Direct Access name resolution

Hello,

I have a 2012 R2 direct access server running on a site.  This is working well.

The site is on a 192.168.1.0/24 IP range and there is a gateway on 1.254.

Also on this site, connected to the router on 1.254 is another router on the 10.32.0.0 IP range.

The site's DNS server has conditional forwards in place for some websites.  For example www.website.int and when clients ping the address, they will get a reply from a 10.32. address.  This is normal and expected.

However, any direct access clients on an external network are not able to resolve the names (like in the above example).

I really don't want to enable force tunneling, it's only a handful of sites that need to be routed to the 10.32 network.  All other internet traffic can use the clients external internet connections.

Any ideas on how to get the DA clients to resolve the internal names (or use) the site's DNS server?

Thanks,


Jamie
JamieD71Asked:
DrDave242Commented:
The FQDNs of the internal websites aren't in the cab.local domain, right? If that's the case, that explains why DirectAccess clients can't resolve them. The Name Resolution Policy Table describes where DA clients send DNS queries for specified names. If a name isn't included in any of the NRPT entries, a DA client will only try to resolve the name using the DNS servers configured on its NIC, which will undoubtedly be external DNS servers and won't be able to resolve the name.

Try adding the name of one of those websites to the NRPT and specifying your internal DNS server. The appropriate conditional forwarder should do the rest.
0
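As an added illustration of the NRPT fix described in this answer (not code posted by anyone in the thread), the snippet below adds a DirectAccess NRPT entry from the DA server and then checks it on a client. It assumes the suffix "website.int" and reuses the DNS64 address fd64:74c:631f:3333::1 shown later in the thread's netsh output; DA clients are expected to send queries for NRPT namespaces to that DNS64 address, which resolves them through the internal DNS server (and its conditional forwarders), rather than to the 10.32 DNS server directly.

```powershell
# Run on the DirectAccess server (RemoteAccess module, Windows Server 2012 R2).
# Assumed values: suffix ".website.int" (a leading dot covers the whole domain;
# use a plain FQDN such as "www.website.int" for a single host) and the DNS64
# address from the client's existing ".cab.local" NRPT entry.
$suffix  = ".website.int"
$dns64   = "fd64:74c:631f:3333::1"

# Add the NRPT entry so DA clients resolve this namespace through the tunnel.
Add-DAClientDnsConfiguration -DnsSuffix $suffix -DnsIPAddress $dns64 -PassThru

# Verify the server-side table now carries the new suffix alongside .cab.local.
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress -AutoSize

# --- On a DirectAccess client, after the DA client GPO refreshes ---
# gpupdate /force                       # pull the updated NRPT from Group Policy
# Get-DnsClientNrptPolicy               # same information as "netsh namespace show policy"
# Resolve-DnsName www.website.int       # should now answer with the 10.32.x.x address
```

If the new entry does not appear in Get-DnsClientNrptPolicy on the client, the GPO has not applied yet; if it appears but resolution still fails, check that the internal DNS server (the one DNS64 forwards to) actually answers for the conditional-forwarder zone when queried from the DA server itself.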
 
DrDave242Commented:
It sounds like the FQDNs of those sites need to be added to the Name Resolution Policy Table. As long as DirectAccess is working properly, the NRPT should designate how those FQDNs are to be resolved by DA clients.
0
 
JamieD71Author Commented:
Hi,

Thanks for the reply.

On my DC, I've got conditional forwarders setup so traffic for (example) internalserver.com is pointing to another DNS server on the 10. network.

On the Direct Access console, I've looked at the DNS section on infrastructure setup.  I can specify the domain name there, but I think I can only specify the DNS server on my domain...  if I try and specify the IP of the DNS server on the 10. network, it complains.

I was hoping that if I specified my DNS server, the request would be forwarded...

Any ideas?

Thanks,


Jamie
0
 
DrDave242Commented:
On a DirectAccess client, run netsh namespace show policy from an administrative command prompt and post the output here. You can obscure anything you don't want public.
0
 
JamieD71Author Commented:
Sorry for the delay....  Not much here, other than the default...

DNS Name Resolution Policy Table Settings

Settings for DirectAccess-NLS.cab.local
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DNSSEC (IPsec)                          : disabled
DirectAccess (DNS Servers)              :
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Use default browser settings



Settings for .cab.local
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DNSSEC (IPsec)                          : disabled
DirectAccess (DNS Servers)              : fd64:74c:631f:3333::1
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Bypass proxy
0
 
JamieD71Author Commented:
Hi.  Thanks for this - now working after the NRPT entry.
0