DNS suffix search list overwritten on VPN reconnect

I have several users who use Cisco Systems VPN client to connect to our network from home.  I need them to have a DNS suffix search list with numerous entries in order for them to be able to access all of our intranet pages after they connect.  On most computers, I can specify this information at [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] and the machine will use that information for the search list from that point on (at least after an ipconfig /renew or a restart).  

The problem I am having is that on some machines running Windows 2000 (but not on others), when I disconnect/reconnect from the VPN, the entries that I specified at the location above are overwritten with an incomplete list.  I cannot figure out where the incomplete list is being taken from.  Can anyone give me help on where the incorrect information might be coming from?  I cannot find any plausible registry entries where the information could be stored.  Thanks.
2 Solutions
Have you checked the DHCP server scope that the Cisco is using (so either on the Cisco, if it's doing the DHCP, or on a Windows server DHCP, for example)?
To add some additional information to what the prior comment addressed: you have to make sure that your VPN configuration pushes out DNS servers along with the IP for the VPN user.  An option to push the search domains might be available as well.
How are you modifying the Registry with the VPN process?
Is this a domain-based system where you have a GPO that pushes the search domains, which goes offsite when the VPN connection is used?
GPOs are not enforced when the system is outside the LAN; the slow link speed detection mechanism determines whether a DC is nearby and applies the GPO.
PTVK (Author) commented:
I don't think that the VPN client normally tries to push search domains down... if it did, do you know where it would be getting the information from?  I know we do not use GPOs to push search domains, instead we use a batch file that is called in our login script to overwrite the key I mentioned above, which at least on restart should result in the full suffix list populating.  The really strange behavior in this case is that when I manually overwrite the key(s) that holds the suffix list, they are somehow replaced with incorrect information when I merely disconnect/reconnect the VPN client and I cannot figure out what is doing it.  I do not know how the VPN process modifies the registry, I cannot find settings related to that.

This problem persists through reinstalls of VPN clients that are identical to the version in PCs that do not exhibit this behavior.
The VPN client pushes nothing. You need to configure your Cisco VPN server to push the LAN DNS servers as part of the VPN policy.  Often the VPN DNS servers will be queried.  Not sure whether you can push search domains through the same mechanism.

The above provides an example which you could use in configuring your VPN policy. I.e. define the default domain and then the list of other domains that should be queried through your LAN DNS servers.
Registry alterations might get flushed when the VPN is not present and the DNS handling in Windows cycles through trying to resolve a host with the search suffix.  When the VPN is not present, those domains are seen as non-existent, and it would seem reasonable that, to speed up future queries, domains that do not exist should not be checked again.
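As an added example (not posted by anyone in this thread), the following PowerShell script checks the machine-wide SearchList under Tcpip\Parameters against the list the login script is supposed to write, then lists the per-interface Domain/DhcpDomain/SearchList values so the adapter that contributes the short list (for instance the VPN virtual adapter via DHCP) can be identified. It assumes a Windows version that has PowerShell (the Windows 2000 clients in the thread do not); the suffix list in $Expected is a constructed placeholder.

```powershell
# Added example, not from the thread. $Expected is a constructed placeholder;
# replace it with the suffixes your login script writes.
$Expected = @('corp.example.com', 'intranet.example.com', 'lab.example.com')

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Read one registry value, returning $null if the value or key is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name } else { return $null }
}

# 1. Machine-wide list (comma-separated string) that the batch file overwrites.
$current = (Get-RegValue $tcpip 'SearchList') -split ',' | Where-Object { $_ -ne '' }
$missing = $Expected | Where-Object { $current -notcontains $_ }
$extra   = $current  | Where-Object { $Expected -notcontains $_ }

Write-Host "Global SearchList  : $($current -join ',')"
if ($missing) { Write-Warning "Missing suffixes   : $($missing -join ',')" }
if ($extra)   { Write-Warning "Unexpected suffixes: $($extra -join ',')" }

# 2. Per-interface values. A Domain or DhcpDomain on the VPN adapter is the
#    usual source of a suffix that shows up only while the tunnel is up.
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    $p = $_.PSPath
    [pscustomobject]@{
        Interface  = $_.PSChildName
        Domain     = Get-RegValue $p 'Domain'
        DhcpDomain = Get-RegValue $p 'DhcpDomain'
        SearchList = Get-RegValue $p 'SearchList'
        DhcpServer = Get-RegValue $p 'DhcpServer'
    }
} | Where-Object { $_.Domain -or $_.DhcpDomain -or $_.SearchList } |
    Format-Table -AutoSize

# 3. Restore the full list if a reconnect has clobbered it.
if ($missing) {
    Set-ItemProperty -Path $tcpip -Name 'SearchList' -Value ($Expected -join ',')
    Write-Host 'SearchList restored; run ipconfig /flushdns (or /renew) to apply.'
}
```

Run it once before and once after a VPN disconnect/reconnect and compare the two per-interface tables; the adapter whose DhcpDomain appears only in the second run is the one supplying the incomplete list.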