Scanning and deploying to RRAS VPN clients (DNS/DHCP issue)
I'm having trouble with managing laptops in our Windows (2012 R2) domain.
We have our DNS server configured for secure dynamic updates. We have our DHCP server configured to always update the DNS server records using an AD user credential (let's call it DHCPUpdateUser).
When the laptops are in the office and connected to the local network, DHCP leases them an IP address and registers it on the DNS server as expected.
However, when the laptops are taken out of the office and connect to our SSTP VPN, RRAS gives them a new IP address and this does not get registered on the DNS server, so PDQ can't resolve the hostnames and thinks they're offline.
I have a DHCP Relay Agent set up in RRAS, but that doesn't seem to make any difference (other than passing DHCP scope options through to the VPN clients).
I have tried enabling the "Register this connection's addresses in DNS" option in the VPN connection settings on the laptops, but that doesn't work because the existing records on the DNS server are all owned by the aforementioned DHCPUpdateUser and the laptops do not have permission to edit them. The laptops will not create additional records on the DNS server either.
How can I get the VPN clients' IP addresses to be registered on the DNS server so that PDQ can resolve the hostnames and see they're online?
Comments
Nomen,
Do you have "Test Multiple Addresses in Name Resolution" enabled under Preferences > Network in Inventory?
Hi Luke,
Yes, I enabled that option a few days ago, but it didn't really seem to have any effect.
One other thing I've noticed though, is that if a laptop acquires a DHCP lease on the local network and is then out of the office for long enough that the lease expires and the corresponding DNS record is scavenged, the laptop suddenly shows up as online in PDQ Inventory via the VPN.
However, there is no new DNS record created for that laptop's hostname, so I have no idea how that's even happening...
Nomen,
You are probably seeing those machines as online even though they have no new DNS record due to the DNS cache on your PDQ server. I recommend that you set up your server to regularly flush its DNS cache, instructions here:
Unfortunately I can't help you with your RRAS issues since I don't have enough experience with it. Hopefully someone else can help out.
Ah, thanks Luke. I now see what's going on as far as the strange behaviour in my 2nd post is concerned.
PDQ is actually running on the same server as RRAS, so that server's local DNS cache knows the VPN clients' correct IP addresses, but they seemingly get overridden by any DNS records which exist on our primary DNS server.
When those primary DNS records expire and are scavenged, PDQ then uses the locally cached DNS records (which are the true IP addresses), so PDQ starts working fine until such time as the laptops are brought back to the office then taken out of the office again, at which point the problem returns.
Anyway, the root of the problem is that our DNS server does not get updated with VPN clients' IP addresses, so if anyone has any further insight into that particular issue I'd be most grateful!
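A diagnostic script for the situation described in this thread, added here as an example and not posted by anyone in the thread: run on the PDQ/RRAS server, it compares what the primary DNS server holds for each laptop with what the server's local resolver cache holds, and shows who owns the record in AD (the account that secure dynamic update will let overwrite it). The zone name corp.example, the domain DN, the server name DNS01, the DomainDnsZones partition layout and the laptop names are all assumptions constructed for illustration.

```powershell
# Added diagnostic example (not from the original thread). Assumptions, constructed for
# illustration: the DNS zone is corp.example, the AD domain DN is DC=corp,DC=example, the
# primary DNS server is DNS01, and the zone is AD-integrated in the DomainDnsZones partition.
# Run it on the PDQ/RRAS server to see why a VPN client resolves to a stale address.
Import-Module DnsServer, DnsClient, ActiveDirectory

$Zone      = 'corp.example'
$DomainDN  = 'DC=corp,DC=example'
$DnsServer = 'DNS01'
$Laptops   = @('LAPTOP01', 'LAPTOP02')   # constructed hostnames

function Test-VpnClientDnsRecord {
    param([string]$Name)

    # Authoritative A record(s) as held by the primary DNS server
    $rr = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
            -Name $Name -RRType A -ErrorAction SilentlyContinue
    $authoritative = @($rr | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

    # Local resolver cache on this server (what PDQ uses while the entry is still cached;
    # Clear-DnsClientCache empties it, which is the flush recommended above)
    $cached = @(Get-DnsClientCache -Entry "$Name.$Zone" -Type A -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Data)

    # Owner of the record object in AD: the principal allowed to overwrite it via secure
    # dynamic update (DHCPUpdateUser in the thread). Assumes the DomainDnsZones DN layout.
    $owner = $null
    try {
        $owner = (Get-Acl "AD:\DC=$Name,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN").Owner
    } catch { }

    [pscustomobject]@{
        Host            = $Name
        AuthoritativeIP = $authoritative -join ','
        CachedIP        = $cached -join ','
        TTL             = ($rr | Select-Object -First 1).TimeToLive
        RecordTimestamp = ($rr | Select-Object -First 1).Timestamp   # null for static records
        RecordOwner     = $owner
        # A cached address that the DNS server no longer holds is the symptom described above
        Mismatch        = ($cached.Count -gt 0 -and $authoritative.Count -gt 0 -and
                           -not ($cached | Where-Object { $authoritative -contains $_ }))
    }
}

$Laptops | ForEach-Object { Test-VpnClientDnsRecord $_ } | Format-Table -AutoSize
```

A row whose RecordOwner is DHCPUpdateUser explains why the laptop's own "Register this connection's addresses in DNS" update is refused; a row with Mismatch set shows the cache-versus-server discrepancy that makes PDQ's online status flip.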
After a whole lot of trial and error I think I've come up with a reasonable solution to this problem.
In this way, the laptops can control their own DNS records without DHCP taking over and without affecting the entire scope, plus the short TTL means other machines (such as a PDQ server) shouldn't cache those records for extended periods.
So far, it all seems to be working exactly the way I want.