Score:0

DNS suffix not being used with windows server hostnames over VPN

Our internal network is a Windows domain, contoso.net. Internally, if a user needs to get to a file server share, they can navigate to \\fileserver\share or \\fileserver.contoso.net\share and both resolve without issue.

We recently stood up an external VPN (Azure P2S) using IKEv2 that is configured to use our internal DNS servers, DNS suffix contoso.net and is configured for split tunneling.

PPP adapter Contoso VPN - User Tunnel:

   Connection-specific DNS Suffix  . : contoso.net
   Description . . . . . . . . . . . : Contoso VPN - User Tunnel
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.31.1.131(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.5
                                       192.168.1.6
   NetBIOS over Tcpip. . . . . . . . : Enabled

Over the VPN, users are able to use the FQDN of servers as before for browsing \\fileserver.contoso.net, but are unable to use the 'unqualified' name \\fileserver.

I've come across a number of posts and articles with a similar situation, but I'm not sure if I'm using the right 'terms' when looking for a resolution to this issue. From what I can tell, this connection should be appending the specified suffix contoso.net to unqualified hostnames automatically, but that doesn't appear to be happening.

Using nslookup, both the FQDN and the short name try to resolve using my ISP DNS, unless I specify the internal server, in which case they are both successful.

Is there a registry or GPO-based setting that I am missing in order to 'force' automatically appending the specified DNS suffix to hostnames without it?

UPDATE

I changed the metric on the VPN network adapter to '1' and now nslookup defaults to using my internal DNS servers, so both short names and FQDN names resolve with that utility. However, browsing to the short name in file explorer as if to access a file share still does not work, which is ultimately my main issue.

Score:0

I ended up identifying the problem as the UseRasCredentials value in the rasphone.pbk file.

It defaults to a value of 1 which means to use the VPN client credentials, which in this case was a SCEPman certificate and not my domain credentials.

Setting the value of this to 0 and restarting the VPN fixed name resolution right away.

Credit to Richard Hicks for helping me identify this issue.
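To check (and optionally correct) the setting described in this answer, here is an added PowerShell script that is not part of the original post. It assumes the connection was created per-user, so the phonebook is the standard %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk (an all-users connection lives under %ProgramData% instead), and the default entry name is a placeholder taken from the ipconfig output above.

```powershell
# Added example: report UseRasCredentials for one rasphone.pbk entry and,
# with -Fix, set it to 0 so domain credentials are used for network access.
# Assumption: per-user phonebook path; the entry name is a placeholder.
param(
    [string]$ConnectionName = 'Contoso VPN - User Tunnel',
    [string]$PhonebookPath  = (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    [switch]$Fix
)

if (-not (Test-Path -Path $PhonebookPath)) {
    throw "Phonebook not found: $PhonebookPath"
}

# The .pbk file is INI-like: [Entry Name] headers followed by Key=Value lines.
$lines   = @(Get-Content -Path $PhonebookPath)
$section = $null
$target  = -1
$current = $null

for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^\[(.+)\]\s*$') {
        $section = $Matches[1]
        continue
    }
    if ($section -eq $ConnectionName -and $lines[$i] -match '^UseRasCredentials=(\d)\s*$') {
        $target  = $i
        $current = $Matches[1]
        break
    }
}

if ($target -lt 0) {
    throw "No UseRasCredentials line found for entry '$ConnectionName' in $PhonebookPath"
}

Write-Host "[$ConnectionName] UseRasCredentials=$current"
if ($current -eq '1') {
    # 1 = authenticate to network resources with the VPN client credential
    # (here a certificate), not the logged-on domain user; short-name browsing fails.
    Write-Host 'VPN client credentials are used for network access; domain credentials are not.'
}

if ($Fix -and $current -ne '0') {
    # Keep a backup, then rewrite only the matching line and save the phonebook.
    Copy-Item -Path $PhonebookPath -Destination "$PhonebookPath.bak" -Force
    $lines[$target] = 'UseRasCredentials=0'
    Set-Content -Path $PhonebookPath -Value $lines
    Write-Host 'Set UseRasCredentials=0; reconnect the VPN for the change to take effect.'
}
```

Run it without -Fix first to see the current value; rasphone.pbk is rewritten only when -Fix is given and the value is not already 0.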

Score:0

If your main issue for now is to resolve the 'unqualified' name \\fileserver to its internal address, you have three options:

  1. Uncheck the Use default gateway on remote network option in the VPN connection properties.
  2. Use a definition for that server in the local LMHOSTS file on the client computer.
  3. Use a WINS server in your internal network and use it over the VPN connection.

I hope these suggestions can help you.
