RE: Split DNS Questions...

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 26 Apr 2005 09:08:24 -0500

Hi Dan,

Yes, I'm glad you asked, as it reminds me that I didn't put it on my
list of articles to do in the near term.

The issue with split DNS is that when the VPN client connects, it
doesn't automatically place the RRAS adapter on the top of the adapter
list. So, you will continue to use the same DNS server that you have on
your dedicated adapter.

So, what happens is if you have a split DNS using the same name
internally and externally, the client will continue to resolve names
using the initial DNS server. There are situations where it might not
seem like this, such as if the client received a server failure on the
initial adapter, in which case it moves the RRAS adapter to the top of
the list. 

PSS says there aren't enough requests to fix it, so there won't be a DCR
for this issue (my request must be the only one).

There are several fixes available, but there is a bit of admin overhead.
For example, if you have control over the clients, you can have them run
this logon script or deploy the script using your favorite method:

============================
' VBScript that places the \Device\NdisWanIp entry on the top in the
' registry value Bind (multi-string) that is found under the key
' HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage\.
' If the entry already is at the top, no registry update is done.

Const HKLM = &H80000002

sComputer = "."   ' use "." for local computer

' Connect to WMI's StdRegProv class
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
                  & sComputer & "\root\default:StdRegProv")

' Define registry location
sKeyPath = "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"
sValueName = "Bind"

oReg.GetMultiStringValue HKLM, sKeyPath, sValueName, arValues

arValuesNew = Array()

For i = 0 To UBound(arValues)
      If i = 0 Then
            If LCase(arValues(i)) = "\device\ndiswanip" Then
                  ' Entry is already first in the list, no point in continuing
                  Exit For
            Else
                  ' Put NdisWanIp in the first element in the new array
                  ReDim Preserve arValuesNew(0)
                  arValuesNew(0) = "\Device\NdisWanIp"
            End If
      End If

      ' Continue adding the rest of the elements to the new array
      If LCase(arValues(i)) <> "\device\ndiswanip" Then
            iCountNew = UBound(arValuesNew) + 1
            ReDim Preserve arValuesNew(iCountNew)
            arValuesNew(iCountNew) = arValues(i)
      End If
Next

' If there are elements to be found in the array, update the
' registry value
If UBound(arValuesNew) > -1 Then
      oReg.SetMultiStringValue HKLM, sKeyPath, sValueName, arValuesNew
End If

MsgBox "Finished!", vbInformation + vbSystemModal
=====================================

I'll include all the issues and remediations I've thought of so far in
the article that I'll put up in the next week or two.

HTH,
Tom 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Tuesday, April 26, 2005 9:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Split DNS Questions...

Tom,
        You mentioned some problems with VPN connections on a Split DNS?
I've been using it extensively, is this related to resolving hostnames
on the Internal network?
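
A read-only check for the binding order discussed in the reply above, as an added example that is not part of the original thread: it reports where \Device\NdisWanIp sits in the Bind value and what order the logon script would produce, without writing to the registry. The function names Get-BindOrderPlan and Show-BindOrder are hypothetical, and the sample Bind list with its GUIDs is constructed.

```powershell
# Added example (not from the original post): audit the TCP/IP Bind order only.
$LinkageKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'
$WanEntry   = '\Device\NdisWanIp'

function Get-BindOrderPlan {
    # Pure function: locate the RAS/VPN entry (case-insensitive) and compute
    # the order the list would have with that entry moved to the top.
    param([string[]]$Bind)
    $index = -1
    for ($i = 0; $i -lt $Bind.Count; $i++) {
        if ($Bind[$i] -ieq $WanEntry) { $index = $i; break }
    }
    # Drop empty strings and any duplicate of the WAN entry from the remainder.
    $rest = @($Bind | Where-Object { $_ -and ($_ -ine $WanEntry) })
    [pscustomobject]@{
        Present   = ($index -ge 0)   # False: entry missing from Bind entirely
        Position  = $index           # 0 means it is already first
        Compliant = ($index -eq 0)
        Proposed  = @($WanEntry) + $rest
    }
}

function Show-BindOrder {
    # Prints the finding for one Bind list and returns the plan object.
    param([string[]]$Bind, [string]$Source)
    $plan = Get-BindOrderPlan -Bind $Bind
    Write-Host "[$Source] $WanEntry present=$($plan.Present) position=$($plan.Position)"
    if (-not $plan.Compliant) {
        Write-Host "[$Source] order the logon script would write:"
        $plan.Proposed | ForEach-Object { Write-Host "    $_" }
    }
    $plan
}

# Constructed sample: dedicated adapter listed ahead of the RAS entry.
$sample = @(
    '\Device\{11111111-1111-1111-1111-111111111111}',
    '\Device\{22222222-2222-2222-2222-222222222222}',
    '\Device\NdisWanIp'
)
[void](Show-BindOrder -Bind $sample -Source 'constructed-sample')

# Live check: only runs where the registry key exists (a Windows client).
if (Test-Path $LinkageKey) {
    $live = (Get-ItemProperty -Path $LinkageKey -Name Bind -ErrorAction Stop).Bind
    $plan = Show-BindOrder -Bind $live -Source $env:COMPUTERNAME
    if (-not $plan.Compliant) { exit 1 }   # non-zero so inventory tools can flag it
}
```

Run against VPN clients before and after deploying the logon script, the exit code shows which machines still list the dedicated adapter ahead of the RAS entry.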