DNS server order flipped beyond VPN !

Thread starter: Ghazan Haider

Ghazan Haider

We have a local network of Active Directory, with a PDC which is also
the DNS and DHCP server. Another server is a RAS and VPN server and
has DHCP Relay agent pointing to the PDC.

Now all local machines see the correct order of DNS and Name Servers
as specified in the DHCP setting, which has a single zone, the whole
local subnet. The RAS server is supposed to use the DHCP, and not
provide its own IP addresses, which works out fine. Except the DNS
server list received on clients connected through VPN is in reverse.
This causes trouble.

Specifically, we have a domain like example.lan locally, served by our
PDC/DNS server. The third and fourth DNS servers are external, from the
ISP, but those appear at the top on VPN clients. Those DNS servers reject
the example.lan domain completely, and the clients do not move on to the
other DNS servers.

Why are the DNS servers flipped beyond the VPN?

All machines are Windows 2000 Professional or Server, on a single
subnet, single Active Directory domain. I must also mention this RAS
server's IP used to be a secondary DNS server, but the server crapped
out and it's a new install, so the PDC might still see it as a secondary
DNS server asking for zone transfers. Would that do it?
 
If all else fails, you can configure the DNS addresses (and DNS suffix)
manually on the client (in the connection properties).

The process is a bit more complicated than it seems. The remote clients
do not get their IP or config from DHCP initially. The RRAS server leases a
batch of IPs from DHCP and hands them out to clients (for the duration of
the connection). The client also gets the DNS and/or WINS settings from the
RRAS server. That is the way PPP/PPTP works.

After they are connected, the clients can see the DHCP server, and can
get DNS info from your DNS server using DHCPINFORM. This should overwrite
the info from the RRAS server.

Well, there are too many laptop users and people using the network at
home. Not an option.

That makes a whole lotta sense. I would see the two good DNS servers
for about 10 seconds, then I'd see all the DNS servers with the bad
ones first, with ipconfig /all.

I also tried setting up user classes in DHCP, setting the proper DNS
servers in the RAS user class. They don't work as documented; heck, they
don't work at all. There are server options and master options, and there
are DNS servers and name servers, which is a total of 4. So I added a
third server to each setting, 192.168.0.7 for the first, .8 for the
second and so on, just to see which one gets applied. None of the RAS
user class settings get applied, even after a restart of this DHCP server
and the RAS server.

I also added such IPs to the local RAS machine's DNS; that doesn't get
applied either.

I changed the DHCP relay agent from the Internal Interface to the
Ethernet Interface, and the DNS DHCP info doesn't even come through, so
I get the two good DNS servers from god knows where, and the proper IP
address, so it is fixed now.

I just wish things made sense, and worked as expected.
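The symptom in this thread was spotted by eyeballing `ipconfig /all` on a VPN client and noticing the ISP resolvers listed above the internal ones. The following script is an added example, not code from the thread or its posters: it parses `ipconfig /all` text per adapter and flags any adapter whose resolver list puts external servers ahead of the first internal one. The sample output and the address ranges (192.168.0.0/24 as the internal network, 203.0.113.x as ISP resolvers) are constructed for the example and are not the poster's real addresses; the adapter names are likewise invented.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from the poster's
# network). The PPP adapter shows the flipped order described in the thread:
# the two external resolvers come first, the two internal ones last.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

PPP adapter Office VPN:

        Connection-specific DNS Suffix  . : example.lan
        IP Address. . . . . . . . . . . . : 192.168.0.201
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.0.201
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
                                            192.168.0.1
                                            192.168.0.2

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.1.1.25
        DNS Servers . . . . . . . . . . . : 192.168.0.1
                                            192.168.0.2
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_dns_servers(text):
    """Return {adapter name: [DNS servers in the order ipconfig lists them]}."""
    adapters = {}
    current = None
    in_dns = False  # True while reading continuation lines of a "DNS Servers" entry
    for line in text.splitlines():
        header = re.match(r"^(\S.*):\s*$", line)  # e.g. "PPP adapter Office VPN:"
        if header:
            current = header.group(1)
            adapters[current] = []
            in_dns = False
            continue
        dns = re.match(r"^\s*DNS Servers[ .]*:\s*(\S*)\s*$", line)
        if dns and current is not None:
            in_dns = True
            if dns.group(1):
                adapters[current].append(dns.group(1))
            continue
        if in_dns:
            value = line.strip()
            if value and IPV4.fullmatch(value):
                adapters[current].append(value)  # additional servers, one per line
                continue
            in_dns = False  # any other line ends the DNS Servers entry
    return adapters


def resolver_order_problems(adapters, internal_nets):
    """For each adapter, list the external resolvers that precede the first
    internal one. Resolvers are tried in list order, so an external server at
    the top is the one that answers (and rejects) queries for the internal
    zone, which is the failure the thread describes."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    problems = {}
    for name, servers in adapters.items():
        first_internal = next(
            (i for i, s in enumerate(servers)
             if any(ipaddress.ip_address(s) in n for n in nets)),
            None,
        )
        if first_internal is None:
            continue  # no internal resolver at all: a different problem, not a flip
        if first_internal > 0:
            problems[name] = servers[:first_internal]
    return problems


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    for adapter, servers in found.items():
        print(f"{adapter}: {servers}")
    for adapter, leading in resolver_order_problems(found, ["192.168.0.0/24"]).items():
        print(f"WARNING {adapter}: external resolvers listed first: {leading}")
```

Run it against real output by piping `ipconfig /all` into a file and passing its contents to `parse_dns_servers`; the check only needs the internal network ranges, so it also works for the ten-second window the poster mentions, where the list changes after the connection comes up.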