pyotrek
asked on
VPN access to Windows Server 2016 - no DNS resolution on remote network
I just finished setting up new Server 2016 Domain Controller (Small business only 5 users).
I have trouble with Remote Access VPN.
I set it up - I think correctly - but when the Windows 10 client connects, they cannot resolve host names on the remote network.
Not sure if this affects Win10 only - I do not have Windows 7 to test.
The users do not have problems connecting - in fact it connects very quickly - when testing I can ping a host by the IP, but not by the name.
Any idea what I may be doing wrong?
For a very small number of users, you can put the Server Name / IP Address in the local HOSTS file and then they can connect by name.
ASKER
Yes I tried that and it works, but I do not want to use "patches" on freshly installed network.
I see some postings all over the Internet that Windows 10 has issues with DNS resolution on the remote network over the VPN, but they are from 2015, 2016. I wonder if this is still an issue or I am doing something wrong.
What device are you using to VPN? Is this by chance an edge router? If so, have you created access rules and groups for your VPN subnet and interfaces? If not, you are most likely firewalling yourself if a Deny ALL statement is present on your firewall.
@pyotrek - Did you try the above suggestion?
I have Windows 10 and need to look at multiple businesses and the HOSTS file approach works fine.
ASKER
No VPN device - it is PPTP on Server 2016 itself. No rules on firewall.
On the connecting client machine, in the VPN client config, you have to add the corporate server as the ONLY DNS server. You also have to leave the "use default gateway option" checked.
PS- this article may be of some help (My blog from a few years ago)
https://blog.lan-tech.ca/2011/05/14/vpn-client-name-resolution-2/
Nice article Rob!
Thanks !
You can also build a custom deployable client, if you don't want to make the settings on a per machine basis
https://blog.lan-tech.ca/tag/cmak/
And if the machines are domain joined, you can have Group policy applied over the VPN, by connecting to VPN before logon
https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/
ASKER
Thank you guys - I am aware of the settings that Rob mentions in his article. BTW all those articles are great and very clear.
I have clients connecting to PPTP VPN on older versions of Windows Server and all seems to work.
After posting this question I tried a few different connections - and I think that I can confirm that this issue is happening on PPTP VPN created on Server 2012 and 2016.
If you have "Use default gateway on remote network" checked, name resolution will work at times, but not always.
As soon as you uncheck it, the name resolution does not work.
I have a reason for unchecking "Use default gateway on remote network" for the VPN user - I do not want their "local" Internet access to be tunneled through the slow VPN connection. I want them to connect to network shares over the VPN, but be able to connect to Internet services over their local Internet connection.
It works (worked for years) on Server 2008 networks as far as I can tell. The only thing that I had to do was to hard code the DNS server and DNS suffix for it to work.
Firstly, just for the record, both using PPTP and disabling split tunneling (un-check use remote gateway) is an incredibly insecure connection.
If you are going to uncheck Use remote default gateway you will need to set the corporate DNS server as the only server in the NIC configuration, thus all Name resolution but not browsing is via VPN, or configure the Hosts file:
https://blog.lan-tech.ca/tag/lmhosts/
John's suggestion of using the IP is likely the simplest solution.
You could enable the "essentials role", which would allow you to access shares via a web browser. Much more secure, and no VPN required.
http://youritsource.org/msft/configuring-windows-server-2016-standard-with-the-essentials-role/
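A client-side PowerShell profile that automates the split-tunnel setup the thread is circling around (remote gateway off, corporate DNS suffix hard-coded, corporate names sent only to the corporate DNS server). This is an added example, not code from the thread or from Rob's blog; it uses an NRPT rule, which the thread does not mention, and every name, subnet and address below is an assumed placeholder.

```powershell
# Added example: Windows 10 client profile for a split-tunnel VPN to a Server 2016 RRAS host.
# All values are assumed placeholders; replace them with the real site's names and addresses.
$ConnName   = 'Corp VPN'
$VpnServer  = 'vpn.example.com'       # assumed public name of the RRAS server
$CorpSubnet = '192.168.10.0/24'       # assumed internal subnet behind the VPN
$CorpDns    = '192.168.10.5'          # assumed domain controller / DNS server
$CorpSuffix = 'corp.example.local'    # assumed Active Directory DNS suffix

# 1. Create the connection with split tunneling, i.e. "Use default gateway on remote
#    network" unchecked, and the DNS suffix the asker otherwise hard codes by hand.
#    PPTP matches the thread's server; the last answer already notes it is a weak choice.
Add-VpnConnection -Name $ConnName -ServerAddress $VpnServer -TunnelType Pptp `
    -SplitTunneling -RememberCredential -DnsSuffix $CorpSuffix -Force

# 2. With split tunneling on, only explicitly routed prefixes use the tunnel; Internet
#    traffic stays on the user's local connection, which is what the asker wants.
Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $CorpSubnet

# 3. Name Resolution Policy Table rule: queries for the corporate namespace go to the
#    corporate DNS server regardless of which interface Windows would otherwise prefer.
#    This is the persistent form of "corporate server as the only DNS server" limited to
#    the corporate zone, so public lookups still use the local ISP resolver.
Add-DnsClientNrptRule -Namespace ".$CorpSuffix" -NameServers $CorpDns -Comment $ConnName

# 4. Verify after connecting: the route must exist and a corporate name must resolve
#    without forcing -Server, proving the NRPT rule is doing the steering.
rasdial $ConnName
Get-NetRoute -DestinationPrefix $CorpSubnet | Format-Table -AutoSize
Get-DnsClientNrptRule | Where-Object Namespace -eq ".$CorpSuffix"
Resolve-DnsName "fileserver.$CorpSuffix"
```

If the NRPT rule is in place but step 4 still fails, check that $CorpDns falls inside $CorpSubnet (or add a second Add-VpnConnectionRoute for it); the rule can only help if the DNS server itself is reachable through the tunnel.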