Direct Access Server 2012 - Internal and External Domains are the Same

  • Question

  • Hi,

    I am currently implementing DirectAccess on our network; historically (and rather annoyingly) our internal domain is the same as our external domain.

    As an example, I have purchased a secure certificate to connect to da.domain.com and set up the relevant A record; however, when my laptop is away from the network I am unable to connect to DirectAccess, as it has taken control of any requests to domain.com, therefore I can't resolve da.domain.com and as a result I can't connect. I have tried specifically adding that host to my hosts file but to no avail; I cannot access anything in the domain.com domain.

    I have found an article that deals with exactly the same issue here http://social.technet.microsoft.com/Forums/forefront/en-US/28e71d05-2b49-40f7-9212-e178dc594555/internal-and-external-domain-name-are-identical-now-what; however, it is for an older version of DirectAccess (I think) and I can't find the same options. I have tried changing a few things to replicate the forum's suggestion but had no luck. Has anyone here got the same setup working, and if so, can you advise what settings you changed?

    Kind Regards

    David

    Tuesday, December 24, 2013 10:14 AM

All replies

  • Hi David,

    In the DA wizard, under "Infrastructure server settings" there are DNS options that allow you to specify which domain suffixes and/or specific hosts will be included in or excluded from the NRPT.

    Here you can specify specific servers to be excluded from the DA DNS by putting the hostname with a blank "DNS Server Address".

    Hope this helps.

    Ophir.

    • Marked as answer by dasmitchell Tuesday, January 7, 2014 4:14 PM
    Tuesday, December 24, 2013 7:13 PM
    Moderator
  • Thanks Ophir,

    Sorry for the delay replying during the festive period.

    Just to clarify, under Infrastructure Server Setup I can see four options:

    Network Location Server
    DNS
    DNS Suffix Search List
    Management

    Under Network Location Server I have specified my NLS server, that works fine.

    Under DNS I have two columns, Name Suffix and DNS Server Address, I think this is what you would like me to change, at the moment I just have one entry for domain.com with my internal DNS servers, should I then add da.domain.com with a blank DNS Server Address?

    I then have my DNS Suffix Search List, at the moment I have domain.com in my "domain suffixes to use", I am assuming that is correct?

    Finally I have left my management servers blank for now.

    I have tried the setup above but I still have the same problem, but I am not sure if the reason for that is the domain.com entry in DNS Server Address?

    Any suggestions would be very welcome.

    Thanks again,

    David

    Tuesday, December 31, 2013 8:59 AM
  • Hi David,

    Yes, the above setup should "do the trick", as the servers you put with a blank DNS entry should be excluded in the NRPT table.

    You can confirm this by running netsh namespace show policy at the client's command line; you should see something like:

    Settings for da.domain.com
    ----------------------------------------------------------------------
    Certification authority                 :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings

    Settings for .domain.com
    -----------------------------------------------------------------
    Certification authority                 :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 1234:1234:1234:3333::1
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy

    So in this scenario .domain.com is using DA while the specific entry (da.domain.com) is set as excluded and has empty DNS ...

    Hope this helps,

    Ophir.

    • Marked as answer by dasmitchell Tuesday, January 7, 2014 4:14 PM
    Tuesday, December 31, 2013 10:24 AM
    Moderator
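As an added example (not code from the thread or from Microsoft), the following parses client output of the shape shown above and checks the two conditions Ophir describes: the entry point host must be an NRPT exemption (empty DNS servers) while other hosts under the internal suffix still go to the DA DNS server. The sample text and its IPv6 address are constructed, and "exact host rule beats suffix rule, longest suffix wins" is an assumption about how the client selects a rule.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like the `netsh namespace show policy` output
# in the thread above; the IPv6 address is a placeholder, not a real server.
SAMPLE_NETSH_OUTPUT = """Settings for da.domain.com
----------------------------------------------------------------------
DirectAccess (DNS Servers)              :

Settings for .domain.com
----------------------------------------------------------------------
DirectAccess (DNS Servers)              : 1234:1234:1234:3333::1
"""


def parse_nrpt(text: str) -> Dict[str, List[str]]:
    """Map each NRPT rule to its DirectAccess DNS servers; an empty list is
    an exemption (resolved by the adapter's own DNS, not tunnelled over DA)."""
    rules: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"^Settings for (\S+)", line)
        if m:
            current = m.group(1).lower()
            rules[current] = []
        elif current and line.startswith("DirectAccess (DNS Servers)"):
            # Split on the first colon only: IPv6 addresses contain colons.
            value = line.split(":", 1)[1]
            rules[current] = [s for s in re.split(r"[,\s]+", value) if s]
    return rules


def nrpt_lookup(rules: Dict[str, List[str]], name: str) -> Tuple[Optional[str], List[str]]:
    """Pick the rule the client applies (assumed: an exact host rule beats a
    suffix rule, and the longest matching suffix wins). (None, []) = no rule."""
    name = name.lower().rstrip(".")
    if name in rules:
        return name, rules[name]
    suffixes = [r for r in rules if r.startswith(".") and name.endswith(r)]
    if not suffixes:
        return None, []
    best = max(suffixes, key=len)
    return best, rules[best]


def check_exemption(text: str, entry_point: str, suffix: str) -> Dict[str, bool]:
    """The fix from the thread: the DA entry point must be exempt (public DNS)
    while other hosts under the internal suffix still use the DA DNS server."""
    rules = parse_nrpt(text)
    _, ep_servers = nrpt_lookup(rules, entry_point)
    _, other_servers = nrpt_lookup(rules, "fileserver" + suffix)  # constructed host
    return {"entry_point_exempt": not ep_servers, "suffix_tunnelled": bool(other_servers)}
```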
  • Thanks Ophir, that did the trick and it is fully working now. Many thanks again.
    Tuesday, January 7, 2014 4:14 PM