DirectAccess name resolution

Hello,

I have a 2012 R2 DirectAccess server running on a site.  This is working well.

The site is on a 192.168.1.0/24 IP range and there is a gateway on 1.254.

Also on this site, connected to the router on 1.254 is another router on the 10.32.0.0 IP range.

The site's DNS server has conditional forwarders in place for some websites.  For example, www.website.int: when clients ping the address, they get a reply from a 10.32. address.  This is normal and expected.

However, any DirectAccess clients on an external network are not able to resolve the names (like in the above example).

I really don't want to enable force tunneling, it's only a handful of sites that need to be routed to the 10.32 network.  All other internet traffic can use the clients external internet connections.

Any ideas on how to get the DA clients to resolve the internal names (or use the site's DNS server)?

Thanks,


Jamie
JamieD71 asked:
DrDave242 (Senior Support Engineer) commented:
It sounds like the FQDNs of those sites need to be added to the Name Resolution Policy Table. As long as DirectAccess is working properly, the NRPT should designate how those FQDNs are to be resolved by DA clients.
JamieD71 (Author) commented:
Hi,

Thanks for the reply.

On my DC, I've got conditional forwarders set up so traffic for (example) internalserver.com points to another DNS server on the 10. network.

On the DirectAccess console, I've looked at the DNS section in the infrastructure setup.  I can specify the domain name there, but I think I can only specify the DNS server on my domain.  If I try to specify the IP of the DNS server on the 10. network, it complains.

I was hoping that if I specified my DNS server, the request would be forwarded...

Any ideas?

Thanks,


Jamie
DrDave242 (Senior Support Engineer) commented:
On a DirectAccess client, run netsh namespace show policy from an administrative command prompt and post the output here. You can obscure anything you don't want public.
JamieD71 (Author) commented:
Sorry for the delay....  Not much here, other than the default...

DNS Name Resolution Policy Table Settings

Settings for DirectAccess-NLS.cab.local
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DNSSEC (IPsec)                          : disabled
DirectAccess (DNS Servers)              :
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Use default browser settings
Settings for .cab.local
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DNSSEC (IPsec)                          : disabled
DirectAccess (DNS Servers)              : fd64:74c:631f:3333::1
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Bypass proxy
DrDave242 (Senior Support Engineer) commented:
The FQDNs of the internal websites aren't in the cab.local domain, right? If that's the case, that explains why DirectAccess clients can't resolve them. The Name Resolution Policy Table describes where DA clients send DNS queries for specified names. If a name isn't included in any of the NRPT entries, a DA client will only try to resolve the name using the DNS servers configured on its NIC, which will undoubtedly be external DNS servers and won't be able to resolve the name.

Try adding the name of one of those websites to the NRPT and specifying your internal DNS server. The appropriate conditional forwarder should do the rest.
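The fix described in the answer above, as an added example that is not part of the original thread: a PowerShell equivalent of adding the NRPT entry on the DirectAccess server and then checking what the client received. It assumes a 2012 R2 DirectAccess server with the RemoteAccess module, uses the example name www.website.int from the question, and reuses the DNS server address the netsh output above already lists for .cab.local (fd64:74c:631f:3333::1); those values are taken from the thread, not verified against any real environment. The conditional forwarder on that DNS server then handles the onward lookup, as the answer says.

```powershell
# Added example, not from the original thread. Assumed values: the FQDN from the
# question and the DirectAccess DNS server address shown in the client's NRPT dump.
# Run the first part on the DirectAccess server, the second on a DirectAccess client.

# ---- On the DirectAccess server ----
Import-Module RemoteAccess

$fqdn  = 'www.website.int'          # internal name the DA clients cannot resolve
$daDns = 'fd64:74c:631f:3333::1'    # DNS server address already used for the .cab.local entry

# A DnsSuffix without a leading dot matches exactly that host; '.website.int'
# would instead send every name under that zone to the same DNS server.
$existing = Get-DAClientDnsConfiguration | Where-Object { $_.DnsSuffix -eq $fqdn }
if (-not $existing) {
    Add-DAClientDnsConfiguration -DnsSuffix $fqdn -DnsIPAddress $daDns -PassThru
}

# Confirm the full NRPT as the DA server will push it to clients via Group Policy.
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress -AutoSize

# ---- On a DirectAccess client (after the DA client GPO has refreshed) ----
gpupdate /target:computer /force

# The new namespace should now appear with the DA DNS server attached to it.
Get-DnsClientNrptPolicy |
    Where-Object { $_.Namespace -like '*website.int*' } |
    Format-List Namespace, DirectAccessDnsServers, DirectAccessEnabled

# With the entry in place the query goes to the DA DNS server instead of the
# NIC's external resolvers, and should return the 10.32. address the forwarder hands back.
Resolve-DnsName -Name 'www.website.int'

# Equivalent to the command used in the thread, for comparison:
netsh namespace show effectivepolicy
```

If the client still resolves nothing for the name, `Get-DnsClientNrptPolicy` output is the first thing to check: a missing namespace means the GPO has not reached the client yet, while a namespace with an empty DirectAccessDnsServers field means the entry was added as a plain suffix without a DNS server.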
JamieD71 (Author) commented:
Hi.  Thanks for this - now working after the NRPT entry.
Windows Server 2012