JamieD71

asked on

Direct Access name resolution

Hello,

I have a 2012 R2 direct access server running on a site.  This is working well.

The site is on a 192.168.1.0/24 IP range and there is a gateway on 1.254.

Also on this site, connected to the router on 1.254 is another router on the 10.32.0.0 IP range.

The site's DNS server has conditional forwards in place for some websites.  For example, www.website.int, and when clients ping the address, they will get a reply from a 10.32. address.  This is normal and expected.

However, any direct access clients on an external network are not able to resolve the names (like in the above example).

I really don't want to enable force tunneling, it's only a handful of sites that need to be routed to the 10.32 network.  All other internet traffic can use the clients' external internet connections.

Any ideas on how to get the DA clients to resolve the internal names (or use) the site's DNS server?

Thanks,


Jamie
DrDave242

It sounds like the FQDNs of those sites need to be added to the Name Resolution Policy Table. As long as DirectAccess is working properly, the NRPT should designate how those FQDNs are to be resolved by DA clients.
JamieD71

ASKER

Hi,

Thanks for the reply.

On my DC, I've got conditional forwarders set up so traffic for (example) internalserver.com is pointing to another DNS server on the 10. network.

On the Direct Access console, I've looked at the DNS section on infrastructure setup.  I can specify the domain name there, but I think I can only specify the DNS server on my domain...  if I try and specify the IP of the DNS server on the 10. network, it complains.

I was hoping that if I specified my DNS server, the request would be forwarded...

Any ideas?

Thanks,


Jamie
On a DirectAccess client, run netsh namespace show policy from an administrative command prompt and post the output here. You can obscure anything you don't want public.

Sorry for the delay....  Not much here, other than the default...

DNS Name Resolution Policy Table Settings

Settings for DirectAccess-NLS.cab.local
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DNSSEC (IPsec)                          : disabled
DirectAccess (DNS Servers)              :
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Use default browser settings



Settings for .cab.local
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DNSSEC (IPsec)                          : disabled
DirectAccess (DNS Servers)              : fd64:74c:631f:3333::1
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Bypass proxy
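
An added example (not part of the thread and not the hidden solution): a small Python parser for the netsh namespace show policy output above that reports which NRPT rule, if any, a name falls under and which DNS servers would answer it. The host dc01.cab.local is constructed, and the matching is a simplified model (exact rules beat suffix rules, longer suffixes beat shorter ones).

```python
import re

# The output posted above, abridged to the lines the parser reads.
SAMPLE = """\
Settings for DirectAccess-NLS.cab.local
----------------------------------------------------------------------
DirectAccess (DNS Servers)              :

Settings for .cab.local
----------------------------------------------------------------------
DirectAccess (DNS Servers)              : fd64:74c:631f:3333::1
"""

def parse_nrpt(text):
    """Map each NRPT namespace to its DirectAccess DNS server list."""
    rules, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"Settings for (\S+)$", line)
        if header:
            current = header.group(1).lower()
            rules[current] = []
        elif current and line.startswith("DirectAccess (DNS Servers)"):
            value = line.split(":", 1)[1]
            # Assumption: several servers would be comma- or space-separated.
            rules[current] = [s for s in re.split(r"[,\s]+", value) if s]
    return rules

def resolution_path(name, rules):
    """Return (matched rule, resolver) for a name; most specific rule wins."""
    name = name.lower().rstrip(".")
    best = None
    for ns in rules:
        suffix = ns.startswith(".")  # leading dot = suffix rule, else exact FQDN
        if (name.endswith(ns) if suffix else name == ns):
            rank = (not suffix, len(ns))  # exact beats suffix, longer beats shorter
            if best is None or rank > best[0]:
                best = (rank, ns)
    if best is None:
        return (None, "client's own DNS")  # no rule: adapter's DNS servers are used
    servers = rules[best[1]]
    if not servers:
        return (best[1], "client's own DNS")  # empty server list = exemption
    return (best[1], ", ".join(servers))

if __name__ == "__main__":
    # dc01.cab.local is a constructed host name used only for illustration.
    for host in ("www.website.int", "dc01.cab.local", "DirectAccess-NLS.cab.local"):
        print(host, "->", resolution_path(host, parse_nrpt(SAMPLE)))
```

With the table as posted, www.website.int matches no rule, so the client asks whatever DNS server its external connection provides rather than the site's DNS server.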
ASKER CERTIFIED SOLUTION
DrDave242

This solution is only available to members.

Hi.  Thanks for this - now working after the NRPT entry.