VPN Clients Not Registering DHCP IP with DNS

Sponsored Links

Hi,

I think we have some problems with our DHCP/DNS setup. We are using ISA 2004
for VPN & Firewall access, when our users connect via the VPN, their laptops
(WinXP sp2) aren't registering with DNS, although when they are in the
office on the LAN they do. ISA is configured to use our internal DHCP server
to issue out IPs, rather than issuing them from it's own static pool, and in
the advanced setup it's configured for DNS & wins to be issued via DHCP
also.

If you look at DHCP address leases it has 10 IPs leased to the ISA server
(unique ID - RAS), so ISA seems to be using the DHCP server correctly.
However if you look at the forward and reverse lookup zones in DNS none of
the IP details are registered.

Both DNS & DHCP are installed on the same server, windows 2003 sp1,
configured as a DC, DNS is AD integrated. ISA server is win2003 sp1,
standalone, using RADIUS to authenticate users with the DC.

DNS tab in the DHCP scope has:
Enable DNS dynamic updates - checked.
Always dynamically update DNS A & PTR records - selected.
Discard A & PTR records when lease is deleted - checked.
Dynamically update DNS A & PRT records for DHCP clients that do not request
updates.

DHCP lease is 5 days, DNS scavenging is 5 days, dynamic updates are secure
only.

I can't think of anything that might be wrong! Am I missing something? I
think it's starting to affect some of our applications, such as VoIP, as
name resolution isn't working.

Ben

Could the VPN client still use the local computer DNS? posting the results of nslookup and ping -a IP (here the IP is remote DNS IP).

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:OpeBrh0TGHA.2244@TK2MSFTNGP14.phx.gbl...
Hi,

I think we have some problems with our DHCP/DNS setup. We are using ISA 2004
for VPN & Firewall access, when our users connect via the VPN, their laptops
(WinXP sp2) aren't registering with DNS, although when they are in the
office on the LAN they do. ISA is configured to use our internal DHCP server
to issue out IPs, rather than issuing them from it's own static pool, and in
the advanced setup it's configured for DNS & wins to be issued via DHCP
also.

If you look at DHCP address leases it has 10 IPs leased to the ISA server
(unique ID - RAS), so ISA seems to be using the DHCP server correctly.
However if you look at the forward and reverse lookup zones in DNS none of
the IP details are registered.

Both DNS & DHCP are installed on the same server, windows 2003 sp1,
configured as a DC, DNS is AD integrated. ISA server is win2003 sp1,
standalone, using RADIUS to authenticate users with the DC.

DNS tab in the DHCP scope has:
Enable DNS dynamic updates - checked.
Always dynamically update DNS A & PTR records - selected.
Discard A & PTR records when lease is deleted - checked.
Dynamically update DNS A & PRT records for DHCP clients that do not request
updates.

DHCP lease is 5 days, DNS scavenging is 5 days, dynamic updates are secure
only.

I can't think of anything that might be wrong! Am I missing something? I
think it's starting to affect some of our applications, such as VoIP, as
name resolution isn't working.

Ben

Hi Robert,

I've just found out something interesting, I created a new VPN connection, just using the standard windows wizard, and not CMAK, took all the defaults, then set VPN to L2TP & smart cards, and changed the DNS tab in TCP/IP properties to append parent suffixes of the primary DNS suffix, added ourdomain.com as the DNS suffix, then checked both register this connection's address in DNS & Use this connection's DNS suffix.
When I made the VPN connection, and checked DNS, I found it was registering & updating perfectly.
So it must be something in the CMAK profile, but what I don't know!?

Ben
"Robert L [MS-MVP]" <noreply@hotmail.com> wrote in message news:%23E$KDU3TGHA.1868@TK2MSFTNGP09.phx.gbl...
Could the VPN client still use the local computer DNS? posting the results of nslookup and ping -a IP (here the IP is remote DNS IP).

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:OpeBrh0TGHA.2244@TK2MSFTNGP14.phx.gbl...
Hi,

I think we have some problems with our DHCP/DNS setup. We are using ISA 2004
for VPN & Firewall access, when our users connect via the VPN, their laptops
(WinXP sp2) aren't registering with DNS, although when they are in the
office on the LAN they do. ISA is configured to use our internal DHCP server
to issue out IPs, rather than issuing them from it's own static pool, and in
the advanced setup it's configured for DNS & wins to be issued via DHCP
also.

