JamieD71

Direct Access name resolution

Hello,

I have a 2012 R2 direct access server running on a site.  This is working well.

The site is on a 192.168.1.0/24 IP range and there is a gateway on 1.254.

Also on this site, connected to the router on 1.254 is another router on the 10.32.0.0 IP range.

The site's DNS server has conditional forwards in place for some websites.  For example www.website.int and when clients ping the address, they will get a reply from a 10.32. address.  This is normal and expected.

However, any direct access clients on an external network are not able to resolve the names (like in the above example).

I really don't want to enable force tunneling, it's only a handful of sites that need to be routed to the 10.32 network.  All other internet traffic can use the clients' external internet connections.

Any ideas on how to get the DA clients to resolve the internal names (or use) the site's DNS server?

Thanks,


Jamie
Windows Server 2012, DNS, Remote Access

8/22/2022 - Mon
DrDave242

It sounds like the FQDNs of those sites need to be added to the Name Resolution Policy Table. As long as DirectAccess is working properly, the NRPT should designate how those FQDNs are to be resolved by DA clients.
JamieD71

ASKER
Hi,

Thanks for the reply.

On my DC, I've got conditional forwarders set up so traffic for (example) internalserver.com is pointing to another DNS server on the 10. network.

On the Direct Access console, I've looked at the DNS section on infrastructure setup.  I can specify the domain name there, but I think I can only specify the DNS server on my domain...  if I try and specify the IP of the DNS server on the 10. network, it complains.

I was hoping that if I specified my DNS server, the request would be forwarded...

Any ideas?

Thanks,


Jamie
DrDave242

On a DirectAccess client, run netsh namespace show policy from an administrative command prompt and post the output here. You can obscure anything you don't want public.
JamieD71

ASKER
Sorry for the delay....  Not much here, other than the default...

DNS Name Resolution Policy Table Settings

Settings for DirectAccess-NLS.cab.local
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DNSSEC (IPsec)                          : disabled
DirectAccess (DNS Servers)              :
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Use default browser settings



Settings for .cab.local
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DNSSEC (IPsec)                          : disabled
DirectAccess (DNS Servers)              : fd64:74c:631f:3333::1
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Bypass proxy
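
Added example, not part of the thread: a Python check that parses `netsh namespace show policy` output like the table posted above and reports which resolution path a name takes, showing why www.website.int never reaches the site's DNS server with only the default rules. The function names are hypothetical, and the matching is a simplified assumption (exact FQDN rule first, then longest suffix rule; multiple servers assumed comma or space separated).

```python
import re

# Constructed sample: the two NRPT rules from the output posted above,
# trimmed to the fields this check reads.
SAMPLE = """\
Settings for DirectAccess-NLS.cab.local
----------------------------------------------------------------------
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Use default browser settings

Settings for .cab.local
----------------------------------------------------------------------
DirectAccess (DNS Servers)              : fd64:74c:631f:3333::1
DirectAccess (Proxy Settings)           : Bypass proxy
"""

def parse_nrpt(text):
    """Return {namespace: [DirectAccess DNS servers]} from netsh output."""
    rules, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Settings for (\S+)\s*$", line)
        if header:
            current = header.group(1).lower()
            rules[current] = []
            continue
        field = re.match(r"\s*DirectAccess \(DNS Servers\)\s*:(.*)$", line)
        if field and current is not None:
            # Assumption: several servers are comma or space separated.
            rules[current] = [s for s in re.split(r"[,\s]+", field.group(1)) if s]
    return rules

def resolve_path(name, rules):
    """Classify how a DirectAccess client resolves `name` under these rules.

    Simplified matching (assumption): an exact-FQDN rule beats suffix rules,
    and among suffix rules (leading dot) the longest match wins.
    """
    name = name.lower().rstrip(".")
    match = name if name in rules else None
    if match is None:
        suffixes = [ns for ns in rules if ns.startswith(".") and name.endswith(ns)]
        match = max(suffixes, key=len, default=None)
    if match is None:
        return ("local-dns", None)         # no rule: client's own DNS, outside the tunnel
    if not rules[match]:
        return ("exempt", match)           # rule without a DNS server: also local DNS
    return ("directaccess", rules[match])  # query goes to the listed internal DNS server
```

With the posted table, `resolve_path("www.website.int", parse_nrpt(SAMPLE))` returns `("local-dns", None)`: no namespace rule covers the name, so the client asks its external resolver.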
ASKER CERTIFIED SOLUTION
DrDave242

JamieD71

ASKER
Hi.  Thanks for this - now working after the NRPT entry.