[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

VPN client cannot connect to domain through "my computer" properties.  What am I doing wrong?

Posted on 2004-10-25
22
Medium Priority
?
402 Views
Last Modified: 2010-04-10
W2k pro Client successfully connects to W2k VPN Server over the net using PPTP.  However, when we go to add the computer to the domain, it cannot find the domain.  It also cannot ping the domain controller when connected through the VPN.  We are entering the domain as abcxyz (no .com) as we usually do when directly connected on the lan.  No dice.  Any ideas?  I can give you any more info you need, thanks.
0
Comment
Question by:Sp0cky
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 5
  • 2
  • +4
22 Comments
 
LVL 7

Expert Comment

by:Focusyn
ID: 12401192
Check that your firewall is not blocking the the ports required for domain logon.  Whether or not that's possible will depend on your network architecture.  The VPN needs to bridge an external (WAN) segment and the internal LAN or else you're going to be subject to all firewall rules regulsating outside traffic.
0
 
LVL 7

Expert Comment

by:Focusyn
ID: 12401208
OK - now that I read tha tit looks kind of stupid, since bridging LAN and WAN is what VPN does,.  More specifically, I meant it needs to bridge to an unrestriceted LAN segment.
0
 
LVL 1

Expert Comment

by:UNS-Tech
ID: 12401306
the most commin error i found with VPN is DNS resolutions

edit the HOSTS file ( \windows\system32\drivers\etc - on winxp ) and add a line similar to

IP ADD                              servername

e.g.

10.0.0.2                       domainserver1

to the end, and try again

although adding to a domain remotely isn't really recommended

hope this helps

:o)
0
Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.

 
LVL 79

Expert Comment

by:lrmoore
ID: 12401324
Try adding a LMHOSTS file entry:

How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/support/kb/articles/Q180/0/94.ASP 


0
 
LVL 1

Expert Comment

by:dagger3d
ID: 12401829
Try loggin on to VPN before you logon to the Domain. When the CTRL-ALT-DEL option to login comes up, use the login using dial-up netowrking option and choose your VPN connection. THis way you will bo on the network before you login, then it will authenticate you on the domain.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12401870
dagger3d, very good point.
That assumes that the client PC has actually joined the domain at some point, and can actually find the domain controller with the proper WINS/DNS entries provided to the client...
... that appears to be the problem at this point...


0
 
LVL 2

Expert Comment

by:mrrickyjones
ID: 12401964
Are you trying to ping DC by name or by IP... I have seen lots of name resolution issues over vpn.  If you can ping the DC by IP, but not by name then this is the case.  A good place to start might be to take the .sam extension off of your lmhosts file and add the following entry:

x.x.x.x  domaincontroller #PRE  #DOM:domain  #PRE

replace x.x.x.x with ip address of your domain controller
replace domaincontroller with the name of your DC
replace domain with the name of your domain.

Also, add entries for anything else this machine is going to need to see by name on the inside of your network in similar format

x.x.x.x  machinename
0
 

Author Comment

by:Sp0cky
ID: 12402488
Thanks all
.  I am trying these options now.
0
 

Author Comment

by:Sp0cky
ID: 12402906
Darn did all these things and no dice.  
0
 

Author Comment

by:Sp0cky
ID: 12403012
I can ping the DC by IP now but thats it.
0
 

Author Comment

by:Sp0cky
ID: 12403098
Any services I should check on the VPN server?
0
 
LVL 2

Accepted Solution

by:
mrrickyjones earned 1500 total points
ID: 12403965
Usually, once you establish a vpn session, you are logically inside the network so the firewall is probably not blocking anything.  If you can only ping the dc by IP and not by name you definately have some name resolution problems going on and that is where I would start looking.  See if by adding entries to lmhosts and/or hosts you can get the machine to be able to ping DC by name.  Also, be sure the enable lmhosts lookup is enabled in properties > tcp/ip properties the connection you are using
0
 
LVL 2

Expert Comment

by:col_forbin13
ID: 12404798
What kind of connection are you using to connect to the VPN?  Can a machine already on the domain connect to all of the internal resources properly?  We've seen a lot of issues with DSL/PPPoE connections and VPN, and usually changing the MTU on the network connection helps resolve the issue.  
0
 