If you look at DHCP address leases it has 10 IPs leased to the ISA server
(unique ID - RAS), so ISA seems to be using the DHCP server correctly.
However if you look at the forward and reverse lookup zones in DNS none of
the IP details are registered.

Both DNS & DHCP are installed on the same server, windows 2003 sp1,
configured as a DC, DNS is AD integrated. ISA server is win2003 sp1,
standalone, using RADIUS to authenticate users with the DC.

DNS tab in the DHCP scope has:
Enable DNS dynamic updates - checked.
Always dynamically update DNS A & PTR records - selected.
Discard A & PTR records when lease is deleted - checked.
Dynamically update DNS A & PRT records for DHCP clients that do not request
updates.

DHCP lease is 5 days, DNS scavenging is 5 days, dynamic updates are secure
only.

I can't think of anything that might be wrong! Am I missing something? I
think it's starting to affect some of our applications, such as VoIP, as
name resolution isn't working.

Ben

Hi Ben,

Thank you for the update. We need that.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:%23N3nsu4TGHA.4436@TK2MSFTNGP10.phx.gbl...
Hi Robert,

I've just found out something interesting, I created a new VPN connection, just using the standard windows wizard, and not CMAK, took all the defaults, then set VPN to L2TP & smart cards, and changed the DNS tab in TCP/IP properties to append parent suffixes of the primary DNS suffix, added ourdomain.com as the DNS suffix, then checked both register this connection's address in DNS & Use this connection's DNS suffix.
When I made the VPN connection, and checked DNS, I found it was registering & updating perfectly.
So it must be something in the CMAK profile, but what I don't know!?

Ben
"Robert L [MS-MVP]" <noreply@hotmail.com> wrote in message news:%23E$KDU3TGHA.1868@TK2MSFTNGP09.phx.gbl...
Could the VPN client still use the local computer DNS? posting the results of nslookup and ping -a IP (here the IP is remote DNS IP).

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:OpeBrh0TGHA.2244@TK2MSFTNGP14.phx.gbl...
Hi,

I think we have some problems with our DHCP/DNS setup. We are using ISA 2004
for VPN & Firewall access, when our users connect via the VPN, their laptops
(WinXP sp2) aren't registering with DNS, although when they are in the
office on the LAN they do. ISA is configured to use our internal DHCP server
to issue out IPs, rather than issuing them from it's own static pool, and in
the advanced setup it's configured for DNS & wins to be issued via DHCP
also.

If you look at DHCP address leases it has 10 IPs leased to the ISA server
(unique ID - RAS), so ISA seems to be using the DHCP server correctly.
However if you look at the forward and reverse lookup zones in DNS none of
the IP details are registered.

Both DNS & DHCP are installed on the same server, windows 2003 sp1,
configured as a DC, DNS is AD integrated. ISA server is win2003 sp1,
standalone, using RADIUS to authenticate users with the DC.

DNS tab in the DHCP scope has:
Enable DNS dynamic updates - checked.
Always dynamically update DNS A & PTR records - selected.
Discard A & PTR records when lease is deleted - checked.
Dynamically update DNS A & PRT records for DHCP clients that do not request
updates.

DHCP lease is 5 days, DNS scavenging is 5 days, dynamic updates are secure
only.

I can't think of anything that might be wrong! Am I missing something? I
think it's starting to affect some of our applications, such as VoIP, as
name resolution isn't working.

Ben

Hi Bob,

I was thinking today, even if CMAK is causing the problem, it still gets it's IP from the DHCP server, and DHCP is set to register all connections with DNS, whether the client requests it or not. So shouldn't DHCP still be registering the VPN client connection in DNS, even if CMAK isn't registering the connection?

