Question
Tuesday, October 29, 2019 7:24 PM
Hello,
Always On VPN is working pretty well. I just have a couple more items to work out before we decide if we'll use it. If someone could help resolve the issue below, I'd greatly appreciate it.
We use split tunneling.
When a vpn client connects by wireless, we have no issues with DNS.
When a vpn client connects by wired, it wants to use the nic's dns to resolve queries. It can't resolve anything.
If we change the metric on the vpn adapter to something low, it will work right. Surely this isn't the norm though and I'm missing something as we don't want to have to update this regularly for staff.
Thank you much,
Matt
All replies (6)
Tuesday, October 29, 2019 8:21 PM
I'm hoping this is the answer. I'll test more tomorrow
Wednesday, October 30, 2019 5:12 AM
Hi,
I will wait for your good news.
If you have any updates during this process, please feel free to let me know.
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, October 30, 2019 12:13 PM
Hi Candy,
Unfortunately it doesn't seem to work.
Here's my interface list. I currently don't have a connection to the nic (I219-LM) to test with, so I changed my wifi card interface to have a lower metric than the Always On VPN interface. This would be the same scenario. So here's my list.
Interface List
11...8c ec 4b e7 b9 94 ......Intel(R) Ethernet Connection (5) I219-LM
24...........................Always On VPN
16...74 e5 f9 f5 44 6c ......Microsoft Wi-Fi Direct Virtual Adapter
18...76 e5 f9 f5 44 6b ......Microsoft Wi-Fi Direct Virtual Adapter #2
7...74 e5 f9 f5 44 6b ......Intel(R) Dual Band Wireless-AC 8265
14...74 e5 f9 f5 44 6f ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
--
I added below to my vpn ps1 script and recreated my vpn connection
<DomainNameInformation>
<DomainName>.company.lan</DomainName>
<DnsServers>10.100.6.205,10.100.6.210</DnsServers>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>.company.org</DomainName>
<DnsServers>10.100.6.205,10.100.6.210</DnsServers>
</DomainNameInformation>
--
I connected to my vpn. I cannot connect to internal connections with .company.org. It's trying to use my wifi interface's dns instead of my Always On VPN interface's dns.
C:\Users\username>nslookup wiki.company.org
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: fe80::cba:2377:d84e:8b0d
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
--
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8265
Physical Address. . . . . . . . . : 74-E5-F9-F5-44-6B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5090:29cf:1789:3255%7(Preferred)
IPv4 Address. . . . . . . . . . . : 172.20.10.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Lease Obtained. . . . . . . . . . : Tuesday, October 29, 2019 4:57:26 PM
Lease Expires . . . . . . . . . . : Thursday, October 31, 2019 7:36:22 AM
Default Gateway . . . . . . . . . : 172.20.10.1
DHCP Server . . . . . . . . . . . : 172.20.10.1
DHCPv6 IAID . . . . . . . . . . . : 108324345
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-21-57-D8-8C-EC-4B-E7-B9-94
DNS Servers . . . . . . . . . . . : fe80::cba:2377:d84e:8b0d%7
172.20.10.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 74-E5-F9-F5-44-6C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 10:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
Physical Address. . . . . . . . . : 76-E5-F9-F5-44-6B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Ethernet 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : centerstone.lan
Description . . . . . . . . . . . : Dell Giga Ethernet
Physical Address. . . . . . . . . : A4-4C-C8-A3-68-A4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
PPP adapter Always On VPN:
Connection-specific DNS Suffix . : company.lan
Description . . . . . . . . . . . : Always On VPN
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.30.32.16(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.100.6.210
10.100.6.205
NetBIOS over Tcpip. . . . . . . . : Enabled
Wednesday, October 30, 2019 1:46 PM
This appears to be the issue.
https://github.com/MicrosoftDocs/windowsserverdocs/issues/1527
Basically I need to delete HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig
An empty DnsPolicyConfig key in the registry will cause the AOVPN NRPT to be ignored.
Soon as I delete it, it works as expected. The Get-DnsClientNrptPolicy pulls up the entries where before it was blank.
From reading, it will come back since I have a Network/DNS policy configured in a GPO.
I'm going to try a few things to get it removed. I'll probably just create a GPO preference item to delete it.
Thursday, October 31, 2019 1:29 AM
Hi,
Appreciate your effort and time!
Thanks for sharing in the forum as it would be helpful to anyone who encounters similar issues.
If there is anything else we can do for you, please feel free to post in the forum.
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Thursday, July 23, 2020 4:41 PM
Although this is an old/resolved issue, I would like to add for those referencing this thread that you should not use nslookup.exe to test client name resolution when using the DomainNameInformation element in your ProfileXML. Specifying DNS servers using DomainNameInformation enables the Name Resolution Policy Table (NRPT) on the client. Nslookup.exe bypasses the NRPT and will yield unexpected results. It is recommended to use the Resolve-DnsName PowerShell command when testing name resolution on Windows 10 clients.
Hope that helps!
Richard M. Hicks
Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
directaccess.richardicks.com
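The following is an added diagnostic script, not code from any poster in this thread, that ties together Matt's finding (an empty DnsPolicyConfig policy key suppressing the NRPT built from the ProfileXML DomainNameInformation elements) and Richard's point about testing with Resolve-DnsName rather than nslookup.exe. It assumes the registry path and cmdlet names quoted in the thread; the host name wiki.company.org is the thread's own example and the -Remediate switch is a hypothetical option that performs the key deletion Matt describes.

```powershell
# Added diagnostic; not from the thread's authors. Run in an elevated PowerShell
# on the Windows 10 client while the Always On VPN connection is up.
param(
    [string]$TestName = 'wiki.company.org',   # internal host from the thread (assumed example)
    [switch]$Remediate                        # delete the empty policy key, as the thread's fix does
)

# Policy key from the thread. Group Policy NRPT rules are written as subkeys under it.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'

function Get-DnsPolicyConfigState {
    # Returns 'Absent', 'Empty' or 'Populated'. An existing key with no rule
    # subkeys or values is the condition the thread found to disable the AOVPN NRPT.
    if (-not (Test-Path -Path $PolicyKey)) { return 'Absent' }
    $key = Get-Item -Path $PolicyKey
    if ($key.SubKeyCount -eq 0 -and $key.ValueCount -eq 0) { return 'Empty' }
    return 'Populated'
}

$state = Get-DnsPolicyConfigState
Write-Host "DnsPolicyConfig key: $state"
if ($state -eq 'Empty') {
    Write-Warning 'Empty DnsPolicyConfig key present; NRPT rules from ProfileXML will be ignored.'
    if ($Remediate) {
        Remove-Item -Path $PolicyKey -Force
        Write-Host 'Removed empty key. A GPO that writes it back will recreate it at the next refresh.'
    }
}

# Effective NRPT: with a working profile there is one row per <DomainNameInformation>
# element, listing its <DnsServers>. Blank output is the broken state from the thread.
$nrpt = Get-DnsClientNrptPolicy -Effective
if (-not $nrpt) { Write-Warning 'Effective NRPT is empty.' }
$nrpt | Select-Object Namespace, NameServers | Format-Table -AutoSize

# Check which NRPT namespace (if any) the test name falls under, then resolve it with
# Resolve-DnsName, which honours the NRPT; nslookup.exe bypasses it and misleads.
$suffix = $nrpt.Namespace | Where-Object { $TestName.EndsWith($_, 'OrdinalIgnoreCase') }
if ($suffix) { Write-Host "$TestName matches NRPT namespace '$suffix'" }
else { Write-Warning "$TestName matches no NRPT namespace; the adapter's DNS servers will be used." }
try {
    Resolve-DnsName -Name $TestName -Type A -ErrorAction Stop |
        Select-Object Name, Type, IPAddress | Format-Table -AutoSize
} catch {
    Write-Warning "Resolve-DnsName failed: $($_.Exception.Message)"
}
```

If the key reports Populated, the GPO is supplying its own NRPT rules and the ProfileXML entries are not the only source in play, so compare the two rule sets before changing either.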