Scanning and deploying to RRAS VPN clients (DNS/DHCP issue)

Comments

5 comments

  • Luke Nichols

    Nomen,

    Do you have "Test Multiple Addresses in Name Resolution" enabled under Preferences > Network in Inventory?

  • Nomen Nescio

    Hi Luke,

    Yes, I enabled that option a few days ago, but it didn't really seem to have any effect.

    One other thing I've noticed, though, is that if a laptop acquires a DHCP lease on the local network and is then out of the office for long enough that the lease expires and the corresponding DNS record is scavenged, the laptop suddenly shows up as online in PDQ Inventory via the VPN.

    However, there is no new DNS record created for that laptop's hostname, so I have no idea how that's even happening...

  • Luke Nichols

    Nomen,

    You are probably seeing those machines as online even though they have no new DNS record due to the DNS cache on your PDQ server. I recommend that you set up your server to regularly flush its DNS cache, instructions here:

    Unfortunately I can't help you with your RRAS issues since I don't have enough experience with it. Hopefully someone else can help out.

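
The stale-cache effect Luke describes can be checked directly on the PDQ server. The following is an added example, not from this thread or from PDQ: it compares the addresses held in the local DNS client cache for a hostname with what the configured DNS server answers right now, and registers a scheduled task that flushes the cache at an interval. The hostname and the interval are placeholders; it assumes the DnsClient and ScheduledTasks modules (Windows Server 2012 or later).

```powershell
# Added example (not from the thread). Compare the DNS client cache on this host
# with a live answer from the DNS server, so a stale cached address is visible
# before a scan or deployment targets the wrong machine.
# Assumed placeholder: "laptop01.corp.example".

function Compare-DnsCacheToServer {
    param(
        [Parameter(Mandatory)] [string] $Name
    )

    # IPv4 addresses currently held in the local resolver cache for this name
    $cached = Get-DnsClientCache -Entry $Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Data -as [ipaddress] } |
        Select-Object -ExpandProperty Data

    # Fresh answer from the DNS server, bypassing both the cache and the hosts file
    $live = Resolve-DnsName -Name $Name -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } |
        Select-Object -ExpandProperty IPAddress

    [pscustomobject]@{
        Name   = $Name
        Cached = @($cached)
        Live   = @($live)
        # Stale when both sides have data and the address sets differ
        Stale  = [bool]($cached -and $live -and (Compare-Object @($cached) @($live)))
    }
}

function Register-DnsFlushTask {
    param([int] $EveryMinutes = 15)

    # Equivalent of running "ipconfig /flushdns" every $EveryMinutes minutes as SYSTEM
    $action  = New-ScheduledTaskAction -Execute 'ipconfig.exe' -Argument '/flushdns'
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
        -RepetitionInterval (New-TimeSpan -Minutes $EveryMinutes)
    Register-ScheduledTask -TaskName 'FlushDnsCache' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force
}

# Usage (placeholder hostname):
Compare-DnsCacheToServer -Name 'laptop01.corp.example'
Register-DnsFlushTask -EveryMinutes 15
```

A `Stale = True` result for a VPN client is exactly the situation described in the next reply: the server's cache still holds one address while the DNS server has scavenged or replaced the record. Flushing the cache removes the symptom but not the cause, which is that the VPN clients' addresses never reach the DNS server.
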
  • Nomen Nescio

    Ah, thanks Luke. I now see what's going on as far as the strange behaviour in my 2nd post is concerned.

    PDQ is actually running on the same server as RRAS, so that server's local DNS cache knows the VPN clients' correct IP addresses, but they seemingly get overridden by any DNS records which exist on our primary DNS server.

    When those primary DNS records expire and are scavenged, PDQ then uses the locally cached DNS records (which are the true IP addresses), so PDQ starts working fine until such time as the laptops are brought back to the office and then taken out of the office again, at which point the problem returns.

    Anyway, the root of the problem is that our DNS server does not get updated with VPN clients' IP addresses, so if anyone has any further insight into that particular issue I'd be most grateful!

  • Nomen Nescio

    After a whole lot of trial and error I think I've come up with a reasonable solution to this problem.

    1. Make sure the laptops have "Register this connection's addresses in DNS" enabled on their VPN connections.
    2. Set a DHCP User Class on all of their network adaptors. (ipconfig /setclassid * "SomeClass")
    3. Create a DHCP policy in the relevant scope which only applies to DHCP clients who have the aforementioned user class. Configure the policy with a shorter DHCP lease duration if you wish, and more importantly, configure it to Dynamically update DNS records only if requested by the DHCP clients. (DHCP\<ServerName>\IPv4\Scope [n.n.n.n]\Policies)
    4. Optionally, create a GPO for the laptops which configures their DNS clients to refresh their DNS records more regularly and sets a short TTL on the records. (Computer Configuration\Administrative Templates\Network\DNS Client)

    In this way, the laptops can control their own DNS records without DHCP taking over and without affecting the entire scope, plus the short TTL means other machines (such as a PDQ server) shouldn't cache those records for extended periods.

    So far, it all seems to be working exactly the way I want.

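
The four steps in the post above, written out as PowerShell. This is an added example, not the poster's own configuration or anything from PDQ: it uses the DhcpServer module on the DHCP server and the DnsClient module on the laptops. The scope `10.0.0.0`, the user class name `VpnLaptops`, the VPN connection alias `Corp VPN` and the refresh/TTL values are placeholders. It goes one small step beyond step 3 by also telling DHCP to delete the record when a lease expires, so a laptop that has left the network does not leave a stale A record behind; the step 4 GPO settings are shown as the registry values those DNS Client policies write, which is an assumption about the policy implementation rather than something the post states.

```powershell
# Added example (not from the thread). Placeholders: scope 10.0.0.0,
# user class "VpnLaptops", VPN interface alias "Corp VPN".

# ---- DHCP server side: steps 2 (server half) and 3 ----
$ScopeId = '10.0.0.0'
$Class   = 'VpnLaptops'

# Define the user class the laptops will present in their DHCP requests
Add-DhcpServerv4Class -Name $Class -Type User -Data $Class `
    -Description 'Roaming laptops that register their own DNS records'

# Policy that matches only clients sending that user class, with a shorter lease;
# the rest of the scope keeps its existing lease and DNS settings
Add-DhcpServerv4Policy -Name $Class -ScopeId $ScopeId -Condition OR `
    -UserClass 'EQ', $Class -LeaseDuration (New-TimeSpan -Hours 8)

# DNS update behaviour for this policy only: update only when the client asks,
# and (added here) remove the record when the lease expires
Set-DhcpServerv4DnsSetting -ScopeId $ScopeId -PolicyName $Class `
    -DynamicUpdates OnClientRequest -DeleteDnsRROnLeaseExpiry $true

# Check the policy and its DNS setting were applied as intended
Get-DhcpServerv4Policy -ScopeId $ScopeId -Name $Class
Get-DhcpServerv4DnsSetting -ScopeId $ScopeId -PolicyName $Class

# ---- Laptop side: steps 1, 2 (client half) and 4 ----
# Step 1: have the VPN adapter register its address in DNS
Set-DnsClient -InterfaceAlias 'Corp VPN' -RegisterThisConnectionsAddress $true

# Step 2: tag every adapter with the user class (the ipconfig command from the post)
ipconfig /setclassid '*' $Class

# Step 4: values written by the DNS Client policies "Registration refresh interval"
# and "TTL set in the A and PTR records" (both in seconds; assumed placeholders)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'RegistrationRefreshInterval' -Value 1800 -Type DWord
Set-ItemProperty -Path $policyKey -Name 'RegistrationTtl' -Value 600 -Type DWord

# Trigger an immediate registration (same as "ipconfig /registerdns") and confirm
Register-DnsClient
Resolve-DnsName -Name $env:COMPUTERNAME -Type A -DnsOnly
```

Setting the registry values directly is only a substitute for the GPO when testing on one laptop; for the fleet, the GPO is the right place, since it also protects the values from being reset. The final `Resolve-DnsName` call is the quick check that the VPN address, not a stale office address, is now what the DNS server hands out for the laptop.
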
