Windows 2008 2003 Site to site RRAS problems

1) Both domain controllers have their own DNS servers which work properly. I do not try to ping with hostnames anyway but by entering IP adresses.
 What I think is that the routes are fubared somehow. So to reiterate, everyone on the 2008 domain can ping all computers (and connect to different services) on the 2003 domain, all computers on the 2003 domain EXCEPT the 2003 server itself can ping all computers (and connect to different services) on the 2008 domain. Very strange.

I use two way RRAS connections, so both servers actively connect to the other server.

2) I did what you suggested and disabled that option. It works, the server does not hang at boot. However, this is just mitigating the symptoms. The server still does not manage to auto connect to the 2003 server, but hangs on "connecting" until i press disconnect manually which forces it to retry and eventually succeed. Maybe this is linked to the first problem.

It could be linked, yes.

As for DNS - are both of these servers in different domains and forests or are they all part of the same domain?

Whether or not each server has its own DNS is irrelevent if the two servers don't know about each other.  Pinging by IP just tells you that routing is working - it doesn't tell you that name resolution (the ability to "find" each other) is working.

Let me know about about the domain/forest question and I can steer you better.

They are DC on the same domain. I get domain error messages like active directory "cannot replicate" because the other machine cannot be found.

2008 machine gets auto registered in 2003 dns when it connects, the 2003 does not get registered in the 2008 dns when it connects. I manually added it (192.168.0.2).

Here's the topology

2008 LAN (192.168.101.0) ---- 2008 lancard(192.168.101.1) -- 2008 WAN card (external.2008.ip) ---- internet ------ 2003 domain FW (external.2003.ip) --- 2003 FW LAN card (192.168.100.1) ---- 2003 Server LAN card (192.168.100.2) and LAN (192.168.100.0)

The incoming VPN connection passes through the FW by port forwarding straight to the 2003 server.

I added a route on the FW (192.168.100.1) like so :
address : 192.168.101.0  
mask :  255.255.255.0    
gateway : 192.168.100.2  
interface : 192.168.100.1      
metric : 3

so that all LAN computers on the 2003 domain when trying to reach anything on 192.168.101.0 using their default gateway of 192.168.100.1, end up in 192.168.100.2, the 2003 server. This traffic reaches the 2008 domain fine so they can access resources without a problem.
But as I mentioned, when the 2003 server itself tries to ping anything there, it fails miserably, but both nets can ping and access resources on the 2003 server.

lovely

The 2003 WAN address and LAN address cannot be on the same network.  It must route through the server and it can't if both interfaces are on the same network.

If both DNS servers are on DCs in the same domain then all the zones should replicate once you get all the proper routes setup in RRAS.  I see no valid reason the 2003 server needs 2 NICs unless the firewall is on this box.  A DC that has multiple NICs on the same subnet needs careful configuration.

In DNS, the Forward Lookup Zone for your domain should contain the SRV records of both servers and ALL of the client computers from both sites.  Since the servers are peers and you should have DNS Active Directory integrated then replication should converge all zones.

Make sure you have 2 Reverse Lookup zones (one for each site) and they should be also scoped to domain and AD Integrated.

I see 2 issues here - one of routing and the other of DNS (which should sort itself easy enough once the network is properly setup).

It was hard to make a fork in ascii art, trying from top to bottom on the 2003 net as follows :

internet
2003 domain FW (gateway computer) WAN card(external.2003.ip)
2003 domain FW (gateway computer) LAN card (192.168.100.1)  
and then heres the internal lan (192.168.100.0)  with all computers and the 2003 Server (192.168.100.2)  

So the wan address is not on the lan network.

I totally agree its a routing issue but I do not understand the routing that I pasted up there, need help with that for sure!

LOL - I agree he ascii drawings are sometimes not so easy.

Ok, so your firewall is a separate box and your DC is internal.

So, then if I assume correctly, the RRAS setup is on the firewall boxes?   If not, I would imagine that point-to-point VPN would likely be way easier to setup between sites and forget about RRAS for this.

I may be able to remote in and look should you need to go that far.

No the dual RRAS link is between the domaincontrollers. The RRAS port is open and redirects to 2003 internal IP on the FW computer and simply open on the 2008 server.

Ill have to think about remoting because of security issues. Maybe if I sat by the console, but please take a look at the routing pasted up there first.

The firewall should not have the route on it.

Each RRAS box should be the gateway for your clients - it then knows how to route traffic.  RRAS should decide if it's traffic for the tunnel or to the internet.

