Win XP cannot locate domain controller over VPN

 
 
CFA IT Manager
05-16-2005, 03:13 PM
Hello all,

I hope somebody here can help me out. I've been researching and
struggling with this trouble for 5+ months now.

I have a simple VPN set up:
Win2k (SP4) -> Linksys -> Internet -> Linksys -> WinXP (SP1)

The Linksys equipment on both ends is the same: BEFVP41. The equipment
works great and has no trouble at all with Win98 clients. In fact, the
WinXP clients work too but only after disconnecting the NIC cable,
logging in, and then reconnecting the cable.

I thought the trouble was due to ping requests being blocked by the
Linksys router. So I followed others' instructions to set
GroupPolicyMinTransferRate to zero. That didn't seem to fix the trouble
100% but it did cause other error messages to appear. All the errors I
receive have to do with the domain controller and Group Policies.

Can anyone give me some new pointers or things to try out?
I'll be happy to offer more info about the server configuration as
needed.

Thanks,
Jason Morrill
IT Manager
Child & Family Agency

 
Phillip Windell
05-16-2005, 05:10 PM
XP is "DNS-based". They won't find the DNS Server if they aren't pointed to
the right DNS Server in their network settings.

Win98 is "Netbios-based", it will do fine if pointed to the right WINS
Server.

Just for clarity, what you have is this:

(a Site-to-Site VPN, aka Router-to-Router VPN)
Linksys VPN -> Internet -> Linksys VPN

Whatever machines and SPs are on each end are irrelevant to the
functionality of the VPN connection.
--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com





 
Alex
05-16-2005, 08:26 PM
Are one or both of the Internet connections DSL or ADSL connections?
I've seen similar issues, which had to do with TCP packet fragmentation,
caused by the smaller TCP window size on these connections.
You can try simulating with ping -l commands from the clients:
if ping -l 1400 works and ping -l 1500 doesn't, it's probably a similar
issue.
If so, you can try fixing this on the Linksys devices if possible (I
don't know these devices);
alternatively you can change the TCP window size in the Win XP registry
(see MS KB for the regkeys).

 
CFA IT Manager
05-17-2005, 05:37 PM
Alex,

Thank you for the response. I did a quick ping test and BEHOLD the ping
at 1500 bytes failed to return. At 1400 bytes it comes back without any
trouble at all. After a few more tests it turns out that 1410 bytes is
the maximum that will go across the DSL VPN connection in a single
ping.

After some research I've been reading that a setting this low
(1400 bytes) is not acceptable for a broadband connection. Though I have
to admit skepticism here since clearly a larger packet just gets
dropped.

I think Alex nailed it for me but can anyone offer any tweaking
suggestions?

Thanks,
Jason

 
Todd J Heron
05-18-2005, 01:32 AM
Set the MTU in the registry on the server to 1410 bytes.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

 
CFA IT Manager
05-18-2005, 12:40 PM
Todd,

If I were to set my server registry to 1410 bytes for the MTU that will
also affect all computers on the LAN side. I'm not certain if that
would be detrimental to a 100Mbps LAN. I suppose the only way to know
is to try it out.

Thanks for the suggestion.

Jason

 
CFA IT Manager
05-18-2005, 07:26 PM
As a follow up to this trouble I have been experiencing I thought I
should include a few things that *HAVE* worked.

1) Eliminate the Slow Link Detection during log-in

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GroupPolicyMinTransferRate"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GroupPolicyMinTransferRate"=dword:00000000

2) Set Kerberos to authenticate over TCP instead of UDP

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

And finally my remote system would log in properly. Now I'm
experiencing a delay during the log out process which is directly
related to the packet size allowed on the DSL VPN solution we have.

I believe that adjusting the TCP Window Size may help. After further
investigation I will post my final results here.

Jason

 
CFA IT Manager
05-20-2005, 02:01 PM
The final solution for me was to do two things:

1) Set the MTU for the client network adapter to 1428. Look in the
registry and add the MTU dword value for the specific adapter. Be sure
to substitute your Adapter ID in the string below.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[Adapter ID]]
"MTU"=dword:00000594

2) Set Kerberos to work over TCP instead of UDP.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

After those two settings are applied to my client machines at the
remote offices the computers have no trouble reaching our Win 2k server
over the DSL VPN.

Jason
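
Added example (not part of the thread and not any poster's code): the ping test and the MTU registry value discussed above, tied together by searching for the largest payload that passes and converting it to an IPv4 MTU and a dword line. It assumes the 1410-byte figure is the ICMP payload given to ping -l, so the packet on the wire is 28 bytes larger; the function names, simulated_vpn and the host dc.example.test are hypothetical.

```python
import subprocess

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header

def ping_df(host, payload):
    """Send one echo with Don't Fragment set (Windows ping: -f, -l size)."""
    out = subprocess.run(
        ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host],
        capture_output=True, text=True).stdout
    return "TTL=" in out   # only a real echo reply carries a TTL field

def largest_payload(probe, low=548, high=1472):
    """Binary-search the largest payload for which probe(payload) is True.

    548 and 1472 are the payloads of a 576-byte and a 1500-byte packet.
    """
    if not probe(low):
        raise RuntimeError("even the smallest probe failed; check reachability")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid passed, so the answer is mid or larger
        else:
            high = mid - 1     # mid was dropped, so the answer is smaller
    return low

def path_mtu(payload):
    """Size of the whole IPv4 packet that carried this ICMP payload."""
    return payload + ICMP_HEADER + IP_HEADER

def mtu_reg_line(mtu):
    """Format the value the way the .reg lines in the thread are written."""
    return '"MTU"=dword:%08x' % mtu

def simulated_vpn(limit):
    """Constructed stand-in for the tunnel: drops any payload above limit."""
    return lambda payload: payload <= limit

if __name__ == "__main__":
    best = largest_payload(simulated_vpn(1410))   # 1410 is the thread's figure
    mtu = path_mtu(best)
    print(best, mtu, mtu_reg_line(mtu))
    print(mtu_reg_line(1428))                     # the MTU chosen in the thread
    # Live use on Windows:
    # largest_payload(lambda n: ping_df("dc.example.test", n))
```

Run against the simulated link, the search lands on 1410, which corresponds to a 1438-byte packet; the 1428 set in the final post sits below that, and its dword encoding matches the 00000594 shown there.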

 