Windows 2003 interaction between DNS and VPN

 
 
mdichiappari@gmail.com
      06-27-2008, 05:13 PM
I just set up Windows 2003 SP2. It is configured as a domain
controller, DNS server, and VPN server. DHCP is on there too, but
I've disabled it. A LinkSys NAT/DSL router is providing DHCP for
now. I used mostly default settings when installing. In addition,
the server has 2 NICs for the VPN. One NIC goes into the LinkSys
router (but is not assigned an IP by the router; it has a static IP on
the internal LAN: 192.168.1.200) and the other has an external static
IP.

There is an interaction between DNS and the VPN that is preventing
things from working. Here is what I am observing.

1) I configured both NICs with gateway addresses initially. The
warning, "Multiple gateways are intended to provide redundancy to a
network..." appeared. If I disregard that warning, I can connect to
the VPN, but DNS doesn't work. DNS fails both internal to the LAN
and also to the VPN client.

2) If I leave the gateway blank on the external NIC, I can't
connect to the VPN at all. The VPN client just times out.

What don't I understand?

Thanks,
Mike
 
Meinolf Weber
      06-27-2008, 05:49 PM
Hello (E-Mail Removed),

A domain controller shouldn't provide RRAS services, for security reasons; better
use a separate machine for this. If you configure RRAS and will use VPN you
need IP addresses from the server to the VPN, which is normally done with
DHCP. Your router will not be able to provide IP addresses for this as
far as I know. So get rid of the router DHCP which can also not update the
DNS records on the server.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 
mdichiappari@gmail.com
      06-27-2008, 06:02 PM
On Jun 27, 1:49 pm, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
> Hello mdichiapp...@gmail.com,
>
> A domain controller shouldn't provide RRAS services, for security reasons; better
> use a separate machine for this. If you configure RRAS and will use VPN you
> need IP addresses from the server to the VPN, which is normally done with
> DHCP. Your router will not be able to provide IP addresses for this as
> far as I know. So get rid of the router DHCP which can also not update the
> DNS records on the server.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > I just set up Windows 2003 SP2. It is configured as a domain
> > controller, DNS server, and VPN server. DHCP is on there too, but
> > I've disabled it. A LinkSys NAT/DSL router is providing DHCP for
> > now. I used mostly default settings when installing. In addition,
> > the server has 2 NICs for the VPN. One NIC goes into the LinkSys
> > router (but is not assigned an IP by the router; it has a static IP on
> > the internal LAN: 192.168.1.200) and the other has an external static
> > IP.
> > There is an interaction between DNS and the VPN that is preventing
> > things from working. Here is what I am observing.
> >
> > 1) I configured both NICs with gateway addresses initially. The
> > warning, "Multiple gateways are intended to provide redundancy to a
> > network..." appeared. If I disregard that warning, I can connect to
> > the VPN, but DNS doesn't work. DNS fails both internal to the LAN
> > and also to the VPN client.
> >
> > 2) If I leave the gateway blank on the external NIC, I can't
> > connect to the VPN at all. The VPN client just times out.
> >
> > What don't I understand?
> >
> > Thanks,
> > Mike


I've configured VPN (RRAS) to provide IP addresses from a pool. The
range of IP addresses is mutually exclusive from those addresses
provided by the router.
 
Phillip Windell
      06-27-2008, 06:56 PM
1. Domain Controllers should not be multi-homed.
2. Being a VPN Server and even simply running RRAS makes it multi-homed.
3. DNS, even just all by itself, is better on a single-homed machine.
4. Domain Controllers with the PDC Role are automatically Domain Master
Browser. Master Browsers should not be multi-homed.

272294 - Active Directory Communication Fails on Multihomed Domain
Controllers
http://support.microsoft.com/default...b;en-us;272294

191611 - Symptoms of Multihomed Browsers
http://support.microsoft.com/default...b;EN-US;191611


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
Phillip Windell
      06-27-2008, 06:59 PM
<(E-Mail Removed)> wrote in message
news:ac583454-94f9-4d31-8e03-(E-Mail Removed)...
> On Jun 27, 1:49 pm, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
>> Hello mdichiapp...@gmail.com,
>>
>> A domain controller shouldn't provide RRAS services, for security reasons;
>> better use a separate machine for this. If you configure RRAS and will use
>> VPN you need IP addresses from the server to the VPN, which is normally done
>> with DHCP. Your router will not be able to provide IP addresses for this as
>> far as I know. So get rid of the router DHCP which can also not update the
>> DNS records on the server.
>
> I've configured VPN (RRAS) to provide IP addresses from a pool. The
> range of IP addresses is mutually exclusive from those addresses
> provided by the router.


That is only a small part of the problems you are going to create for
yourself with this setup.

See my other post.
The only exception to my other post would be with Small Business Server
which has been specially engineered to function with everything on one box
in a multi-homed configuration.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
mdichiappari@gmail.com
      06-27-2008, 07:29 PM
OK, it looks like consensus is that putting VPN on the PDC is a bad
idea. I'll have to find another machine. I was trying to test it out
with just one machine.

Thanks.
 
 
Phillip Windell
      06-27-2008, 08:37 PM
If this is only a testing situation you can load Virtual Server on the
machine and load another copy of Server 2003 on it as a Virtual Machine to do
the other machine. I would recommend the VM to be the Domain Controller
because it would be easier to keep the DC with a single NIC while the
Physical Server would have the two NICs.

You could also keep the physical machine as "nothing" with a bare OS install
and Virtual Server Installed and do both the DC and the VPN servers as VMs.

You could do the same using Virtual PC running on a reasonably good XP PC.
Create the two VMs in it. Using VMs in Virtual PC is more visually pleasing
than Virtual Server and (at least to me) seems more "real" when building
test labs.

Both Virtual Server and Virtual PC are free products downloadable from MS.
Get to know them, you can do a lot with them once you know your way around
them.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------



 
mdichiappari@gmail.com
      06-29-2008, 07:05 PM
OK, so I tried the VPN server on a completely separate machine. It is
part of the domain and has 2 NICs - one internal and one external.
Same OS - Windows 2003 Server with SP2. In essence, the machine is
configured just like a domain client, except it has two network cards
and RRAS.

I am having the same problem I had when RRAS was on the DC. The
external IP is simply not accessible. Can't ping and therefore no
clients from outside can get to it. It is accessible from the LAN
though.

Any ideas?

The internal card has the gateway and DNS settings for the DSL router
(LinkSys). The external card has no gateway and the DNS of the ISP.
 
 
mdichiappari@gmail.com
      06-30-2008, 03:36 AM

On Jun 29, 3:05 pm, mdichiapp...@gmail.com wrote:
> OK, so I tried the VPN server on a completely separate machine. It is
> part of the domain and has 2 NICs - one internal and one external.
> Same OS - Windows 2003 Server with SP2. In essence, the machine is
> configured just like a domain client, except it has two network cards
> and RRAS.
>
> I am having the same problem I had when RRAS was on the DC. The
> external IP is simply not accessible. Can't ping and therefore no
> clients from outside can get to it. It is accessible from the LAN
> though.
>
> Any ideas?
>
> The internal card has the gateway and DNS settings for the DSL router
> (LinkSys). The external card has no gateway and the DNS of the ISP.


One thing that got me a little closer is to leave the internal NIC's
gateway blank and set the external gateway to the ISP. Now I can
establish a VPN.

Only problem now is that I can't access any resources on the internal
network.
 
 
mdichiappari@gmail.com
      06-30-2008, 12:14 PM
On Jun 29, 11:36 pm, mdichiapp...@gmail.com wrote:
> On Jun 29, 3:05 pm, mdichiapp...@gmail.com wrote:
>
> > OK, so I tried the VPN server on a completely separate machine. It is
> > part of the domain and has 2 NICs - one internal and one external.
> > Same OS - Windows 2003 Server with SP2. In essence, the machine is
> > configured just like a domain client, except it has two network cards
> > and RRAS.
> >
> > I am having the same problem I had when RRAS was on the DC. The
> > external IP is simply not accessible. Can't ping and therefore no
> > clients from outside can get to it. It is accessible from the LAN
> > though.
> >
> > Any ideas?
> >
> > The internal card has the gateway and DNS settings for the DSL router
> > (LinkSys). The external card has no gateway and the DNS of the ISP.
>
> One thing that got me a little closer is to leave the internal NIC's
> gateway blank and set the external gateway to the ISP. Now I can
> establish a VPN.
>
> Only problem now is that I can't access any resources on the internal
> network.


Finally, got it working. The last problem was that the subnet at the
work and home locations was the same. Had to change one to
192.168.1.x and the other to 192.168.2.x.
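
The resolution in the last post comes down to route selection on the VPN client: a directly connected home LAN route is more specific than the default route the tunnel installs, so traffic for an office host in the same range never enters the VPN. The following is an added example, not part of the thread; the /24 masks, the metrics, the choice of the home side as the one renumbered to 192.168.2.x, and the function names are all assumptions.

```python
import ipaddress

def client_routes(home_lan, vpn_up=True):
    """Constructed route table for a VPN client: (network, interface, metric)."""
    home = ipaddress.ip_network(home_lan)
    default = ipaddress.ip_network("0.0.0.0/0")
    routes = [(home, "LAN", 20), (default, "LAN", 20)]
    if vpn_up:
        # Assumption: the tunnel installs a default route with a better metric.
        routes.append((default, "VPN", 1))
    return routes

def pick_interface(routes, dest):
    """Longest-prefix match first, lowest metric as the tie-breaker."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

def overlapping(named_nets):
    """Return the name pairs whose address ranges overlap."""
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in named_nets.items()]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

# Internal address quoted in the first post, used here as the office-side target.
SERVER = "192.168.1.200"

def demo():
    """Interface chosen for SERVER before and after renumbering the home LAN."""
    before = pick_interface(client_routes("192.168.1.0/24"), SERVER)
    after = pick_interface(client_routes("192.168.2.0/24"), SERVER)
    return before, after

if __name__ == "__main__":
    print(demo())
    print(overlapping({"home": "192.168.1.0/24", "office": "192.168.1.0/24"}))
```

Running `overlapping` over the office LAN, each remote site's LAN and the RRAS address pool before handing out VPN access catches this class of failure ahead of time.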
 