Hi, I've setup a P2S VPN and Custom DNS servers for my private DNS zone. DNS was working just fine over the VPN, but now it doesn't, and I don't know what it is I've changed. DNS works fine from VMs in Azure, so I know that works okay My vnet for the VPN has the DNS servers configured and is peered with the DNS vnet My Private DNS Zone has the P2S VPN Vnet linked When I download the VPN client, I can see the DNS servers are in the XML file When I check with ipconfig, I can see the DNS servers are correct When I try nslookup on a VM FQDN, it's trying to use the correct DNS server but fails When I RDP to the VM using IP address, that works fine. When I ping the DNS servers from a VM in Azure, that works fine When I ping the DNS servers from my laptop on the P2S VPN, the ping fails So my conclusion is that although the DNS config for the P2S VPN is correct and DNS is working, for some reason the DNS servers are not reachable from the P2S VPN. I'm sure it's something simple causing the issue, but I'm at a loss as to what and tearing my hair out trying to fix it!!! Thanks in advance, Jason

Hi Kapil, I have now managed to resolve this initial issue and get the laptop on our domain. I have also managed to enrol them in Windows Autopilot. The laptop now shows as connected to MDM and connected to the company AD domain. However, I've purchased Microsoft 365 E3 licences for all users and when I log into the laptop, it doesn't activate Windows 11 Enterprise. The Windows 11 Pro Product Key is activated and was supplied with the laptop in the BIOS. Product Key Channel is OEM:DM. I've tried adding my account as a Workplace/School account, which shouldn't be necessary, and Enterprise still doesn't activate. I'm trying to setup an Always On VPN Device Tunnel and understand that I need Enterprise in order for that to auto connect when the laptop is switched on. How can I get Enterprise activated on the laptops please? Regards, Jason

DNS not accessible from P2S VPN

Jason B 6

Hi,
I've setup a P2S VPN and Custom DNS servers for my private DNS zone.
DNS was working just fine over the VPN, but now it doesn't, and I don't know what it is I've changed.

DNS works fine from VMs in Azure, so I know that works okay
My vnet for the VPN has the DNS servers configured and is peered with the DNS vnet
My Private DNS Zone has the P2S VPN Vnet linked
When I download the VPN client, I can see the DNS servers are in the XML file
When I check with ipconfig, I can see the DNS servers are correct
When I try nslookup on a VM FQDN, it's trying to use the correct DNS server but fails
When I RDP to the VM using IP address, that works fine.
When I ping the DNS servers from a VM in Azure, that works fine
When I ping the DNS servers from my laptop on the P2S VPN, the ping fails

So my conclusion is that although the DNS config for the P2S VPN is correct and DNS is working, for some reason the DNS servers are not reachable from the P2S VPN.

I'm sure it's something simple causing the issue, but I'm at a loss as to what and tearing my hair out trying to fix it!!!

Thanks in advance,
Jason

Jason B 6 Reputation points

2022-11-20T10:01:41.723+00:00

I've found out how I broke it, I changed the Custom DNS from a VM to the actual Custom DNS servers for my private DNS zone. I vaguely remember setting up this server VM to make sure names resolved from the P2S VPN, but I can't remember how - arrrghhh!

Now for the reason why I changed it. I'm got a new laptop and it's domain joined, but it's still showing as in WORKGROUP. I want to change it to be a my-domain.com but I can't. I get an error every time.

I've managed to do this just fine on VMs in Azure, so I know everything is correct, but it seems the laptop can't join over the VPN.

Can anyone offer some advice please? I've spent days trying to get this to work and tried just about every recommendation I've found on various forums, none of which work - their instructions can't even be followed easily.

I've found that when creating Azure VMs, if you tick "Login with Azure AD" you then can't change WORKGROUP to my-domain.com, but if I create the VM with local creds I can then join my-domain.com. Is this the same for a laptop over a P2S VPN?

Hope I've explained all this clearly, my head's struggling with it all.
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2022-11-21T05:10:22.247+00:00
Hi @Jason B ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

From your question and the follow-up comment, I see that you have figured out the DNS part.
And now, you would like assistance with adding your laptop to your domain over P2S.

Is the above statement correct or are you still facing issues with DNS Resolution?

In case it's the former,

Are you trying to domain join your remote laptop to Azure AD or your own domain?

Trying to add it to your own domain via P2S is not a good idea, as, once joined, without P2S connection, user will not be able to sign-in to the remote device.

And P2S is not auto-dialed.

Kindly let me know if my understanding is correct.

Cheers,
Kapil
Jason B 6 Reputation points

2022-11-21T11:36:00.82+00:00

Hi Kapil,
Thanks for replying. Yes, you're statement is correct but let me add some more detail...

Our infrastructure is 100% Azure, we have no office locations (all work from home) and no on-premise infrastructure. So far, staff have been using their own machines with a P2S VPN I setup on a Basic Gateway. This has to be manually connected for them to do their work as they need connectivity to VMs in Azure to do their jobs.

I'm currently setting up company laptops for all staff and would like them all domain joined with Always On VPN so they can sign in successfully and have all the connectivity they need.

The laptops have Windows 11 Business, so I assume that would support this scenario.

Regards,
Jason
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2022-11-21T13:20:17.157+00:00

Hi @Jason B ,

If my understanding is correct, Always On VPN would require some sort of trigger, such as user login.
Or would require certificate-based authentication for device tunnel.
May I ask what trigger you are planning to use?

Also, when you try to add this remote machine to the domain, what error message are you getting?

Thanks,
Kapil

1 answer

Jason B 6 Reputation points

2022-11-24T19:44:18.23+00:00

Hi Kapil,

I have now managed to resolve this initial issue and get the laptop on our domain. I have also managed to enrol them in Windows Autopilot.

The laptop now shows as connected to MDM and connected to the company AD domain.

However, I've purchased Microsoft 365 E3 licences for all users and when I log into the laptop, it doesn't activate Windows 11 Enterprise. The Windows 11 Pro Product Key is activated and was supplied with the laptop in the BIOS. Product Key Channel is OEM:DM.

I've tried adding my account as a Workplace/School account, which shouldn't be necessary, and Enterprise still doesn't activate.

I'm trying to setup an Always On VPN Device Tunnel and understand that I need Enterprise in order for that to auto connect when the laptop is switched on.

How can I get Enterprise activated on the laptops please?

Regards,
Jason
Please sign in to rate this answer.

0 comments No comments
Sign in to comment