When I connect a Windows XP laptop via PPTP vpn to our Windows 2003 Server, the DNS Server order is correct:
192.168.8.3
208.67.222.222
208.67.220.220
But when I connect a Windows 7 laptop via PPTP VPN to our Windows 2003 Server, the DNS order is incorrect:
208.67.222.222
208.67.220.220
192.168.8.3
What do I need to do on our Windows 2003 Server to fix this so the when I do a ping, it will work correctly?
Multiple DNS servers are usually provided for the case of redundancy, not for "chaining" requests. If you want to do that, there's a much more efficient solution.
208.67.x.x - I assume these are your ISP's DNS severs? If you want to query these only if a request to 192.168.8.3 does not resolve to anything, then you can do this with a DNS Forwarder, but even better is to skip it alltogether an use Root Hints in your DNS server (so that it gets its own DNS records, rather than proxying them through another DNS).
However, for this example, I'm going to assume you want to continue to use a DNS forwarder, for whatever reasons, and that your DNS server is also a Windows 2003 machine (credit to http://www.petri.co.il/install_and_configure_windows_2003_dns_server.htm):
- Click Start, point to Programs, point to Administrative Tools, and then click DNS to start the DNS Management Console.
- Right click the DNS Server object for your server in the left pane of the console, and click Properties.
- Click the Forwarders tab.
- Check the Enable forwarders check-box.
- In the IP address box enter the IP address of the DNS servers you want to forward queries to - typically the DNS server of your ISP. You can also move them up or down. The one that is highest in the list gets the first try, and if it does not respond within a given time limit - the query will be forwarded to the next server in the list.
- Click OK.
This way you only need to have a single DNS entry for the PPTP connections, but the end result is the same.
I have seen this same problem on XP machines and it was solved by this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;311218
However it did not work on my Win7 machine; I ended up creating an entry in the HOSTS file - not the best soliution by a mile but it got my client up and running.
I'm assuming that when connected to the VPN from Windows 7 that you're unable to resolve internal resources because of the order that the DNS servers are listed. The way DNS server settings are applied to a VPN client are as follows: If the VPN server is configured to allocate ip addresses to the VPN client from an internal DHCP server then the client will receive the DNS servers that are configured in the DHCP scope that the VPN client gets it's ip address from. If the VPN server is configured to allocate ip addresses to the VPN client from a static pool then the VPN client will receive the DNS servers that the VPN server is configured to use (from the TCP\IP properties of the VPN server itself).
My suggestion would be to verify the DNS servers configured on the VPN server and in the DHCP scope and make sure they're correct.
Also, in addition to what Farseeker has posted I would also recommend using root hints instead of forwarders on your internal DNS server. All of your internal hosts (including the DNS server) should be configured to use the internal DNS server only. The DNS server should be configured to use itself for DNS and the DNS service should be configured to use root hints (or forwarders if you choose) for external (non-authoritative) resolution.
For what it's worth, this does appear to be a fault in Windows 7. I've seen the exact same problem with a Windows SBS 2003 server -- the only Windows 7 machine connected to it via PPTP, was assigning itself the DNS servers in reverse order, meaning that the machine could not find any resources on the remote network, as the ISP's DNS servers were being asked first, and they were rejecting .local addresses.
I'm now seeing the same thing on a Windows 7 laptop connecting to a ZyXEL VPN (P-661HW-D1 connecting to a ZyWALL 5), where the VPN-specific DNS IP address is being listed second. Here, the ZyXEL hardware is responsible for DHCP. Again, this prevents the machine functioning on the VPN as the first DNS entry (default gateway) is rejecting local addresses.
I can't say whether or not Vista was affected, but certainly something is wrong with the way Windows 7 does DNS as this fault did not occur in XP.
I set up systems with the DNS of a SBS Server first and a fallback to the Internet Router for DNS if the SBS box goes offline, this works fine locally but when a VPN connection comes in the order is reversed and causes these issues, so I came up with a working solution that does not require any Registry hacking:
To fix this issue with Windows 7 VPN clients do the following:
1/ Create additional (secondary) IP address on DNS server
2/ Set Scope Options in DHCP to list put new IP address as first DNS entry (the entries will be SBS secondary IP, SBS Primary and then Router IP),
Now the DHCP will offer the SBS DNS server as the first two IP addresses with the Router DNS as the last for LAN DHCP leases, and for a VPN connection the DHCP list becomes SBS, Router, SBS so local DNS lookups now work correctly despite this bug.
This solution also assumes you are using DHCP Relay for the LAN and Localhost in the RRAS settings.