Ben
"Robert L [MS-MVP]" <noreply@hotmail.com> wrote in message news:%23bs5Qp5TGHA.4740@TK2MSFTNGP14.phx.gbl...
Hi Ben,

Thank you for the update. We need that.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:%23N3nsu4TGHA.4436@TK2MSFTNGP10.phx.gbl...
Hi Robert,

I've just found out something interesting, I created a new VPN connection, just using the standard windows wizard, and not CMAK, took all the defaults, then set VPN to L2TP & smart cards, and changed the DNS tab in TCP/IP properties to append parent suffixes of the primary DNS suffix, added ourdomain.com as the DNS suffix, then checked both register this connection's address in DNS & Use this connection's DNS suffix.
When I made the VPN connection, and checked DNS, I found it was registering & updating perfectly.
So it must be something in the CMAK profile, but what I don't know!?

Ben
"Robert L [MS-MVP]" <noreply@hotmail.com> wrote in message news:%23E$KDU3TGHA.1868@TK2MSFTNGP09.phx.gbl...
Could the VPN client still use the local computer DNS? posting the results of nslookup and ping -a IP (here the IP is remote DNS IP).

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:OpeBrh0TGHA.2244@TK2MSFTNGP14.phx.gbl...
Hi,

I think we have some problems with our DHCP/DNS setup. We are using ISA 2004
for VPN & Firewall access, when our users connect via the VPN, their laptops
(WinXP sp2) aren't registering with DNS, although when they are in the
office on the LAN they do. ISA is configured to use our internal DHCP server
to issue out IPs, rather than issuing them from it's own static pool, and in
the advanced setup it's configured for DNS & wins to be issued via DHCP
also.

If you look at DHCP address leases it has 10 IPs leased to the ISA server
(unique ID - RAS), so ISA seems to be using the DHCP server correctly.
However if you look at the forward and reverse lookup zones in DNS none of
the IP details are registered.

Both DNS & DHCP are installed on the same server, windows 2003 sp1,
configured as a DC, DNS is AD integrated. ISA server is win2003 sp1,
standalone, using RADIUS to authenticate users with the DC.

DNS tab in the DHCP scope has:
Enable DNS dynamic updates - checked.
Always dynamically update DNS A & PTR records - selected.
Discard A & PTR records when lease is deleted - checked.
Dynamically update DNS A & PRT records for DHCP clients that do not request
updates.

DHCP lease is 5 days, DNS scavenging is 5 days, dynamic updates are secure
only.

I can't think of anything that might be wrong! Am I missing something? I
think it's starting to affect some of our applications, such as VoIP, as
name resolution isn't working.

Ben

It should. It's the result of nslookup?

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:er6DmxEUGHA.4600@TK2MSFTNGP11.phx.gbl...
Hi Bob,

I was thinking today, even if CMAK is causing the problem, it still gets it's IP from the DHCP server, and DHCP is set to register all connections with DNS, whether the client requests it or not. So shouldn't DHCP still be registering the VPN client connection in DNS, even if CMAK isn't registering the connection?

Ben
"Robert L [MS-MVP]" <noreply@hotmail.com> wrote in message news:%23bs5Qp5TGHA.4740@TK2MSFTNGP14.phx.gbl...
Hi Ben,

Thank you for the update. We need that.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:%23N3nsu4TGHA.4436@TK2MSFTNGP10.phx.gbl...
Hi Robert,

I've just found out something interesting, I created a new VPN connection, just using the standard windows wizard, and not CMAK, took all the defaults, then set VPN to L2TP & smart cards, and changed the DNS tab in TCP/IP properties to append parent suffixes of the primary DNS suffix, added ourdomain.com as the DNS suffix, then checked both register this connection's address in DNS & Use this connection's DNS suffix.
When I made the VPN connection, and checked DNS, I found it was registering & updating perfectly.
So it must be something in the CMAK profile, but what I don't know!?

Ben
"Robert L [MS-MVP]" <noreply@hotmail.com> wrote in message news:%23E$KDU3TGHA.1868@TK2MSFTNGP09.phx.gbl...
Could the VPN client still use the local computer DNS? posting the results of nslookup and ping -a IP (here the IP is remote DNS IP).

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:OpeBrh0TGHA.2244@TK2MSFTNGP14.phx.gbl...
Hi,

I think we have some problems with our DHCP/DNS setup. We are using ISA 2004
for VPN & Firewall access, when our users connect via the VPN, their laptops
(WinXP sp2) aren't registering with DNS, although when they are in the
office on the LAN they do. ISA is configured to use our internal DHCP server
to issue out IPs, rather than issuing them from it's own static pool, and in
the advanced setup it's configured for DNS & wins to be issued via DHCP
also.

