NPS and DHCP on Different Servers

I’m testing NAP with DHCP configurations and ran into a strange issue.  My first tests had the network policy server installed on the same server as the DHCP role, similar to every other guide I’ve seen.

When testing this with DHCP on a different server than NPS, the configuration didn’t work correctly at all.

The missing piece? A connection request policy that forwards the authentication requests to the NPS server (this would have been apparent had I read TechNet closely enough; see here: https://technet.microsoft.com/en-us/library/dd125315%28v=ws.10%29.aspx )

In any event, you want to create a connection request policy on the NPS instance that sits on the DHCP server (DHCP enforcement requires NPS to be installed locally; in this layout it only acts as a RADIUS proxy) with the following settings:

  • Type of network access server: DHCP server
  • Conditions: Can be anything, but the interface makes you specify something. Since this was a test, I simply used “Day and time restrictions” and allowed 24/7.
  • Forward requests to the following remote RADIUS server group for authentication: Select a configured remote RADIUS server group that contains the NPS server.
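As an added example (not from the original post), here is a PowerShell check list to run on the DHCP server before touching the policy itself. It verifies that the local NPS instance and the NAP switches on the DHCP side are in place, then sends a single RADIUS Access-Request to the remote NPS and verifies the Response Authenticator against the shared secret. That tells you whether the NPS server is reachable and has this host registered as a RADIUS client with the right secret, which is worth knowing before you spend time on the connection request policy. The server name nps01.ad.domain.com and the shared secret are placeholders.

```powershell
# Added example, not from the original post.  Run on the DHCP server (the NAP enforcement point).
# nps01.ad.domain.com and the shared secret below are placeholders for your own lab values.

# 1. The DHCP server needs its own NPS instance: that is where the connection request policy lives.
Get-WindowsFeature -Name DHCP, NPAS-Policy-Server | Select-Object Name, InstallState
Get-Service -Name DHCPServer, IAS | Select-Object Name, Status    # IAS is the NPS service name

# 2. NAP has to be enabled server-wide and on each scope that should be enforced.
Get-DhcpServerSetting | Select-Object NapEnabled, NpsUnreachableAction
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, NapEnable, NapProfile

function New-RadiusAttribute {
    param([byte]$Type, [byte[]]$Value)
    # RADIUS attribute: Type (1 byte), Length (1 byte, covers the two header bytes too), Value
    [byte[]]((,$Type) + (,[byte]($Value.Length + 2)) + $Value)
}

function Send-RadiusProbe {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$SharedSecret,
        [int]$Port = 1812,
        [string]$UserName = 'nap-probe',
        [string]$Password = 'probe',      # kept under 16 bytes so one MD5 block covers it
        [int]$TimeoutMs = 3000
    )
    $md5     = [System.Security.Cryptography.MD5]::Create()
    $secret  = [System.Text.Encoding]::ASCII.GetBytes($SharedSecret)
    $reqAuth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)

    # User-Password (RFC 2865 5.2): zero-pad to 16 bytes, XOR with MD5(secret + Request Authenticator)
    $pw = [System.Text.Encoding]::UTF8.GetBytes($Password)
    if ($pw.Length -gt 16) { throw 'Probe password must be 16 bytes or less' }
    $padded = New-Object byte[] 16
    [Array]::Copy($pw, $padded, $pw.Length)
    $mask  = $md5.ComputeHash([byte[]]($secret + $reqAuth))
    $encPw = New-Object byte[] 16
    for ($i = 0; $i -lt 16; $i++) { $encPw[$i] = $padded[$i] -bxor $mask[$i] }

    # Attributes: 1 = User-Name, 2 = User-Password, 32 = NAS-Identifier
    # (RFC 2865 requires NAS-IP-Address or NAS-Identifier in an Access-Request)
    $attrs = [byte[]](
        (New-RadiusAttribute 1  ([System.Text.Encoding]::UTF8.GetBytes($UserName))) +
        (New-RadiusAttribute 2  $encPw) +
        (New-RadiusAttribute 32 ([System.Text.Encoding]::ASCII.GetBytes($env:COMPUTERNAME)))
    )
    $length = 20 + $attrs.Length
    $id     = Get-Random -Minimum 0 -Maximum 256
    # Header: Code 1 = Access-Request, Identifier, Length (big-endian), 16-byte Request Authenticator
    $packet = [byte[]]((1, $id, ($length -shr 8), ($length -band 0xFF)) + $reqAuth + $attrs)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $udp.Connect($Server, $Port)
    [void]$udp.Send($packet, $packet.Length)
    $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    try   { $reply = $udp.Receive([ref]$from) }
    catch { $udp.Close(); return "No reply from ${Server}:${Port}: unreachable, UDP blocked, or this host is not a registered RADIUS client (NPS drops those silently)" }
    $udp.Close()

    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator + reply attributes + secret).
    # A match proves the responder holds the same shared secret, not just that something answered on 1812.
    $replyAttrs = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
    $expected   = $md5.ComputeHash([byte[]]($reply[0..3] + $reqAuth + $replyAttrs + $secret))
    $codes = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
    [pscustomobject]@{
        Server          = $Server
        Code            = $codes[[int]$reply[0]]
        IdMatches       = ($reply[1] -eq $id)
        AuthenticatorOk = ([BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]$reply[4..19]))
    }
}

Send-RadiusProbe -Server 'nps01.ad.domain.com' -SharedSecret 'REPLACE-WITH-THE-RADIUS-CLIENT-SECRET'
```

An Access-Reject for the probe user with AuthenticatorOk set to True is the expected good result: the remote NPS is reachable, knows this host as a RADIUS client and shares the secret, so anything still failing is policy. Silence means transport or client registration, not the connection request policy. One caveat: if the RADIUS client entry on the NPS server is set to require the Message-Authenticator attribute, this minimal probe is dropped as well.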

Again, a case of RTFM, but I did bang my head on the wall for about 30 minutes troubleshooting.  I’m not sold on Microsoft’s NAP overall, but that is a topic for a different post.

DNS Timeouts in Labs

I work frequently in lab/virtual environments to test things.  Recently, I noticed that in some Server 2012 setups, I was seeing DNS timeouts when trying to resolve domain controller names:

[Screenshot “timeout1”: the DNS query times out and then eventually succeeds]

What seemed odd is that the query did eventually work, as you can see in the screenshot. After a lot of head scratching and disabling protocols (as an aside, you shouldn’t disable IPv6 to troubleshoot things, but I was desperate), I remembered that these servers are on completely private networks, with access to the other VMs but no Internet access.

The names I tried to resolve are under a .com domain. Even though it is a domain I own, it is still a public name.

Using Microsoft Message Analyzer, I traced these queries. The results showed that when I queried for dc1.ad.domain.com, Windows was actually appending the primary DNS suffix first, so the query on the wire was dc1.ad.domain.com.ad.domain.com.

The server is authoritative for ad.domain.com and no such record exists in that zone, so this query fails straight away with a name error.

Next, with the devolved suffix, it tried dc1.ad.domain.com.domain.com. Since this server is not authoritative for domain.com, it tries to recurse via its root hints, and with no Internet access that recursion never completes. This is the query that produces the timeout.

Finally, on the third attempt, the client sent dc1.ad.domain.com as-is, which succeeded.

There are three ways to solve this:

  1.  Query for dc1.ad.domain.com. (the trailing ‘.’ marks the name as fully qualified, so Windows does not append the primary DNS suffix)
  2.  Query for ‘dc1’ and let the resolver append the primary suffix, which yields a name the server is authoritative for.
  3.  Turn off recursion on the DNS server (the ‘Advanced’ tab on the properties of the DNS server; the checkbox is labelled ‘Disable recursion (also disables forwarders)’). Queries for names outside its own zones then fail immediately instead of waiting on root hints that can never be reached.


Of these, I prefer option 1 or option 3. If you’re going to use the FQDN, the trailing ‘.’ really is part of the FQDN and should be included. For a lab environment with no Internet access, turning off recursion works very well, but it also disables forwarders for the whole server, so it is not a long-term solution anywhere that server must resolve outside names.
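Here is an added PowerShell example, not from the original post, that reproduces the symptom and then applies the fixes listed above. It times the same host under the three spellings, shows the client settings responsible for the appended suffixes, and flips the server-side recursion switch. It assumes a lab where dc1.ad.domain.com is the DC and DNS server, the machine running it is joined to ad.domain.com, and the DnsClient and DnsServer modules (Server 2012 or RSAT) are present.

```powershell
# Added example, not from the original post.  Assumes dc1.ad.domain.com is the lab DC/DNS server
# and this machine is joined to ad.domain.com; adjust the names for your lab.

function Measure-DnsLookup {
    param([Parameter(Mandatory)][string]$Name, [string]$Server)
    # -DnsOnly skips the hosts file, LLMNR and NetBIOS so the timing reflects the DNS resolver alone
    $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $answer = Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' }
        $result = ($answer | ForEach-Object { $_.IPAddress }) -join ', '
    } catch {
        $result = "FAILED: $($_.Exception.Message)"
    }
    $sw.Stop()
    [pscustomobject]@{ Query = $Name; Result = $result; Milliseconds = $sw.ElapsedMilliseconds }
}

# Client side: the primary suffix and its devolved parent (ad.domain.com, then domain.com) are what
# get appended to an un-dotted name, producing the dc1.ad.domain.com.domain.com query seen in the trace.
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList, UseDevolution, DevolutionLevel

# Same host, three spellings.  Option 1 (trailing dot) and option 2 (short name) never produce a
# candidate outside the zone this server is authoritative for, so neither waits on recursion.
'dc1.ad.domain.com', 'dc1.ad.domain.com.', 'dc1' | ForEach-Object { Measure-DnsLookup -Name $_ }

# Option 3, server side.  The GUI checkbox is "Disable recursion (also disables forwarders)" and the
# cmdlet does the same: non-authoritative names now fail immediately instead of hanging on root hints.
Get-DnsServerRecursion -ComputerName dc1.ad.domain.com | Select-Object Enable, Timeout
Set-DnsServerRecursion -ComputerName dc1.ad.domain.com -Enable $false
Measure-DnsLookup -Name 'dc1.ad.domain.com'      # the un-dotted FQDN now answers without the delay

# Put it back when the lab test is done:
# Set-DnsServerRecursion -ComputerName dc1.ad.domain.com -Enable $true
```

Run the three lookups before and after the recursion change: the un-dotted FQDN is the only one whose timing moves, which confirms that the delay lives in the devolved, non-authoritative candidate rather than in the resolver or the DC itself.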