You should try setting up a workstation/laptop on the LAN using a static address with the gateway being the RRAS machine.  Normally, the RRAS box will have 2 NICs (one for the LAN and one to the FW) and therefore traffic must pass through the box, however this is problematic on a DC.

When you installed RRAS for VPN did you select the Custom Configuration option?

The firewall does only route packages destined for 192.168.101.0 to the 2003 server. This route works as previously mentioned.

I did select custom option and selected most of the options. I have two different RRAS users autocreated, one for each server.

Eh ok.
I had time to do some experimenting today and reinstalled the RRAS config on the 2003 server by disabling/enabling  RAS.

Both AD's have user A and B that were auto created when I used the RRAS wizard the first time. During my experimening, I exchanged user A and B between the sites and suddenly the servers could communicate with each other. However, the 2003 and 2008 nets could not.
What gives?
I have now switched back the users and the behaviour is back as it was before. So if this is a user issue, how can I see the specific settings for RRAS in the user itself? I can not see any difference between these auto created users and any normal user.

I'm going to involve a friend of mine who may be able to explain this far better than I can.  Hang tight.

The credentials entered on the Deman Dial interface for Dial out are the ones from the other site.  You need to give the dial out interface from each server the credentials created on the other.

As for why the internal clients don't work, this may be a function of not setting up the RRAS using Custom Configuration - all other options assume there are 2 NICs and configure themselves accordingly.

Using the new config - point a client to the RRAS server as the gateway rather than the FW.  See if it can get to the other site.

About the users, both users have right credentials to log in of course as they both connect but the other rights? Why did the connections suddenly differ when I exchange them? Both have same password and were created with the wizard.

I have now made it so that I can access both servers without them running RAS. So if you could tell me exactly how I should do this step by step, I could delete everything and start from scratch!

I did that from my laptop, it failed

route add 192.168.101.0 MASK 255.255.255.0 192.168.100.2
ping 2008server
Pinging 2008server.mydomain.local [192.168.101.1] with 32 bytes of data:

Request timed out.

You don't need to add a route from your laptop - simply change the default gateway to the RRAS server's IP address.

Oops - I missed a step.

After you select Custom Configuration then hit Next, the next screen you see is where you will select Demand Dial Connections.

Then follow the rest.

I did it step by step on both servers at the same time, not even including NAT and the other stuff they need.
End result, same as first post.
Then I thought I'd try it once with a reboot between, but the 2003 server failed to restart, will have to fix it
tomorrow with a crowbar.
<3 Microsoft

That's definitely not a good thing.  I wish you well with getting it back up.

Keep me posted and I'll see what I can do.

Had to take the train to the main office to reset the bios cause it got stuck on detecting some array. Forgot crowbar.

Until today I had not considered buying hardware solution as software should be able to do the same simple job of shuttling packets. But apparently its not that simple.... Do you have a suggestion on a good cheap solution?

Not using NAT on the 2003 server as its not on the perimiter, but on the 2008 it is used.

The top and bottom of those routes are probably VPN dial-in connections, and the middle pertains to the site to site one.

During yesterdays activities the servers exchanged data and today they work as before with the added problem that anyone on the 2008 net trying to access the file system on the 2003 server gets an error.
Logon failure: The target account name is incorrect.

Also after one hour boottime the 2008 server starts acting sluggishly on gui and filetransfers, without any process hogging cpu.

What to do? Remove AD on 2008?

Sluggish behaviour is normally caused by a DNS issue.

Rob should be able to steer you correctly for a hardware solution - which IMHO is a lot easier and better to manage.

I'll keep following the thread and comment if I can be of use.

>>Do you have a suggestion on a good cheap solution?"
How about economical :-)
-My first choice assuming these sites have less than 50 users each would be a Cisco ASA5500 series for each site. Hard to beat Cisco fro dependability and support though they are more expensive. I believe they now start at less than $500 US each. Pricing is dependent on how many user licenses and VPN tunnels you require.
-As far as a dependable affordable device my favorite is the Linksys/Cisco RV042. There are no licensing fees, they are very stable, and easy to set up. I don't like their software VPN client (QuickVPN) which is not an issue here where you are doing site to site, but you can use other vendor clients or the Windows PPTP client (latter limited to 5 simultaneous connections) if you have need of that service. I have installed a couple of dozen of these and the only issue over 4 years is 2 failed A/C adapters. They run a little less than $200 US each
-If you really want to go low end, there is the Linksys/Cisco BEFVP41 and the Netgear FVS318, both of which work well but do not offer as many additional features. The Netgear also requires licensing fees for software clients, but no fees for site to site tunnels. They both run about $150 US each.

