Hello,
We are working on implementing Always On VPN. Everything seems to be working EXCEPT that clients are not getting the proper DNS server setting for the VPN virtual NIC.
The VPN server is in the DMZ, with an NPS server on the intranet. So far, what's happening is that the VPN client is getting the DNS server IP configured on the VPN server's NIC, and therefore can't find the internal DNS server, and hence internal resources.
Here's the XML:
<VPNProfile>
<DnsSuffix>abc-123.nl</DnsSuffix>
<NativeProfile>
<Servers>vpn.abc-123.nl</Servers>
<NativeProtocolType>IKEv2</NativeProtocolType>
<Authentication>
<UserMethod>Eap</UserMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames>NPS-SRV.xyz.local</ServerNames><TrustedRootCA>df 50 82 4a 43 05 77 96 86 35 53 68 4d 15 f7 cc 35 2b e5 d1 </TrustedRootCA></ServerValidation>
<FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource>
<ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames>NPS-SRV.xyz.local</ServerNames><TrustedRootCA>df 50 82 4a 43 05 77 96 86 35 53 68 4d 15 f7 cc 35 2b e5 d1 </TrustedRootCA></ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
</EapType>
</Eap>
<EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding>
<PeapExtensions>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
</PeapExtensions>
</EapType>
</Eap>
</Config>
</EapHostConfig>
</Configuration>
</Eap>
</Authentication>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</NativeProfile>
<AlwaysOn>false</AlwaysOn>
<RememberCredentials>true</RememberCredentials>
<TrustedNetworkDetection>abc-123.nl</TrustedNetworkDetection>
<DomainNameInformation>
<DomainName>.abc-123.nl</DomainName>
<DnsServers>172.23.2.1</DnsServers>
</DomainNameInformation>
</VPNProfile>
I know that's a bit ugly; I did open the unredacted file in Visual Studio Code, and it is formatted correctly as far as I can see.
Does anyone have any ideas why the configured DNS server address (172.23.2.1) is not being assigned to clients?
Thanks,
Doug
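The following check script is an added example and is not part of the post above. It shows where the DNS settings from a ProfileXML like the one posted actually land on the client: the VPNv2 CSP renders DomainNameInformation as Name Resolution Policy Table (NRPT) rules scoped to DomainName, while the DNS servers shown on the VPN interface itself are the ones handed out by the VPN server during IKEv2 setup. The connection name AOVPN-User is an assumption (use the name the profile was provisioned under; the VPN interface alias is the same string), and the embedded ProfileXML is a constructed, reduced copy of the DNS-relevant nodes from the post. Run it in an elevated PowerShell on the client while the connection is up.

```powershell
# Added example, not from the original post. Run elevated on a Windows 10/11
# client while the Always On VPN connection is connected.
$ConnectionName = 'AOVPN-User'    # assumed connection name; replace with yours
$Namespace      = '.abc-123.nl'   # DomainName from the profile's DomainNameInformation

# Constructed, reduced copy of the DNS-relevant parts of the posted ProfileXML.
[xml]$Profile = @'
<VPNProfile>
  <DnsSuffix>abc-123.nl</DnsSuffix>
  <NativeProfile>
    <Servers>vpn.abc-123.nl</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
  </NativeProfile>
  <DomainNameInformation>
    <DomainName>.abc-123.nl</DomainName>
    <DnsServers>172.23.2.1</DnsServers>
  </DomainNameInformation>
</VPNProfile>
'@

# What the profile asks for. DomainNameInformation becomes NRPT rules for the
# listed namespace; it does not set DNS servers on the VPN interface.
Write-Host ("RoutingPolicyType : {0}" -f $Profile.VPNProfile.NativeProfile.RoutingPolicyType)
foreach ($dni in $Profile.VPNProfile.DomainNameInformation) {
    Write-Host ("NRPT requested    : {0} -> {1}" -f $dni.DomainName, $dni.DnsServers)
}

# 1. Interface-level DNS servers on the VPN adapter. With IKEv2 these come from
#    the VPN server's configuration payload (RRAS hands out the DNS servers of
#    its own NIC), which is the address the post says the clients are getting.
Get-DnsClientServerAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 2. NRPT rules created from DomainNameInformation. This is where 172.23.2.1
#    should appear; if the rule is missing, the profile did not apply.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -eq $Namespace } |
    Select-Object Namespace, NameServers, DisplayName

# 3. Effective (merged) NRPT policy for the namespace as the resolver sees it.
Get-DnsClientNrptPolicy -Effective |
    Where-Object { $_.Namespace -eq $Namespace } |
    Select-Object Namespace, NameServers

# 4. A name inside the namespace is sent to the NRPT server; any other name is
#    sent to the interface DNS servers from step 1, ForceTunnel or not.
Resolve-DnsName -Name "vpn$Namespace" -DnsOnly -ErrorAction SilentlyContinue |
    Select-Object Name, Type, IPAddress
```

If step 2 lists the rule with 172.23.2.1 but step 1 shows only the DMZ server, the profile is working as designed: only names under .abc-123.nl are resolved by 172.23.2.1, and every other query, including short names that the DnsSuffix does not turn into a match, still goes to the server the VPN server assigned. The interface DNS servers for IKEv2 clients are set on the server side (the RRAS adapter, or a DHCP/static pool configuration), not by DomainNameInformation.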