:
3) If you have a WINS server, add that to the network card's configuration
4) Also under the WINS configuration on the network adapter, make sure NetBIOS over TCP/IP is selected
5) Try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration
6) Verify your router does not have a "block NetBIOS broadcast" option enabled
7) Test if you can connect with the full computer and domain name as \\ComputerName.domain.local. If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]
 

Author Comment

by:rcg112355
ID: 18887084
Actually, I had pretty much done all of the things that you suggested. It is a small network so I ended up adding the important static addresses to the HOSTS file.

However, I did run into another problem. The internal network behind the VPN has a subnet of 192.168.1.x. Of course this is pretty popular for home networks as well. So if one of them connects to the VPN and they share the same subnet the client is unable to see the VPN network at all. It can't even ping by address.

I changed the subnet on the two remote users, but I realize that is not the ultimate solution. What happens when the company owner is sitting in a hotel and can't browse his network?? I guess the best solution is to give them a more unique subnet internally such as 172.16.x.x. That should dramatically reduce the chance for a conflict.

Do you have any other suggestions??

Thanks.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18887140
Hosts file works very well, but a bit of a pain. If you can set up a WINS server it often works better, and is dynamic.

As for the IP addressing, it is a common problem and the only solution is to change the corporate subnet, though that can be a big project on some networks. 172.16 is a great choice, but I would still avoid 172.16.0.x. I usually use something like 192.168.ab.x where ab is the last 2 digits of the client's street address just so I can remember who is who <G>

If by any chance your users only need access to the RRAS server, and no other PC's or servers, as a rule if the "use default remote gateway" option is checked on the VPN client (it is by default), they should be able to connect to that server only with the remote and local subnets the same.

Thanks rcg112355,
--Rob
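The subnet conflict discussed in the two comments above, shown as an added example that is not part of any poster's reply: it checks a candidate corporate subnet against a constructed list of common home-router defaults, and uses a simplified two-route longest-prefix match to show why a client on the same subnet cannot reach the office even by IP address. The function names, the list of defaults and 172.16.37.0/24 are assumptions made for illustration.

```python
import ipaddress

# Constructed list of LAN ranges often found as home/hotel router defaults.
# An assumption for illustration, not an exhaustive survey.
COMMON_CLIENT_LANS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "172.16.0.0/24",
]


def conflicting_lans(corporate, client_lans=COMMON_CLIENT_LANS):
    """Return the client-side LANs whose address range overlaps the corporate subnet."""
    corp = ipaddress.ip_network(corporate)
    return [lan for lan in client_lans
            if corp.overlaps(ipaddress.ip_network(lan))]


def next_hop(destination, client_lan):
    """Pick the route a VPN client would use, by longest-prefix match.

    Simplified model with only two routes: the on-link route for the client's
    own LAN, and a default route through the tunnel (the "use default remote
    gateway" option checked).
    """
    dest = ipaddress.ip_address(destination)
    routes = [
        (ipaddress.ip_network(client_lan), "local LAN"),
        (ipaddress.ip_network("0.0.0.0/0"), "VPN tunnel"),
    ]
    matches = [(net, hop) for net, hop in routes if dest in net]
    # The most specific (longest) matching prefix wins.
    return max(matches, key=lambda route: route[0].prefixlen)[1]


if __name__ == "__main__":
    for corp in ("192.168.1.0/24", "172.16.0.0/24", "172.16.37.0/24"):
        print(corp, "conflicts with:", conflicting_lans(corp) or "none listed")
    # Office host while the client sits on an identical home subnet:
    print("192.168.1.50 ->", next_hop("192.168.1.50", "192.168.1.0/24"))
    # Same client after the office moves to a less common range:
    print("172.16.37.50 ->", next_hop("172.16.37.50", "192.168.1.0/24"))
```
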
 

Author Comment

by:rcg112355
ID: 18887301
I thought that I was using the WINS Server. I was assigning the WINS address to the dynamically assigned IP's, but failed to configure it on the static IP's. What a rookie mistake!!

Unfortunately, they do need to connect to computers beyond the RRAS, so it looks like I will be changing subnets this weekend.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18889116
DHCP for VPN clients is a little odd. It only passes the IP, gateway, and subnet mask. There is another alternative; you can use the DHCP relay agent within RRAS. This requests an IP from the "normal" DHCP server and therefore inherits more of the scope options, such as WINS. You can't use DHCP reservations with this method, and I don't know what happens if you use this method and assign static IPs in the user profile in conjunction with the DHCP relay agent, but would be interesting to test.

Regardless, still need to change subnets.