Remote users have domain name resolution issues when in house using internal DNS

Posted on 2007-12-03
Last Modified: 2010-08-05
I have 3 domain controllers, all running Windows 2003 Server R2 with DNS installed. I have some users that travel and work from home. Those users have issues resolving our websites because DNS is resolving them to the external IP instead of the internal local IP. If they repair their network connection this usually fixes it. Below is a very detailed explanation of the problem I found online, but the solution they proposed did not work properly in my environment.

"Another problem is that you are connected to the internet but there is a conflict between the DNS name you are using internally and the same domain name that is registered on the internet.  Confusion may be caused by your web server or your Exchange server registering the same domain name but with a different IP address.   For instance your ISP or InterNic may have legitimately assigned a different IP address for your domain name."

Question by:IsaacWeathers
LVL 11

Expert Comment

ID: 20397756
Are your DNS servers public? Do they have a public IP?
How do your users connect from home to the server?

If they have a permanent connection to the Internet and your NS IPs are public, then they must set, on their LAN connection's TCP/IP properties, Primary/Preferred DNS and Secondary/Alternate DNS = your public IPs.

Author Comment

ID: 20397811
DNS servers are internal, not public. They do not have a public IP. Remote users are getting on our network via the Microsoft VPN client. Our remote and local users are all DHCP, and the DNS IPs that we assign in the networking settings are all internal IPs. None of the DNS entries in the TCP/IP properties are pointing to public DNS servers (it is recommended you only use internal DNS and use the DNS server to forward requests for domain names it can't resolve to public DNS servers).
LVL 11

Expert Comment

ID: 20397879
If you have configured the VPN Client or PPTP client to use the same group as that of the SSL VPN Client, ensure that you have enabled IPsec on the group where the client connects. This resolves the DNS issue.

LVL 11

Expert Comment

ID: 20397918
I did not read all of the article -but- maybe you can read it...

Name resolution issues for the VPN client are often problematic. The Firewall client needs to be able to resolve the name of the ISA Server to the internal IP address of the ISA Server. You might think configuring a WINS and DNS server would be enough, but I've found the results to be somewhat inconsistent, even when I've gone out of my way to create a WINS referral zone in DNS. The best solution is to configure the VPN client to receive an address of a DNS server that can resolve the name of the internal interface of the ISA Server to its internal IP address.
LVL 11

Expert Comment

ID: 20397956
Something that I came up with just now...
Do your remote users have the DNS suffix set on their connection? That might resolve the issue.

Author Comment

ID: 20398272
Maybe I need to give an example. We have a group of users that have laptops. These users rarely come to the office. Most of the time they work off the network, but when they connect to the VPN they are no longer able to connect to our websites that are hosted internally. The reason is that DNS resolves to an external IP instead of the internal IP. The firewall does not allow a user in the network to go outside the network to come back in to the external IP. Does that make more sense? It is almost as if the internal DNS servers had not been queried and old cached DNS requests had been used instead. This is why repairing the connection usually works, because the cache is cleared.
LVL 11

Accepted Solution

AkisC earned 500 total points
ID: 20398405
Go to the Advanced TCP/IP properties of each "home user" and uncheck the Enable LMHOSTS lookup checkbox.
Also check Enable NetBIOS over TCP/IP.

If that does not resolve the problem... A work around...(?)
When you click Repair on the connection, the OS:
- attempts to renew the DHCP lease, if the connection obtains its IP address through DHCP, using a broadcast message;
- flushes the Address Resolution Protocol (ARP) cache using the command arp -d *;
- flushes the NetBIOS cache using the command nbtstat -R;
- flushes the DNS cache using the command ipconfig /flushdns;
- reregisters the NetBIOS name and IP address with WINS using the command nbtstat -RR;
- reregisters the computer name and IP address with DNS using the command ipconfig /registerdns.

Create and install a script (on the user's computer) that does all the above before it connects to your VPN.

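The workaround above as a script, added here as an illustration and not part of the accepted answer: it reproduces the Repair-connection sequence the answer lists and adds a check that an internal site actually resolves to an internal address once the tunnel is up. The host name, the internal address prefix and the function names are placeholders chosen for this example.

```powershell
# Added example (not from the original thread). Run as Administrator before dialing the VPN;
# run again with -Verify after the tunnel is up to confirm the internal DNS servers answered.
param([switch]$Verify)

$InternalHost   = 'intranet.example.com'   # placeholder: one of the internally hosted sites
$InternalPrefix = '10.0.'                  # placeholder: prefix of the internal address range

function Reset-NameResolutionCaches {
    # Same six steps the thread attributes to "Repair connection"
    ipconfig /renew        | Out-Null   # renew the DHCP lease
    arp -d *               | Out-Null   # flush the ARP cache
    nbtstat -R             | Out-Null   # purge and reload the NetBIOS name cache
    ipconfig /flushdns     | Out-Null   # drop cached answers, including a stale external A record
    nbtstat -RR            | Out-Null   # release and re-register NetBIOS names with WINS
    ipconfig /registerdns  | Out-Null   # refresh the client's own DNS registration
}

function Test-ResolvesInternally {
    param([string]$HostName, [string]$Prefix)
    # Uses the client's configured DNS servers; the .NET call exists on every PowerShell version
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                 ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Warning "Lookup of $HostName failed: $_"
        return $false
    }
    Write-Host ("{0} -> {1}" -f $HostName, ($addrs -join ', '))
    # True only if at least one returned address lies in the internal range
    return (@($addrs | Where-Object { $_.StartsWith($Prefix) })).Count -gt 0
}

if ($Verify) {
    if (-not (Test-ResolvesInternally -HostName $InternalHost -Prefix $InternalPrefix)) {
        Write-Warning "$InternalHost still resolves to a non-internal address; the VPN-assigned DNS servers are not being used."
    }
} else {
    Reset-NameResolutionCaches
}
```

The -Verify pass is the part the thread lacks: a failed check after the tunnel is up shows the problem is the resolver in use rather than a cache left over from before the connection.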

Author Comment

ID: 20457113
I have been testing your solution with about 4 of the people having this problem. It seems that the work around is the only fix for it. None of the other fixes suggested have worked. The only problem I have is that I don't want to be having this script run every time a person logs on. I need something better not just a workaround.

Author Closing Comment

ID: 31422252
The proposed solution was just a band-aid. I would prefer to know the root cause of the issue, not just run a script when it happens, to fix it.