If you look at DHCP address leases it has 10 IPs leased to the ISA server
(unique ID - RAS), so ISA seems to be using the DHCP server correctly.
However if you look at the forward and reverse lookup zones in DNS none of
the IP details are registered.

Both DNS & DHCP are installed on the same server, windows 2003 sp1,
configured as a DC, DNS is AD integrated. ISA server is win2003 sp1,
standalone, using RADIUS to authenticate users with the DC.

DNS tab in the DHCP scope has:
Enable DNS dynamic updates - checked.
Always dynamically update DNS A & PTR records - selected.
Discard A & PTR records when lease is deleted - checked.
Dynamically update DNS A & PRT records for DHCP clients that do not request
updates.

DHCP lease is 5 days, DNS scavenging is 5 days, dynamic updates are secure
only.

I can't think of anything that might be wrong! Am I missing something? I
think it's starting to affect some of our applications, such as VoIP, as
name resolution isn't working.

Ben

Just basic nslookp, from the client, results in my ISPs DNS server, but then I'd expect that as we're not using the VPN as the default gateway.
"Robert L [MS-MVP]" <noreply@hotmail.com> wrote in message news:OX8s%23TFUGHA.5468@TK2MSFTNGP14.phx.gbl...
It should. It's the result of nslookup?

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:er6DmxEUGHA.4600@TK2MSFTNGP11.phx.gbl...
Hi Bob,

I was thinking today, even if CMAK is causing the problem, it still gets it's IP from the DHCP server, and DHCP is set to register all connections with DNS, whether the client requests it or not. So shouldn't DHCP still be registering the VPN client connection in DNS, even if CMAK isn't registering the connection?

Ben
"Robert L [MS-MVP]" <noreply@hotmail.com> wrote in message news:%23bs5Qp5TGHA.4740@TK2MSFTNGP14.phx.gbl...
Hi Ben,

Thank you for the update. We need that.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:%23N3nsu4TGHA.4436@TK2MSFTNGP10.phx.gbl...
Hi Robert,

I've just found out something interesting, I created a new VPN connection, just using the standard windows wizard, and not CMAK, took all the defaults, then set VPN to L2TP & smart cards, and changed the DNS tab in TCP/IP properties to append parent suffixes of the primary DNS suffix, added ourdomain.com as the DNS suffix, then checked both register this connection's address in DNS & Use this connection's DNS suffix.
When I made the VPN connection, and checked DNS, I found it was registering & updating perfectly.
So it must be something in the CMAK profile, but what I don't know!?

Ben
"Robert L [MS-MVP]" <noreply@hotmail.com> wrote in message news:%23E$KDU3TGHA.1868@TK2MSFTNGP09.phx.gbl...
Could the VPN client still use the local computer DNS? posting the results of nslookup and ping -a IP (here the IP is remote DNS IP).

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Ben" <bjblackmore@mailhot.com> wrote in message news:OpeBrh0TGHA.2244@TK2MSFTNGP14.phx.gbl...
Hi,

I think we have some problems with our DHCP/DNS setup. We are using ISA 2004
for VPN & Firewall access, when our users connect via the VPN, their laptops
(WinXP sp2) aren't registering with DNS, although when they are in the
office on the LAN they do. ISA is configured to use our internal DHCP server
to issue out IPs, rather than issuing them from it's own static pool, and in
the advanced setup it's configured for DNS & wins to be issued via DHCP
also.

If you look at DHCP address leases it has 10 IPs leased to the ISA server
(unique ID - RAS), so ISA seems to be using the DHCP server correctly.
However if you look at the forward and reverse lookup zones in DNS none of
the IP details are registered.

Both DNS & DHCP are installed on the same server, windows 2003 sp1,
configured as a DC, DNS is AD integrated. ISA server is win2003 sp1,
standalone, using RADIUS to authenticate users with the DC.

DNS tab in the DHCP scope has:
Enable DNS dynamic updates - checked.
Always dynamically update DNS A & PTR records - selected.
Discard A & PTR records when lease is deleted - checked.
Dynamically update DNS A & PRT records for DHCP clients that do not request
updates.

