Networking Forums

help understanding this behaviour

 
 
SeriousSam (12-07-2007, 01:16 AM)

A client of mine had a PC that was so full of spyware and garbage that the
easiest solution was to wipe the HDD and restore the OS. So I took it to my
home workshop and re-installed Windows XP Pro on it. I wanted the machine to
be ready to go when I plugged it in back at their office so I decided to use
VPN to rejoin it to their domain, and I ran into something that I don't
understand.

1. I created a VPN connection to their server and connected to it. No problem.
2. I went through the process of joining the PC to the domain. I would get
to the point where I was asked for credentials that were allowed to join the
machine, and I would provide this.
3. The PC would try for a moment and then return a message that a domain
controller for the domain could not be contacted.
4. After trying this several times I noticed that the VPN connection would
die almost as soon as I clicked the OK button after entering my admin
credentials.
5. I checked the event viewer and found an event stating "Host at
<mac-address-of-PC-NIC> received NACK from DHCP server at address 10.1.1.5."
The IP was my gateway router at home-office. This made no sense to me since I
knew that the NIC already had a good IP address and would have no reason to
obtain a new address.
6. I tried joining the PC to domain again and noticed that the VPN
connection icon changed to the "obtaining IP address icon" as soon as I would
click the OK button, and DHCP on my router was immediately returning a NACK
response and breaking the VPN connection.
7. I assigned the PC a static IP on my local subnet and disabled DHCP on my
router.
8. I restarted, connected to the VPN link and was able to join the machine
to the domain with no problem.

Problem solved, yes, but WHY? I'm sure there was a misconfiguration here on
my part, but I can't figure out what it is. I have joined PCs to domains via
VPN before and not seen this. The VPN server runs Windows 2003 SBS, my router
is just a Linksys BEFW54. It looked like the PPTP adapter was rebroadcasting
for a new IP and receiving the NACK response from my router because that NIC
already had an IP address. Can anyone school me here? Thanks!
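The event in step 5 is a DHCPNAK arriving from a server the tunnel client should never have been talking to (the home router at 10.1.1.5). As an added example, not code from this thread, the Python below decodes a DHCP reply down to its message type (option 53) and server identifier (option 54) and flags any OFFER/ACK/NAK whose server is outside a trusted set; the packet bytes, MAC address, transaction id and the trusted-server list are all constructed placeholders.

```python
# Added example, not code from the thread: decode a DHCP reply and flag a
# DHCPNAK that arrives from a server outside the trusted set, the situation
# reported in step 5. All bytes, the MAC and the xid are CONSTRUCTED values.
import struct
from ipaddress import IPv4Address
from typing import Optional, Set

MAGIC = b"\x63\x82\x53\x63"  # DHCP options magic cookie (RFC 2132)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}

def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header plus option 53 (type) and 54 (server id)."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    chaddr = packet[28:28 + hlen]  # client hardware address
    info = {"op": op, "xid": xid, "client_mac": ":".join(f"{b:02x}" for b in chaddr)}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:  # end option
            break
        if code == 0:  # pad option carries no length byte
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if code == 53:
            info["type"] = MSG_TYPES.get(value[0], f"type-{value[0]}")
        elif code == 54:
            info["server"] = str(IPv4Address(value))
        i += 2 + length
    return info

def audit_dhcp(packet: bytes, trusted_servers: Set[str]) -> Optional[str]:
    """Return a finding when a server-side reply comes from an untrusted DHCP server."""
    info = parse_dhcp(packet)
    server = info.get("server")
    if info.get("type") in ("OFFER", "ACK", "NAK") and server not in trusted_servers:
        return f"{info['type']} for {info['client_mac']} from untrusted DHCP server {server}"
    return None

def build_nak(server: str, mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPNAK (BOOTREPLY) so the parser can be exercised offline."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + b"\x00" * 16  # through giaddr
    header += mac + b"\x00" * 10 + b"\x00" * 192  # chaddr (16), sname (64), file (128)
    options = MAGIC + bytes([53, 1, 6, 54, 4]) + IPv4Address(server).packed + b"\xff"
    return header + options
```

Feeding `build_nak("10.1.1.5", ...)` to `audit_dhcp` with a trusted set containing only the office DHCP server reproduces the finding the poster's event log described; the same parser can be pointed at captured UDP/67-68 payloads.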
 
Phillip Windell (12-07-2007, 08:52 PM)

The DHCP Service on these "home user" boxes isn't that great. I would not
be too surprised at anything "stupid" that they might do.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 
Phillip Windell (12-07-2007, 09:15 PM)

If you happen to have a Domain Controller on your LAN because you are
running a Windows Domain,...then always, always, always, disable the DHCP on
the "home user" box and run the DHCP Service on the Server instead. It is a
thousand times better.

If you don't have a Domain (and hence no Domain Controller) and are just
running a Workgroup but still have a machine with the Windows Server OS,...
there is still a way to run a DHCP Server on the Windows Server OS without
the normally required DHCP Authorization to let the DHCP Service work. I
don't have any links but you should be able to hunt it down on MS's site
fairly easily or just find details about it on the general Internet.

Then of course there is always Linux.

Me personally, on my home network, the Linksys box gets me by. I don't fool
around or get very "creative" that much on my home LAN,...It is just there
so I can have a couple PCs and my TiVo box on the Internet. I do my
creative stuff in Virtual PC on the Laptop or at work in the shop.

 
SeriousSam (12-07-2007, 09:35 PM)

I actually do have a local domain with a multihomed Win2K SBS, but it's
offline right now because I opened a big hole in ISA screwing around with
Ventrilo and left it open and it got owned. That actually would explain why I
didn't have the problem before, although I wasn't thinking about that. I
should have! I was just surprised that any DHCP server would respond to a
PPTP request through an already established tunnel. Thanks for the reply!


 
Phillip Windell (12-10-2007, 03:34 PM)

I would expect the DHCP to work,...I would not expect it to fail over the
Tunnel.

The DHCP wouldn't know a PPTP connection if it tripped over it. DHCP is
"blind",...all it does is respond to a DHCP Query and answers it according
to its database and what the database information tells it that it can do.
If the DHCP server did not receive a DHCP Query through the Tunnel, the
Client would not receive a valid TCP/IP Config and the connection would just
fail right from the beginning (Remote Access VPN),..so it is supposed to
receive and reply to Queries from over the Tunnel, that is how it is all
supposed to work. There is a difference between Site-to-site VPN and Remote
Access VPN, but DHCP is still supposed to work over them.

 
SeriousSam (12-10-2007, 03:59 PM)

Ok, so if I have a VPN link established through a router, that link is a
"tunnel" sort of encapsulated between the endpoints (the client and the VPN
server). I would not expect a device that the tunnel passes through to be
able to interpret a DHCP request, because (in my understanding) the
encapsulation of the link would prevent that. This is not so? Thanks :-)

 
Phillip Windell (12-10-2007, 10:02 PM)

This depends.
"through a router",...or "through routers",...not the same thing.
That is the distinction between Remote Access VPN and a Site-to-Site VPN.

If you had 2 networks,...one in one room and one in another room.
You have a Router on each network.
You drag a big long cable between the two routers and connect them with one
of the unused interfaces and configure them properly.
You enable the DHCP Helper addresses on the Router from the side that has no
DHCP Server, and have a Scope on the DHCP that matches the subnets used.
You betcha the DHCP would respond and give a config to the Client on the
"other side", as long as it has a Scope that matched the address used on the
"other side".

The VPN Tunnel is just a glorified "big long cable between the rooms". The
only thing the encapsulation does is prevent eavesdropping on the traffic from
somewhere "between" the end points,...nothing more. It would be like
running the "big long cable" through a steel tube to protect it so no one
could plant a "tap" on the line somewhere in the middle,...but the steel
pipe does not have any effect on the data moving through the cable.

Now if the comment at the beginning was "through a router", then that would
be Remote Access VPN because it only uses one router. The Client connecting
in will get a Config from DHCP as the connection is established,...if it
doesn't then the whole thing would fall apart and it would fail. So the
DHCP also works in that type of VPN as well.
