1 28th July 18:59
ben
VPN Clients Not Registering DHCP IP with DNS


Hi,

I think we have some problems with our DHCP/DNS setup. We are using ISA 2004
for VPN & firewall access. When our users connect via the VPN, their laptops
(WinXP SP2) aren't registering with DNS, although when they are in the
office on the LAN they do. ISA is configured to use our internal DHCP server
to issue out IPs, rather than issuing them from its own static pool, and in
the advanced setup it's configured for DNS & WINS to be issued via DHCP
also.

If you look at DHCP address leases it has 10 IPs leased to the ISA server
(unique ID - RAS), so ISA seems to be using the DHCP server correctly.
However if you look at the forward and reverse lookup zones in DNS none of
the IP details are registered.

Both DNS & DHCP are installed on the same server, Windows 2003 SP1,
configured as a DC; DNS is AD integrated. The ISA server is Win2003 SP1,
standalone, using RADIUS to authenticate users with the DC.

DNS tab in the DHCP scope has:
Enable DNS dynamic updates - checked.
Always dynamically update DNS A & PTR records - selected.
Discard A & PTR records when lease is deleted - checked.
Dynamically update DNS A & PTR records for DHCP clients that do not request
updates.

DHCP lease is 5 days, DNS scavenging is 5 days, dynamic updates are secure
only.

I can't think of anything that might be wrong! Am I missing something? I
think it's starting to affect some of our applications, such as VoIP, as
name resolution isn't working.

Ben

2 28th July 19:00
robert l ms-mvp


Could the VPN client still be using the local computer's DNS? Post the results of nslookup and ping -a IP (here the IP is the remote DNS IP).

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

3 28th July 19:00
ben


Hi Robert,

I've just found out something interesting. I created a new VPN connection, just using the standard Windows wizard and not CMAK, took all the defaults, then set VPN to L2TP & smart cards, and changed the DNS tab in TCP/IP properties to append parent suffixes of the primary DNS suffix, added ourdomain.com as the DNS suffix, then checked both 'Register this connection's address in DNS' & 'Use this connection's DNS suffix'.
When I made the VPN connection and checked DNS, I found it was registering & updating perfectly.
So it must be something in the CMAK profile, but what, I don't know!?

Ben

4 28th July 19:00
robert l ms-mvp


Hi Ben,

Thank you for the update. We need that.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

5 28th July 19:02
ben


Hi Bob,

I was thinking today, even if CMAK is causing the problem, it still gets its IP from the DHCP server, and DHCP is set to register all connections with DNS, whether the client requests it or not. So shouldn't DHCP still be registering the VPN client connection in DNS, even if CMAK isn't registering the connection?

Ben

6 28th July 19:02
robert l ms-mvp


It should. What's the result of nslookup?

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

7 28th July 19:02
ben


Just basic nslookup, from the client, results in my ISP's DNS server, but then I'd expect that as we're not using the VPN as the default gateway.

8 28th July 19:03
bill grant


No, it won't. A remote client does not get its IP from the DHCP server.
As you pointed out yourself, RRAS leases the IP addresses from DHCP. The
client gets its IP from the RRAS/ISA server as part of the PPP setup
negotiation.

I would use the method you described. That is, make sure that the client
has the correct DNS suffix set in the connection properties and have it
register the connection itself. That way, the entry is dynamic. It is set up
when the client connects and released when the client disconnects. Remote
clients need to be independent of the DHCP lease time.
9 28th July 19:03
boudewijn plomp


Hi Ben,

This has to do with the binding order. There is a known issue with DNS and
the VPN client. When you are connected, start nslookup; you will notice that it
will always connect to your DNS server which is bound on your LAN. There is a
mechanism that still uses your VPN DNS settings, but only if the record you
query is not found...
See the Microsoft Knowledge Base article...

Cannot Change the Binding Order for Remote Access Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;311218&Product=winxp

There is a script available at http://www.isascripts.org which allows you to add a
script that runs after connection with your CMAK profile.

On the other end you should be able to allow DHCP to register your DNS
record, but you have to use a service account that is a member of DNSAdmins or
authorize your DHCP server.

Good luck!

Boudewijn

10 28th July 19:03
ben


Hi Bill,

Thanks for the explanation, I understand a bit more about what's going on. I
didn't realise the client didn't get the IP directly from the DHCP server,
but via RRAS.
As you said, I can have the connection register itself. This works if I
set up a manual VPN connection, and set the option under TCP/IP to 'Register
this connection's address with DNS'. However, I'm using a CMAK profile, and it
doesn't look like this option is available to CMAK; the only DNS options are
DNSSuffix & DNS_Address. I'm just about to look at Boudewijn's script (post
below) and see if that can register it.

Ben
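
A way to check the client-side setting this thread settles on, as an added example that is not part of any post: the script reads Windows RAS phonebook (`.pbk`) text and reports entries whose `IpDnsFlags` / `IpDnsSuffix` values would leave the VPN client unregistered in DNS. The phonebook text and entry names are constructed, and the bit meanings of `IpDnsFlags` (0x1 register, 0x2 use suffix) are an assumption to confirm against a connection configured through the GUI.

```python
"""Audit RAS phonebook (.pbk) entries for client-side DNS registration settings."""

# Assumption: IpDnsFlags is a bit field in which 0x1 corresponds to
# "Register this connection's addresses in DNS" and 0x2 to
# "Use this connection's DNS suffix in DNS registration".
REGISTER = 0x1
USE_SUFFIX = 0x2

# Constructed sample: two hypothetical entries, trimmed to the relevant keys.
SAMPLE_PBK = """\
[VPN without registration]
Type=2
IpDnsFlags=0
IpDnsSuffix=
DEVICE=vpn
PhoneNumber=vpn.example.test

[VPN with registration]
Type=2
IpDnsFlags=3
IpDnsSuffix=ourdomain.com
DEVICE=vpn
PhoneNumber=vpn.example.test
"""


def parse_pbk(text):
    """Return {entry_name: {key: value}}; a repeated key keeps its first value."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), value.strip())
    return entries


def audit_entry(settings):
    """Return findings explaining why an entry will not register as intended."""
    try:
        flags = int(settings.get("IpDnsFlags", "0"))
    except ValueError:
        return ["IpDnsFlags is not a number"]
    suffix = settings.get("IpDnsSuffix", "")
    findings = []
    if not flags & REGISTER:
        findings.append("connection address is not registered in DNS")
    if flags & USE_SUFFIX and not suffix:
        findings.append("suffix registration requested but IpDnsSuffix is empty")
    if flags & REGISTER and not flags & USE_SUFFIX and suffix:
        findings.append("IpDnsSuffix is set but not used for registration")
    return findings


def audit_pbk(text):
    """Return {entry_name: [findings]} for every entry in the phonebook text."""
    return {name: audit_entry(s) for name, s in parse_pbk(text).items()}


if __name__ == "__main__":
    for name, findings in audit_pbk(SAMPLE_PBK).items():
        print(name, "->", "; ".join(findings) or "OK")
```

An empty findings list means the entry both registers its address and has a suffix to register under, which is the combination Ben reported as working with the manually created connection.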