Direct Access DNS resolution local domain network

Hey guys,
some information about my test environment...
My DirectAccess server and my DC are based on Windows Server 2012 R2. The DirectAccess server has one NIC. Port 443 requests are forwarded through a firewall to the DirectAccess server. The configuration for DirectAccess is based on the built-in assistant to configure it.
On the client side I am using Windows 8.1 x64.
Now to my problem...
If I do a ping or a gpupdate when I am not connected to my local company network, the server responds and gpupdate/ping work fine. As soon as I am connected to my local company network I am not able to do a gpupdate or a ping (error in resolving DNS).
But I am able to use nslookup to query names.
Does anyone have a suggestion where the problem could be?

Hi,
It seems that this problem is caused by the issue of Network Location Server.
Does the client know that it is connected to the local network?
When the client connects to the local network, it should show "Connected to network locally or through VPN".
Here is the screenshot of my lab server,
Also, we can use the command below to verify this:
netsh dns show state
The Machine Location should be "Inside corporate network" when the client is connected to the local network.
If the client doesn't know that it is inside the corporate network, please check if client can access the Network Location Server.
Best Regards.
Steven Lee
TechNet Community Support
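Added example (not part of Steven Lee's reply or the original thread): a small Python check that parses the text `netsh dns show state` prints and compares the reported Machine Location and Direct Access Settings against where the administrator knows the client actually is, which is the symptom the question describes. The two sample outputs are constructed in the layout of that command's output, not captured from anyone's lab; on a Windows client the real output can be fed to the same functions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the layout `netsh dns show state` prints: a healthy
# client on the corporate LAN (NLS reached, DirectAccess NRPT switched off).
SAMPLE_INSIDE = """\
Name Resolution Policy Table Options
--------------------------------------------------------------------

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Let Network ID determine when Direct
                                        Access settings are to be used

Machine Location                      : Inside corporate network

Direct Access Settings                : Configured and Disabled

DNSSEC Settings                       : Not Configured
"""

# Constructed sample: the same client after it failed to reach the NLS.
SAMPLE_OUTSIDE = SAMPLE_INSIDE.replace(
    "Inside corporate network", "Outside corporate network"
).replace("Configured and Disabled", "Configured and Enabled")

_FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")


def parse_dns_state(text: str) -> Dict[str, str]:
    """Turn the 'Key : value' lines into a dict, joining wrapped continuation lines."""
    state: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # blank line or the dashed rule under the heading
        m = _FIELD.match(line)
        if m:
            current = m.group("key").strip()
            state[current] = m.group("value").strip()
        elif current and line.startswith(" "):
            state[current] += " " + line.strip()  # indented line: value continues
    return state


def classify(state: Dict[str, str]) -> Tuple[str, str]:
    """Reduce the two decisive fields to 'ok-inside', 'ok-outside' or 'suspect'."""
    loc = state.get("Machine Location", "")
    da = state.get("Direct Access Settings", "")
    inside = loc.lower().startswith("inside")
    enabled = da.lower().endswith("enabled")
    if inside and not enabled:
        return "ok-inside", "NLS reached; NRPT off, the interface DNS answers everything"
    if not inside and enabled:
        return "ok-outside", "NRPT active; corporate names go to the DirectAccess DNS server"
    return "suspect", f"Machine Location={loc!r} disagrees with Direct Access Settings={da!r}"


def diagnose(text: str, physically_inside: bool) -> Tuple[bool, str]:
    """Compare what netsh reports with where the admin knows the client really is."""
    verdict, why = classify(parse_dns_state(text))
    if verdict == "suspect":
        return False, why
    if physically_inside and verdict == "ok-outside":
        # The thread's symptom: the NRPT still steers corporate names to the DA
        # server, which the LAN cannot reach, while nslookup bypasses the NRPT.
        return False, "on the LAN but NLS detection failed: check the NLS URL resolves and answers over HTTPS"
    if not physically_inside and verdict == "ok-inside":
        return False, "remote client believes it is inside: is the NLS reachable from the internet?"
    return True, why
```

A client on the LAN that still reports "Outside corporate network" keeps its NRPT active, so ping and gpupdate are steered to the DirectAccess DNS server while nslookup, which bypasses the NRPT and asks the interface DNS directly, keeps answering.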

Similar Messages

  • DNS best practice in local domain network of Windows 2012?

    Hello.
    We have a small local domain network in our office. Which one is the best practice for the DNS: to set up a DNS in our network forwarding to public DNSs, or directly using public DNS on all computers including the server?
    Thanks.
    Selim

    Hi Selim,
    Definitely the first option, "set up a DNS in our network forwarding to public DNSs", and all computers including the server have the local DNS configured.
    An even better practice would be that this local DNS points to a standalone DNS server in the DMZ which queries the public DNS.
    Using a centralized DNS utilizes the DNS cache to answer similar queries, resulting in faster response time, less internet usage for repeated queries.
    Also an additional DNS layer helps protect your internal DNS data from attackers out in the internet.
    Using internal DNS on all the computers will also help you host intranet websites and access them directly. Moreover, when you are on an AD domain, you need to have the computers' DNS configured properly for AD authentication to happen.
    Regards,
    Satyajit
    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

  • Direct Access: DNS error on Operations Status (DNS server not responding)

    Hi!
    I am testing Direct Access on Windows 2012 R2 Standard. So far I have deployed the Remote Access role to our server "ABC-DA1". I have completed the configuration wizard for a Single NIC deployment and defined a FQDN as the "public name" (da.domain.com).
    After completing the wizard I go to the Operations Status page and find an error telling me one of the DNS servers is unavailable. The mentioned server is no longer operational as it was running on an old Win2k8R2 DC server that was demoted.
    Is there a way to remove the reference to the old server? I have 3 new DNS servers running on the new Domain Controllers but it seems like the old DC did not completely remove itself.
    Below is a screenshot of the operations status.
    Thank you for your help :)

    Hi,
    Please go to the Name Resolution Policy and check if you can change the DNS server there.
    Computer Configuration -> Policies -> Windows Settings -> Name Resolution Policy
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

  • Error "NOTICE: [0] disk access failed" during guest domain network booting

    Hi,
    Could you please tell me what is the problem with my configuration?
    I created guest domain on my T1000 server.
    As a disk I used disk from disk array: /dev/dsk/c0t18d0
    I added disk using commands:
    # ldm add-vdsdev /dev/dsk/c0t18d0 vol1@primary-vds0
    # ldm add-vdisk vdisk1 vol1@primary-vds0 myldom1
    # ldm set-variable auto-boot\?=false myldom1
    # ldm set-variable boot-device=/virtual-devices@100/channel-devices@200/disk@0 myldom1
    Then I logged to guest domain and booted from network to install OS from JumpStart server:
    {0} ok boot net - install
    Boot device: /virtual-devices@100/channel-devices@200/network@0 File and args: - install
    Requesting Internet Address for 0:14:4f:f9:78:19
    SunOS Release 5.10 Version Generic_137137-09 64-bit
    Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
    Use is subject to license terms.
    Configuring devices.
    NOTICE: [0] disk access failed.
    Checking rules.ok file...
    Using begin script: install_begin
    Using finish script: patch_finish
    Executing SolStart preinstall phase...
    Executing begin script "install_begin"...
    Begin script install_begin execution completed.
    ERROR: No disks found
    - Check to make sure disks are cabled and powered up
    Solaris installation program exited.
    Configuration:
    [root@gt1000a /]# ldm list-bindings
    NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
    primary active -n-cv- SP 4 2G 0.5% 2h 23m
    MAC
    00:14:4f:9f:71:4e
    HOSTID
    0x849f714e
    VCPU
    VID PID UTIL STRAND
    0 0 5.3% 100%
    1 1 0.5% 100%
    2 2 0.5% 100%
    3 3 0.4% 100%
    MAU
    ID CPUSET
    0 (0, 1, 2, 3)
    MEMORY
    RA PA SIZE
    0x8000000 0x8000000 2G
    VARIABLES
    keyboard-layout=US-English
    IO
    DEVICE PSEUDONYM OPTIONS
    pci@780 bus_a
    pci@7c0 bus_b
    VCC
    NAME PORT-RANGE
    primary-vcc0 5000-5100
    CLIENT PORT
    myldom1@primary-vcc0 5000
    VSW
    NAME MAC NET-DEV DEVICE DEFAULT-VLAN-ID PVID VID MODE
    primary-vsw0 00:14:4f:fa:ca:94 bge0 switch@0 1 1
    PEER MAC PVID VID
    vnet0@myldom1 00:14:4f:f9:78:19 1
    VDS
    NAME VOLUME OPTIONS MPGROUP DEVICE
    primary-vds0 vol1 /dev/dsk/c0t18d0
    CLIENT VOLUME
    vdisk1@myldom1 vol1
    VCONS
    NAME SERVICE PORT
    SP
    NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
    myldom1 active -n---- 5000 12 2G 0.1% 2h 18m
    MAC
    00:14:4f:f9:e7:ae
    HOSTID
    0x84f9e7ae
    VCPU
    VID PID UTIL STRAND
    0 4 0.5% 100%
    1 5 0.0% 100%
    2 6 0.0% 100%
    3 7 0.0% 100%
    4 8 0.0% 100%
    5 9 0.0% 100%
    6 10 0.0% 100%
    7 11 0.0% 100%
    8 12 0.0% 100%
    9 13 0.0% 100%
    10 14 0.0% 100%
    11 15 0.0% 100%
    MEMORY
    RA PA SIZE
    0x8000000 0x88000000 2G
    VARIABLES
    auto-boot?=false
    boot-device=/virtual-devices@100/channel-devices@200/disk@0
    NETWORK
    NAME SERVICE DEVICE MAC MODE PVID VID
    vnet0 primary-vsw0@primary network@0 00:14:4f:f9:78:19 1
    PEER MAC MODE PVID VID
    primary-vsw0@primary 00:14:4f:fa:ca:94 1
    DISK
    NAME VOLUME TOUT DEVICE SERVER MPGROUP
    vdisk1 vol1@primary-vds0 disk@0 primary
    VCONS
    NAME SERVICE PORT
    myldom1 primary-vcc0@primary 5000
    [root@gt1000a /]#
    Kind regards,
    Daniel

    Issue solved.
    There was a wrong disk name:
    primary-vds0 vol1 /dev/dsk/c0t18d0
    I changed it to c0t18d0s2 and now I have successfully installed the OS from JumpStart.

  • Can address book be accessed on a local area network

    I am using Thunderbird on a network.
    How can I access the addressbook from other computers?
    Alternatively, can I locate the address book on the server?
    Thanks,
    [email protected]

    Thunderbird support is over here.
    http://www.mozillamessaging.com/en-US/support/
    or here:
    http://forums.mozillazine.org/viewforum.php?f=39

  • Direct Access: No Security Associations under Main mode and Quick Mode: No SA

    Could someone please help me with the issue here :'(
    Windows Firewall advanced security --> Monitoring --> Main mode (Empty) --> Quick Mode (Empty)
    It's been days I am trying to troubleshoot this issue. All the setup seems good. I am not able to figure out this certificate issue.

    Hi Sijin,
    What is the status of this issue ? If you still have issue please confirm the following.
    1) What is the Network Topology?
    2) What is the client OS?
    3) If you have it configured for Windows 7 and 8 both then do you have Client Authentication Certificate in Personal store and Root Certificate from Internal CA present on client machine?
    4) What is the Status of IPHTTPS Interface?
    5) Are you able to ping the Direct Access (DNS Server) IP address (2002:836b:33:3333::1) from the client?
    6) What is the status of below services on the client machine?
    IKE and AuthIP IPsec Keying Modules
    IPSec Policy Agent
    7) Which Windows Firewall profile is enabled on the DA Server and Client?
    Regards
    Kapil

  • Direct Access: domain.LOCAL supported?

    Hi,
    Our domain was configured using company.local.  I am now trying to deploy Direct Access on a Windows Server 2012 R2 server using a single NIC deployment.
    Do we have to change our domain name to company.com in order to deploy Direct Access? If not - are there any special considerations when deploying using the .local domain?
    We have a forward lookup zone for domain.com in addition to the domain.local on our DNS servers. We intend to use "da.domain.com" as the "public name used by clients to connect to the Remote Access server".

    Hi,
    You do not have to change.
    With a single NIC, I suppose your server is behind a NAT device.
    For your reference:
    Step-By-Step: Enabling DirectAccess in Windows Server 2012 R2
    http://blogs.technet.com/b/canitpro/archive/2014/01/06/step-by-step-enabling-directaccess-in-windows-server-2012.aspx
    STEP 6: Test DirectAccess Client Connectivity from Behind a NAT Device
    http://technet.microsoft.com/en-us/library/hh831524.aspx
    Hope this helps.

  • Enterprise DNS servers are not responding when using Windows NLB with Direct Access 2012

    Hi
    We have installed Direct Access 2012 as one server installation:
    - Two network cards. First one in DMZ and second one in internal network
    - Two consecutive IP addresses configured in DMZ because of Teredo
    - PKI because of Win7 Clients IPSec
    - Our corporate network is native IPv4 so we use DNS64/NAT64 and DA-server is configured as DNS
    - DA-servers are VMWare virtual machines 
    One server installation works fine and now we want to use Windows NLB as load balancing. NLB installation goes fine too,
    but problem is DNS. If we still try to use DA-server as DNS there comes error message below
    None of the enterprise DNS servers 2002:xxxx:xxxx:3333::1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
    When trying to configure DNS using the Infrastructure access setup, DNS cannot be validated when using the DA-server's DIP or cluster VIP. Only domain local DNS looks to be ok but those have no IPv6 addresses. So how should DNS be configured when using multicast NLB?
    Tried to remove name suffix then adding again => Detect DNS server => DA-server IPv6 address found => validate => The specified DNS server is not responding...
    Then tried to ping detected address => General failure
    NLB clusters are configured as multicast and static ARPs are configured too. Both clusters can be connected from those subnets as they should be. 
    Any clues how to fix this?
    ~ Jukka ~

    Hi,
    Your question falls into the paid support category which requires a more in-depth level of support. Please visit the below link to see the various paid support options that are available to better meet your needs.
    http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
    Regards,
    Mike
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • How do I set up networking for DNS resolution?

    I am setting up a brand new iMac (10.9.4). I've put the two internal DNS servers into the network configuration (Windows Servers running DNS). However, pinging by hostname and FQDN doesn't work.
    Matts-iMac:~ mattgeorge$ ping victor.rafmuseum.local
    ping: cannot resolve victor.rafmuseum.local: Unknown host
    Interestingly, nslookup is fine:
    Matts-iMac:~ mattgeorge$ nslookup victor.rafmuseum.local
    Server: 172.16.0.11
    Address: 172.16.0.11#53
    Name: victor.rafmuseum.local
    Address: 172.16.0.15
    And pinging the IP address works correctly too. Windows servers appear in the finder and I can connect to them from there but the Connect to Server option again will not resolve a DNS address. Also in researching this I note that Directory Access no longer appears in Applications.
    Tim

    This is the chowder-headed default value that arises from older Windows Server installations. Microsoft fixed this in more recent versions. Folks that didn't know DNS and that chose to take the default top-level domain from older Windows Server installations were led into a morass, unfortunately.
    You're basically going to have to run parallel DNS services until you can reconfigure those Windows Server DNS servers over into a valid top-level domain — when Microsoft specified this default of .local, .local was not a reserved top-level domain — or otherwise limp along here. This is because .local is a reserved domain now, as it's used for Bonjour/mDNS.
    The usual fix is to move into a real and registered domain, which is obviously a pain now, but only tends to get worse over time.
    The usual workaround is to set up parallel DNS services, to add "local" to the list of search domains within network preferences (haven't tried this recently, but it was the old workaround for this case, see Mac OS X v10.4, 10.5, 10.6: How to look up ".local" hostnames via both Bonjour and standard DNS) and then incrementally migrate preferably to a real-and-registered domain over time, and/or to otherwise avoid using the .local domain where that's feasible. 
    FWIW, rafmuseum.net is currently available for registration, and you can use a subdomain of one you already have — if one of those other existing registrations is associated with your organization — and there are a gazillion other new top-level domains now or coming online to choose from — though you can't have .local here, as that's RFC-reserved for Bonjour/mDNS activity.

  • Network Positioning of a Windows Server 2012 R2 Direct Access & VPN Server

    Reposted, moved from Windows Server Forums - Security
    Hi
    I'm in the process of creating a new Active Directory forest with a single domain using AD.Contoso.com, to use the Microsoft example. The reason I have decided on AD.XXXXXXXXX.com is to get away from using split horizon (split brain) DNS. The requirements for our new domain are:
    2012 R2 AD
    Direct Access & VPN
    Exchange 2013 OWA, Active Sync Outlook Anywhere (Possibly a Hybrid Config where we have on premises mailboxes and some exchange online mailboxes Office 365 etc)
    Lync 2013 ?
    SharePoint 2013 ?
    Microsoft Active Directory Certificate Services
    System Center Configuration Manager 2012 R2
    Two way trusts between old forest and new to enable Transition/Migration
    Ok so that's what I'm aiming for so now the question.
    They are allowing me to purchase a next generation firewall, maybe a Barracuda NG firewall or a Cisco ASA X series, so I need some advice on what type of network topology I should configure. I've read that using the two NIC configuration for the 2012 R2 Direct Access Server is preferable, one NIC on the internal network, one on the perimeter. The problem I have with this is that it bridges the internal network and the perimeter, bypassing the backend firewall, see image.
    The other alternative is to dispense with the perimeter network, use the Direct Access server with a single NIC and set up the NG firewall in a three-legged config with the DA server on the DMZ.
    So all you security experts out there, what would be your design for this simple domain? We don't need any HA or load balancing.
    Thanks
    Simon

    Ok, I'm not sure we are going to get any advice on this subject but one last effort. Our budget can only stretch to one next generation firewall so I'm considering the following three-legged firewall design with a two NIC 2012 R2 Direct Access server. If someone could validate this configuration or suggest an alternative then I would be grateful.

  • Direct Access and Windows Phone 8.1 for MySite Resolution?

    Hi all –
    I am reaching out to the community here because I haven’t been able to find anything concrete. 
    The scenario is that we wish to have links which are sent through an on-prem SharePoint farm resolve on a user’s Windows Phone whilst roaming. 
    The root of the issue is that the client does not have split DNS in place. 
    Therefore when they send a link from the SharePoint site its URL is mysite.acme.int, for example, which is not resolvable from outside of the corporate network;
    Acme.com is however.
    We have Direct Access (2012 R2) in place and use Windows Phone 8.1. 
    What I am trying to determine is whether or not we can leverage a DA connection with the Windows Phones in order to attain URL resolution.
    Barring that does anyone have any bright ideas on how to conquer the problem?
    Kind regards and thanks in advance!
    Wren

    Hi Wren,
    For your issue, you can try to configure alternate access mappings with IP address for your MySite Web Application and then you can access your site with IP address.
    As I am not familiar with Windows Phone, you can connect with the Windows Phone support or post threads in the Windows Phone forums to ask for more information:
    http://answers.microsoft.com/en-us/winphone/forum/wp8?tab=Threads
    Best Regards,
    Eric
    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Direct Access client DNS Registration q.

    Hi All,
    We have Direct Access installed, configured and mostly working on Windows 2012 R2 server supporting WIN 8.1 clients (only).
    All internal resources are accessible and have good name resolution, etc.
    However, I now have to enable "manage out" functionality. SCCM based Remote Assistance etc.
    There are various guides and I think manage out is working correctly. There is a major sticking point in that the clients are attempting to register DNS names on the local DHCP server (home/office router) and registration never reaches the corporate DNS servers.
    I have enabled "secure only" DNS registration by Group Policy.
    We use split tunneling for clients.
    The Direct Access server is behind a NAT firewall. (CISCO) So the only effective transition tech is IP-HTTPS.
    Many thanks for any assistance in pointing me in the right direction.

    Hi,
    >>There is a major sticking point in that the clients are attempting to register DNS names on the local DHCP server (home/office router) and registration never reaches the corporate DNS servers.
    Did you deploy IPv6 in your corpnet? If not, it's normal.
    If we use IPv4 in the corpnet, NAT64 and DNS64 will be enabled on the DirectAccess server. When the DirectAccess client sends the DNS update packet, according to the NRPT, the packet will be sent to the DirectAccess server. The DirectAccess server will register the AAAA record on behalf of the client.
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
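Added example (constructed, not from the thread): a Python model of the Name Resolution Policy Table lookup Steven Lee describes, showing which DNS server a query or dynamic update for a given name is sent to, and why a corporate name is steered to the DirectAccess server while the NLS name and internet names go to the interface DNS (the home router). The namespaces, the DA server's DNS64 address (2001:db8 documentation prefix) and the home-router DNS are assumed values; the NRPT being switched off once the client detects it is inside the corporate network is the case the first thread above turns on.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed values (not from the thread): the DA server's DNS64 address uses
# the 2001:db8::/32 documentation prefix; the home router is the interface DNS
# a roaming client gets from DHCP.
DA_DNS64 = "2001:db8:da::1"
HOME_DNS = "192.168.1.1"


@dataclass(frozen=True)
class NrptRule:
    namespace: str                 # ".suffix" covers a whole subtree, "host.fqdn" is exact
    dns_servers: Tuple[str, ...]   # empty tuple = exemption rule: use the interface DNS
    comment: str = ""


def example_rules() -> List[NrptRule]:
    """The two rules a DirectAccess GPO typically pushes (namespaces are constructed)."""
    return [
        NrptRule(".corp.contoso.com", (DA_DNS64,), "corporate namespace via DA DNS64"),
        NrptRule("nls.corp.contoso.com", (), "NLS exemption: must be resolved locally"),
    ]


def _matches(rule: NrptRule, name: str) -> bool:
    """Suffix rules match the suffix itself and anything below it; others match exactly."""
    name = name.rstrip(".").lower()
    ns = rule.namespace.rstrip(".").lower()
    if ns.startswith("."):
        return name == ns[1:] or name.endswith(ns)
    return name == ns


def resolve_target(rules: List[NrptRule], name: str,
                   interface_dns: str, nrpt_active: bool) -> str:
    """Return the DNS server a query or dynamic update for `name` is sent to.

    nrpt_active is False once the client reached the NLS and marked itself
    'Inside corporate network'; then every name goes to the interface DNS.
    Among matching rules the longest namespace wins (the exact NLS rule beats
    the corporate suffix rule). An exemption rule also yields the interface DNS.
    """
    if not nrpt_active:
        return interface_dns
    hits = [r for r in rules if _matches(r, name)]
    if not hits:
        return interface_dns
    best = max(hits, key=lambda r: len(r.namespace.rstrip(".")))
    return best.dns_servers[0] if best.dns_servers else interface_dns


def route_all(names: Iterable[str], rules: List[NrptRule],
              interface_dns: str, nrpt_active: bool) -> Dict[str, str]:
    """Map each name to its target, handy for checking a whole client's behaviour."""
    return {n: resolve_target(rules, n, interface_dns, nrpt_active) for n in names}
```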

  • Direct Access for Non Domain Machines

    Hi,
    In my IT infra, there are multiple machines that are outside my office network & domain.
    Can we join these machines to the domain via a Direct Access implementation? Or for implementing Direct Access are we required to join those non-domain, out-of-office-network machines to the domain first?
    Secondly, can we implement Direct Access without any public certificate purchase, and without configuring any IPv6 in the internal network, machines and servers? Currently I am using IPv4 IPs on all machines & servers.
    I have gone through the Direct Access TechNet guide but I feel it is a very complex document... can you please brief me about Direct Access implementation in a simple way? I want to implement Direct Access to join the internet-based client machines to the domain and manage them via/for SCCM...
    Shailendra Dev

    Correct, DirectAccess clients must be domain joined. Also, only Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise clients are able to be DirectAccess connected, so that may also make a difference to your situation. I see many customers deploy DirectAccess for those Win7/Win8 domain-joined systems, and then make use of the traditional (RRAS) VPN on the same DirectAccess server for connecting any other operating systems or non-domain-joined machines. Those would just have to launch a manual VPN connection, where the DirectAccess connections are of course automatically connected.
    You don't "have" to use an SSL certificate that you purchased from a public CA, but you really should. It is definitely a best practice to use a trusted public certificate on your DirectAccess server. Further, if you have Windows 8 client computers, you don't even need to distribute the machine certificates inside your network, but it is also a best practice that you do this anyway, to strengthen the authentication process.
    No, you do not need IPv6 inside your network at all for DirectAccess to work.
    Sounds like you might be interested in some additional reading on DA, here are the two books available on the subject:
    https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting
    https://www.packtpub.com/networking-and-servers/windows-server-2012-unified-remote-access-planning-and-deployment

  • Network Service Order Causing Conflict with Private DNS on Local Network

    I'm currently working on deploying a Snow Leopard Server-based setup for a university student-run television station, using a Mac mini Server. Because our university's own networking infrastructure is somewhat wonky and restrictive, I have recently networked our station's six other computers and the Mac mini Server together through wired Ethernet, using an AirPort Base Station as a router along with some D-Link Ethernet switches.
    As a result, our computers are networked together on their own network completely independently from our university's network, but because this wired network has no internet access, all of our computers connect to our university's wi-fi network over AirPort for internet access.
    I've set up Snow Leopard Server with a private DNS name "atvserver.private" and am intending to use this server internally for file sharing, directory services, and Wiki Server (and possibly Podcast Server). However, because of the service order in Network Preferences, if our client computers are set to give AirPort priority, then they can connect to the internet, but cannot connect to the server's private DNS. On the other hand, if our client computers are set to give Ethernet priority, they can connect to the server, but lose their internet connection.
    The only solutions that I can think of are:
    1) Bridge the university's internet connection on our private wired network (but the university will not allow us to do this because it violates their security policies), or
    2) Come up with some way to bypass the networking service order so that "atvserver.private" goes to the Ethernet network, while everything else goes to the public internet over AirPort.
    Any ideas on how to solve this problem?

    What's the IP range and subnet for the university network?

    The issue has nothing to do with the IP addresses/subnets in use. It's about DNS resolution.
    Fortunately the solution is simple.
    Configure the DNS server on the SLS with the zone(s) for your private LAN.
    Enable DNS forwarders with the IP addresses of your university's DNS servers.
    Point your clients to your SLS for DNS service.
    Now all DNS requests from these clients will go to your server. For zones this server is responsible for (i.e. your private LAN) the server will reply, for all other lookups it will refer to your university's DNS servers for resolution.
    In this way your clients can resolve your private zones, the university's zones and public DNS hostnames. Problem solved.

  • Want to Access local and Network

    Hi
    I am doing an application with XML in local, and I have multiple link buttons to relevant sites. My application files are in local and the XML is also in a local folder.
    When I click the link button, Flash player is not permitting access to links. I want to change global settings in Adobe. When I put them on a server it works fine.
    I have compiled the application with compiler argument -use-network=false
    If I change that to -use-network=true I can access the weblink, but I can't get data from the local folder; my Flex application is blank.
    I also tried setting system.security.allowdomain("*") and all security options.
    When I trace the sandbox type it says "localTrusted".
    I have an idea of changing the configuration file in the Flash player #security folder; I tried and it works fine, but my client thinks it is a little tough.
    I need help to overcome this. Can anyone please help me?
    I want to access data from a local folder and want to link to the web. My application is on a local hard drive.
    Thanks
    Murugan

    You cannot easily do this. If your app is delivered via a web domain, then you cannot access both network and local assets. The only way to do what you ask is to physically install the application in a trusted folder.
    See this doc:
    http://livedocs.adobe.com/flex/2/docs/00001953.html
    and this for details on how to set it up:
    http://livedocs.adobe.com/flex/2/docs/00001952.html
    Tracy
