AlwaysON VPN dual DNS suffix

  • Question

  • Can this be configured?

    I do not see it mentioned here.

    I have an internal domain (AD), but also a second DNS domain (that matches my external one).

    So when users are on VPN I would like the "external" domain to be resolved internally (via VPN & internal servers).

    So far I could not manage to get it working this way.

    Seb

    Wednesday, March 20, 2019 2:48 PM

All replies

  • Hi, 

    • You can define internal DNS servers for any namespace using the DomainNameInformation element in your ProfileXML. 
    • Or use DNS policy for Split-Brain DNS deployment. It applies to Windows Server 2016.

    Please refer to the link below:

    https://directaccess.richardhicks.com/2018/04/23/always-on-vpn-and-the-name-resolution-policy-table-nrpt/

    https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/split-brain-dns-deployment

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. 

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, March 21, 2019 2:51 AM
    Moderator
  • Of course I had been there BEFORE posting here!

    I do not think split-brain is the issue here at all.

    Seb

    Thursday, March 21, 2019 1:47 PM
  • Hi,

    What about configuring NRPT in ProfileXML?

    Best regards,

    Travis



    Friday, March 22, 2019 6:23 AM
    Moderator
  • In the USER profile I do have it configured as per this:

    Internal domain (single only; can I somehow add another one? That is the VERY QUESTION HERE) and internal DNS servers.

    And for this domain all works fine.

    I just need to have an additional domain specified.

    Seb

    Friday, March 22, 2019 2:34 PM
  • Hi,

    So when users are on VPN I would like the "external" domain to be resolved internally (via VPN & internal servers)

    Do you mean that you want to change DNS suffix when resolving IP addresses?

    Best regards,

    Travis




    Monday, March 25, 2019 8:22 AM
    Moderator
  • All I needed to do was double up the section in ProfileXML:

    <!-- one DomainNameInformation element per namespace; both may point at the same resolvers -->
    <DomainNameInformation>
      <DomainName>.internal.local</DomainName>
      <DnsServers>10.0.0.21,10.0.0.22</DnsServers>
    </DomainNameInformation>
    <DomainNameInformation>
      <DomainName>.external.org</DomainName>
      <DnsServers>10.0.0.21,10.0.0.22</DnsServers>
    </DomainNameInformation>


    Edit 2

    Or this can be achieved with PowerShell:

    # one call per DNS suffix; -DnsIPAddress names the resolver(s) used for that suffix
    Add-VpnConnectionTriggerDnsConfiguration -ConnectionName "AO VPN" -DnsSuffix "external.org" -DnsIPAddress "10.0.0.22" -PassThru
    Add-VpnConnectionTriggerDnsConfiguration -ConnectionName "AO VPN" -DnsSuffix "internal.local" -DnsIPAddress "10.0.0.21" -PassThru


    • Marked as answer by scerazy Tuesday, March 26, 2019 8:14 AM
    • Unmarked as answer by scerazy Thursday, March 28, 2019 4:36 PM
    • Edited by scerazy Wednesday, December 4, 2019 6:07 PM
    Tuesday, March 26, 2019 8:14 AM
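    The following is an added example, not code from the thread above: it registers the same two suffixes (and, with the hashtable, any number of them) as DNS triggers on one user-profile Always On VPN connection, removes stale rows first so it can be re-run, passes both resolvers per suffix instead of one, and then shows what the client actually holds, including the effective NRPT rows once the tunnel is up. The connection name "AO VPN", the suffixes and the 10.0.0.x resolver addresses are placeholders taken from the post; the connection is assumed to already exist in the user's profile.

    ```powershell
    # Added example (not from the original post). Assumptions: connection "AO VPN"
    # already exists in the user profile; suffixes and resolver IPs are placeholders.
    # Windows PowerShell 5.1 on the VPN client, run as the user who owns the connection.

    $ConnectionName = 'AO VPN'

    # One row per namespace. Both rows use the same internal resolvers here, as in the
    # ProfileXML above, but each row can carry its own server list.
    $NamespaceMap = [ordered]@{
        'internal.local' = @('10.0.0.21', '10.0.0.22')
        'external.org'   = @('10.0.0.21', '10.0.0.22')
    }

    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $vpn) {
        throw "VPN connection '$ConnectionName' not found in the user profile; create it first."
    }

    # Drop any existing row for the same suffix before re-adding it, so re-running the
    # script does not leave stale or duplicate entries behind.
    $current = Get-VpnConnectionTrigger -ConnectionName $ConnectionName -ErrorAction SilentlyContinue
    foreach ($suffix in $NamespaceMap.Keys) {
        if ($current.DnsTrigger | Where-Object { $_.DnsSuffix -eq $suffix }) {
            Remove-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnectionName `
                -DnsSuffix $suffix -Force
        }
        # -DnsIPAddress accepts a string array, so both resolvers go into one row.
        Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnectionName `
            -DnsSuffix $suffix -DnsIPAddress $NamespaceMap[$suffix] | Out-Null
    }

    # 1. What the connection now carries.
    Write-Host "DNS triggers on '$ConnectionName':"
    (Get-VpnConnectionTrigger -ConnectionName $ConnectionName).DnsTrigger |
        Format-Table DnsSuffix, DnsIPAddress -AutoSize

    # 2. The NRPT rows derived from these triggers are only present while the tunnel is
    #    up, so the effective policy is checked only in that state. NRPT stores the
    #    namespace with a leading dot.
    if ((Get-VpnConnection -Name $ConnectionName).ConnectionStatus -eq 'Connected') {
        foreach ($suffix in $NamespaceMap.Keys) {
            $rule = Get-DnsClientNrptPolicy -Effective |
                Where-Object { $_.Namespace -eq ".$suffix" }
            if ($rule) {
                Write-Host "NRPT OK   .$suffix -> $($rule.NameServers -join ', ')"
            } else {
                Write-Warning "No effective NRPT rule for .$suffix while connected"
            }
        }
    } else {
        Write-Host 'Connection is not up; NRPT rows appear once it connects.'
    }
    ```

    The cmdlets operate on the per-user connection, which is why the script is run in the user's own session rather than elevated; a device tunnel deployed through ProfileXML is configured with the DomainNameInformation elements shown in the post instead.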

  • But still not 100%

    ping "name" resolves to 10.0.0.x internal LAN address (which is correct as it uses .external.org dnssuffix as defined by DNS Suffix Search List)

    but

    ping "name.external.org" resolves to totally EXTERNAL public IP

    Any idea how to fix that?

    • Edited by scerazy Wednesday, December 4, 2019 6:07 PM
    Wednesday, December 4, 2019 5:55 PM
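    The following is an added diagnostic, not code from the thread: it does not explain the behaviour above, but it shows which path answered each query so the mismatch can be localized. It flushes the client cache (a public answer cached before the tunnel came up would otherwise be returned), finds the effective NRPT rule that covers the FQDN, resolves the short name and the FQDN through the system resolver, and resolves the FQDN directly against the internal server as the reference value. The host name "name", suffix "external.org" and resolver 10.0.0.21 are placeholders from the post; it assumes the tunnel is connected.

    ```powershell
    # Added example (not from the original post). Placeholders: name, external.org,
    # 10.0.0.21. Run on the VPN client while the tunnel is connected.

    $ShortName   = 'name'
    $Suffix      = 'external.org'
    $Fqdn        = "$ShortName.$Suffix"
    $InternalDns = '10.0.0.21'

    # Stale answers from before the tunnel came up would mask the policy; start clean.
    Clear-DnsClientCache

    # Return the A-record addresses for a name, via the system resolver by default or
    # directly against one server (which bypasses the NRPT) when -Server is given.
    function Get-ARecords {
        param([string]$Name, [string]$Server)
        $params = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $params.Server = $Server }
        @(Resolve-DnsName @params | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    }

    # 1. Is there an effective NRPT rule whose namespace covers the FQDN at all?
    $rule = Get-DnsClientNrptPolicy -Effective | Where-Object { $Fqdn -like "*$($_.Namespace)" }
    if ($rule) {
        Write-Host "NRPT rule $($rule.Namespace) sends queries to: $($rule.NameServers -join ', ')"
    } else {
        Write-Warning "No effective NRPT rule matches $Fqdn; it resolves via the interface DNS servers."
    }

    # 2. Resolve through the system resolver: NRPT and the suffix search list both apply.
    $shortAnswer = Get-ARecords -Name $ShortName
    $fqdnAnswer  = Get-ARecords -Name $Fqdn

    # 3. Reference answer straight from the internal server, policy not involved.
    $internalAnswer = Get-ARecords -Name $Fqdn -Server $InternalDns

    [pscustomobject]@{
        'short name via resolver' = $shortAnswer    -join ', '
        'FQDN via resolver'       = $fqdnAnswer     -join ', '
        'FQDN direct @ internal'  = $internalAnswer -join ', '
    } | Format-List

    # When the NRPT rule is in effect the FQDN answer equals the direct internal answer.
    if ($fqdnAnswer -and $internalAnswer -and -not (Compare-Object $fqdnAnswer $internalAnswer)) {
        Write-Host 'FQDN query is answered by the internal resolver.'
    } else {
        Write-Warning 'FQDN query did not return the internal answer; compare against the NRPT rule above.'
    }
    ```

    Resolve-DnsName with -Server talks to that server only, which is what makes the third value a usable reference; the other two go through the same client resolver that ping uses, so they reflect whatever the NRPT and suffix search list actually did.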