Direct Access DNS resolution local domain network
Hey guys,
Some information about my test environment...
My Direct Access server and my DC are based on Windows Server 2012 R2. The Direct Access server has one NIC. Port 443 requests are forwarded through a firewall to the Direct Access server. The configuration for Direct Access was done with the built-in assistant.
On the client side I am using Windows 8.1 x64.
Now to my problem...
If I do a ping or a gpupdate when I am not connected to my local company network, the server responds and gpupdate/ping work fine. As soon as I am connected to my local company network I am not able to do a gpupdate or a ping (error in resolving DNS).
But I am able to use nslookup to query names.
Does anyone have a suggestion where the problem could be?
Hi,
It seems that this problem is caused by the issue of Network Location Server.
Does the client know that it is connected to the local network?
When the client connects to the local network, it should show "Connected to network locally or through VPN".
Here is the screenshot of my lab server,
Also, we can use the command below to verify this:
netsh dns show state
The Machine location should be "Inside corporate network" when the client is connected to the local network.
If the client doesn't know that it is inside the corporate network, please check if client can access the Network Location Server.
Best Regards.
Steven Lee
TechNet Community Support
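An added PowerShell check that walks through the steps in the reply above (location detection, NRPT contents, NLS reachability, resolver versus nslookup behaviour); it is not from the thread or from Steven Lee. It assumes the in-box Windows 8.1 cmdlets and uses a placeholder internal hostname that you replace with one of your own.

```powershell
# Added example for troubleshooting "inside the corpnet but DNS fails" on a
# DirectAccess client. Not part of the original thread. Run elevated on the
# Windows 8.1 client. Cmdlets are from the in-box NetworkConnectivityStatus,
# DnsClient and NetTCPIP modules; $ProbeName is a constructed placeholder.
$ProbeName = 'dc01.corp.example'   # placeholder: replace with a real internal host

function Test-DAClientLocation {
    # 1. What does the client believe about its location? Same information as
    #    "netsh dns show state" ("Inside corporate network" vs. outside).
    $da = Get-DAConnectionStatus
    "DirectAccess status : {0} / {1}" -f $da.Status, $da.Substatus
    netsh dns show state | Select-String 'Machine location'

    # 2. The NRPT entries delivered by Group Policy. Inside the corpnet the
    #    NRPT must be disabled (policy table empty) or the resolver keeps
    #    sending corporate suffixes to the DA server's DNS64 address, which
    #    is only reachable over the IP-HTTPS tunnel from outside.
    $nrpt = Get-DnsClientNrptPolicy
    if ($nrpt) {
        "NRPT is ACTIVE for these suffixes (expected only when remote):"
        $nrpt | Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled |
            Format-Table -AutoSize
    } else {
        "NRPT is not in effect (expected when inside the corporate network)."
    }

    # 3. Locate the Network Location Server URL from the NCSI policy and probe
    #    it over HTTPS. The NLS certificate must chain to a CA the client
    #    trusts; a TLS error here is as fatal for location detection as no
    #    route at all. Property name assumed from the NetworkConnectivityStatus
    #    module; fall back to a placeholder if it is absent.
    $ncsi   = Get-NCSIPolicyConfiguration
    $nlsUrl = $ncsi.DomainLocationDeterminationUrl
    if (-not $nlsUrl) { $nlsUrl = 'https://nls.corp.example/' }   # placeholder
    try {
        $r = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 10
        "NLS {0} reachable, HTTP {1}" -f $nlsUrl, $r.StatusCode
    } catch {
        "NLS {0} NOT reachable: {1}" -f $nlsUrl, $_.Exception.Message
    }

    # 4. Why ping fails while nslookup works: nslookup talks to the interface
    #    DNS server directly and ignores the NRPT, whereas ping/gpupdate use
    #    the Windows resolver, which applies it. Resolve-DnsName without
    #    -Server follows the resolver path, so compare the two.
    $ifDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses } |
              Select-Object -First 1).ServerAddresses[0]
    try {
        $viaResolver = (Resolve-DnsName $ProbeName -ErrorAction Stop).IPAddress
        "Resolver path  : {0} -> {1}" -f $ProbeName, ($viaResolver -join ', ')
    } catch {
        "Resolver path  : {0} FAILED ({1})" -f $ProbeName, $_.Exception.Message
    }
    try {
        $direct = (Resolve-DnsName $ProbeName -Server $ifDns -ErrorAction Stop).IPAddress
        "Direct to {0}: {1} -> {2}" -f $ifDns, $ProbeName, ($direct -join ', ')
    } catch {
        "Direct to {0}: {1} FAILED ({2})" -f $ifDns, $ProbeName, $_.Exception.Message
    }
}

Test-DAClientLocation
```

If step 4 fails on the resolver path but succeeds directly while the NRPT is still active, the client never reached the NLS and is treating the office LAN as "outside"; fixing NLS reachability (DNS record, firewall, certificate trust) is the remedy rather than changing DNS settings.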
Similar Messages
-
DNS best practice in local domain network of Windows 2012?
Hello.
We have a small local domain network in our office. Which one is the best practice for the DNS: to set up a DNS in our network forwarding to public DNSs, or directly using public DNS on all computers including the server?
Thanks.
Selim
Hi Selim,
Definitely the first option, "set up a DNS in our network forwarding to public DNSs", and all computers, including the server, have the local DNS configured.
Even better best practice would be that this local DNS points to a standalone DNS server in the DMZ which queries the public DNS.
Using a centralized DNS utilizes the DNS cache to answer similar queries, resulting in faster response time and less internet usage for repeated queries.
Also, an additional DNS layer helps protect your internal DNS data from attackers out on the internet.
Using internal DNS on all the computers will also help you host intranet websites and access them directly. Moreover, when you are on an AD domain, you need to have the computers' DNS configured properly for AD authentication to happen.
Regards,
Satyajit
Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you. -
Direct Access: DNS error on Operations Status (DNS server not responding)
Hi!
I am testing Direct Access on Windows 2012 R2 Standard. So far I have deployed the Remote Access role to our server "ABC-DA1". I have completed the configuration wizard for a Single NIC deployment and defined a FQDN as the "public name" (da.domain.com).
After completing the wizard I go to the Operations Status page and find an error telling me one of the DNS servers is unavailable. The mentioned server is no longer operational as it was running on an old Win2k8R2 DC server that was demoted.
Is there a way to remove the reference to the old server? I have 3 new DNS servers running on the new Domain Controllers but it seems like the old DC did not completely remove itself.
Below is a screenshot of the operations status.
Thank you for your help :)
Hi,
Please go to the Name Resolution Policy and check if you can change the DNS server there.
Computer Configuration -> Policies -> Windows Settings -> Name Resolution Policy
Hope this helps.
Jeremy Wu
TechNet Community Support -
Error "NOTICE: [0] disk access failed" during guest domain network booting
Hi,
Could you please tell me what is the problem with my configuration?
I created guest domain on my T1000 server.
As a disk I used a disk from a disk array: /dev/dsk/c0t18d0
I added disk using commands:
# ldm add-vdsdev /dev/dsk/c0t18d0 vol1@primary-vds0
# ldm add-vdisk vdisk1 vol1@primary-vds0 myldom1
# ldm set-variable auto-boot\?=false myldom1
# ldm set-variable boot-device=/virtual-devices@100/channel-devices@200/disk@0 myldom1
Then I logged in to the guest domain and booted from the network to install the OS from the JumpStart server:
{0} ok boot net - install
Boot device: /virtual-devices@100/channel-devices@200/network@0 File and args: - install
Requesting Internet Address for 0:14:4f:f9:78:19
SunOS Release 5.10 Version Generic_137137-09 64-bit
Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Configuring devices.
NOTICE: [0] disk access failed.
Checking rules.ok file...
Using begin script: install_begin
Using finish script: patch_finish
Executing SolStart preinstall phase...
Executing begin script "install_begin"...
Begin script install_begin execution completed.
ERROR: No disks found
- Check to make sure disks are cabled and powered up
Solaris installation program exited.
Configuration:
[root@gt1000a /]# ldm list-bindings
NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
primary active -n-cv- SP 4 2G 0.5% 2h 23m
MAC
00:14:4f:9f:71:4e
HOSTID
0x849f714e
VCPU
VID PID UTIL STRAND
0 0 5.3% 100%
1 1 0.5% 100%
2 2 0.5% 100%
3 3 0.4% 100%
MAU
ID CPUSET
0 (0, 1, 2, 3)
MEMORY
RA PA SIZE
0x8000000 0x8000000 2G
VARIABLES
keyboard-layout=US-English
IO
DEVICE PSEUDONYM OPTIONS
pci@780 bus_a
pci@7c0 bus_b
VCC
NAME PORT-RANGE
primary-vcc0 5000-5100
CLIENT PORT
myldom1@primary-vcc0 5000
VSW
NAME MAC NET-DEV DEVICE DEFAULT-VLAN-ID PVID VID MODE
primary-vsw0 00:14:4f:fa:ca:94 bge0 switch@0 1 1
PEER MAC PVID VID
vnet0@myldom1 00:14:4f:f9:78:19 1
VDS
NAME VOLUME OPTIONS MPGROUP DEVICE
primary-vds0 vol1 /dev/dsk/c0t18d0
CLIENT VOLUME
vdisk1@myldom1 vol1
VCONS
NAME SERVICE PORT
SP
NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
myldom1 active -n---- 5000 12 2G 0.1% 2h 18m
MAC
00:14:4f:f9:e7:ae
HOSTID
0x84f9e7ae
VCPU
VID PID UTIL STRAND
0 4 0.5% 100%
1 5 0.0% 100%
2 6 0.0% 100%
3 7 0.0% 100%
4 8 0.0% 100%
5 9 0.0% 100%
6 10 0.0% 100%
7 11 0.0% 100%
8 12 0.0% 100%
9 13 0.0% 100%
10 14 0.0% 100%
11 15 0.0% 100%
MEMORY
RA PA SIZE
0x8000000 0x88000000 2G
VARIABLES
auto-boot?=false
boot-device=/virtual-devices@100/channel-devices@200/disk@0
NETWORK
NAME SERVICE DEVICE MAC MODE PVID VID
vnet0 primary-vsw0@primary network@0 00:14:4f:f9:78:19 1
PEER MAC MODE PVID VID
primary-vsw0@primary 00:14:4f:fa:ca:94 1
DISK
NAME VOLUME TOUT DEVICE SERVER MPGROUP
vdisk1 vol1@primary-vds0 disk@0 primary
VCONS
NAME SERVICE PORT
myldom1 primary-vcc0@primary 5000
[root@gt1000a /]#
Kind regards,
Daniel
Issue solved.
There was a wrong disk name:
primary-vds0 vol1 /dev/dsk/c0t18d0
I changed it to c0t18d0s2 and now I have successfully installed the OS from JumpStart. -
Can address book be accessed on a local area network
I am using Thunderbird on a network.
How can I access the address book from other computers?
Alternatively, can I locate the address book on the server?
Thanks,
[email protected]
Thunderbird support is over here.
http://www.mozillamessaging.com/en-US/support/
or here:
http://forums.mozillazine.org/viewforum.php?f=39 -
Direct Access: No Security Associations under Main mode and Quick Mode: No SA
Could someone please help me with the issue here :'(
Windows Firewall advanced security--> Monitoring --> Main mode (Empty)
--> quick Mode (Empty)
It's been days that I have been trying to troubleshoot this issue. All the setup seems good. I am not able to figure out this certificate issue.
Hi Sijin,
What is the status of this issue? If you still have the issue, please confirm the following.
1) What is the Network Topology?
2) What is the client OS?
3) If you have it configured for Windows 7 and 8 both then do you have Client Authentication Certificate in Personal store and Root Certificate from Internal CA present on client machine?
4) What is the Status of IPHTTPS Interface?
5) Are you able to ping the Direct Access (DNS Server) IP address (2002:836b:33:3333::1) from the client?
6) What is the status of below services on the client machine?
IKE and AuthIP IPsec Keying Modules
IPSec Policy Agent
7) Which Windows Firewall profile is enabled on the DA Server and Client?
Regards
Kapil -
Direct Access: domain.LOCAL supported?
Hi,
Our domain was configured using company.local. I am now trying to deploy Direct Access on a Windows Server 2012 R2 server using a single NIC deployment.
Do we have to change our domain name to company.com in order to deploy Direct Access? If not - are there any special considerations when deploying using the .local domain?
We have a forward lookup zone for domain.com in addition to the domain.local on our DNS servers. We intend to use "da.domain.com" as the "public name used by clients to connect to the Remote Access server".
Hi,
You do not have to change.
With a single NIC, I suppose your server is behind a NAT device.
For your reference:
Step-By-Step: Enabling DirectAccess in Windows Server 2012 R2
http://blogs.technet.com/b/canitpro/archive/2014/01/06/step-by-step-enabling-directaccess-in-windows-server-2012.aspx
STEP 6: Test DirectAccess Client Connectivity from Behind a NAT Device
http://technet.microsoft.com/en-us/library/hh831524.aspx
Hope this helps. -
Enterprise DNS servers are not responding when using Windows NLB with Direct Access 2012
Hi
We have installed Direct Access 2012 as one server installation:
- Two network cards. First one in DMZ and second one in internal network
- Two consecutive IP addresses configured in DMZ because of Teredo
- PKI because of Win7 Clients IPSec
- Our corporate network is native IPv4 so we use DNS64/NAT64 and DA-server is configured as DNS
- DA-servers are VMWare virtual machines
One server installation works fine and now we want to use Windows NLB as load balancing. NLB installation goes fine too, but the problem is DNS. If we still try to use the DA-server as DNS, the error message below appears:
None of the enterprise DNS servers 2002:xxxx:xxxx:3333::1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
When trying to configure DNS using Infrastructure access setup, DNS cannot be validated when using the DA-server's DIP or cluster VIP. Only the domain local DNS looks to be ok, but those have no IPv6 addresses. So how should DNS be configured when using multicast NLB?
Tried to remove name suffix then adding again => Detect DNS server => DA-server IPv6 address found => validate => The specified DNS server is not responding...
Then tried to ping detected address => General failure
NLB clusters are configured as multicast and static ARPs are configured too. Both clusters can be connected from those subnets as they should be.
Any clues how to fix this?
~ Jukka ~
Hi,
Your question falls into the paid support category which requires a more in-depth level of support. Please visit the below link to see the various paid support options that are available to better meet your needs.
http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
Regards,
Mike
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
How do I set up networking for DNS resolution?
I am setting up a brand new iMac (10.9.4). I've put the two internal DNS servers into the network configuration (Windows Servers running DNS). However, pinging by hostname and FQDN doesn't work:
Matts-iMac:~ mattgeorge$ ping victor.rafmuseum.local
ping: cannot resolve victor.rafmuseum.local: Unknown host
Interestingly, nslookup is fine:
Matts-iMac:~ mattgeorge$ nslookup victor.rafmuseum.local
Server: 172.16.0.11
Address: 172.16.0.11#53
Name: victor.rafmuseum.local
Address: 172.16.0.15
And pinging the IP address works correctly too. Windows servers appear in the finder and I can connect to them from there but the Connect to Server option again will not resolve a DNS address. Also in researching this I note that Directory Access no longer appears in Applications.
Tim
This is the chowder-headed default value that arises from older Windows Server installations. Microsoft fixed this in more recent versions. Folks that didn't know DNS and that chose to take the default top-level domain from older Windows Server installations were led into a morass, unfortunately.
You're basically going to have to run parallel DNS services until you can reconfigure those Windows Server DNS servers over into a valid top-level domain — when Microsoft specified this default of .local, .local was not a reserved top-level domain — or otherwise limp along here. This because .local is a reserved domain now, as it's used for Bonjour/mDNS.
The usual fix is to move into a real and registered domain, which is obviously a pain now, but only tends to get worse over time.
The usual workaround is to set up parallel DNS services, to add "local" to the list of search domains within network preferences (haven't tried this recently, but it was the old workaround for this case, see Mac OS X v10.4, 10.5, 10.6: How to look up ".local" hostnames via both Bonjour and standard DNS) and then incrementally migrate preferably to a real-and-registered domain over time, and/or to otherwise avoid using the .local domain where that's feasible.
FWIW, rafmuseum.net is currently available for registration, and you can use a subdomain of one you already have — if one of those other existing registrations is associated with your organization — and there are a gazillion other new top-level domains now or coming online to choose from — though you can't have .local here, as that's RFC-reserved for Bonjour/mDNS activity. -
Network Positioning of a Windows Server 2012 R2 Direct Access & VPN Server
Reposted moved from Windows Server Forums- Security
Hi
I'm in the process of creating a new Active Directory forest with a single domain using AD.Contoso.com, to use the Microsoft example. The reason I have decided on AD.XXXXXXXXX.com is to get away from using split horizon (split brain) DNS. The requirements for our new domain are:
2012 R2 AD
Direct Access & VPN
Exchange 2013 OWA, Active Sync Outlook Anywhere (Possibly a Hybrid Config where we have on premises mailboxes and some exchange online mailboxes Office 365 etc)
Lync 2013 ?
SharePoint 2013 ?
Microsoft Active Directory Certificate Services
System Center Configuration Manager 2012 R2
Two way trusts between old forest and new to enable Transition/Migration
Ok so that's what I'm aiming for so now the question.
They are allowing me to purchase a next generation firewall, maybe a Barracuda NG firewall or a Cisco ASA X series, so I need some advice on what type of network topology I should configure. I've read that using the two NIC configuration for the 2012 R2 Direct Access Server is preferable, one NIC on the internal network and one on the perimeter. The problem I have with this is that it bridges the internal network and the perimeter, bypassing the backend firewall (see image).
The other alternative is to dispense with the perimeter network use the Direct Access server with a single NIC and setup the NG Firewall in a three-legged config with the DA server on the DMZ.
So, all you security experts out there, what would be your design for this simple domain? We don't need any HA or load balancing.
Thanks
Simon
Ok, I'm not sure we are going to get any advice on this subject, but one last effort. Our budget can only stretch to one next generation firewall, so I'm considering the following three-legged firewall design with a two NIC 2012 R2 Direct Access server. If someone could validate this configuration or suggest an alternative then I would be grateful. -
Direct Access and Windows Phone 8.1 for MySite Resolution?
Hi all –
I am reaching out to the community here because I haven’t been able to find anything concrete.
The scenario is that we wish to have links which are sent through an on-prem SharePoint farm resolve on a user’s Windows Phone whilst roaming.
The root of the issue is that the client does not have split DNS in place.
Therefore, when they send a link from the SharePoint site, its URL is mysite.acme.int, for example, which is not resolvable from outside of the corporate network; acme.com is, however.
We have Direct Access (2012 R2) in place and use Windows Phone 8.1.
What I am trying to determine is whether or not we can leverage a DA connection with the Windows Phones in order to attain URL resolution.
Barring that does anyone have any bright ideas on how to conquer the problem?
Kind regards and thanks in advance!
Wren
Hi Wren,
For your issue, you can try to configure alternate access mappings with an IP address for your MySite Web Application, and then you can access your site with the IP address.
As I am not familiar with Windows Phone, you can connect with Windows Phone support or post threads in the Windows Phone forums to ask for more information:
http://answers.microsoft.com/en-us/winphone/forum/wp8?tab=Threads
Best Regards,
Eric
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Direct Access client DNS Registration q.
Hi All,
We have Direct Access installed, configured and mostly working on Windows 2012 R2 server supporting WIN 8.1 clients (only).
All internal resources are accessible and have good name resolution, etc.
However, I now have to enable "manage out" functionality. SCCM based Remote Assistance etc.
There are various guides and I think manage out is working correctly. There is a major sticking point in that the clients are attempting to register DNS names on the local DHCP server (home/office router) and the registration never reaches the corporate DNS servers.
I have enabled "secure only" DNS registration by Group Policy.
We use split tunneling for clients.
The Direct Access server is behind a NAT firewall (Cisco), so the only effective transition technology is IP-HTTPS.
Many thanks for any assistance in pointing me in the right direction.
Hi,
>>There is a major sticking point in that the clients are attempting to register DNS names on the local DHCP server (home/office router) and the registration never reaches the corporate DNS servers.
Did you deploy IPv6 in your corpnet? If not, it's normal.
If we use IPv4 in the corpnet, NAT64 and DNS64 will be enabled on the DirectAccess server. When the DirectAccess client sends the DNS update packet, according to the NRPT, the packet will be sent to the DirectAccess server. The DirectAccess server will register the AAAA record on behalf of the client.
Best Regards.
Steven Lee
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Direct Access for Non Domain Machines
Hi,
In my IT infrastructure, there are multiple machines that are outside my office network and domain.
Can we join these machines to the domain via a Direct Access implementation? Or, for implementing Direct Access, are we required to join those non-domain, out-of-office-network machines to the domain first?
Secondly, can we implement Direct Access without purchasing any public certificate, and without configuring any IPv6 in the internal network, machines and servers? Currently I am using IPv4 on all machines and servers.
I have gone through the Direct Access TechNet guide but I feel it is a very complex document... can you please brief me about the Direct Access implementation in a simple way? I want to implement Direct Access to join the internet-based client machines to the domain and manage them via/for SCCM...
Shailendra Dev
Correct, DirectAccess clients must be domain joined. Also, only Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise clients are able to be DirectAccess connected, so that may also make a difference to your situation. I see many customers deploy DirectAccess for those Win7/Win8 domain-joined systems, and then make use of the traditional (RRAS) VPN on the same DirectAccess server for connecting any other operating systems or non-domain-joined machines. Those would just have to launch a manual VPN connection, where the DirectAccess connections are of course automatically connected.
You don't "have" to use an SSL certificate that you purchased from a public CA, but you really should. It is definitely a best practice to use a trusted public certificate on your DirectAccess server. Further, if you have Windows 8 client computers, you don't even need to distribute the machine certificates inside your network, but it is also a best practice that you do this anyway, to strengthen the authentication process.
No, you do not need IPv6 inside your network at all for DirectAccess to work.
Sounds like you might be interested in some additional reading on DA, here are the two books available on the subject:
https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting
https://www.packtpub.com/networking-and-servers/windows-server-2012-unified-remote-access-planning-and-deployment -
Network Service Order Causing Conflict with Private DNS on Local Network
I'm currently working on deploying a Snow Leopard Server-based setup for a university student-run television station, using a Mac mini Server. Because our university's own networking infrastructure is somewhat wonky and restrictive, I have recently networked our station's six other computers and the Mac mini Server together through wired Ethernet, using an AirPort Base Station as a router along with some D-Link Ethernet switches.
As a result, our computers are networked together on their own network completely independently from our university's network, but because this wired network has no internet access, all of our computers connect to our university's wi-fi network over AirPort for internet access.
I've set up Snow Leopard Server with a private DNS name "atvserver.private" and am intending to use this server internally for file sharing, directory services, and Wiki Server (and possibly Podcast Server). However, because of the service order in Network Preferences, if our client computers are set to give AirPort priority, then they can connect to the internet, but cannot connect to the server's private DNS. On the other hand, if our client computers are set to give Ethernet priority, they can connect to the server, but lose their internet connection.
The only solutions that I can think of are:
1) Bridge the university's internet connection on our private wired network (but the university will not allow us to do this because it violates their security policies), or
2) Come up with some way to bypass the networking service order so that "atvserver.private" goes to the Ethernet network, while everything else goes to the public internet over AirPort.
Any ideas on how to solve this problem?
What's the IP range and subnet for the university network?
The issue has nothing to do with the IP addresses/subnets in use. It's about DNS resolution.
Fortunately the solution is simple.
Configure the DNS server on the SLS with the zone(s) for your private LAN.
Enable DNS forwarders with the IP addresses of your university's DNS servers.
Point your clients to your SLS for DNS service.
Now all DNS requests from these clients will go to your server. For zones this server is responsible for (i.e. your private LAN) the server will reply, for all other lookups it will refer to your university's DNS servers for resolution.
In this way your clients can resolve your private zones, the university's zones and public DNS hostnames. Problem solved. -
Want to Access local and Network
Hi
I am doing an application with XML locally, and I have multiple link buttons to relevant sites.
My application files are local and the XML is also in a local folder.
When I click the link button, Flash Player is not permitting access to the links. I want to change the global settings in Adobe.
When I put them on a server it works fine.
I have compiled the application with the compiler argument
-use-network=false
If I change that to -use-network=true I can access the web link, but I can't get data from the local folder; my Flex application is blank.
I also tried setting system.security.allowdomain("*") and all security options.
When I trace the sandbox type it says "localTrusted".
I have an idea of changing the configuration file in the Flash Player #security folder. I tried it and it works fine, but my client thinks it is a little tough.
I need help to overcome this. Can anyone please help me.
I want to access data from the local folder and want to link to the web.
My application is on the local hard drive.
Thanks
Murugan
You cannot easily do this. If your app is delivered via a web domain, then you cannot access both network and local assets.
The only way to do what you ask is to physically install the application in a trusted folder.
See this doc:
http://livedocs.adobe.com/flex/2/docs/00001953.html
and this for details on how to set it up:
http://livedocs.adobe.com/flex/2/docs/00001952.html
Tracy