
Windows 2008 R2 isn't giving clients a connection specific DNS suffix

Question

Saturday, August 20, 2011 2:01 PM | 1 vote

I am using Windows Server 2008 R2 and I have configured this machine to have DHCP and RAS roles. When I connect via VPN, I get the following connection information:

PPP adapter Home:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Home
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.3.1.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       10.3.1.120
   NetBIOS over Tcpip. . . . . . . . : Enabled

As you can see, I am missing the Connection-specific DNS suffix. I have specified options 015 and 119, however I still don't get a DNS suffix for this connection. I'm not an expert with Windows Server or networking in general, I'm learning as I go. Does anyone have any troubleshooting steps I can follow? Any other ideas of how to solve this problem? What options can I check on the server/clients to find out what the problem is?

I've tested this on 2 client computers both running Windows 7.

All replies (23)

Saturday, August 20, 2011 4:56 PM | 3 votes

You'll need a DHCP Relay Agent configured on the RRAS server for the DHCP options to be applied to the VPN clients. Here's some info on it:

======
RRAS DHCP Options

DHCP Options are NOT passed to a RRAS client (dialup or VPN). Instead, this information is taken directly from the RAS server's settings.

If a RAS server has WINS or DNS entries, these entries are passed to the client. 

However, if you configure the RRAS server as a DHCP Relay agent, it will pass the DHCP options to the client.

Understanding DHCP IP Address Assignment for RAS Clients
http://support.microsoft.com/kb/160699/EN-US

Thread Discussion: DNS DHCP option 006 not being applied to VPN clients via RRAS
This is a good discussion with specifics about how an IP config is passed to a RRAS client and DHCP relay agents
http://www.petri.co.il/forums/showthread.php?t=35748

Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options
http://www.isaserver.org/img/upl/vpnkitbeta2/dhcprelay.htm

RRAS (VPN) DHCP options
http://msmvps.com/blogs/robwill/archive/2008/05/09/rras-dhcp-options.aspx

Using DHCP with ISA/VPN Server Clients
http://www.isaserver.org/tutorials/dhcpoptions.html

Cisco ASA/PIX: IPsec VPN Client Addressing Using DHCP Server with ASDM Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Sunday, August 21, 2011 11:41 AM

Thank you so much! This solved the issue perfectly.

However, there is still another issue. Now that my DNS search list looks appropriate on my client (Windows 7), when I do 'nslookup printer', where 'printer' is an A record in my server that I've VPNed to, it doesn't even try to search there for it. My DNS list is:

8.8.8.8
10.3.1.120

The second IP address is the LAN IP of my DNS / DHCP / VPN server (Windows 2008 R2). It tries to resolve the name using 8.8.8.8, which is Google's DNS service, and fails:

C:\Users\rdailey>nslookup printer
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** google-public-dns-a.google.com can't find printer: Non-existent domain

I thought that Windows would use the DNS search list to keep trying different DNS servers to see which one resolves the domain, but it isn't doing that. Previously I had 10.3.1.120 in my DNS servers as the first server, but the Compliance checker for my DHCP server said it should not be the first entry in the list, so I changed it.

Help is greatly appreciated! Thanks again!


Sunday, August 21, 2011 5:22 PM | 1 vote

It looks like the 8.8.8.8 is coming from the RRAS server itself, or you have it configured as a DHCP Option.

To better help diagnose the source, we'll need to see a complete and unedited ipconfig /all from a few machines, and not the partial ipconfigs you've provided - we need to see the full ones. To make it easier, you can run for example for the VPN client: ipconfig /all > c:\vpnclient.txt, or ipconfig /all > c:\rrasipconfig.txt, etc.

Therefore, let's see a complete and unedited ipconfig /all from:

  • The RRAS server
  • The VPN Client after it's connected
  • From the DC
  • From a sample DHCP enabled workstation inside your network (not a VPN client)

Thanks,
Ace

Ace Fekay


Sunday, August 21, 2011 6:53 PM

Here is the ipconfig /all from a Windows 7 machine not on my physical LAN but connected via VPN:

Windows IP Configuration

 Host Name . . . . . . . . . . . . : DTDEV7269w7
 Primary Dns Suffix . . . . . . . : PACS.local
 Node Type . . . . . . . . . . . . : Hybrid
 IP Routing Enabled. . . . . . . . : No
 WINS Proxy Enabled. . . . . . . . : No
 DNS Suffix Search List. . . . . . : PACS.local
          dailey.home.local

PPP adapter Home:

 Connection-specific DNS Suffix . : dailey.home.local
 Description . . . . . . . . . . . : Home
 Physical Address. . . . . . . . . :
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes
 IPv4 Address. . . . . . . . . . . : 10.3.1.6(Preferred)
 Subnet Mask . . . . . . . . . . . : 255.255.255.255
 Default Gateway . . . . . . . . . :
 DNS Servers . . . . . . . . . . . : 8.8.8.8
          10.3.1.120
 NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

 Connection-specific DNS Suffix . : PACS.local
 Description . . . . . . . . . . . : Intel(R) 82567LM-3 Gigabit Network Connection
 Physical Address. . . . . . . . . : 00-22-19-18-0A-C1
 DHCP Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
 Link-local IPv6 Address . . . . . : fe80::4c61:160d:87c7:5bb5%10(Preferred)
 IPv4 Address. . . . . . . . . . . : 172.16.3.80(Preferred)
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Lease Obtained. . . . . . . . . . : Wednesday, August 17, 2011 9:25:19 AM
 Lease Expires . . . . . . . . . . : Monday, August 29, 2011 9:25:26 AM
 Default Gateway . . . . . . . . . : 172.16.3.254
 DHCP Server . . . . . . . . . . . : 172.16.0.42
 DHCPv6 IAID . . . . . . . . . . . : 234889753
 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-37-9B-F0-00-22-19-18-0A-C1

 DNS Servers . . . . . . . . . . . : 172.16.0.56
          172.16.0.42
 NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.PACS.local:

 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . : PACS.local
 Description . . . . . . . . . . . : Microsoft ISATAP Adapter
 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.dailey.home.local:

 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . : dailey.home.local
 Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes

And here is the ipconfig /all from my server, which acts as all of the services you asked for before: Domain Controller, DHCP, DNS, and RRAS:

Windows IP Configuration

 Host Name . . . . . . . . . . . . : server
 Primary Dns Suffix . . . . . . . : dailey.home.local
 Node Type . . . . . . . . . . . . : Hybrid
 IP Routing Enabled. . . . . . . . : Yes
 WINS Proxy Enabled. . . . . . . . : No
 DNS Suffix Search List. . . . . . : dailey.home.local

Ethernet adapter Local Area Connection:

 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network Connection
 Physical Address. . . . . . . . . : 00-1E-C9-83-C3-60
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes
 IPv4 Address. . . . . . . . . . . : 10.3.1.120(Preferred)
 Subnet Mask . . . . . . . . . . . : 255.0.0.0
 Default Gateway . . . . . . . . . : 10.3.1.1
 DNS Servers . . . . . . . . . . . : 8.8.8.8
          127.0.0.1
 NetBIOS over Tcpip. . . . . . . . : Enabled

PPP adapter RAS (Dial In) Interface:

 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : RAS (Dial In) Interface
 Physical Address. . . . . . . . . :
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes
 IPv4 Address. . . . . . . . . . . : 10.3.1.8(Preferred)
 Subnet Mask . . . . . . . . . . . : 255.255.255.255
 Default Gateway . . . . . . . . . :
 NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{E08CB308-3B9D-4590-90EF-26F529C69C20}:

 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Microsoft ISATAP Adapter
 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes

 

And here is the ipconfig /all from a PC physically connected to my LAN (not through VPN). Note also that it obtains DHCP address from the same server machine:

 

Windows IP Configuration

 Host Name . . . . . . . . . . . . : robert-PC
 Primary Dns Suffix . . . . . . . : dailey.home.local
 Node Type . . . . . . . . . . . . : Hybrid
 IP Routing Enabled. . . . . . . . : No
 WINS Proxy Enabled. . . . . . . . : No
 DNS Suffix Search List. . . . . . : dailey.home.local

Ethernet adapter Local Area Connection 2:

 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller #2
 Physical Address. . . . . . . . . : 00-1F-BC-01-55-35
 DHCP Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

 Connection-specific DNS Suffix . : dailey.home.local
 Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
 Physical Address. . . . . . . . . : 00-1F-BC-01-55-34
 DHCP Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
 Link-local IPv6 Address . . . . . : fe80::b8d2:68c0:7f9b:d494%10(Preferred)
 IPv4 Address. . . . . . . . . . . : 10.3.1.31(Preferred)
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Lease Obtained. . . . . . . . . . : Sunday, August 21, 2011 6:36:42 AM
 Lease Expires . . . . . . . . . . : Wednesday, August 31, 2011 6:36:40 AM
 Default Gateway . . . . . . . . . : 10.3.1.1
 DHCP Server . . . . . . . . . . . : 10.3.1.120
 DHCPv6 IAID . . . . . . . . . . . : 234889148
 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-8E-D4-20-00-1F-BC-01-55-34

 DNS Servers . . . . . . . . . . . : 10.3.1.120
          8.8.8.8
 NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{0C9F7085-292A-4D21-909A-2F16A1F182B1}:

 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Microsoft ISATAP Adapter
 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . :
 Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.dailey.home.local:

 Media State . . . . . . . . . . . : Media disconnected
 Connection-specific DNS Suffix . : dailey.home.local
 Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
 DHCP Enabled. . . . . . . . . . . : No
 Autoconfiguration Enabled . . . . : Yes

Let me know if you need any other information!

Sunday, August 21, 2011 7:12 PM | 1 vote

OK, I see where it's coming from. Notice the LAN connected workstation ipconfig DNS addresses? It's coming from DNS.

Here's a rule of thumb that we need you to remember when it comes to Active Directory:

"NEVER use any other DNS address in any machine's NIC properties that is part of an Active Directory Infrastructure."

If you don't, you will get unexpected results, incorrect results, and possibly to the point that AD communications WILL FAIL.

This applies to everything, including the DC, member servers, workstations, laptops, printers, any other devices, etc. Here's a good explanation:

Active Directory's Reliance on DNS, and why you should never use an ISP's DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx

Therefore, here's what we need to do:

  • On the DC, REMOVE the Google address from the NIC -> Go into the NIC properties, and REMOVE 8.8.8.8. I would also suggest to change the 127.0.0.1 to the actual IP of the DC, 10.3.1.120. Make sure that's the only address in the NIC.
  • On the DC, Configure a Forwarder -> Go into the DNS console, right-click the DC's server name, Properties, Forwarders tab, and type in the Google DNS address, 8.8.8.8.
  • Remove the Google address from DHCP Option 006 -> DHCP console, check the Server and Scope Option 006 -> REMOVE the Google address, 8.8.8.8. Make sure that 10.3.1.120 is the only DNS address in there.

I would also suggest on the VPN client adapter to uncheck the "Use Remote Gateway" setting. This will allow the VPN client to use its own gateway when it is accessing internet traffic and not company data, otherwise all internet VPN client traffic will be going through the company's network routers.

I hope that helps!
Ace

Ace Fekay
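The rule in the reply above can be turned into a check rather than taken on faith. The PowerShell below is an added example, not code from the thread or from Ace's blog: for every IPv4 DNS server configured on an AD member it asks that server for the DC locator record _ldap._tcp.dc._msdcs.<domain>. A server that cannot answer it (a public resolver such as 8.8.8.8, or a home router) does not host the AD zone and has no business in the NIC list; it belongs on the DC's Forwarders tab instead. It assumes the DnsClient cmdlets (Windows 8 / Server 2012 or later, so not the Windows 7 client in the thread) and a domain-joined machine; the function name is mine.

```powershell
# Added example, not from the thread. Audits the DNS server list of every IPv4
# interface on this AD member by probing each server for the AD locator SRV record.
# Assumes the DnsClient module (Windows 8 / Server 2012 or later).

function Test-AdDnsServerList {
    param(
        # AD DNS domain whose DC locator record is used as the probe
        [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
    )
    $probe = "_ldap._tcp.dc._msdcs.$Domain"

    $results = @(foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        $order = 0
        foreach ($server in $cfg.ServerAddresses) {
            $order++
            $dc = $null
            try {
                # -DnsOnly: skip cache, hosts file, LLMNR and NetBIOS so only this server is tested
                $srv = Resolve-DnsName -Name $probe -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
                if ($srv) { $dc = ($srv | Select-Object -First 1).NameTarget }
            } catch {
                # NXDOMAIN, SERVFAIL or timeout: this server knows nothing about the AD zone
            }
            $verdict = if ($dc) { 'OK' } else { 'REMOVE from NIC; use as a forwarder on the DC instead' }
            [pscustomobject]@{
                Interface   = $cfg.InterfaceAlias
                Order       = $order
                Server      = $server
                HostsAdZone = [bool]$dc
                DcAnswered  = $dc
                Verdict     = $verdict
            }
        }
    })

    # Position 1 matters most: the Windows resolver accepts a negative answer (NXDOMAIN)
    # from the first server that responds and does not retry the others, so an
    # AD-ignorant server listed first breaks AD lookups even when a DC is listed second.
    foreach ($iface in ($results | Group-Object Interface)) {
        $first = $iface.Group | Where-Object { $_.Order -eq 1 }
        if ($first -and -not $first.HostsAdZone) {
            $first.Verdict = 'REMOVE; first server on this interface does not host the AD zone'
        }
    }
    $results
}

Test-AdDnsServerList | Format-Table Interface, Order, Server, HostsAdZone, DcAnswered, Verdict -AutoSize
```

Run it on the DC, a LAN workstation and a connected VPN client; in the configuration posted above, 8.8.8.8 fails the probe on every one of them, and on the VPN client it is also in position 1, which is exactly the ordering that made nslookup go to Google first.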


Sunday, August 21, 2011 10:37 PM

Thanks for the tips. I put the Google DNS in my router for clients so that if my DC ever went down, clients could still resolve domain names. I guess that didn't work out too well.

My subnet mask is set to 255.0.0.0 in my DC NIC settings. Is this recommended? I think Windows set this up for me automatically. I normally use a subnet mask of 255.255.255.0. Should I change this?

Things seem to be working a little better after following your guide about eliminating Google's DNS from clients, however from my remote PC that I use to VPN into my local network, it still doesn't seem to be able to resolve hostnames unless I use the FQDN:

C:\Users\rdailey>nslookup printer
Server: UnKnown
Address: 10.3.1.120

*** UnKnown can't find printer: Non-existent domain

C:\Users\rdailey>nslookup printer.dailey.home.local
Server: UnKnown
Address: 10.3.1.120

Name:  printer.dailey.home.local
Address: 10.3.1.123

And here is the updated ipconfig all for this machine:

Windows IP Configuration

  Host Name . . . . . . . . . . . . : DTDEV7269w7
  Primary Dns Suffix . . . . . . . : PACS.local
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : PACS.local
                    dailey.home.local

PPP adapter Home:

  Connection-specific DNS Suffix . : dailey.home.local
  Description . . . . . . . . . . . : Home
  Physical Address. . . . . . . . . :
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  IPv4 Address. . . . . . . . . . . : 10.3.1.4(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . : 10.3.1.120
  NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix . : PACS.local
  Description . . . . . . . . . . . : Intel(R) 82567LM-3 Gigabit Network Connection
  Physical Address. . . . . . . . . : 00-22-19-18-0A-C1
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::4c61:160d:87c7:5bb5%10(Preferred)
  IPv4 Address. . . . . . . . . . . : 172.16.3.80(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : Wednesday, August 17, 2011 9:25:19 AM
  Lease Expires . . . . . . . . . . : Monday, August 29, 2011 9:25:25 AM
  Default Gateway . . . . . . . . . : 172.16.3.254
  DHCP Server . . . . . . . . . . . : 172.16.0.42
  DHCPv6 IAID . . . . . . . . . . . : 234889753
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-37-9B-F0-00-22-19-18-0A-C1

  DNS Servers . . . . . . . . . . . : 172.16.0.56
                    172.16.0.42
  NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.PACS.local:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . : PACS.local
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.dailey.home.local:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . : dailey.home.local
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Any idea why this isn't working quite yet?


Monday, August 22, 2011 4:35 AM

Thanks for the tips. I put the Google DNS in my router for clients so that if my DC ever went down, clients could still resolve domain names. I guess that didn't work out too well.

Configure the Google DNS as a Forwarder.

My subnet mask is set to 255.0.0.0 in my DC NIC settings. Is this recommended? I think Windows set this up for me automatically. I normally use a subnet mask of 255.255.255.0. Should I change this?

How many machines do you have? Do you have over 200?

  • 255.0.0.0 mask (/8) gives you over 16 million addresses
  • 255.255.0.0 (/16) mask gives you 65,535 addresses
  • 255.255.255.0 (/24) gives you 256 addresses

Whatever mask you choose, make sure ALL machines have the same mask.

Things seem to be working a little better after following your guide about eliminating Google's DNS from clients, however from my remote PC that I use to VPN into my local network, it still doesn't seem to be able to resolve hostnames unless I use the FQDN:

C:\Users\rdailey>nslookup printer
Server: UnKnown
Address: 10.3.1.120

*** UnKnown can't find printer: Non-existent domain

C:\Users\rdailey>nslookup printer.dailey.home.local
Server: UnKnown
Address: 10.3.1.120

Name:  printer.dailey.home.local
Address: 10.3.1.123

It appears that the client side search suffix is using dailey.home.local. Is the printer under the pacs.local zone? Can we see an ipconfig /all of the machine you ran this on?

Ace Fekay


Monday, August 22, 2011 1:24 PM

The ipconfig /all for the machine that the nslookup failed on is in my previous post (see above). Also, 'printer' is on dailey.home.local, not pacs.local.

The DNS server shown by nslookup for 'printer', 10.3.1.120, is correct. That is, the IP address of the DNS server on my remote network is 10.3.1.120, and it has an A record for 'printer', but for some reason if I don't use the FQDN it doesn't resolve. Doesn't make any sense to me.


Monday, August 22, 2011 1:28 PM

Ok, so this is the workstation while connected:

 Host Name . . . . . . . . . . . . : DTDEV7269w7
 Primary Dns Suffix . . . . . . . : PACS.local
 Node Type . . . . . . . . . . . . : Hybrid
 IP Routing Enabled. . . . . . . . : No
 WINS Proxy Enabled. . . . . . . . : No
 DNS Suffix Search List. . . . . . : PACS.local
                                     dailey.home.local

And the printer is on the dailey.home.local zone, not pacs.local.

I may have missed this part - Does the host record 'printer' exist under the dailey.home.local zone in DNS?

Ace Fekay


Monday, August 22, 2011 2:11 PM

Yes, the host record 'printer' exists in the dailey.home.local Forward Lookup Zone on my DNS server.


Monday, August 22, 2011 4:09 PM | 1 vote

Looking back again (pasted below), I see that "dailey.home.local" is a connection specific suffix for the PPP connection. I assume that's coming from DHCP Option 015. I would think this should be fine. 

Windows IP Configuration

  Host Name . . . . . . . . . . . . : DTDEV7269w7
  Primary Dns Suffix . . . . . . . : PACS.local
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : PACS.local
                    dailey.home.local

PPP adapter Home:

  Connection-specific DNS Suffix . : dailey.home.local
  Description . . . . . . . . . . . : Home
  Physical Address. . . . . . . . . :
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  IPv4 Address. . . . . . . . . . . : 10.3.1.4(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . : 10.3.1.120
  NetBIOS over Tcpip. . . . . . . . : Enabled

Have you tried resolving anything else under the dailey.home.local zone?

I assume you're clearing the client side cache, but then again, that only applies to pinging, not nslookup, since nslookup uses its own resolver and caching mechanism, however, give it a shot. If you try the following on the client side, does it work?

Other than that, have you considered WINS? Anytime I have a customer that requires single name resolution across VPNs, I recommend WINS. It also provides browsing capabilities.

Also, if you search for a printer, and it's an AD client, and you have Printer Location Tracking enabled, and the printer has been published in AD, it will find it in AD (no WINS involved).

Printer Location Tracking - O, printer, where art thou?
By Danielle Ruest and Nelson Ruest, 07/01/2004
http://redmondmag.com/articles/2004/07/01/printer-location-tracking.aspx

Ace Fekay


Monday, August 22, 2011 10:19 PM

I will try specifying the domain suffix explicitly and see how that works. I also did an ipconfig /flushdns to flush my DNS resolver cache before I did the nslookup, and it had no effect (previously mentioned results were after I flushed the DNS resolver cache). I did come up with some other interesting results I wanted to share with you in the meantime.

For some reason ping for 'printer' works, but 'nslookup' does not... this is VERY unusual:

C:\Users\rdailey>ping printer

Pinging printer.dailey.home.local [10.3.1.123] with 32 bytes of data:
Reply from 10.3.1.123: bytes=32 time=15ms TTL=254
Reply from 10.3.1.123: bytes=32 time=12ms TTL=254
Reply from 10.3.1.123: bytes=32 time=10ms TTL=254
Reply from 10.3.1.123: bytes=32 time=11ms TTL=254

Ping statistics for 10.3.1.123:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 10ms, Maximum = 15ms, Average = 12ms

C:\Users\rdailey>nslookup printer
Server: server.dailey.home.local
Address: 10.3.1.120

*** server.dailey.home.local can't find printer: Non-existent domain

Note that the above commands were run on the very same machine (the physically disconnected machine that is connecting via VPN). 'printer' is not the only resource on my network, for example my DC's domain is 'server', this does not resolve either. The printer on my network is just a TCP/IP printer, so I've assigned it a static A record on my DNS server, and it has the IP address of 10.3.1.123 (as you can see above in the ping results).

Another interesting thing I see is when I do a tracert command on my 'printer' domain:

C:\Users\rdailey>tracert printer

Tracing route to printer.dailey.home.local [10.3.1.123]
over a maximum of 30 hops:

 1 9 ms 12 ms 12 ms SERVER [10.3.1.8]
 2 114 ms 12 ms 12 ms HP3C4A920DFB80 [10.3.1.123]

For some reason, 'Server' is coming back as 10.3.1.8, which is incorrect. It should actually be 10.3.1.120. I don't really understand why my domain to IP mappings are all whacked out. It may explain why nslookup is failing. Any comments on this?

Edit:

When I look at the records in my forward lookup zone on my DNS server, I am seeing 2 static Host (A) records, both named 'server'. One points to 10.3.1.8 and the other to 10.3.1.120. I think I have two NICs somewhere forcing these duplicate records to be registered in my DNS server, I'll look into it but I'm still a bit lost on this whole issue.

Edit 2:

The address 10.3.1.8 is registered under "Address Leases" under the scope for my DHCP server. The "Unique ID" shows "RAS", so I'm assuming this IP is reserved by the RRAS for VPN clients. I don't have much more information than this, I can't figure out why Windows is automatically adding a "server" record in my DNS with IP of 10.3.1.8.


Monday, August 22, 2011 11:35 PM

Ping uses the machine's suffixes and connection suffixes, as well as the machine's client side resolver. Nslookup has its own built-in resolver that is independent of the machine, and is a true nameserver (hence the "ns" part) test utility.

If it's working with ping, and not nslookup, it may indicate an issue elsewhere, such as in DNS.

If you have two NICs, check Network and Sharing Center, Manage connections. If not in there, check in Device Manager, Show Hidden. If you see an extra NIC, remove it. If this is in Hyper-V, it may have been the original NIC that no longer shows but *may* show in Device Manager. If you see any NIC that doesn't belong in Network Sharing, disable it.

Now if you're saying that it's registered as a RAS record, then it's telling me that RAS is installed on your DC. That is a big no-no. It turns the DC into a multihomed DC. Multihomed DCs cause LOTS of problems!

We recommend to take RRAS off a DC and install it on a member server. For details on why, read the link below. It also explains what you can do to alter a DC's default functionality to keep the extra record from registering, including registry and other modifications (not recommended either, but it's a last resort):

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, and/or PPPoE adapters - A multihomed DC is NOT a recommended configuration, however there are ways to configure such a DC to work properly. (Matter of fact, at this time, Microsoft does not recommend or support machines with teamed NICs, DC or not.)
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

Ace Fekay
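The two symptoms in the exchange above (ping resolving 'printer' while nslookup returns NXDOMAIN, and 'server' carrying two A records) can both be made visible from the VPN client. The PowerShell below is an added example, not code from the thread: the first function walks the same suffix list the Windows client resolver uses for a single-label name (primary DNS suffix, suffix search list, then each connection-specific suffix such as the one RRAS now hands out) and queries each candidate FQDN directly against the DC, then queries the label as an absolute name with no suffix appended, which is the lookup that comes back NXDOMAIN. The second lists every A record the zone holds for a host so a second registration from the RAS dial-in interface stands out. It assumes the DnsClient cmdlets (Windows 8 / Server 2012 or later); the server address 10.3.1.120 and zone dailey.home.local are the thread's values, used here as defaults, and the function names are mine.

```powershell
# Added example, not from the thread. Reproduces the resolver's suffix walk for a
# single-label name and lists all A records for a host in the AD zone.
# Assumes the DnsClient module (Windows 8 / Server 2012 or later).

function Get-ClientSuffixList {
    # Order matters: this is the order in which the resolver tries candidates
    $list = @()
    $primary = (Get-CimInstance Win32_ComputerSystem).Domain     # primary DNS suffix on a joined machine
    if ($primary) { $list += $primary }
    $list += (Get-DnsClientGlobalSetting).SuffixSearchList      # explicit search list, if any
    $list += (Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix }).ConnectionSpecificSuffix
    $list | Where-Object { $_ } | Select-Object -Unique
}

function Resolve-SingleLabel {
    param(
        [Parameter(Mandatory)][string]$Label,
        [string]$Server = '10.3.1.120'    # assumed: the DC/DNS server from the thread
    )
    $attempts = @(foreach ($suffix in Get-ClientSuffixList) {
        $fqdn = "$Label.$suffix"
        try {
            $a = Resolve-DnsName -Name $fqdn -Type A -Server $Server -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' }
            [pscustomobject]@{ Query = $fqdn; Result = ($a.IPAddress -join ', ') }
        } catch {
            [pscustomobject]@{ Query = $fqdn; Result = $_.Exception.Message }
        }
    })
    # Trailing dot = absolute name: nothing is appended, so the server is asked for
    # the bare label and answers NXDOMAIN, while the suffixed queries above succeed.
    try {
        $bare = Resolve-DnsName -Name "$Label." -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $attempts += [pscustomobject]@{ Query = "$Label."; Result = ($bare.IPAddress -join ', ') }
    } catch {
        $attempts += [pscustomobject]@{ Query = "$Label."; Result = $_.Exception.Message }
    }
    $attempts
}

function Get-HostARecords {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$Zone   = 'dailey.home.local',   # assumed: the AD zone from the thread
        [string]$Server = '10.3.1.120'
    )
    $records = @(Resolve-DnsName -Name "$HostName.$Zone" -Type A -Server $Server -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' })
    [pscustomobject]@{
        Name      = "$HostName.$Zone"
        Addresses = @($records.IPAddress)
        # More than one address for a single-NIC host means another interface
        # (here the RAS dial-in adapter) is registering into the zone as well.
        Duplicate = ($records.Count -gt 1)
    }
}

Resolve-SingleLabel -Label 'printer' | Format-Table -AutoSize
Get-HostARecords -HostName 'server'  | Format-List
```

With the connection-specific suffix now present, the walk reaches printer.dailey.home.local and gets 10.3.1.123, which is what ping showed; the absolute query fails, which is what nslookup showed. The second call returns both 10.3.1.8 and 10.3.1.120 for server, and any client whose resolver happens to get the RAS-interface address first will reach the DC on an address that only exists while that PPP interface is up.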


Tuesday, August 23, 2011 12:24 AM

I only have 1 physical NIC. I also only have 1 physical machine to use to provide network services to my LAN, so if you are asking me to separate my Domain Controller and my Remote Access controller, that won't be possible under my current hardware configuration.

My single server, which has WS2008R2 installed, currently has the following roles installed:

  • Active Directory Domain Services
  • DHCP Server
  • DNS Server
  • File Services
  • Network Policy and Access Services (RRAS)

I don't quite understand what you mean by "Multihomed DC", but hopefully my description above will help you be able to evaluate whether or not that applies to me.

As far as NICs in device manager are concerned, here is the list I see:

  • Intel(R) 82566DM-2 Gigabit Network Connection (This is the physical NIC)
  • Microsoft ISATAP Adapter
  • Microsoft ISATAP Adapter #2
  • RAS Async Adapter
  • WAN Miniport (IKEv2)
  • WAN Miniport (IP)
  • WAN Miniport (IPv6)
  • WAN Miniport (L2TP)
  • WAN Miniport (Network Monitor)
  • WAN Miniport (PPPOE)
  • WAN Miniport (PPTP)
  • WAN Miniport (SSTP)

These are all under the "Network Adapters" node in Device Manager. Except for the very first one, I have no idea really what the others are. Which ones can I safely remove? Also the Intel NIC (the physical NIC) is the only one that shows up in the "Network Connections" window, I don't see any other devices to disable in this view.

Also FWIW, I only use PPTP to connect VPN clients to my knowledge, so I don't know why 1 virtual NIC has been created for so many other protocols (I'm referring to the WAN Miniport entries).

By the way, thanks so much for your help so far. You're a godsend!


Tuesday, August 23, 2011 1:10 AM

I'm trying... :-)

I think it's all because RRAS is installed on the DC, and the additional records registered into DNS that is causing issues. This is a known problem with RRAS installed. Don't know what else to tell you. My blog explains the reasons in greater detail.

The accepted, General DC Rule of Thumb -> keep a DC single homed, including no RAS (because it turns it into a multihomed machine), and don't install anything other than DNS, WINS and DHCP.

Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
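Ace's point is that RRAS turns the DC into a multihomed machine and Netlogon then registers the extra interface addresses into DNS. The following PowerShell check is an added example, not from the thread or from Ace's blog, that shows whether that is happening on your own DC: it compares the IPv4 addresses DNS returns for the DC host name and for the domain name against the addresses bound to the physical LAN NIC. It assumes it is run on the DC as an administrator, and the adapter name in `$LanAdapterName` is an assumption you edit to match the physical NIC's name in the Network Connections window.

```powershell
# Added example (not from the thread). Flags DNS A records for this DC / the domain
# that do not belong to the physical LAN NIC (e.g. an RRAS internal or VPN pool address).
# Assumes: run on the DC as an administrator; $LanAdapterName is an assumed name.

$LanAdapterName = "Local Area Connection"   # assumed: name of the physical NIC

$domain   = $env:USERDNSDOMAIN
$hostFqdn = "$env:COMPUTERNAME.$domain"

# IPv4 addresses bound locally, split into "on the LAN NIC" and "on anything else"
$lanAddresses   = @()
$otherAddresses = @()
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"
foreach ($cfg in $configs) {
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "Index=$($cfg.Index)"
    foreach ($ip in $cfg.IPAddress) {
        if ($ip -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }   # IPv4 only
        if ($nic.NetConnectionID -eq $LanAdapterName) { $lanAddresses += $ip }
        else                                          { $otherAddresses += $ip }
    }
}

# IPv4 addresses DNS currently holds for a name (domain A records are what DC locator uses)
function Get-ARecords([string]$name) {
    try {
        [System.Net.Dns]::GetHostAddresses($name) |
            Where-Object  { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch { @() }
}

$hostRecords   = @(Get-ARecords $hostFqdn)
$domainRecords = @(Get-ARecords $domain)

"LAN NIC ($LanAdapterName) addresses : $($lanAddresses -join ', ')"
"Other interface addresses           : $($otherAddresses -join ', ')"
"DNS A records for $hostFqdn         : $($hostRecords -join ', ')"
"DNS A records for $domain           : $($domainRecords -join ', ')"

# Any registered address that is not on the LAN NIC is the multihomed-DC symptom
$stray = @($hostRecords + $domainRecords | Sort-Object -Unique |
           Where-Object { $lanAddresses -notcontains $_ })
if ($stray.Count -gt 0) {
    "WARNING: DNS holds addresses that are not on the LAN NIC: $($stray -join ', ')"
    "         Clients or DC locator may pick one of these and fail to reach the DC."
} else {
    "OK: every registered address belongs to the LAN NIC."
}
```

Run it before and after changing the RRAS setup; if the WARNING line lists the RRAS internal address or an address from the VPN pool, that is the extra registration Ace describes, and it is the reason the recommended fix is to move RRAS off the DC rather than to hand-edit DNS.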


Tuesday, August 23, 2011 3:28 AM

Thanks... I hate that Windows has this limitation, it is really frustrating. I don't suppose there is some VM trick or something of the like I can do? I just can't possibly run 2 machines right now...


Tuesday, August 23, 2011 5:22 AM

It's not a Windows limitation, per se, rather how AD works. There's a lot behind AD, and it's the way the services work. You can follow the steps in my blog to circumvent it, but I don't know many people that like to do that with their DCs. If you have VMware or Hyperv, and you have a Windows 2008 R2 Enterprise copy, you're allowed up to four virtual installations, including the host, so you can install another copy and make that your RRAS server. Contact your channel partner for more specifics on the licensing rules.

As far as a DC being in a virtualized environment, there are rules behind that, too! I know you wanted to hear that right about now... Basically no snapshots, run normal backups, etc:

I don't want to overwhelm you, but here are some considerations:

Virtualizing Domain Controllers and the Windows Time Service
http://msmvps.com/blogs/acefekay/archive/2011/08/23/virtualizing-domain-controllers-and-the-windows-time-service.aspx

Ace Fekay


Tuesday, August 23, 2011 11:15 PM

I was actually thinking of only virtualizing the RRAS. I don't know if this will work but here is what I'm going to do:

I'm going to install VMware ESX on my physical server. I will then uninstall RRAS on my domain controller (physical OS installation). I will then install the RRAS on the VM, and have that be the only service running on the VM. The physically installed OS will have a DC, DNS, and DHCP only. With this configuration I should be able to set up the DHCP Relay on the RRAS to point to the IP address of the DHCP server on the physical installation.


Wednesday, August 24, 2011 1:54 AM

I guess you don't want to hear this - you don't want to make your DC a HyperV machine, either. Consider this, you will need multiple NICs to assign to virtual interfaces for HyperV guests. However, AD's netlogon service will register the additional NICs into DNS.

Now maybe, and just maybe, and I know you only have the one server, is:

  • Install another machine with Windows 2008 R2 to use as an interim DC.
  • Promote it to a DC
  • Then demote the current physical machine to a stand alone server.
  • Then install HyperV on the server. Of course, make sure it has multiple NICs, such as for the physical machine network communications, and additional ones you can configure to virtual guests.
  • Then install a virtual Windows 2008 R2 guest
  • Configure its network interface to map to one of the physical NICs
  • Promote it to a DC.
  • Take note on the time service requirements and configuration for the steps in the links in my blog
  • Then demote the physical interim DC.
  • Create from scratch another guest (do not use imaging unless you use sysprep)
  • Configure that with two NICs
  • Install and configure RRAS on it.

Sound feasible?

Ace Fekay


Thursday, August 25, 2011 12:18 PM

I wasn't referring to using HyperV, I'd be using VMware software for virtualization.


Thursday, August 25, 2011 3:25 PM

If I understood your previous postings, you want to make the physical machine a DC and use virtualization software on it, whether it's HyperV or ESX, correct? Either way, the same thing applies. You don't want a DC to be a virtualization host. My blog has info about that, and links from VMware address how to handle time service issues when you have virtualized DC guests involved.

Ace Fekay


Sunday, September 9, 2012 7:28 PM

Ace Fekay, thank you very much for the link to Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options


Sunday, September 9, 2012 7:48 PM

Ace Fekay, thank you very much for the link to Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options

You are welcome!

Ace Fekay