VPN on W2k3 does not work reliably

Hi,

our customer has 5 W2k3 SP2 servers organized in one subnet, together with
30 XP stations. One server is an SBS2k3, another acts as secondary DC. VPN
was installed on one W2k3 server and worked fine. SOHO users could access the
office LAN, network shares and Exchange through either VPN and VNC or remote
desktop. When this server crashed we used the RRAS wizard to turn another DC
into the VPN server. This server has two NICs. One is connected to the DSL
router, the other to the internal LAN. VPN from the client works, we can
always access the VPN server via VNC right away.

What does not work reliably is accessing the office LAN locally, accessing
the network shares and accessing servers and workstations with VNC. When we
ping servers and clients from the VPN client, is sometimes works and
sometimes doesn't. For replies we often get one success and three timeouts.
Then again there are times when we get 4 successes and a bit later 4 timeouts
or the other way round. If we wait a while the situation often gets better.
The system acts as if the routing table takes up to an hour or more to get
established correctly, but sometimes it doesn't at all or brakes down again.
Not really logical, I know. I don't need to describe how the customer feels
:<(.

Remote desktop does not work at all ("server not found").

Port forwarding in the router is set correctly, as are the in/outbound
filters of the external interface in RAS. The LAN together with DHCP and
DNS/WINS/AD replication has been checked out by a Microsoft tech support
engineer last week.

We went through the complete RAS description in technet but didn't find
anything that would fit our situation. A colleague on the German MS list told
us of similar experiences in a large VPN environment he is just setting up,
but didn't have a solution.

We'd be grateful for any ideas that would help us fix that issue.

It is not recommended to enable VPN on DC. This search result may help,

Name resolution on VPNConnection issues on DC, ISA, DNS and WINS server as
VPN server How to assign DNS and WINS on VPN client manually Name resolution
Issue in a VPN client ...
http://www.chicagotech.net/nameresolutionpnvpn.htm


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"w.haunzwickl" <(E-Mail Removed)> wrote in message
news:B0C629B2-67EA-4336-B1DB-(E-Mail Removed)...
> Hi,
>
> our customer has 5 W2k3 SP2 servers organized in one subnet, together with
> 30 XP stations. One server is an SBS2k3, another acts as secondary DC.
> VPN
> was installed on one W2k3 server and worked fine. SOHO users could access
> the
> office LAN, network shares and Exchange through either VPN and VNC or
> remote
> desktop. When this server crashed we used the RRAS wizard to turn another
> DC
> into the VPN server. This server has two NICs. One is connected to the DSL
> router, the other to the internal LAN. VPN from the client works, we can
> always access the VPN server via VNC right away.
>
> What does not work reliably is accessing the office LAN locally, accessing
> the network shares and accessing servers and workstations with VNC. When
> we
> ping servers and clients from the VPN client, is sometimes works and
> sometimes doesn't. For replies we often get one success and three
> timeouts.
> Then again there are times when we get 4 successes and a bit later 4
> timeouts
> or the other way round. If we wait a while the situation often gets
> better.
> The system acts as if the routing table takes up to an hour or more to get
> established correctly, but sometimes it doesn't at all or brakes down
> again.
> Not really logical, I know. I don't need to describe how the customer
> feels
> :<(.
>
> Remote desktop does not work at all ("server not found").
>
> Port forwarding in the router is set correctly, as are the in/outbound
> filters of the external interface in RAS. The LAN together with DHCP and
> DNS/WINS/AD replication has been checked out by a Microsoft tech support
> engineer last week.
>
> We went through the complete RAS description in technet but didn't find
> anything that would fit our situation. A colleague on the German MS list
> told
> us of similar experiences in a large VPN environment he is just setting
> up,
> but didn't have a solution.
>
> We'd be grateful for any ideas that would help us fix that issue.
>

Thank you. We will install a seperate VPN server tonight and hope his will
cure the issues.

