You may be unable to access the network when name resolution is performed through a VPN connection on a Windows XP-based or on a Windows Server 2003-based client computer

On a Windows XP-based or on a Windows Server 2003-based client computer, you try to connect to a virtual private network (VPN) server. The connection is successful. However, when name resolution is performed through the VPN connection, you may be unable to access the network.

This problem may occur randomly if the following conditions are true:

• You update the routing table of the VPN client.
• When you update the routing table, you configure the scope of the Dynamic Host Configuration Protocol (DHCP) server to use option 249 in the network environment.

This problem occurs because of a timing issue in which the DNS Suffix Search List of the client computer is not updated by using the DNS suffix of the VPN adapter.

When the VPN client connects to the VPN server, the VPN client correctly receives the following addresses:

• Client IP address
• IP address of the Domain Name System (DNS) server
• IP address of the Windows Internet Name Service (WINS) server

After the VPN connection is connected, the VPN client sends DHCP inform packets to ask for DHCP scope options. If the DHCP server includes scope option 249 (Option 249 enables static routes to the VPN client), the VPN client will update its network configuration information with the static routes that the scope options provides. As soon as the DNS Client service receives the notification of the new Point-to-Point Protocol (PPP) adapter, the DNS Client service will invalidate the existing information. Then, the DNS Client service tries to build a new list

However, the DNS Client service first looks for a route that can be used to connect to the DNS server on the VPN adapter. Then, the DNS Client service can determine whether the DNS server on the VPN adapter can be reached.

However, if the DHCP server does not update the client routing table before the DNS Client service validates the DNS server on the VPN adapter, the DNS Client service assumes that the current DNS server on the VPN adapter cannot be reached. Then, the DNS Client service removes the DNS suffix from the VPN adapter on the DNS Suffix Search List. Therefore, the DNS queries are never sent to the DNS server that is present on the VPN adapter, and clients cannot resolve any names on the corporate network.

To work around this issue, use one of the following methods.

Method 1

Disable Split Tunneling on the VPN adapter. To do this, follow these steps:

1. Double-click Control Panel, and then click the Network Connections.
2. Right-click the VPN connection that you want to change, and then click Properties.
3. Under This connection uses the following items in the Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, click to select the Use default gateway on remote network check box, and then click OK.

Method 2

Turn off the DNS client screening feature. For more information about how to turn off the DNS client screening feature, click the following article number to view the article in the Microsoft Knowledge Base:

Method 3

Put the DNS servers on the same subnet as the VPN clients.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about how to configure a domain suffix search list on the Domain Name System clients, click the following article number to view the article in the Microsoft Knowledge Base: For more information about how to configure DNS client settings, visit the following Microsoft Web site: