GPO forced DNS client settings

blazeking (Weaksauce, joined Nov 16, 2004, 126 messages)
Ok this one started easily enough... I was working with some GPOs in Active Directory, and I must have set the DNS client to force some of our DNS servers. I disabled that setting, but because I forced internal (10.x.x.x) IPs, when a member computer is offsite, they are unable to contact the DNS servers unless they initiate a VPN back to the office. I've checked all the settings I can think of, and ipconfig /all on the clients shows correct DNS settings. This is happening on (so far) 6 computers. They work fine while onsite, but once offsite, they must be looking to the wrong DNS, because IP traffic works fine, but they are unable to resolve names. Any ideas?
 
Define "correct DNS settings" when offsite. What are they using for a DNS server?

If ipconfig shows the DNS properly for the adapter they are using, it should work, as long as it is the correct DNS for external use (use something like www.opendns.org).
 
"Correct DNS settings", as in they dynamically are assigned whatever IP/DNS settings from the network they're on (Cable/DSL, Hotel, etc.) But every offsite Active Directory member computer acts like they have an "internal work" DNS server (10.x.x.x) set, since they are unable to successfully query DNS.
 
Why are you assigning this with group policy? Why not use the option on your DHCP server to assign DNS? That way when they're offsite they still pick up the correct DNS server from their ISP/whatever and don't have entries for your internal DNS. When they're in the office they'll pick up your DHCP-supplied DCs and have no entries from the outside.
 
Why are you assigning this with group policy? Why not use the option on your DHCP server to assign DNS? That way when they're offsite they still pick up the correct DNS server from their ISP/whatever. When they're in the office they'll pick up your DHCP-supplied DCs.

Yeah that's the plan, but I must've done something screwy. I do set DNS through DHCP... I think I was just testing a setting or something. Now the policy is stuck or something.

Is there a way I can see settings changed through GPO for a given AD member computer?
 
gpresult will tell you which policies are applying.

rsop will give you a full accounting of the combined effects of all applied GPOs.

If they're stuck offsite with an old policy, you need to get them back on site and they should resync. If not, you might get it over the VPN and run gpupdate /force /boot.
 
Please tell me this got fixed. I'm dealing with exactly the same issue.

New laptops get set up, go offsite, and suddenly cannot resolve names. The CPU doesn't even try. I can VPN or browse, but only using IP addresses.
 
What shows up on the laptop when you do an ipconfig /all? Is it still your DNS servers even when offsite? If so, can you go into TCP/IP and change them back to dynamic?
 
For me, ipconfig /all showed the DNS settings of the local LAN, but it never actually used them.

I wanted to also post an update to this problem: The computers that were added after this problem started are able to browse without a problem. I believe there was some update or policy that I forced that I can't "unforce", even after deleting/re-creating the GPOs.
 
You try removing it from the domain?

Removing it and re-adding it to the domain seemed to work. It'll be a pain to do that for all the affected users, but better than not even working. Thanks for the suggestion!
 
Yeah, at least it worked, kinda sucks you have to do all that work though. You should be able to script the unjoin and join, then maybe the users can run it themselves or you can run it remotely.
 
I have no idea how to script that, but I'm about to Google it to success.
 
Same here, Wireshark shows no DNS requests when browsing. The DNS addresses are whatever the offsite router provides, but like I said, the computer doesn't try to use them.

I'm going to unjoin the computers from the domain.
 
Well unjoining/joining did not fix it, but forcing a DNS address, then reverting to DHCP did. I used any old address. WTF...
 
I wanted to post an update on my latest progress... I may have spoken too soon with regard to the add/remove from the directory fix. I tried it on another computer, and still the problem persisted. I even deleted the computer object out of AD, and when it was re-created upon re-joining the domain, I left it in the default Computer OU. Still the problem persists. Here's some logging that doesn't make sense to me, but it may help explain the problem further:

[attached screenshot: dnslogspq0.jpg (DNS log)]

I'm noticing the DNS Suffix Search List order has the domain's DNS entries that nslookup picks up, but I can't figure out why. There are no GPOs (at least not anymore) that force that setting.
 
These are my results as well. I used Wireshark to monitor the NIC activity.

Example:

In-house DNS is 192.168.101.31 and 192.168.101.32

Comcast DNS is 68.87.97.115 and 68.87.97.105

When in house everything is peachy, onsite using Comcast - ipconfig /all shows 68.87.97.115, et al.

However, when resolving names, the DNS request goes out to 192.168.101.31 or 32. This isn't the computer looking for the domain either - it's an A record query for the site I'm pinging.

What gives?

Blaze - can you tell me what GPO forced your troubles so I might look for it here?
 
The GPO that caused this was custom (we set it up to control Windows Firewall) and it applied to a large part of the organization. It had been working fine for years. I enabled configuration of DNS servers under this area:

GPO->Computer Configuration->Administrative Templates->Network->DNS Client->DNS Servers

After I realized that was a very bad idea, I changed it back to "Not configured". And I'm noticing that this GPO is not "Enforced". Should it be? There are no GPOs under this one that affect DNS, so I left the enforcement off.
 
I found my GP to include my company's DNS. Now I understand why this isn't a good idea. The intent was to always have an up-to-date DNS list, and always have registered records. We have a single-level domain so we have updatetopleveldomainzone enabled as well.

Removed and forced update. Let's see what happens.
 
So when you look at the TCP/IP properties for the LAN connection (or wireless) is it statically set to a DNS entry? It sounds to me like you just need to script it to switch that setting back to auto and for off-site teach them how to click on network connections and go to properties and set this back. Hope that helps.
 
No, the TCP/IP properties for my wireless connection are all dynamic, and it obtains "off-site" DNS settings dynamically.
 
It's not that the settings are being changed in the properties window. Everything appears fine. Even ipconfig /all shows the proper DNS settings, but the computer is not actually using them.
 
Ok I believed I solved this issue (again! ha!). I found a registry setting under:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

It pointed to the "internal work" DNS servers. I deleted it, and now nslookup polls the correct server (my dynamically obtained DNS server). All DNS functionality has returned to normal. Hopefully this can help you out bobdole369.
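To check for exactly this leftover policy value (and the suffix search list mentioned earlier) before touching the registry by hand, here is an added PowerShell script that is not from the thread; it assumes the "DNS Servers" and "DNS Suffix Search List" policies write NameServer and SearchList values under that key, and that the DnsClient cmdlets are available (Windows 8 / Server 2012 or newer).

```powershell
# Added example: detect (and optionally clear) DNS servers left behind by the
# "DNS Client -> DNS Servers" GPO after the policy was set back to Not Configured.
# Assumptions: the policy stores NameServer / SearchList REG_SZ values under the
# key below; DnsClient cmdlets exist (Windows 8 / Server 2012 or newer).
[CmdletBinding()]
param(
    [switch]$Remove   # only delete the policy values when explicitly asked
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# 1. What does policy still force? (key or values may be absent)
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$forced = @()
if ($policy -and $policy.NameServer) {
    # The policy stores the servers as one space-separated string
    $forced = $policy.NameServer -split '\s+' | Where-Object { $_ }
}

# 2. What did DHCP actually hand to the adapters?
$dhcp = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { [pscustomobject]@{ Adapter = $_.InterfaceAlias; Servers = ($_.ServerAddresses -join ', ') } }

Write-Host "Policy-forced DNS servers : $(if ($forced) { $forced -join ', ' } else { '(none)' })"
if ($policy -and $policy.SearchList) { Write-Host "Policy-forced suffix list : $($policy.SearchList)" }
$dhcp | Format-Table -AutoSize

# 3. Flag the mismatch the thread describes: ipconfig looks right, yet a policy
#    value still exists and wins over the per-adapter settings.
if ($forced) {
    $internal = $forced | Where-Object { $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
    if ($internal) {
        Write-Warning "Policy still forces internal DNS $($internal -join ', '); off-site lookups will fail."
    }
    if ($Remove) {
        foreach ($name in 'NameServer', 'SearchList') {
            Remove-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
        }
        ipconfig /flushdns | Out-Null
        Write-Host "Removed policy DNS values; verify with: nslookup example.com   and   gpresult /r"
    }
}
```

Run it without -Remove first from an elevated prompt; gpresult /r afterwards confirms no GPO is still applying the DNS Client settings, otherwise the value will simply come back at the next refresh.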
 