"MSNews" wrote:

> It is not recommended to enable VPN on DC. This search result may help,
>
> Name resolution on VPNConnection issues on DC, ISA, DNS and WINS server as
> VPN server How to assign DNS and WINS on VPN client manually Name resolution
> Issue in a VPN client ...
> http://www.chicagotech.net/nameresolutionpnvpn.htm
>
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
> "w.haunzwickl" <(E-Mail Removed)> wrote in message
> news:B0C629B2-67EA-4336-B1DB-(E-Mail Removed)...
> > Hi,
> >
> > our customer has 5 W2k3 SP2 servers organized in one subnet, together with
> > 30 XP stations. One server is an SBS2k3, another acts as secondary DC.
> > VPN
> > was installed on one W2k3 server and worked fine. SOHO users could access
> > the
> > office LAN, network shares and Exchange through either VPN and VNC or
> > remote
> > desktop. When this server crashed we used the RRAS wizard to turn another
> > DC
> > into the VPN server. This server has two NICs. One is connected to the DSL
> > router, the other to the internal LAN. VPN from the client works, we can
> > always access the VPN server via VNC right away.
> >
> > What does not work reliably is accessing the office LAN locally, accessing
> > the network shares and accessing servers and workstations with VNC. When
> > we
> > ping servers and clients from the VPN client, is sometimes works and
> > sometimes doesn't. For replies we often get one success and three
> > timeouts.
> > Then again there are times when we get 4 successes and a bit later 4
> > timeouts
> > or the other way round. If we wait a while the situation often gets
> > better.
> > The system acts as if the routing table takes up to an hour or more to get
> > established correctly, but sometimes it doesn't at all or brakes down
> > again.
> > Not really logical, I know. I don't need to describe how the customer
> > feels
> > :<(.
> >
> > Remote desktop does not work at all ("server not found").
> >
> > Port forwarding in the router is set correctly, as are the in/outbound
> > filters of the external interface in RAS. The LAN together with DHCP and
> > DNS/WINS/AD replication has been checked out by a Microsoft tech support
> > engineer last week.
> >
> > We went through the complete RAS description in technet but didn't find
> > anything that would fit our situation. A colleague on the German MS list
> > told
> > us of similar experiences in a large VPN environment he is just setting
> > up,
> > but didn't have a solution.
> >
> > We'd be grateful for any ideas that would help us fix that issue.
> >
>
>
>

Thank you! We followed the advice in the mentioned articles but none fixed
the issues. So we will install a seperate server tonight and hope that this
will solve the problems.

"MSNews" wrote:

> It is not recommended to enable VPN on DC. This search result may help,
>
> Name resolution on VPNConnection issues on DC, ISA, DNS and WINS server as
> VPN server How to assign DNS and WINS on VPN client manually Name resolution
> Issue in a VPN client ...
> http://www.chicagotech.net/nameresolutionpnvpn.htm
>
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
> "w.haunzwickl" <(E-Mail Removed)> wrote in message
> news:B0C629B2-67EA-4336-B1DB-(E-Mail Removed)...
> > Hi,
> >
> > our customer has 5 W2k3 SP2 servers organized in one subnet, together with
> > 30 XP stations. One server is an SBS2k3, another acts as secondary DC.
> > VPN
> > was installed on one W2k3 server and worked fine. SOHO users could access
> > the
> > office LAN, network shares and Exchange through either VPN and VNC or
> > remote
> > desktop. When this server crashed we used the RRAS wizard to turn another
> > DC
> > into the VPN server. This server has two NICs. One is connected to the DSL
> > router, the other to the internal LAN. VPN from the client works, we can
> > always access the VPN server via VNC right away.
> >
> > What does not work reliably is accessing the office LAN locally, accessing
> > the network shares and accessing servers and workstations with VNC. When
> > we
> > ping servers and clients from the VPN client, is sometimes works and
> > sometimes doesn't. For replies we often get one success and three
> > timeouts.
> > Then again there are times when we get 4 successes and a bit later 4
> > timeouts
> > or the other way round. If we wait a while the situation often gets
> > better.
> > The system acts as if the routing table takes up to an hour or more to get
> > established correctly, but sometimes it doesn't at all or brakes down
> > again.
> > Not really logical, I know. I don't need to describe how the customer
> > feels
> > :<(.
> >
> > Remote desktop does not work at all ("server not found").
> >
> > Port forwarding in the router is set correctly, as are the in/outbound
> > filters of the external interface in RAS. The LAN together with DHCP and
> > DNS/WINS/AD replication has been checked out by a Microsoft tech support
> > engineer last week.
> >
> > We went through the complete RAS description in technet but didn't find
> > anything that would fit our situation. A colleague on the German MS list
> > told
> > us of similar experiences in a large VPN environment he is just setting
> > up,
> > but didn't have a solution.
> >
> > We'd be grateful for any ideas that would help us fix that issue.
> >
>
>
>