Author Comment

by:Sp0cky
ID: 12405036
"Usually, once you establish a vpn session, you are logically inside the network so the firewall is probably not blocking anything." - mrrickyjones

Yes.  I just tested a dial up connection that got in just fine.  It is a DSL connection in fact we are having trouble with.  Please explain MTU?  Thanks.
0
 
LVL 2

Expert Comment

by:col_forbin13
ID: 12406151
Check out this FAQ from DSL Reports:

http://www.dslreports.com/faq/7801

I've noticed that a lot of times for SBC here in the Chicago area, 1350 is a good MTU that works.  As the FAQ suggests, it's probably best to check with your ISP to see what is the optimum MTU for your connection if 1350 doesn't work for you.
0
 

Author Comment

by:Sp0cky
ID: 12413183
Thanks guys.  We are still having trouble getting those 2 guys to even ping the server by ip address once connected Via VPN.  This is weird.
0
 

Author Comment

by:Sp0cky
ID: 12438867
Looks like the one location ISP is blocking protocols completely.  Can anyone suggest another VPN option ?  MS mentioned something like a UDP packet option...Not sure..Anyone?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12439299
If you can establish the VPN connection and can Ping across it, then the ISP can't see anything at all that is going on inside that VPN tunnel. You can't block what you can't see.
0
 

Author Comment

by:Sp0cky
ID: 12439940
"If you can establish the VPN connection and can Ping across it, then the ISP can't see anything at all that is going on inside that VPN tunnel. You can't block what you can't see."

?Does not compute?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12444210
I guess I jumped the gun on that... you can't ping, can you?
What I meant was, if you can establishe the VPN, then that means that both TCP port 1723 and GRE are permitted through the ISP. TCp port 1723 is used simply to setup the dedicated, encrypted, tunnel between the server and the client using GRE. All traffic between this server and the client is encapsulated within that GRE stream. The ISP cannot see what is inside that tunnel. If the ISP can't see the ports/protocols inside that tunnel, they can't block any either. Even if they block, say UDP port 138, it doesn't matter because all any of their equipment sees is the GRE stream. They can block all the ports they want, but as long as GRE is permitted, and you can establish a GRE tunnel between the server and a client, then you can do whatever you want within that tunnel, including icmp pings.

Here's an example. I have a VPN tunnel open to my office, and my ISP blocks ICMP, yet I can still ping "through" my tunnel to my office, and the ISP can't stop it:

C:\WINDOWS>ping www.cisco.com

Pinging www.cisco.com [198.133.219.25] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 198.133.219.25:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\WINDOWS>ping bingo   <== my server

Pinging BINGO [229.35.x47.74] with 32 bytes of data:

Reply from 229.35.x47.74: bytes=32 time=34ms TTL=127
Reply from 229.35.x47.74: bytes=32 time=37ms TTL=127
Reply from 229.35.x47.74: bytes=32 time=36ms TTL=127
Reply from 229.35.x47.74: bytes=32 time=36ms TTL=127

Ping statistics for 229.35.x47.74:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 34ms, Maximum = 37ms, Average = 35ms

C:\WINDOWS>

If you can't ping by either name or IP address, then you have a separate issue. Can you possibly have the same IP subnet on the LAN at both ends?
If you could ping by IP but not by name, then you have a Microsoft name resolution problem.
If you can ping by IP and by name, but can't map drives, then you have a Netbios name resolution/ domain permissions problem
0
 

Author Comment

by:Sp0cky
ID: 12528653
Thanks much for your input Lrmoore.  It took adding the user to the admins group to allow him permission to logon to the domain interestingly enough.  I also found that adding the internal DNS server to the VPN connection solved some of the problems.  LAst of all, there was a conflict of internal ip's as the client netwrok had the same addresses as my remote.  It just so happens that my exchange server is on a domain controller.  I wonder if I would have to demote that machine in order to not require them to have admin permissions to access resources?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12667338
Sp0cky, are you still working on this? Can you close out this question before the cleanup crew comes by?

Thanks!

0

Featured Post

Plesk WordPress Toolkit

Plesk's WordPress Toolkit allows server administrators, resellers and customers to manage their WordPress instances, enabling a variety of development workflows for WordPress admins of all skill levels, from beginners to pros.

See why 2/3 of Plesk servers use it.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question