Problem suffix DNS in DirectAccess 2012

  • Question

  • Hi,

    I have 2 forests (forest 1 and forest 2). Trusts between the forests are transitive.

    My DA is in forest 1.

    DA works properly. My clients can connect via Direct Access and use resources from Forest 1.

    I want my clients to access resources from forest 2.

    I add the DNS suffix of forest 2 and the IPv4 address of the DNS server of forest 2 (Step 3: Infrastructure Server).

    Everything seems OK; the wizard validates my IPv4 address.

    I apply the configuration, but after a few seconds, in the "Operations Status" page, I have this error message:

    DNS: Not working properly

    Enterprise DNS servers (fd12:58f4:xxx:xxx:xxx) used by DirectAccess clients for name resolution are not responding.

    I noticed that DA converts my IPv4 address directly to an IPv6 address (fd12:58f4:xxx:xxx:xxx), and I can ping the IPv6 address fd12:58f4:xxx:xxx:xxx.

    And of course, my client cannot access or ping any resource of forest 2.

    Any idea?

    Regards
    OMSTEF

    Thursday, August 29, 2013 7:46 AM

All replies

  • Hi,

    Can you try a direct DNS resolution? For this, grab the IPv6 address of the DNS server managing your second forest's DNS zone with a NETSH.EXE NAMESPACE SHOW POLICY on a DirectAccess client. Enter NSLOOKUP and select the DNS server you want to use with Server <IPv6 Address>.

    Then ask for name resolution in this second forest.

    Does this work?


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, September 2, 2013 10:08 AM
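    The same check scripted in PowerShell on a DirectAccess client (an added example, not code from the thread): it reads the NRPT that DirectAccess pushes to the client, takes the DNS server addresses recorded for the second forest's suffix, and queries each one directly, as nslookup would with "server <IPv6 address>". The forest-2 suffix and the test host name are placeholder assumptions.

    ```powershell
    # Added example, not from the thread. Run on a DirectAccess client.
    # Assumptions (placeholders): the DNS suffix of forest 2 and one host in it.
    $Forest2Suffix = '.forest2.example'      # NRPT namespaces carry a leading dot
    $TestHost      = 'dc01.forest2.example'  # any host that forest 2's DNS can resolve

    # 1. Read the effective NRPT (PowerShell equivalent of
    #    "netsh namespace show policy"). For a DirectAccess rule the servers listed
    #    are the DNS64 IPv6 addresses, not the IPv4 addresses typed into the wizard.
    $rule = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $Forest2Suffix }
    if (-not $rule) {
        Write-Warning "No NRPT rule for '$Forest2Suffix': the suffix never reached this client."
        return
    }
    $servers = @($rule.DirectAccessDnsServers)
    Write-Host "NRPT rule $($rule.Namespace) -> DNS server(s): $($servers -join ', ')"

    # 2. For each server: confirm it answers ICMP over the tunnel, then send a
    #    query straight to it (equivalent of nslookup's "server <IPv6 address>").
    #    -DnsOnly skips the cache, LLMNR and NetBIOS so only this server is tested.
    foreach ($server in $servers) {
        $pingOk = Test-Connection -ComputerName $server -Count 2 -Quiet
        Write-Host ("{0}: ping over tunnel = {1}" -f $server, $pingOk)
        try {
            $answer = Resolve-DnsName -Name $TestHost -Server $server -DnsOnly -ErrorAction Stop
            # A working path returns records for the host; with DNS64 in front of an
            # IPv4-only zone the A record is typically surfaced as a synthesised AAAA.
            $answer | Select-Object Name, Type, IPAddress | Format-Table -AutoSize
        } catch {
            # Ping succeeding while the query fails matches the symptom in this
            # thread: the DNS64 address is up, but it has no working path to forest 2.
            Write-Warning "Query for $TestHost via $server failed: $($_.Exception.Message)"
        }
    }
    ```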
  • I've already tested, and nslookup doesn't find the DNS server.

    OMSTEF

    Monday, September 2, 2013 12:00 PM
  • Hi,

    So from the DirectAccess client's point of view, your second forest's internal DNS is not reachable through the IPsec tunnel. For sure, there might be a reason for that. A workaround could be to configure your first forest's DNS servers with conditional forwarders that point to your second forest. From an NRPT point of view, the new entry will point to the DNS64 internal IPv6 address of your URA server.

    Hope this helps.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, September 2, 2013 12:05 PM
  • No, it's not a problem whether my second forest's internal DNS is reachable through IPsec or not. Even in the forest where DA is located, I cannot add another DNS server.

    If I add a DNS server with an IPv4 address (Step 3), DA converts the IPv4 address to an IPv6 address, and in the "Operations Status" page, I have this error message:

    DNS: Not working properly

    Enterprise DNS servers (fd12:58f4:xxx:xxx:xxx) used by DirectAccess clients for name resolution are not responding.
    OMSTEF

    Monday, September 2, 2013 1:05 PM