Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain but customers are unable to add new posts or comment on existing. Please feel free to join our Community Discord for any questions and discussions.

Answered

Scanning and deploying to RRAS VPN clients (DNS/DHCP issue)

I'm having trouble with managing laptops in our Windows (2012 R2) domain.

We have our DNS server configured for secure dynamic updates. We have our DHCP server configured to always update the DNS server records using an AD user credential (let's call it DHCPUpdateUser).

When the laptops are in the office and connected to the local network, DHCP leases them an IP address and registers it on the DNS server as expected.

However, when the laptops are taken out of the office and connect to our SSTP VPN, RRAS gives them a new IP address and this does not get registered on the DNS server, so PDQ can't resolve the hostnames and thinks they're offline.

I have a DHCP Relay Agent set up in RRAS, but that doesn't seem to make any difference (other than passing DHCP scope options through to the VPN clients).

I have tried enabling the "Register this connection's addresses in DNS" option in the VPN connection settings on the laptops, but that doesn't work because the existing records on the DNS server are all owned by the aforementioned DHCPUpdateUser and the laptops do not have permission to edit them. The laptops will not create additional records on the DNS server either.

How can I get the VPN clients' IP addresses to be registered on the DNS server so that PDQ can resolve the hostnames and see they're online?

1

Comments

5 comments
  • Nomen,

    Do you have "Test Multiple Addresses in Name Resolution" enabled under Preferences > Network in Inventory?

    1
  • Hi Luke,

    Yes, I enabled that option a few days ago, but it didn't really seem to have any effect.

    One other thing I've noticed though, is that if a laptop acquires a DHCP lease on the local network and is then out of the office for long enough that the lease expires and the corresponding DNS record is scavenged, the laptop suddenly shows up as online in PDQ Inventory via the VPN.

    However, there is no new DNS record created for that laptop's hostname, so I have no idea how that's even happening...

    1
  • Nomen,

    You are probably seeing those machines as online even though they have no new DNS record due to the DNS cache on your PDQ server. I recommend that you set up your server to regularly flush its DNS cache, instructions here:

    Unfortunately I can't help you with your RRAS issues since I don't have enough experience with it. Hopefully someone else can help out.

    1
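The comment above suggests flushing the PDQ server's DNS cache on a schedule but the link to the instructions did not survive. The following is an added example, not something posted in the thread, showing one way to do that with a scheduled task. The task name, the 15-minute interval and the hostname used in the final check are assumptions; run it once as an administrator on the PDQ server.

```powershell
# Added example (not from the original thread): a scheduled task on the PDQ
# server that clears the local DNS resolver cache every 15 minutes, so a record
# that changed upstream is re-queried instead of being answered from cache.
# Task name, interval and the "laptop01" hostname in the check are assumptions.

$TaskName = 'Flush DNS resolver cache'

# Clear-DnsClientCache is the cmdlet equivalent of "ipconfig /flushdns".
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -Command Clear-DnsClientCache'

# Start now and repeat every 15 minutes; a finite RepetitionDuration is used
# because older Task Scheduler cmdlets require one.
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 15) `
    -RepetitionDuration (New-TimeSpan -Days 3650)

$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Settings $Settings -User 'SYSTEM' -RunLevel Highest | Out-Null

# Check: run the task once and confirm a previously cached entry is gone.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
Get-DnsClientCache | Where-Object Entry -like 'laptop01*'   # expected: no output
```

This only clears the OS resolver cache on the PDQ server. If the authoritative record on the DNS server itself still holds the laptop's old office address (the situation the original poster goes on to describe), flushing the cache will simply re-fetch that stale answer, so the fix for that case has to be on the registration side.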
  • Ah, thanks Luke. I now see what's going on as far as the strange behaviour in my 2nd post is concerned.

    PDQ is actually running on the same server as RRAS, so that server's local DNS cache knows the VPN clients' correct IP addresses, but they seemingly get overridden by any DNS records which exist on our primary DNS server.

    When those primary DNS records expire and are scavenged, PDQ then uses the locally cached DNS records, (which are the true IP addresses), so PDQ starts working fine until such time as the laptops are brought back to the office then taken out of the office again, at which point the problem returns.

    Anyway, the root of the problem is that our DNS server does not get updated with VPN clients' IP addresses, so if anyone has any further insight into that particular issue I'd be most grateful!

    1
  • After a whole lot of trial and error I think I've come up with a reasonable solution to this problem.

    1. Make sure the laptops have "Register this connection's addresses in DNS" enabled on their VPN connections.
    2. Set a DHCP User Class on all of their network adaptors. (ipconfig /setclassid * "SomeClass")
    3. Create a DHCP policy in the relevant scope which only applies to DHCP clients who have the aforementioned user class. Configure the policy with a shorter DHCP lease duration if you wish, and more importantly, configure it to Dynamically update DNS records only if requested by the DHCP clients. (DHCP\<ServerName>\IPv4\Scope [n.n.n.n]\Policies)
    4. Optionally, create a GPO for the laptops which configures their DNS clients to refresh their DNS records more regularly and sets a short TTL on the records. (Computer Configuration\Administrative Templates\Network\DNS Client)

    In this way, the laptops can control their own DNS records without DHCP taking over and without affecting the entire scope, plus the short TTL means other machines (such as a PDQ server) shouldn't cache those records for extended periods.

    So far, it all seems to be working exactly the way I want.

    1
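The four steps in the answer above, written out as PowerShell so each one can be applied and checked from a console. This is an added example, not code from the original post or from PDQ. The DHCP/DNS server name DHCP01, the zone corp.example, the VPN scope 10.20.0.0, the user class name VpnLaptops, the VPN connection name "Corp VPN", the GPO name and the OU are all assumptions; it needs the DhcpServer, GroupPolicy and ActiveDirectory modules (RSAT) and rights to administer DHCP, create GPOs and read the DNS zone objects.

```powershell
# Added example (not from the original post): the answer's four steps as
# PowerShell, plus checks. Names below are assumptions for illustration only.
Import-Module DhcpServer, GroupPolicy, ActiveDirectory

$Dhcp  = 'DHCP01'          # DHCP server (assumed)
$Zone  = 'corp.example'    # AD-integrated forward zone (assumed)
$Scope = '10.20.0.0'       # scope the RRAS relay hands VPN clients from (assumed)
$Class = 'VpnLaptops'      # DHCP user class ID the laptops will carry (assumed)

# --- Steps 2 and 3, server side: define the user class and a scope policy that
# matches only clients presenting it. Lease duration is per policy on 2012 R2+.
Add-DhcpServerv4Class -ComputerName $Dhcp -Name $Class -Type User -Data $Class `
    -Description 'Laptops that register their own DNS records'

Add-DhcpServerv4Policy -ComputerName $Dhcp -ScopeId $Scope -Name $Class `
    -Condition OR -UserClass EQ,$Class `
    -LeaseDuration (New-TimeSpan -Hours 4)

# The key setting: for this policy only, DHCP updates DNS just when the client
# requests it (FQDN option), so the laptop registers under its own computer
# account instead of DHCP registering as DHCPUpdateUser. The scope-wide
# "always update" behaviour for every other client is left untouched.
Set-DhcpServerv4DnsSetting -ComputerName $Dhcp -ScopeId $Scope -PolicyName $Class `
    -DynamicUpdates OnClientRequest -DeleteDnsRROnLeaseExpiry $true

# Check the policy and its DNS setting actually landed in the scope.
Get-DhcpServerv4Policy   -ComputerName $Dhcp -ScopeId $Scope -Name $Class
Get-DhcpServerv4DnsSetting -ComputerName $Dhcp -ScopeId $Scope -PolicyName $Class

# --- Step 4: GPO for the laptops' DNS client. Policy names from the answer map
# to these registry values: "Registration refresh interval" (1800 s is the policy
# minimum) and "TTL set in the A and PTR records" (300 s here).
$Gpo = 'Laptop DNS Client'                                   # assumed name
$Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-GPO -Name $Gpo | Out-Null
Set-GPRegistryValue -Name $Gpo -Key $Key -Type DWord -ValueName RegistrationEnabled         -Value 1    | Out-Null
Set-GPRegistryValue -Name $Gpo -Key $Key -Type DWord -ValueName RegistrationRefreshInterval -Value 1800 | Out-Null
Set-GPRegistryValue -Name $Gpo -Key $Key -Type DWord -ValueName RegistrationTtl             -Value 300  | Out-Null
New-GPLink -Name $Gpo -Target 'OU=Laptops,DC=corp,DC=example' | Out-Null   # assumed OU
Get-GPRegistryValue -Name $Gpo -Key $Key | Select-Object ValueName, Value

# --- Steps 1 and 2, client side (run on each laptop as administrator):
#   ipconfig /setclassid * VpnLaptops        # tag every adapter with the class
#   Get-DnsClient -InterfaceAlias 'Corp VPN' |
#       Select-Object InterfaceAlias, RegisterThisConnectionsAddress   # should be True
#   ipconfig /registerdns                    # force a registration right now

# --- Diagnostic for the permission problem in the question: who owns LAPTOP01's
# A record? A DHCP-created record is owned by DHCPUpdateUser; one the laptop
# registered itself is owned by LAPTOP01$ (zone assumed to be in DomainDnsZones).
$Record = "AD:\DC=LAPTOP01,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example"
$Acl = Get-Acl -Path $Record
$Acl.Owner
$Acl.Access | Where-Object { $_.IdentityReference -like '*LAPTOP01$' } |
    Select-Object IdentityReference, ActiveDirectoryRights

# After the laptop reconnects over the VPN, the record should carry the
# RRAS-assigned address. -DnsOnly bypasses the local cache and hosts file.
Resolve-DnsName -Name "LAPTOP01.$Zone" -Type A -Server $Dhcp -DnsOnly
```

Two things worth keeping in mind when using this. The user class is set by the client, so it is an opt-in label rather than an authorization boundary: any domain machine that runs `ipconfig /setclassid` with that value gets the "only if requested" treatment, but secure dynamic update still means it can only create or change records as its own computer account, and the records DHCPUpdateUser already owns stay protected. That is also why the ownership check matters: a laptop whose record is still owned by DHCPUpdateUser will keep failing to update it until that record ages out through scavenging or is deleted, after which the laptop's own registration creates a record it owns.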