SBS 2003 - when someone VPNs in, the server gets an additional IP and the client application gets confused by multiple IPs

I have recently enabled incoming VPN connections on SBS 2003. The problem is when the user dials in. The server gets an additional IP address for the VPN tunneling, which is fine. But it also creates another DNS record under the server name with the additional IP.

So for example: servername.domain.local

servername - 192.168.0.1
servername - 192.168.0.2

On the client workstations, the application queries the server name in DNS and gets the second IP address. But the server's core applications are listening on the first IP address. This causes havoc within the network.

How can we disable this so that the VPN or DNS server does not create this additional record, so that there is only one [A] record?

At the moment I'm deleting the host record manually and modifying the workstations' hosts files, but I can't do this every day.

Thanks
CBM Corporate asked:
wolfcamel commented:
Perhaps re-run the Internet wizard on SBS;
the VPN'd workstation should get the DNS record for the IP it connected with.
0
 
rfportilla commented:
Uhh, this is internal to how the VPN works.  It needs those additional DNS listings to route traffic back to the VPN clients.  However, those DNS listings should have the VPN clients' names, so what you are saying doesn't make sense.

Try the following.  

First, make sure that the server's only using IP addresses that are needed.  Check the networking properties.

Second, if this is a multihomed computer (more than one network card), make sure you have your services listening on the correct IP address for the correct network card.

Third, make sure that the DNS entry is correct.  Actually go into your DNS server and remove extra entries.  You can also disable your network configuration from updating DNS also.  

Fourth, you could try setting up your services to listen on all ports so it wouldn't matter which one the client connected to.

Let me know if this helps.
0
CBM Corporate (author) commented:
There are no additional IP addresses configured on the primary adapter. The second network card does not have an IP address and is disabled (HP ML350 G5 server).

I just went into the DNS configuration and saw it was listening on all IP addresses. I will change it to listen only on the primary IP address and see how it goes.

I wish I could enable the services to listen on all of them, but not in this particular environment.

BTW, the client workstations in question are the actual workstations inside the network, not the VPN clients.

Thanks
0
 
rfportilla commented:
Ahh, I just caught something else.  I should read these posts twice.  The VPN IP is an added IP.  Of course.

Another thing to try: is your software dependent on the DNS name?  What I mean is that if you can add a CNAME to your DNS and configure your clients to go to your CNAME, that would work and is generally a better solution anyway.  That way, if you ever have to change servers, you can just repoint the CNAME and not have to adjust the clients again.
0
 
CBM Corporate (author) commented:
When the VPN client dials in, it grabs a DHCP IP address, i.e. 192.168.1.100 (default gateway is off). On the server itself, the PPP RAS server adapter gets assigned 192.168.1.87, for which the DNS server creates a servername -> 192.168.1.87 [A] record. So it's like a round-robin thing: when the client workstations query the server name, it returns 192.168.1.87 as the servername record instead of 192.168.1.125 :(

Server ipconfig

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.87
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.125 ** main IP address
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.3

If only I could prevent it from automatically creating the [A] record servername -> 192.168.1.87 so that the other workstations will only return servername -> 192.168.1.125

I just remotely logged in. Setting DNS to listen only on the primary IP didn't make any difference; I still saw a servername -> 192.168.1.87 record.
0
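The ipconfig output above is enough to tell the per-call RAS address from the LAN address the server actually serves on: the PPP adapter carries a /32 mask and no gateway. The following is an added example, not code posted by anyone in this thread. It parses that ipconfig text (reproduced here as constructed sample input), flags the RAS interface, compares a DNS answer set against the LAN address, and builds the dnscmd lines that would delete the stray A record. The zone name `domain.local`, the host name `servername` and the `dnscmd /RecordDelete` syntax are assumptions for illustration; nothing here prevents RRAS from re-registering the record on the next dial-in, it only finds and removes it.

```python
"""Identify which of a server's addresses belong to a PPP/RAS dial-in
interface by parsing Windows `ipconfig` output, then compare the A
records DNS returns for the server name against the LAN address.

Added example for this thread, not code from any participant. The
ipconfig text is constructed from the addresses quoted in the question;
zone name, node name and dnscmd syntax are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: the same adapters and addresses as the poster's ipconfig.
SAMPLE_IPCONFIG = """
PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.87
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.125
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.3
"""

# "<type> adapter <name>:" header line, e.g. "PPP adapter RAS Server (Dial In) Interface:"
ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):$")
# Dotted field lines, e.g. "   IP Address. . . . . : 192.168.1.87"
FIELD_RE = re.compile(r"^\s+(IP Address|Subnet Mask|Default Gateway)[ .]*: ?(.*)$")
FIELD_KEYS = {"IP Address": "ip", "Subnet Mask": "mask", "Default Gateway": "gateway"}


def parse_ipconfig(text: str) -> List[Dict[str, str]]:
    """Return one dict per adapter with keys type, name, ip, mask, gateway."""
    adapters: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ADAPTER_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2),
                       "ip": "", "mask": "", "gateway": ""}
            adapters.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[FIELD_KEYS[m.group(1)]] = m.group(2).strip()
    return adapters


def is_ras_interface(adapter: Dict[str, str]) -> bool:
    """A PPP dial-in interface (as in the posted output) has a /32 mask and
    no gateway; its address is per-call and must not be what clients use."""
    return adapter["type"] == "PPP" or adapter["mask"] == "255.255.255.255"


def lan_addresses(adapters: List[Dict[str, str]]) -> List[str]:
    """Addresses clients should legitimately reach the server on."""
    return [a["ip"] for a in adapters if a["ip"] and not is_ras_interface(a)]


def stray_a_records(answers: List[str], adapters: List[Dict[str, str]]) -> List[str]:
    """Given the A records DNS currently returns for the server name,
    return those that are not LAN addresses (RAS or otherwise unexpected)."""
    lan = set(lan_addresses(adapters))
    return [ip for ip in answers if ip not in lan]


def dnscmd_cleanup(server: str, zone: str, node: str, stray: List[str]) -> List[str]:
    """Build dnscmd lines to delete the stray records.
    Assumed syntax: dnscmd <server> /RecordDelete <zone> <node> A <ip> /f"""
    return [f"dnscmd {server} /RecordDelete {zone} {node} A {ip} /f" for ip in stray]


if __name__ == "__main__":
    adapters = parse_ipconfig(SAMPLE_IPCONFIG)
    # Constructed DNS answer set: what the poster saw clients receive.
    answers = ["192.168.1.87", "192.168.1.125"]
    stray = stray_a_records(answers, adapters)
    print("LAN addresses:", lan_addresses(adapters))
    print("stray A records:", stray)
    for cmd in dnscmd_cleanup("servername", "domain.local", "servername", stray):
        print(cmd)
```

Run it against real `ipconfig` output piped in and the actual answer set from `nslookup servername` to see which record is the RAS one before deleting anything by hand.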
 
wolfcamel commented:
It really shouldn't be doing this. Have you re-run the Internet wizard in SBS?
0
 
rfportilla commented:
Setting the server to only listen on the one IP doesn't have anything to do with it.  I think your best option is to use the CNAME.  I like that design best anyway.  Create a CNAME with an address like 192.168.1.201, give it a name like customapp.server.local (whatever your local server and domain are) and point your clients to that domain name.  Problem solved.  I like this solution best because, like I said before, if you upgrade that server or move those services, you can just update the DNS entry and have everyone point to the right place.

@wolfcamel, I think this is by Microsoft design.  They create an IP for the virtual connection and insert a DNS record at the same time.  It's just strange that the software isn't listening on all ports correctly.
0
 
rfportilla commented:
Darn, I'm not thinking.  You don't want a CNAME.  A CNAME is for pointing to another domain, or an alias.  You want another A record pointing to 192.168.1.125 with a new name specific to your application.

0
 
CBM Corporate (author) commented:
The client workstation or application/Microsoft services will query the host name "servername" in this case. They will not query another host name, so creating a custom [A] record will not do anything.

Hmm, I wonder if I can prioritize the lookup order for the second DNS entry. That may do the trick.

Thanks
0
 
rfportilla commented:
"The client workstation or application/Microsoft services will query the host name..."

You would have to reconfigure the client one time to point to the new A record.  I think it is worth doing once to never have to do it again.  You don't even need to do it all at once: just create the record and transition a few at a time, or create a policy to update the setting.
0
 
CBM Corporate (author) commented:
Still did not find a proper way. In the end I just modified all the workstations' c:\windows\system32\drivers\etc\hosts files and added the server host name and IP address.
0
Question has a verified solution.