VPN DNS/WINS settings

John Faris

Hi all.

Can someone please enlighten me on the following. I am using VPN to connect
client PCs at one site to a server at another remote site. The server they
are connecting to through VPN has DNS and WINS running on it. But so does
the Server on the local LAN that the PCs are on to start with. Which
DNS/WINS addresses should I enter in the VPN connections properties? Both
local and remote settings seem to work, but I want to know the correct
approach. What I have started to see is two entries in DNS for one machine,
its original IP on the local LAN and the one it is assigned through VPN. I
am assuming this is not a good thing. What should I be doing?

TIA.

John.
 
John Faris said:
Hi all.

Can someone please enlighten me on the following. I am using VPN to connect
client PCs at one site to a server at another remote site. The server they
are connecting to through VPN has DNS and WINS running on it. But so does
the Server on the local LAN that the PCs are on to start with. Which
DNS/WINS addresses should I enter in the VPN connections properties?

General case for VPN (or RAS) is that you use the WINS/DNS/Router of the
VPN Server (or ras etc.). You are remoting your client to that network so the
settings must make sense at that (server's) remote location.

Both local and remote settings seem to work, but I want to know the correct
approach.

As long as they have the same information it won't really matter but you
cannot count on that in the GENERAL case.

Configure the local name resolvers locally, and the remote resolvers on the
VPN/RAS connection.

What I have started to see is two entries in DNS for one machine,
its original IP on the local LAN and the one it is assigned through VPN. I
am assuming this is not a good thing. What should I be doing?

The ones from the RAS or VPN are DESIGNED to temporarily override the
local settings for the duration of the connection.
 
Whether your remote clients register their "received" IP addresses with
the DNS server on the VPN server LAN depends on how your DNS is configured.
By default, DNS will allow registrations on any interface if dynamic DNS is
enabled. You can change this so that the server only listens on the LAN
interface. You can also set the switch in the client's connection properties
to allow or disallow registration.

If you want your remotes to register in DNS but want to avoid confusion,
set up a separate zone for them and put the suffix for this zone (say
remotes.mydomain.org) in the client's connection properties. Then all
remotes currently connected will be listed in DNS in this zone (with their
VPN IP address).

The only thing that causes real problems is the server's "received" IP
address appearing in DNS. This gives you problems similar to the old
multihomed DC problem in NT.
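The two client-side switches described above (register or not, and which suffix to register under) can be inspected and set from PowerShell. This is an added example, not code from the thread; it assumes the DnsClient module (Windows 8 / Server 2012 or later), a VPN connection whose interface alias is 'VPN to Head Office' (a constructed name), and the remotes.mydomain.org zone name from the post.

```powershell
# Added example: inspect and set DNS registration on a client's VPN connection.
# Assumptions: DnsClient module available; interface alias 'VPN to Head Office'
# is a constructed name, change it to match the connection name on the client.

$vpnAlias = 'VPN to Head Office'

function Get-VpnDnsRegistration {
    # Shows the settings behind the "Register this connection's addresses in DNS"
    # and "Use this connection's DNS suffix in DNS registration" checkboxes
    Get-DnsClient -InterfaceAlias $vpnAlias |
        Select-Object InterfaceAlias, ConnectionSpecificSuffix,
                      RegisterThisConnectionsAddress, UseSuffixWhenRegistering
}

# Option 1: do not register the VPN-assigned address at all, so the host keeps
# a single A record (its LAN address) in the main zone
function Disable-VpnDnsRegistration {
    Set-DnsClient -InterfaceAlias $vpnAlias -RegisterThisConnectionsAddress $false
    Get-VpnDnsRegistration
}

# Option 2: register, but only into a separate zone for remote clients, so the
# VPN address never collides with the LAN record for the same host name
function Enable-VpnDnsRegistrationInZone {
    param([string]$Suffix = 'remotes.mydomain.org')   # zone name from the post
    Set-DnsClient -InterfaceAlias $vpnAlias `
        -ConnectionSpecificSuffix $Suffix `
        -RegisterThisConnectionsAddress $true `
        -UseSuffixWhenRegistering $true
    # Re-register now rather than waiting for the next refresh
    Register-DnsClient
    Get-VpnDnsRegistration
}

# Usage (pick one):
#   Disable-VpnDnsRegistration
#   Enable-VpnDnsRegistrationInZone -Suffix 'remotes.mydomain.org'
```

Option 2 only works if the DNS server on the VPN side hosts that zone and accepts dynamic updates for it; otherwise the client logs the same kind of update failure discussed later in the thread.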
 
Bill Grant said:
Whether your remote clients register their "received" IP addresses with
the DNS server on the VPN server LAN depends on how your DNS is configured.
By default, DNS will allow registrations on any interface if dynamic DNS is
enabled. You can change this so that the server only listens on the LAN
interface. You can also set the switch in the client's connection properties
to allow or disallow registration.

Presumably having them registered is better than not?

If you want your remotes to register in DNS but want to avoid confusion,
set up a separate zone for them and put the suffix for this zone (say
remotes.mydomain.org) in the client's connection properties. Then all
remotes currently connected will be listed in DNS in this zone (with their
VPN IP address).

This sounds like a good plan.

The only thing that causes real problems is the server's "received" IP
address appearing in DNS. This gives you problems similar to the old
multihomed DC problem in NT.

Can you explain what the problem was? I have had a few networking issues
since I started doing VPN. Every now and again I'm getting a client PC
report the following in the system log:-
-------------------------------------------
Event Type: Warning
Event Source: DnsApi
Event Category: None
Event ID: 11180
Date: 15/01/2004
Time: 09:16:40
User: N/A
Computer: HURRICANE
Description:
The system failed to update and remove registration for the network adapter
with settings:

Adapter Name : {80154D98-B1C3-4837-AF38-033081B64EA6}
Host Name : hurricane
Adapter-specific Domain Suffix : tsigroup.co.uk
DNS server list :
192.168.0.5
Sent update to server : None
IP Address(es) :
192.168.0.4

The reason for this failure is because the DNS server it sent the update
request to timed out. The most likely cause of this failure is that the DNS
server authoritative for the zone where the registration was originally made
is either not running or unreachable through the network at this time.
-----------------------------------
After this the only way to get the PC to talk to the network again is to
click disable on the network card in device manager and then click enable.
This seems to cure the problem. It is only slowly driving me mad. I can
see that the VPN server does indeed have two entries in DNS. What can I do
to resolve this?

Thanks.
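The symptom described in this post (the VPN server having two A records, one of them the address it was handed on the VPN interface) is easy to check for from any client. The following is an added example, not code from the thread: it queries a DNS server for a host name and flags any answer that falls inside the VPN address pool. The DNS server address 192.168.0.5 comes from the event text above; the host name and the pool 10.99.0.0/24 are constructed placeholders.

```powershell
# Added example: detect a host name with more than one A record and highlight
# addresses inside the VPN pool. Assumes Resolve-DnsName (DnsClient module).

function Test-InSubnet {
    # Returns $true when $IP lies inside the IPv4 CIDR block $Cidr
    param([string]$IP, [string]$Cidr)
    $network, $bits = $Cidr -split '/'
    $toInt = {
        param($addr)
        $b = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
        [Array]::Reverse($b)   # network byte order -> little endian for ToUInt32
        [BitConverter]::ToUInt32($b, 0)
    }
    # Build the netmask from the prefix length (0xFFFFFFFF is Int64 in PowerShell,
    # so mask the shifted value back down to 32 bits)
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    ((& $toInt $IP) -band $mask) -eq ((& $toInt $network) -band $mask)
}

function Find-DuplicateHostRecords {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$DnsServer,
        [Parameter(Mandatory)][string]$VpnPool   # e.g. '10.99.0.0/24' (constructed)
    )
    # -DnsOnly skips the local cache and hosts file so we see what the server holds
    $records = Resolve-DnsName -Name $HostName -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }

    $result = foreach ($r in $records) {
        [pscustomobject]@{
            HostName  = $HostName
            IPAddress = $r.IPAddress
            InVpnPool = Test-InSubnet -IP $r.IPAddress -Cidr $VpnPool
        }
    }

    if (@($result).Count -gt 1) {
        Write-Warning ("{0} has {1} A records on {2}; a VPN-pool address on a DC/RRAS box " +
                       "is the multihomed-name problem described in this thread") -f `
                       $HostName, @($result).Count, $DnsServer
    }
    $result
}

# Usage (host name and pool are placeholders):
#   Find-DuplicateHostRecords -HostName 'vpnserver.tsigroup.co.uk' `
#       -DnsServer '192.168.0.5' -VpnPool '10.99.0.0/24'
```

Run it against the name clients use for the VPN/DNS server; if the output lists a second record with InVpnPool set to True, that is the stray "received" address the previous reply warns about, and the listener and registration changes discussed below are the fix.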
 
Is this RRAS/DNS server also a DC? If it is, you may also get problems
with things like netlogon after a RAS client connects.

Regarding WINS (and Netbt in general), any machine which is a browse
master or potential browse master should not be multihomed. (This includes
RRAS servers which become effectively multihomed as soon as a client
connects). So you need to disable Netbios over TCP/IP on all but one
interface. For the RRAS internal interface this requires a registry change.

To prevent Netbt on the RRAS interface.

Open Registry Editor.
Navigate to HKLM\System\CurrentControlSet\Services\RemoteAccess\Parameters\Ip

Create a new REG_DWORD called DisableNetbiosOverTcpip
Set its value to 1

After you restart RRAS, check that there are no "old" records still in
WINS for this interface.

If DNS is configured to listen on all interfaces, you can get a similar
sort of problem with multiple IPs registering for the server name. As
mentioned above, this is a particular problem if the machine is also a DC.
See KB 289735.

In general, the VPN client will receive the DNS address that is
configured on the RRAS server when it connects, and use that DNS address for
all traffic going over the connection. (You can turn off this option and set
it yourself manually). It is a good idea to carefully check the domain
suffix(es) configured in the connection properties of the client. Make sure
that all DNS zones you want to see across the link are included here.

Although W2k has been out for four years now, most of us still have a
lot to learn about dynamic DNS. (Or DNS in general !)
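The registry change and the follow-up checks in this reply (no NetBT on the RRAS interface, DNS not listening on all interfaces) can be scripted. This is an added example, not code from the thread or from Microsoft: it assumes an elevated PowerShell session on the RRAS/DNS server, the DnsServer module (Windows Server 2012 or later) for the listener check, and uses 192.168.0.5 from the event text earlier in the thread as the LAN address the DNS server should keep listening on.

```powershell
# Added example: apply DisableNetbiosOverTcpip under the RRAS IP parameters key,
# restart RRAS, then report NetBT state per adapter and the DNS listen addresses.
# Assumptions: run elevated on the RRAS/DNS server; DnsServer module present.

$rrasIpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ip'

function Disable-RrasNetbt {
    if (-not (Test-Path $rrasIpKey)) {
        throw "RRAS IP parameters key not found; is Routing and Remote Access installed?"
    }
    # Set-ItemProperty -Type creates the REG_DWORD if missing and updates it if present
    Set-ItemProperty -Path $rrasIpKey -Name 'DisableNetbiosOverTcpip' -Value 1 -Type DWord
    # The setting is read when RRAS starts
    Restart-Service -Name RemoteAccess -Force
    (Get-ItemProperty -Path $rrasIpKey -Name 'DisableNetbiosOverTcpip').DisableNetbiosOverTcpip
}

function Get-NetbtState {
    # TcpipNetbiosOptions: 0 = use DHCP/default, 1 = enabled, 2 = disabled.
    # Only one interface on a browse master / DC should end up Enabled.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress,
            @{ n = 'NetBT'; e = {
                switch ($_.TcpipNetbiosOptions) {
                    1       { 'Enabled' }
                    2       { 'Disabled' }
                    default { 'Default' }
                }
            } }
}

function Get-DnsListenAddresses {
    # An empty list means the DNS server listens on all interfaces, which is what
    # lets the RRAS-assigned address register for the server's own name (KB 289735)
    (Get-DnsServerSetting -All).ListeningIPAddress
}

# Usage:
#   Disable-RrasNetbt        # expect 1 back, then check WINS for stale records
#   Get-NetbtState
#   Get-DnsListenAddresses
# To pin the DNS server to the LAN address only (classic tool, address assumed):
#   dnscmd . /ResetListenAddresses 192.168.0.5
```

After restricting the listen address, delete any leftover A record for the server that carries a VPN-pool address, since the DNS server will not remove it on its own.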
 
Is this RRAS/DNS server also a DC? If it is, you may also get problems
with things like netlogon after a RAS client connects.

Yes, unfortunately it is. I know there are many reasons not to do this, but
no choice in this case.

Regarding WINS (and Netbt in general), any machine which is a browse
master or potential browse master should not be multihomed. (This includes
RRAS servers which become effectively multihomed as soon as a
client..............
................................. it yourself manually). It is a good idea to
carefully check the domain
suffix(es) configured in the connection properties of the client. Make sure
that all DNS zones you want to see across the link are included here.

Thanks for all this info!

Although W2k has been out for four years now, most of us still have a
lot to learn about dynamic DNS. (Or DNS in general !)

I totally agree. Are there any good books or websites to reference on this
as I'd like to understand it all better?

Thanks.

John.
 