#1
Hi there

I've got a windows 2003 server machine as domain controller and several windows XP pro clients all of which connect via a Linksys router. The DC has routing and remote access configured. The Win2003 server has a static IP address and the clients are DHCP assigned by the router. Server and clients all have NetBios enabled over TCP/IP.

Before a VPN connection is made everything works fine on the LAN - I ping the server by name (not IP address) from a workstation and it uses the server's fixed IP address correctly. Then someone connects to the VPN and the server gets a new IP address for the "PPP adapter RAS Server (Dial In) Interface" as well. Now when I ping the server from a LAN workstation, it incorrectly uses the new IP address and gets 4 x "request timed out".

This behaviour causes some problems: the network becomes very slow and occasionally the clients can't access server resources.

I would like the LAN client's server access to be unaffected by VPN access to the server. Can anyone *please* tell me how to go about this?

Thanks,
Jools
--
take out the trash to email me
Jools
#2
"Jools" <(E-Mail Removed)> wrote in message
news A86C8A8-5298-4289-8B3E-(E-Mail Removed)...
> Before a VPN connection is made everything works fine on the LAN - I ping
> the server by name (not IP address) from a workstation and it uses the
> server's fixed IP address correctly. Then someone connects to the VPN and
> the server gets a new IP address for the "PPP adapter RAS Server (Dial In)
> Interface" as well. Now when I ping the server from a LAN workstation, it
> incorrectly uses the new IP address and gets 4 x "request timed out".

1. Properties of Network Places
2. Advanced from the menu at the top
3. Advanced Settings... from the dropdown menu
4. In the upper box that shows up use the side-arrows to move the main LAN Nic to the top of the List. Any other LAN nics need to be below that. Any other types of adapters (like dialup) need to be at the bottom.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------
#3
Hi Phillip,

Many thanks for replying. I checked the network properties on the server and found that the LAN adapter is already the top one and the dial in one is already bottom. Is there anything else it could be? I'm wondering whether it would make a difference if the domain controller handled DHCP rather than the router ... but I want to refrain from uninformed hacking. Any ideas anyone?
--
take out the trash to email me

"Phillip Windell" wrote:

**snip snip snipitty snip**
> 1. Properties of Network Places
> 2. Advanced from the menu at the top
> 3. Advanced Settings... from the dropdown menu
> 4. In the upper box that shows up use the side-arrows to move the main LAN
> Nic to the top of the List. Any other LAN nics need to be below that. Any
> other types of adapters (like dialup) need to be at the bottom.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> The views expressed are my own (as annoying as they are), and not those of
> my employer or anyone else associated with me.
> -----------------------------------------------------
#4
Hmmm,....is this a single nic Server?

RRAS VPN Servers were intended to be dual-homed. The Server would physically replace your existing "router" (actually a NAT box) with itself rather than be behind it with a single nic. I think it can be done with a single nic, but there are special considerations to be dealt with. I know there is an MS article out there somewhere for configuring a "single-homed" RRAS/VPN box but I have been unable to find it. Maybe someone else in the group has the link to it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------
#5
Running DHCP on the DC is fine. You will have a lot more flexibility with a full featured DHCP Server than what the dumb NAT Box will give you. But I don't think it will make any difference with your problem.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------
#6
What you have here is the old NT multihomed PDC problem in a new form. As soon as a remote user connects, your DC is multihomed (because RRAS acquires an IP for the internal interface). Microsoft recommends that you do not multihome a DC. SBS is the only exception.

You can prevent the RRAS "internal" interface from registering its Netbios name by disabling Netbios over TCP/IP on it. This requires a registry edit (see KB 292822 near the end). This can cause other problems, depending on your client machines. Older clients may have problems without Netbios over TCP/IP. The current recommended fix is to put the remotes in their own IP subnet. See KB 830063. If you use this method you have to route between the LAN subnet and the remote subnet through the RRAS server.

You will also see in KB 292822 that you may get DNS problems as well as Netbios problems because of dynamic DNS registering two IP addresses for the server's name.
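Added example, not part of the thread: a check, run from a LAN workstation, for the symptom described in post #6, where the server's name starts resolving to an address other than its static one once RRAS brings up its internal interface. The host name `dc01`, both addresses and the injected resolvers are constructed sample values; a real run uses whatever the operating system resolver returns.

```python
import ipaddress
import socket


def resolve_ipv4(hostname):
    """Return the distinct IPv4 addresses the OS resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    addresses = []
    for info in infos:
        ip = info[4][0]
        if ip not in addresses:
            addresses.append(ip)
    return addresses


def check_server_name(hostname, expected_ips, resolver=resolve_ipv4):
    """Compare what hostname resolves to against the server's known static IPs.

    'extra' lists addresses registered under the name that are not expected
    (for example the RRAS internal interface); 'missing' lists expected
    addresses the name no longer resolves to.
    """
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    resolved = [ipaddress.ip_address(ip) for ip in resolver(hostname)]
    extra = [str(ip) for ip in resolved if ip not in expected]
    missing = [str(ip) for ip in sorted(expected) if ip not in resolved]
    if not resolved:
        status = "unresolved"
    elif extra:
        status = "extra-address"
    elif missing:
        status = "expected-missing"
    else:
        status = "ok"
    return {"host": hostname, "status": status, "extra": extra, "missing": missing}


if __name__ == "__main__":
    # Constructed sample data: the DC's static LAN address and an address
    # picked up by the RRAS internal interface after a VPN client connects.
    STATIC_IP = "192.168.1.10"
    RRAS_IP = "192.168.1.57"
    scenarios = {
        "before VPN client connects": lambda name: [STATIC_IP],
        "after VPN client connects": lambda name: [STATIC_IP, RRAS_IP],
    }
    for label, fake_resolver in scenarios.items():
        print(label, check_server_name("dc01", [STATIC_IP], fake_resolver))
```

Comparing against the known static address rather than the LAN subnet matters here, because the RRAS interface can hold an address from the same subnet as the LAN.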
#7
In other words,...forget it and do it on a different server using 2 nics that replaces the existing NAT device. :-)
At least that is what I think about it anyway.
I wouldn't consider all that grief to be worth it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------
#8
That's pretty much my opinion too (unless you have SBS to do it all for you). My advice in general terms is leave a DC to be a DC. Don't make it a router or a remote access server.
#9
Jools explained :
> Hi there
>
> I've got a windows 2003 server machine as domain controller and several
> windows XP pro clients all of which connect via a Linksys router. The DC has
> routing and remote access configured. The Win2003 server has a static IP
> address and the clients are DHCP assigned by the router. Server and clients
> all have NetBios enabled over TCP/IP.
>
> Before a VPN connection is made everything works fine on the LAN - I ping
> the server by name (not IP address) from a workstation and it uses the
> server's fixed IP address correctly. Then someone connects to the VPN and the
> server gets a new IP address for the "PPP adapter RAS Server (Dial In)
> Interface" as well. Now when I ping the server from a LAN workstation, it
> incorrectly uses the new IP address and gets 4 x "request timed out".
>
> This behaviour causes some problems: the network becomes very slow and
> occasionally the clients can't access server resources.
>
> I would like the LAN client's server access to be unaffected by VPN access
> to the server. Can anyone *please* tell me how to go about this?
>
> Thanks,
> Jools

I believe you can avoid DNS registering by turning it off for that adapter or network connection
don't know where and how anymore though, sorry

grtz
#10
That would be true if we were talking about a physical NIC. But in this case we are talking about the internal interface in RRAS.