Remote users have domain name resolution issues when in house using internal DNS

Posted on 2007-12-03
Last Modified: 2010-08-05
I have 3 domain controllers all running Windows 2003 Server R2 with DNS installed. I have some users that travel and work from home. Those users have issues resolving our websites because DNS is resolving them to the external IP instead of the internal local IP. If they repair their network connection this usually fixes it. Below is a very detailed explanation of the problem I found online, but the solution they proposed did not work properly in my environment.

"Another problem is that you are connected to the internet but there is a conflict between the DNS name you are using internally and the same domain name that is registered on the internet.  Confusion may be caused by your web server or your Exchange server registering the same domain name but with a different IP address.   For instance your ISP or InterNic may have legitimately assigned a different IP address for your domain name."

Question by:IsaacWeathers

Expert Comment

ID: 20397756
Are your DNS servers public? Do they have a public IP?
How do your users connect from home to the server?

If they have a permanent connection to the Internet and your NS IPs are public, then they must set, in their LAN connection's TCP/IP properties, Primary/Preferred DNS and Secondary/Alternate DNS = your public IPs.

Author Comment

ID: 20397811
DNS servers are internal, not public. They do not have a public IP. Remote users are getting on our network via the Microsoft VPN client. Our remote and local users are all DHCP, and the DNS IPs that we assign in the networking settings are all internal IPs. None of the DNS entries in the TCP/IP properties are pointing to public DNS servers (it is recommended you only use internal DNS and use the DNS server to forward requests for domain names it can't resolve to public DNS servers).

Expert Comment

ID: 20397879
If you have configured the VPN Client or PPTP client to use the same group as that of the SSL VPN Client, ensure that you have enabled IPsec on the group where the client connects. This resolves the DNS issue.

Expert Comment

ID: 20397918
I did not read all of the article -but- maybe you can read it...

Name resolution issues for the VPN client are often problematic. The Firewall client needs to be able to resolve the name of the ISA Server to the internal IP address of the ISA Server. You might think configuring a WINS and DNS server would be enough, but I've found the results to be somewhat inconsistent, even when I've gone out of my way to create a WINS referral zone in DNS. The best solution is to configure the VPN client to receive an address of a DNS server that can resolve the name of the internal interface of the ISA Server to its internal IP address.

Expert Comment

ID: 20397956
Something that I came up now...
Do your remote users have the DNS suffix set on their connection? That might resolve the issue.

Author Comment

ID: 20398272
Maybe I need to give an example. We have a group of users that have laptops. These users rarely come to the office. Most of the time they work off the network, but when they connect to the VPN they are no longer able to connect to our websites that are hosted internally. The reason is that DNS resolves to an external IP instead of the internal IP. The firewall does not allow a user in the network to go outside the network to come back in to the external IP. Does that make more sense? It is almost as if the internal DNS servers had not been queried and instead old cached DNS requests had been used. This is why repairing the connection usually works, because the cache is cleared.

Accepted Solution

AkisC earned 500 total points
ID: 20398405
Go to the Advanced TCP/IP properties of each "home user" and uncheck the Enable LMHOSTS lookup checkbox.
Also check Enable NetBIOS over TCP/IP.

If that does not resolve the problem... A workaround...(?)
When you click Repair on a connection, the OS:
- attempts to renew the DHCP lease, if the connection obtains its IP address through DHCP, using a broadcast message;
- flushes the Address Resolution Protocol (ARP) cache using the command arp -d *;
- flushes the NetBIOS cache using the command nbtstat -R;
- flushes the DNS cache using the command ipconfig /flushdns;
- re-registers the NetBIOS name and IP address with WINS using the command nbtstat -RR;
- re-registers the computer name and IP address with DNS using the command ipconfig /registerdns.

Create and install a script (on the users' computers) that does all the above before it connects to your VPN.
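The following is an added example and not part of the original thread or the accepted answer. It scripts the Repair steps listed above (minus the DHCP renew, which would discard the VPN-assigned settings if run after the tunnel is up), dials the VPN with rasdial, and then checks the symptom the asker describes: whether an intranet hostname now resolves to an internal address or still to the public one. The second flush after connecting is deliberate. The Windows DNS client caches a positive answer for the record's TTL, so a name resolved to the public IP before the tunnel came up keeps being served from cache after connecting, which matches the "old cached requests" behaviour reported. The VPN entry name "CorpVPN", the hostname intranet.corp.example.com and the internal prefix "10." are assumptions for illustration; run the script from an elevated prompt, since arp and nbtstat need administrator rights.

```powershell
# Added example, not from the original post. Reproduces the "Repair" steps
# from the accepted answer, dials the VPN, then verifies that an internal
# site name resolves to an internal address rather than the public one.
# Assumptions (not in the original thread): VPN phonebook entry "CorpVPN",
# test hostname intranet.corp.example.com, internal network 10.0.0.0/8.
param(
    [string]$VpnEntry       = "CorpVPN",
    [string]$TestHost       = "intranet.corp.example.com",
    [string]$InternalPrefix = "10."
)

function Reset-NameResolutionCaches {
    # Same commands Windows runs for "Repair", without the DHCP renew.
    & arp.exe -d *              | Out-Null   # flush ARP cache
    & nbtstat.exe -R            | Out-Null   # flush NetBIOS name cache
    & ipconfig.exe /flushdns    | Out-Null   # flush DNS resolver cache
    & nbtstat.exe -RR           | Out-Null   # re-register with WINS
    & ipconfig.exe /registerdns | Out-Null   # re-register with DNS
}

function Connect-Vpn([string]$Entry) {
    # rasdial dials an existing phonebook entry; non-zero exit means failure.
    & rasdial.exe $Entry | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "rasdial to '$Entry' failed (exit code $LASTEXITCODE)"
    }
}

function Test-InternalResolution([string]$Name, [string]$Prefix) {
    # Resolve through the client's current resolver (including its cache)
    # and report whether any IPv4 answer falls in the internal range.
    $addrs = [System.Net.Dns]::GetHostAddresses($Name) |
             Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
             ForEach-Object { $_.IPAddressToString }
    $internal = @($addrs | Where-Object { $_.StartsWith($Prefix) }).Count -gt 0
    [pscustomobject]@{
        Name      = $Name
        Addresses = ($addrs -join ', ')
        Internal  = $internal
    }
}

Reset-NameResolutionCaches
Connect-Vpn $VpnEntry

# Flush once more now that the tunnel is up: an answer cached before
# connecting (the public IP) would otherwise be served until its TTL expires.
& ipconfig.exe /flushdns | Out-Null

$result = Test-InternalResolution $TestHost $InternalPrefix
$result | Format-List
if (-not $result.Internal) {
    Write-Warning ("{0} still resolves to {1}; check which DNS servers the " +
                   "VPN adapter was assigned (ipconfig /all)." -f
                   $result.Name, $result.Addresses)
}
```

If the check still fails after the post-connect flush, the cache is not the only factor: the VPN adapter is not being handed the internal DNS servers, or the client is preferring the LAN adapter's resolver, and that is where to look next rather than re-running the script.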


Author Comment

ID: 20457113
I have been testing your solution with about 4 of the people having this problem. It seems that the work around is the only fix for it. None of the other fixes suggested have worked. The only problem I have is that I don't want to be having this script run every time a person logs on. I need something better not just a workaround.

Author Closing Comment

ID: 31422252
The proposed solution was just a bandaid. I would prefer to know the root cause of the issue not just run a script when it happens to fix it.