>>"Not using NAT on the 2003 server as its not on the perimeter"
I was referring to NAT by the router itself.
Are you using NAT on the 2008 server within RRAS? If so i can see why the 2003 server might not connect to the PC's on the 2008 site, but cannot understand why the PC's can connect.

>>"During yesterdays activities the servers exchanged data and today they work as before with the added problem that anyone on the 2008 net trying to access the file system on the 2003 server gets an error."
Do you mean you can now ping but not access shares? Thought yesterday the issue was 203 => 2008, and 2008=> 2003 was OK?
Regardless it sounds to me like multiple issues, both routing and DNS configuration.

>>"What to do? Remove AD on 2008?"
I certainly wouldn't but that is Netman66's specialty.

Thanks for the information. I found RV042 (with dual WAN) good for one site and the FVS318G (G version is newer it seems) better for the other site (2008). We have about 20 users in total and the first site has dual adsl connections and the other has a single highspeed one.
Can you even make a vpn tunnel between these two or are you better off with two of the same type/manufacturer?

2008 is running NAT on its internet card, yes.

I can ping like before, that is everyone can ping everything except 2003 server to 2008 net.
Heres the trace you asked for (from 192.168.100.1)

  1   <10 ms   <10 ms   <10 ms  192.168.100.2
  2     9 ms     9 ms     9 ms  192.168.100.10
  3     8 ms     8 ms     9 ms  192.168.101.104

Now the file share of 2003 server is unaccessible from everyone on 2008 net like this:
net use \\2003server
System error 1396 has occurred.

Logon Failure: The target account name is incorrect..

Tried removing the 2008 AD cause I got fed up, but it refuses because it cant contact the main DC, and when I connect them, it refuses because "Logon failure: The target account name is incorrect.". Thats some funny stuff!

System error 1396 is related to DNS.  You're attempting to use a NetBIOS name to open a UNC share and DNS is returning a different name.  Have you created any CNAME entries manually?

We need to get the site-to-site connectivity to 100% before we can properly troubleshoot this problem.  I believe that once the sites are connected properly and the servers have time to replicate then this secondary problem will go away.

I have not created any entries, think they got replicated when the servers had a moment of clarity. Anyhoo, I deleted a crapload of entries on both sides and now its working again with the added benefit that the sluggishness vanished. =)

I have ordered two FVS318G. Should be able to install them on Tuesday.

With this I'm gonna close this question. Wish I could reward more points than 500, because you guys have been of great help! Thanks alot and keep your eyes peeled on Tuesday afternoon hehehe.

Ill leave this open for a few hours in case there's any extra info you want to add.

Awesome.  You can post to this Q even if it's closed - so keep us in the loop!

NM

Good to hear.

>>" you guys have been of great help!"
Please, if awarding points, none to me. I had a look but added nothing of value. Very interesting question though.

To address the earlier question, you can connect a VPN to mis-matched routers but it can be a frustrating experience, very difficult to get support (2 companies involved), and you end up comparing differently formated logs. The matching FVS318G's should work well for you.

A tip on the Netgear routers: they don't like heat. i.e. don't put them in the middle of a stack of modems, routers, and switches.

Cheers all!
--Rob

The tip of buying hardware VPN instead of thinking software is easy is definetly worth its points. I have spent lots of hours with this and I dont want to know what it translates into money.

I mistyped, I ordered two CISCO RV042 (for the dual wan ports).

Thanks again!

Personally I like the RV042 better and it has more features, but I have several of the Netgears in the field as well and they do work well.

On the points your call, so long as Netman66 is happy.
I'll buy him a drink next time we get together to compensate :-)

Following link may be of some help with the set up. Shows one with dynamic IP and one with static, but helps to outline the configuration.
http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=1705&p_created=1094687137&p_sid=U6Top31i&p_accessibility=0&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTAzJnBfcHJvZHM9MCZwX2NhdHM9JnBfcHY9JnBfY3Y9JnBfc

Cheers!

I think you'll be much happier with the hardware solution - especially the Cisco product.  

Don't fret the point split, Rob and I are good friends and I value his professional and personal advice.

Glad to have helped.

I made the hardware router tunnel last Tuesday as planned, no problems at all. And yesterday I repromoted the 2008 server and replication is working (so far) flawlessly!

Thanks again guys!

Excellent. Glad to hear.
--Rob