Solved

Problem with Domain Security Policy and Remote Access/VPN server

Posted on 2007-07-22
Last Modified: 2013-11-21
Scenario: I have two servers; server1 is the PDC, and also runs DNS, WINS, IIS, and a VPN. server2 is just a terminal server. These are the only two computers/servers on the domain for now.

Problem: While the remote access/VPN module is running on server1, server2 is unable to synchronize the domain security policy with the PDC. It gives me an error in the Application event log that says:
Source: Userenv
Event ID: 1030
Description: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

I can't find anything else in the logs that seems to point to a problem. Disabling the remote access server solved the problem, but I would like to have that running. Basically what I want from the VPN is just for users to be able to connect to the server and access network resources, as well as be able to use the internet connection. I have a Cisco router, so I don't need the computer to act as another router (at least I don't think). Can anyone explain how the remote access server should be set up so this will work?
I'm also having another problem which may or may not be related. I usually use Remote Desktop Connection to connect to the servers and administer them. One of my computers runs Windows XP, and can connect to both servers fine. My other computer, which runs Vista Ultimate, can connect to server2 fine, but when connected to server1 it has very high latency or something. In other words, everything just takes about 10 seconds to appear on the client computer. The configuration of both computers network-wise is the same besides the OS.
If you need any more info feel free to ask.
Question by: VenomSnake

7 Comments
Expert Comment by: TheCleaner (ID: 19544950)
See here for possible resolution:  http://support.microsoft.com/kb/908370

Ideally you shouldn't use your DC as a RRAS server if you can avoid it...either use another server or ISA or if you have a firewall that has VPN support use it.

Author Comment by: VenomSnake (ID: 19545018)
That article didn't really help besides telling me to disable RRAS, which I already did...
Getting another server to run RRAS isn't really an option. I guess I could run it on my terminal server, but that server is far less powerful than the PDC, so getting it to work in the PDC would be a much better solution. I really just need someone to help me configure RRAS so it doesn't interfere with the domain controller services.

Accepted Solution by: TheCleaner (ID: 19547005)
This article here:  http://support.microsoft.com/kb/243374/en-us  explains that when you run the RRAS wizard for the first time (I'm assuming that's what you used) and choose VPN server, the interface you pick only allows PPTP and L2TP traffic through it while RRAS is running.

Is the server a dual homed server (2 NICs, 1 internal, 1 external)?  If so you can use the external nic as your RRAS/VPN server and the internal one will be for internal traffic (other DCs in this example) to use.

http://support.microsoft.com/kb/323441/

See that ^^ article for how to properly setup a VPN server in W2k3.

Hope that helps.


Author Comment by: VenomSnake (ID: 19547096)
Ok. My server does have dual NICs, however I only have one external IP address for use. Can I just run two CAT5s from my PDC to my router, have it get two different internal IP addresses, and then set up the NAT rules such that HTTP and all the other stuff go to one connection, and RRAS uses the other IP address? I don't see why this wouldn't work, but I want to double check before I run the wires, etc.

Expert Comment by: TheCleaner (ID: 19547507)
Yes you can...but if you can configure your router, you should setup another subnet and use that for the 2nd NIC so that you truly segment the traffic off.

If you can't, then just 2 NICs with 2 different internal IP addresses should work ok, just make sure the 1st NIC is higher in the binding order in the Network Connections so that it is the one that other internal clients use to connect with, and the 2nd is your VPN NIC.
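An added diagnostic script (written for this page, not from the thread, Microsoft, or the KB articles linked above) that checks the points raised in the accepted solution and in the binding-order comment above: whether the RRAS service is running on the box, the TCP/IP binding order with each adapter's addresses, whether the internal NIC is the first one bound, and the Userenv 1030 events in the Application log of the machine that reported them (server2 in the question). The adapter name 'Local Area Connection', the parameter names and the file name are placeholders to adjust; the RemoteAccess service name and the Tcpip\Linkage\Bind registry value are standard Windows locations. It uses Get-WmiObject and Get-EventLog so it runs under Windows PowerShell 2.0 or later on the older server versions this thread is about.

```powershell
# Check-RrasOnDc.ps1 (hypothetical file name) - added example, not from the original post.
# Run elevated on the DC/RRAS server. Assumptions: the RRAS service is named
# RemoteAccess (standard); $InternalNicName is the friendly name of the NIC that
# internal clients should use (placeholder, change it); $ClientComputer is the
# machine logging Userenv 1030 (defaults to this machine).
param(
    [string]$InternalNicName = 'Local Area Connection',  # placeholder name
    [string]$ClientComputer  = $env:COMPUTERNAME          # machine with the 1030 events
)

# 1. Is RRAS installed and running on this server at all?
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($rras) { "RRAS service state: $($rras.Status)" } else { "RRAS service not installed" }

# 2. Binding order. Tcpip\Linkage\Bind is a REG_MULTI_SZ of \Device\{GUID} entries
#    in binding order; the GUID matches Win32_NetworkAdapterConfiguration.SettingID.
$bind     = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$ordered  = foreach ($entry in $bind) {
    $guid = $entry -replace '^\\Device\\', ''
    $adapters | Where-Object { $_.SettingID -eq $guid }
}

"TCP/IP binding order (first entry is preferred for outbound traffic and DNS registration):"
$i = 0
foreach ($a in $ordered) {
    $i++
    "  {0}. {1}  [{2}]" -f $i, $a.Description, ($a.IPAddress -join ', ')
}

# 3. Warn if the internal NIC is not bound first (the advice in the comment above).
$first    = $ordered | Select-Object -First 1
$internal = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$InternalNicName'"
if (-not $internal) {
    Write-Warning "No adapter named '$InternalNicName' found; pass -InternalNicName with the real name."
} elseif ($first -and $first.Index -ne $internal.Index) {
    Write-Warning ("Internal NIC '{0}' is not first in the binding order. Move it up under " +
                   "Network Connections > Advanced > Advanced Settings and re-check.") -f $InternalNicName
} else {
    "Internal NIC '$InternalNicName' is first in the binding order."
}

# 4. Recent Userenv 1030 events on the machine that reported them (the symptom in the question).
"Userenv 1030 events on ${ClientComputer}:"
Get-EventLog -ComputerName $ClientComputer -LogName Application -Source Userenv -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1030 } |
    Select-Object TimeGenerated, MachineName, Message |
    Format-Table -AutoSize -Wrap
```

Usage: `.\Check-RrasOnDc.ps1 -InternalNicName 'LAN' -ClientComputer server2`. Reading the event log on a remote machine needs the Remote Registry service and admin rights on that machine; if that fails, run step 4 locally on server2.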

Author Comment by: VenomSnake (ID: 19548694)
I do have full access to the router, so I can do anything I need to do in terms of router config, however I'm not sure how I would go about creating another subnet on the router. The router is a Cisco 871w, which runs IOS 12.4(2)T. I usually use SDM to do all the router configurations, as I'm not that savvy when it comes to Cisco CLI stuff. Would I need to create another VLAN on the router in order to create another subnet? Should I just open another question in a networking zone for this one?

Expert Comment by: TheCleaner (ID: 19550248)
Yes, you'd need a new VLAN to route traffic correctly.   I'm not a Cisco guy, so I wouldn't be the guy to ask on that side of things though.