DHCP lease is 5 days, DNS scavenging is 5 days, dynamic updates are secure
only.

I can't think of anything that might be wrong! Am I missing something? I
think it's starting to affect some of our applications, such as VoIP, as
name resolution isn't working.

Ben

No, it won't. A remote client does not get its IP from the DHCP server.
As you pointed out yourself, RRAS leases the IP addresses from DHCP. The
client gets its IP from the RRAS/ISA server as part of the PPP setup
negotiation.

I would use the method you described. That is, make sure that the client
has the correct DNS suffix set in the connection properties and have it
register the connection itself. That way, the entry is dynamic. It is set up
when the client connects and released when the client disconnects. Remote
clients need to be independent of the DHCP lease time.

"Bill Grant" <not.available@online> wrote in message
news:u8cfgGGUGHA.776@TK2MSFTNGP09.phx.gbl...
> No, it won't. A remote client does not get its IP from the DHCP server.
> As you pointed out yourself, RRAS leases the IP addresses from DHCP. The
> client gets its IP from the RRAS/ISA server as part of the PPP setup
> negotiation.
>
> I would use the method you described. That is, make sure that the
> client has the correct DNS suffix set in the connection properties and
> have it register the connection itself. That way, the entry is dynamic. It
> is set up when the client connects and released when the client
> disconnects. Remote clients need to be independent of the DHCP lease time.

Hi Bill,

Thanks for the explanation, I understand a bit more about what's going on. I
didn't realise the client didn't get he IP directly from the DHCP server,
but via RRAS.
As you said, I can have the connection register itself, this works if I
setup a manual VPN connection, and set the option under TCP/IP to 'Register
this connections address with DNS', however I'm using a CMAK profile, and it
doesn't look like this option is available to CMAK, only DNS options are
DNSSuffix & DNS_Address. I'm just about to look at Boudewijn's script (post
below) and see if that can register it.

Ben

[dave_harris]

Hi guys,

This ones really got me stumped.

Long story short we have an intranet site which users access either by a VPN connection the server (VPN client created using CMAK) or by access to the server from static ips. Both methods use the same DNS.

If connecting by the static rounte then the public DNS will assign you the public IP of the server, when using the VPN software i have my own DNS server (publicly accessible, only contains my few dns entries) which is set to return the internal IP of the server.

Ive included the script in the CMAK to sort out the bindings that was mentioned earlier in this thred. That helped a little but im still having issues.

(for testing purposed ive created a dns zone on my server: testaddress.onmydns.servercom= 9.8.7.6)

Anyway, i thought all was working well untill i dicovererd the following:

without my vpn connection active:

---

C:\Documents and Settings\Dave Harris>ping testaddress.onmydns.servercom
Ping request could not find host testaddress.onmydns.servercom. Please check the
name and try again.

---

Which i expect as there is no public dns for that (I assume its using the DNS servers provided by my ISP), i also try an nslookup:

---

C:\Documents and Settings\Dave Harris>nslookup
Default Server: ns1.iburst.com.au
Address: 202.128.112.10

> testaddress.onmydns.servercom
Server: ns1.iburst.com.au
Address: 202.128.112.10

*** ns1.iburst.com.au can't find testaddress.onmydns.servercom: Non-existent dom
ain
>

---

That is the DNS server provided my my ISP. So then i conenct to my VPN and try nslookup: (for security reasons ive masked my DNS server IP)

---


C:\Documents and Settings\Dave Harris>nslookup
Default Server: *******.*****-*****.****
Address: ***.***.***.***

> testaddress.onmydns.servercom
Server: *******.*****-*****.****
Address: ***.***.***.***

Name: testaddress.onmydns.servercom
Address: 9.8.7.6

>

---

And again as i expect it works. But, this is the confusing bit, with the connection active, nothing has changed I try the following:

---


C:\Documents and Settings\Dave Harris>ping testaddress.onmydns.servercom
Ping request could not find host testaddress.onmydns.servercom. Please check the
name and try again.

---

Why? Its like nslookup is using one DNS server and ping is using another?

What am i missing please?

Many thanks,

DAVE.