Direct Access NRPT

  • Question

  • Hello!

    20417 textbook ("Upgrade Your Skills to MCSA Windows Server 2012"), page 197:

    1) "Some names need to be treated differently with regards to name resolution; these names should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers specified in the client's TCP/IP settings, you must add them as NRPT exemptions."

    - so 1) NRPT exemptions = names that SHOULD NOT be resolved by using intranet DNS servers

    2) 20417 textbook, page 199:

    "How DirectAccess Works for Internal Clients

    ...

    1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the NLS URL.

    Because the FQDN of the NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess client instead sends the DNS query to a locally-configured DNS server (an intranet-based DNS server). The intranet DNS server resolves the name."

    - so 2) according to page 199 the name of the NLS server SHOULD be resolved by an intranet DNS server because it corresponds to an exemption rule.

    As far as I understand, 1) and 2) cannot be correct simultaneously - where is the mistake?

    And the second question: if the name being resolved does not match a rule in the NRPT, it will be resolved by the DNS servers specified in the client's TCP/IP settings (NOT intranet servers). In this case why do we have to use NRPT exemptions to direct the name resolution process to INTERNET DNS servers (as discussed in 1)?

    Thank you in advance,

    Michael




    • Edited by MF47 Thursday, January 31, 2013 7:13 AM
    Wednesday, January 30, 2013 2:21 PM

All replies

  • Hi Michael,

    You have understood the NRPT exemptions correctly based on your first highlighted text.

    The important part is that in your second text (regarding the NLS) it refers to a LOCALLY-CONFIGURED DNS server.
    (This WILL actually be an intranet-based DNS server when the client is on LAN, I guess this is the reason the author added that comment)

    Regarding your second question, the reason exemptions exist is that there are situations where *.mydomain.com is supposed to be resolved through the corporate DNS but a specific DNS record (daentrypoint01.mydomain.com) should NOT.

    Other places where exemptions are often needed are when you have a DA and Lync setup where the Lync clients cannot talk IPv6 and therefore need to connect to the external DNS, even though they will try (and manage) to resolve certain DNS URLs through the corporate DNS servers.

    I hope this clarified it for you.

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Thursday, January 31, 2013 3:10 PM
  • Hi Jonas,

    Thank you very much for your clarification! I completely forgot that it is an INTERNAL client we're talking about - I thought it is a remote one.

    The same page (199) contains the paragraph regarding the access from external clients (word-for-word) that I don't fully understand:

    "How DirectAccess works for External Client Computers

    The DirectAccess client attempts to access the NLS as follows:

    1) The client tries to resolve the FQDN of NLS URL. Because the FQDN of NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess client does not send the DNS query to a locally-configured DNS server (an Internet-based DNS server). An eternal (I think "external") Internet-based DNS server would not be able to resolve the name."

    So if the client is INTERNAL we have the following:

    "Because the FQDN of the NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess client instead sends the DNS query to a locally-configured DNS server (an intranet-based DNS server). The intranet DNS server resolves the name."

    ...and if the client is EXTERNAL:

    " Because the FQDN of NLS URL corresponds to an exemption rule in the NRPT, the DirectAccess client does not send the DNS query to a locally-configured DNS server (an Internet-based DNS server)."

    So what DNS server should resolve the NLS name when the client is external?

    Maybe I'm missing something, but how can two opposite actions be based on the same condition?

    How and when does the client know if it is internal or external?

    If the first step in resolving the FQDN of the NLS server is ALWAYS to look up the NRPT then I don't know how the client may distinguish between these two states...

    Best regards,

    Michael




    • Edited by MF47 Friday, February 1, 2013 7:18 AM
    Friday, February 1, 2013 7:07 AM
  • Hi again,

    I guess the quotation is wrong.

    What happens is that when the client IS EXTERNALLY connected, it uses the locally configured DNS servers to try and resolve the NLS hostname.
    The external DNS server is not able to resolve the NLS hostname, that is totally correct.

    But like you stated, the client cannot determine if it is local or not, hence it will try to resolve the NLS hostname.

    Based on your comments and questions I would say that you don't have to worry about this part. At least in my eyes it looks like you have gotten your head around DirectAccess in a good way :)

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Friday, February 1, 2013 10:24 AM
  • Jonas, thank you so much once again!

    I did think this "the DirectAccess client does not send the DNS query to a locally-configured DNS server (an Internet-based DNS server)." can't be correct, but it's always hard for me to admit that the MS official guide (in this case, for the course 20417) can contain such blunders. I don't like to do any practical tests (or implement new technologies on my company's net) until I have a complete understanding of the theory on which the practice should be based. So...when I don't understand something after reading a textbook I ask questions :)

    Thank you!

    Best regards,

    Michael Firsov


    • Edited by MF47 Friday, February 1, 2013 10:59 AM
    Friday, February 1, 2013 10:58 AM
  • Hi again,

    No problem, asking questions is always a good way to learn :)


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Friday, February 1, 2013 2:40 PM
  • Hi Jonas,

    Tell me please, am I correct building this "client's logical chain":

    1) A client starts

    2) It looks into its NRPT

    3) It finds there two rules: one regular rule for the corporate domain name space and one exemption rule for the NLS domain name (pointing to its LOCAL address)

    4) Because of the exemption rule the client tries to resolve the NLS name with its interface-configured DNS server (ISP DNS or corporate DNS).

    5a) If it succeeds it tries to access the url of the NLS and (if the connection succeeds too?) concludes it's on the LOCAL network.

    5b) If it fails, it can't access the URL of the NLS and concludes it is on the INTERNET.

    ?

    Thank you in advance,

    Michael

    Tuesday, February 5, 2013 2:01 PM
  • Hi again,

    Move 4 so it is the second step, then you have a correct chain of events.

    The client has a DNS name configured for the NLS; this is then compared to the various entries in the NRPT to determine where the DNS query should be sent.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Tuesday, February 5, 2013 8:15 PM
  • Hi Jonas,

    "Move 4 so it is the second step" - but how will the client know that the exemption rule exists if it does not look into the NRPT (in which this exemption rule is contained)??? I don't understand... :(

    Wednesday, February 6, 2013 7:30 AM
  • Hi again,

    An example to try and explain it:

    1) The client starts (called XXX)
    2) The service (called YYY) that determines if the client is on "CorpNet" or "External" starts
    3) YYY tries to access the URL configured for NLS (https://nls.mydomain.com is used as an example)
    4) The underlying OS checks to see if there are any NRPT rules that match the domain name (nls.mydomain.com)
    5) The domain name matches a rule (*.mydomain.com) that is configured to send the DNS request to the DNS64 service on DASERVER01, but there is also an exemption added for "nls.mydomain.com" that says it should use the client's currently configured DNS servers (called ZZZ).
    6) The DNS request is sent to ZZZ which is unable to find a DNS record for nls.mydomain.com
    7) The client is unable to reach the NLS and therefore considers itself to be externally connected.

    I think the part that you are missing is that it is not something related to a certain program that is configured to look in the NRPT. If you have a random program found out on the internet (an example could be PuTTY) it would "follow" the information listed in the NRPT table.

    So if I use PuTTY on my DACLIENT01 and try to connect to myserver.mydomain.com, that DNS request would be forwarded to the DNS64 service on DASERVER01 since there is an NRPT rule for *.mydomain.com.

     


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    • Proposed as answer by Jonas Blom Tuesday, February 12, 2013 8:53 PM
    • Marked as answer by MF47 Friday, August 30, 2013 1:46 PM
    Wednesday, February 6, 2013 7:26 PM
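A small Python model of the lookup order in the seven steps above, and of the daentrypoint01.mydomain.com exemption from the first reply, added here as an illustration; it is not code from this thread, from Microsoft, or from the DirectAccess client itself. It assumes the Windows NRPT behaviour that the most specific (longest) matching namespace wins and that an entry with no DNS servers is an exemption that falls back to the interface-configured DNS servers; the NLS probe is reduced to "did the chosen server answer". The rule set, the server addresses (DNS64 on DASERVER01, the ISP and intranet "ZZZ" servers) and the zone contents are all constructed.

```python
"""Toy model of NRPT rule selection on a DirectAccess client (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class NrptRule:
    """One NRPT entry. A leading dot means 'this suffix and everything under it';
    no leading dot means an exact FQDN. An empty name_servers tuple models an
    exemption: the name goes to the interface-configured DNS servers."""
    namespace: str
    name_servers: Tuple[str, ...] = ()

    def matches(self, fqdn: str) -> bool:
        name = fqdn.lower().rstrip(".")
        ns = self.namespace.lower().rstrip(".")
        if ns.startswith("."):
            return name == ns[1:] or name.endswith(ns)
        return name == ns

    @property
    def is_exemption(self) -> bool:
        return not self.name_servers


def select_rule(fqdn: str, rules: Sequence[NrptRule]) -> Optional[NrptRule]:
    """Step 4: most specific (longest) matching namespace wins (assumed Windows behaviour)."""
    hits = [r for r in rules if r.matches(fqdn)]
    return max(hits, key=lambda r: len(r.namespace)) if hits else None


def servers_for(fqdn: str, rules: Sequence[NrptRule],
                interface_dns: Tuple[str, ...]) -> Tuple[str, ...]:
    """Step 5: no rule or an exemption -> interface DNS (ZZZ); otherwise the rule's servers."""
    rule = select_rule(fqdn, rules)
    if rule is None or rule.is_exemption:
        return interface_dns
    return rule.name_servers


Zones = Dict[str, Dict[str, str]]  # server address -> {fqdn: answer}


def resolve(fqdn: str, rules: Sequence[NrptRule], interface_dns: Tuple[str, ...],
            zones: Zones) -> Optional[Tuple[str, str]]:
    """Step 6: ask the selected servers in order; return (server, answer) or None."""
    for server in servers_for(fqdn, rules, interface_dns):
        answer = zones.get(server, {}).get(fqdn.lower())
        if answer is not None:
            return server, answer
    return None


def network_location(nls_fqdn: str, rules: Sequence[NrptRule],
                     interface_dns: Tuple[str, ...], zones: Zones) -> str:
    """Step 7, reduced to name resolution: NLS name resolves -> CorpNet, else External."""
    return "CorpNet" if resolve(nls_fqdn, rules, interface_dns, zones) else "External"


# --- constructed data (placeholder addresses, not a real deployment) -----------------
DNS64_ON_DASERVER01 = "2001:db8::53"        # DNS64 service on the DA server
ISP_DNS = ("203.0.113.53",)                 # "ZZZ" when the client is on the Internet
INTRANET_DNS = ("10.0.0.53",)               # "ZZZ" when the client is on the LAN

RULES = (
    NrptRule(".mydomain.com", (DNS64_ON_DASERVER01,)),   # corporate namespace -> DNS64
    NrptRule("nls.mydomain.com"),                        # exemption for the NLS
    NrptRule("daentrypoint01.mydomain.com"),             # exemption for the DA entry point
)

ZONES: Zones = {
    DNS64_ON_DASERVER01: {"myserver.mydomain.com": "2001:db8:1::10"},
    "203.0.113.53": {"daentrypoint01.mydomain.com": "203.0.113.10"},  # public DNS: no NLS record
    "10.0.0.53": {"nls.mydomain.com": "10.0.0.20", "myserver.mydomain.com": "10.0.0.10"},
}

if __name__ == "__main__":
    for where, dns in (("Internet", ISP_DNS), ("LAN", INTRANET_DNS)):
        print(where, "->", network_location("nls.mydomain.com", RULES, dns, ZONES))
    print("PuTTY to myserver.mydomain.com from the Internet:",
          resolve("myserver.mydomain.com", RULES, ISP_DNS, ZONES))
```

Running it shows the two outcomes the thread discusses: with the ISP's server as ZZZ the NLS name gets no answer and the client is "External", while the same rule set on the LAN resolves the NLS through the intranet server and yields "CorpNet"; a plain PuTTY lookup of myserver.mydomain.com is steered to DNS64 on DASERVER01, and daentrypoint01.mydomain.com escapes that rule because its exact-FQDN exemption is the longer match. A real client additionally requires the HTTPS connection to the NLS URL to succeed before it treats itself as internal, which this model does not cover.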
  • Hi Jonas,

    Your 7-step example explained more to me about the DA client's behaviour than the whole DA chapter of the MS 20417 textbook!!!

    Thank you so much!!!

    Best regards,

    Michael Firsov


    • Edited by MF47 Thursday, February 7, 2013 8:41 AM
    Thursday, February 7, 2013 7:03 AM
  • Thank you :)


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Tuesday, February 12, 2013 8:53 PM