Solved

VPN with a Windows server at each end

Posted on 2007-11-30
467 Views
Last Modified: 2013-11-05
I have a VPN between two offices. Main Office and Remote Office.
I have an SBS2003 at the main office which is a domain controller, exchange etc. I have a std 2003 server at the remote site. I also have a Linux box at the main site which handles file service.
The VPN is provided by two linksys routers. Each server has its local linksys router ip as its gateway.
At each end I can ping IP addresses at the other end but not NetBIOS names (except the Linux box; I can ping its name from the remote office). I can not connect to any resources (shared folders etc).
I think I am close, but need some help here.
Question by:hgj1357
51 Comments
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20383312
Are they all members of the same domain? Or are they separate domains with a trust relationship? You need to make sure that if they are members of the same domain, DNS is running on servers on both ends and that they have each other as replication partners for DNS. That way new records on each side are sent to the other side. And you should be using different subnets. What I do is use 192.168.1.xxx for one network and 192.168.2.xxx for the other.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20383466
NetBIOS names within a LAN primarily use NetBIOS broadcasts. Broadcasts are not routable, and therefore cannot be used over a VPN.
To "resolve" this there are a few options:
-Use an LMHosts file and add the NetBIOS names and IPs for the remote machines. If you need a hand with LMHosts, please advise
-Set up WINS on both servers
-Use DNS to resolve names. The catch is one of the very few limitations with SBS: it does not support trust relationships.
----if no local DNS server, point the workstations to the SBS for DNS only; do not add ISP DNS configuration to the workstations
----You can manually add Hosts records in the DNS management console for the remote machines
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 20383613
Hi, hgj1357.  As aramirezomni said, it matters whether they are on the same domain or not.  If they are, you can handle it the way he/she described.  If not, you can use conditional DNS forwarding to handle the name resolution.  

If you're not familiar with DNS forwarding, open your DNS mgmt. console and right-click on the server name.  Go to Properties and click on the Forwarders tab. In the DNS Domain box, you will probably see "All other DNS domains" and there may be forwarders already showing there, especially on the SBS server.  Whatever is already there, leave it as is and click the "New" button.  Enter the domain name of the domain at the office you're connecting TO, click OK. Then with that name highlighted, add the IP address of the DNS server at that office to the "Selected domain's forwarder" list.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20396074
The SBS at the main office is the domain controller. The W2003 server at the second office is part of the same domain, but I was unable to install AD on the W2003. I get a message saying the forest is not prepared for installing. Use Adprep to prepare both the forest and the tree.

I don't know how to do this.

I'd like to have the W2003 server sync with the SBS so that users in the second office can login to the domain on that local server (W2003).

I may have to bring that server back to the main office to set it up correctly.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20396144
You will need to run adprep for forest and domain. An outline can be found here:
http://www.petri.co.il/windows_2003_adprep.htm
Note: if Server 2003 R2, you need to use the adprep in the support tools of the second install CD.
You should be able to do so over the VPN, but you must have the server point only to the SBS for DNS, and best if only 1 network card is enabled while doing so.
You say the server is already part of the domain, but really where you have SBS the computer account should be first created on the SBS using the wizard: Server Management | Server Computers | Set up Server Computers
The server is joined by using the wizard in a browser: http://SBSName/connectcomputer.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20396219
PS I am familiar with using the HOSTS file. I use it to block unwanted web sites:

127.0.0.1 1.adbrite.com  # etc etc

Is this the file I would use to direct traffic?

192.168.123.123  SVR5  #  etc

0
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20396241
You don't want to use a hosts file. The smartest thing to do is to set up the DNS service on that other server and make it a domain controller. Follow the adprep instructions above. Also you will need to change your DHCP servers on both sides to feed each IP as a DNS server.

So as an example


DNS 1: 192.168.123.123 (server in location 1)
DNS 2: 192.168.100.100 (server in location 2)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20396257
Windows servers and active directory rely totally on DNS, so you definitely do not want to be dependent on a host file as aramirezomni stated.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20396697
OK. What's first?

Do I need to set up the DNS forwarding? Or do I not need that step until I've done the adprep?

What should I expect from adprep? Will it interfere with Exchange on the SBS?
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20396709
More importantly, I guess, do I need to get the W2003 server back into this office while I do this?
0
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20396741
You shouldn't need to get the 2003 server back into your office.

Before running AD Prep you may need to edit the hosts file to include the name of the server at your location.

So the new server would have

192.168.1.100 domaincontroller.yourdomain.local

in its hosts file

where the IP is the address of the current domain controller and the rest is that domain controller's fully qualified domain name

then you run ADPrep.

You won't need to do anything with DNS other than enable it. Once you've run ADPrep and the server is a domain controller on your domain you just install DNS. The installation will run you through creating a DNS server in an existing domain. So on and so forth.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20396750
Another odd thing.

My workstation at the main office can ping the IP of the W2003 server at the second office, however, the SBS can not ping this IP.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20396840
aramirezomni: The second office is 40 mins away. Should I drive there and add the comment to the HOSTS file before running adprep?

0
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20396842
DNS will fix all of that. I promise.
0
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20396848
You should be running ADPrep according to the instructions above. I believe you first have to run it on the computer that is already a DC. Then you can DCPromo the other machine. So first run ADPrep, then go to the other office, add the hosts file entry and DCPromo.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20396870
Road trip!
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20396903
Now, I don't want to flog a dead horse, but, just so I'm 100% clear. I run ADPrep /forestprep AND
ADPrep /domainprep on the SBS-2003 at the main office.

It is a Small Business Server with SP2 installed, NOT a Std 2003 server. Do I run ADPREP at the command line, or from a CD?
0
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20396923
It's ALWAYS good to be sure. Don't feel bad for asking. The website below has very detailed step by step instructions for exactly what you are trying to do.

http://www.smallbizserver.net/tabid/266/articleType/ArticleView/articleId/221/Default.aspx

Any more questions you just let me know.
0
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20396929
You're actually only running Forestprep according to those instructions. Domain prep is run automatically on the new server.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20396997
How much disruption will this likely cause to the SBS?
0
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20397008
I can't remember for sure to be honest. But I have to think you'll need to restart.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20397103
Though it doesn't hurt, you actually shouldn't have to run adprep if both machines are the same vintage. The message that you got would imply the SBS is newer than the 2003 Std? Is the SBS R2 (not SP2)? If so, it needs to be the R2 CD run on the older machine. The concept is the two have to be the same. So if one were 2003 and one 2000, you would have to run adprep on the 2000 machine. Which is newer of your two?

Also you should be able to do this remotely if you want. So long as you can get there if it causes problems on the remote server.

SBS is very fussy about how machines were joined to the domain. Was the remote machine done with the SBS wizards?
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20397399
No. I always forget to use the wizards.

The SBS is an R1 SP2

ADPREP has been run. (I had to copy adprep to the C: drive in order to get it to run) but it apparently ran OK.

I will now add the W2003 server with the SBS wizard.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20397485
>>"I will now add the W2003 server with the SBS wizard."
You can only do so if it is not already a member of the domain.
Also the computer account as mentioned earlier has to be created first. If you are going to remove from the domain and re-join you must name the server a new name.

Should always use the Wizards with SBS. Most true techs will tell you, myself included, we made a mess of our first SBS installs because we thought we knew more than the wizards. SBS has so many integrated components (SharePoint, Exchange, RWW, Monitoring, WSUS) that it is not possible to have them all work as they should doing things manually. They also automate many repetitive tasks such as configuring the user on their new PC.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20397488
I did add DNS forwarding. I put the remote server IP in the SBS.

The W2003 remote server is already listed in the SBS servers list. I installed W2003 at the main office before moving it to the remote office.

Should I remove it?

I still can not ping the remote server from the SBS. I still can ping it from my workstation.

It is possible that the remote server does not yet have DNS services running. Is it time to head out to the remote office?
0
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20397506
You don't add that IP as a forwarder.

You will need to install DNS on the W2003 server. Then it will find the SBS server and deal with requests. You may need to add that IP address in the network settings DNS server (a very different thing than forwarders). Forwarders should only be external IPs. If you have an internal IP in the forwarders of your DNS Server settings you will create all kinds of havoc.
0
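The three forwarding situations discussed above (Hypercat's conditional forwarder for a separate remote domain, aramirezomni's warning against putting an internal IP in the general forwarder list, and the same-domain case where the zone is simply replicated) can be laid side by side in a small model of the lookup order a Windows DNS server follows. This is an added example, not code or configuration from the thread: the domain names (mainoffice.local, remote.local), the ISP resolver 203.0.113.53 and the remote server address 192.168.3.1 are assumptions for illustration.

```python
"""Where does a Windows DNS server send a query?

Added example, not from the original page. Lookup order modelled:
  1. a zone this server hosts answers authoritatively (a missing host is
     NXDOMAIN, it is never forwarded);
  2. a conditional forwarder configured for that domain;
  3. the general "all other DNS domains" forwarder list (first entry tried).
Names and addresses are assumptions: mainoffice.local is the SBS domain,
remote.local a separate remote domain, 203.0.113.53 a placeholder ISP
resolver, 192.168.3.1 the remote server's LAN address.
"""


class DnsServer:
    def __init__(self, name, zones, conditional=None, general=None):
        self.name = name
        self.zones = zones                      # {zone: {host: ip}}
        self.conditional = conditional or {}    # {domain: forwarder ip}
        self.general = general or []            # forwarders for all other domains

    def resolve_path(self, fqdn):
        """Return (how the query is handled, answer or forwarder address)."""
        labels = fqdn.lower().rstrip(".").split(".")
        for i in range(1, len(labels)):          # most specific suffix first
            zone = ".".join(labels[i:])
            host = ".".join(labels[:i])
            if zone in self.zones:
                # Authoritative: a missing host is NXDOMAIN, never forwarded.
                return ("authoritative", self.zones[zone].get(host))
            if zone in self.conditional:
                return ("conditional", self.conditional[zone])
        if self.general:
            return ("general", self.general[0])
        return ("root-hints", None)


MAIN_ZONE = {"mainoffice.local": {"sbs": "192.168.2.1"}}

# The misconfiguration warned about in the thread: the remote server's LAN IP
# placed in the general forwarder list. Every Internet lookup now crosses the
# VPN to a server that is not a recursive resolver for the Internet.
misconfigured = DnsServer("sbs-bad", MAIN_ZONE,
                          general=["192.168.3.1", "203.0.113.53"])

# Separate-domain case: a conditional forwarder for remote.local only, so
# Internet names still go to the ISP resolver.
conditional = DnsServer("sbs-cond", MAIN_ZONE,
                        conditional={"remote.local": "192.168.3.1"},
                        general=["203.0.113.53"])

# Same-domain case: once the remote server is a DC with an AD-integrated
# zone, both servers hold the zone and answer authoritatively; no forwarder
# is involved for internal names at all.
replicated = DnsServer("sbs-rep",
                       {"mainoffice.local": {"sbs": "192.168.2.1",
                                             "svr5": "192.168.3.1"}},
                       general=["203.0.113.53"])


if __name__ == "__main__":
    for srv in (misconfigured, conditional, replicated):
        for name in ("www.example.com", "svr5.remote.local",
                     "svr5.mainoffice.local"):
            print(srv.name, name, srv.resolve_path(name))
```

The point the model makes concrete: a general forwarder is consulted for every name the server does not host, so an internal address in that list drags unrelated Internet lookups across the VPN, while a conditional forwarder is scoped to one domain and a replicated AD-integrated zone needs no forwarding at all.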
 
LVL 2

Author Comment

by:hgj1357
ID: 20397527
I will remove the remote W2003 IP from the SBS forwarder, even though havoc is my middle name
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20397692
Unless I hear different I will head to the remote office in 15-20 mins
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20397916
The proper thing to do is remove the server from the SBS domain and rejoin it; however, you really should have a plan. Doing so may make a total mess of your remote site. I would think carefully before doing so if you have multiple machines there.
To be honest it should work pretty well without re-joining; however, some things such as adding it to Remote Web Workplace and automatically placing it in the appropriate OU for group policy will not happen.

What do you have at the remote site for servers, printers, workstations, and services?
DNS in itself is not really risky, but when you start re-joining the domain and affecting things like workstation memberships and DHCP servers you have to be careful.

The fact that the SBS cannot ping the other server is interesting. Does the SBS have 1 or 2 NICs?

Sorry, I am back and forth to my computer so replies are not as quick as I would like to be able to do so.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20398020
SBS has two nics. It also has two gateways which it warned me about. One nic is made public via IPmapping, and this is used by exchange. the other nic sits with the other workstations behind a router which is doing the VPNing.

The remote site has one W2003 server and a couple of workstations. There isn't anything here that can't be re-configured.
0
 
LVL 6

Assisted Solution

by:aramirezomni
aramirezomni earned 150 total points
ID: 20398082
your internal nic needs to be highest in the order.

Please read the link below and make sure your nics are completely configured correctly.

http://www.experts-exchange.com/Networking/Misc/Q_21714634.html
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20398290
How do I set a nic to be of a higher order than another nic?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20398292
You cannot have 2 gateways on a Windows box. Generally on a server, the external has the gateway and the internal does not. Likely why you cannot ping the remote site, the traffic is being routed through the other gateway and not the VPN. This will add to DNS problems if it is the case.

On the SBS did you run the CEICW (Configure E-mail and Internet Connection Wizard) when you set up the networking? It's located in Server Management | Internet and E-Mail | Connect to the Internet.
Most important thing you can do on an SBS.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20398321
You can do it in: Control Panel | Network Connections | on the tool bar choose Advanced | Advanced Settings | Adapters and Bindings

This is done as part of the CEICW, automatically.
0
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20398335
This is aramirezomni and I wholeheartedly endorse RobWills last two comments. You're super close man. But before you do anything at the remote site you need to get this right at your current site.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20398602
Yes I did, (the internet, email wizard) however, after I set up the router based VPN I added the gateway to the SBS nic that connects to the VPN router.

Maybe a summary is in order!

Main Office (SBS-2003 server with exchange)

Public  IP 076.067.222.001-010  DSL Modem/router (Netopia Cayman)
Private IP 192.168.001.110  DSL Modem/router (Netopia Cayman)

Private IP 192.168.001.001  SBS Server NIC(1) IP mapping makes this public; Exchange and remote email login occur on this NIC. (File sharing is turned off) Gateway is the private IP of the modem (192.168.001.110)

Public(ish) IP 192.168.001.002  Linksys VPN Router
Private     IP 192.168.002.002  Linksys VPN Router

Private IP 192.168.002.001 SBS Server NIC(2)(File sharing is turned on) Gateway is the private IP of the linksys (192.168.002.002 )
Private IP 192.168.002.001 - 254 all other workstations. Workstations use 192.168.002.002 (Linksys) as gateway & 192.168.002.001 (SBS) for DNS
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20399912
>>"Yes I did, (the internet, email wizard)"
Excellent !

>>"however, after I set up the router based VPN I added the gateway to the SBS nic that connects to the VPN router."
OK, except the dual gateways on the SBS. This is why it cannot ping the other server. Addressed below.

Note: you may want to ask the moderators to remove your complete public IP's for security reasons...the 076.067.x.x -x

To confirm in a more graphical way, your configuration is as follows:  

Remote site using LAN subnet 192.168.xyz.1 to 192.168.xyz.254
(server 2003 location)
             ||
        Internet
             ||
   076.067.x.x - 076.067.y.y  
   Netopia modem/router
   192.168.001.110
             ||
    ===============
    ||                            ||
192.168.1.1         192.168.1.2
SBS server           Linksys VPN router
192.168.2.1         192.168.2.2
     ||                           ||
     =====switch=====
                   ||
  workstations 192.168.2.3-192.168.2.254

All is good, though it could be done with a single NIC, but you need to remove the default gateway from the LAN/Private NIC of the SBS, and you will need to add a route for the remote site subnet (assume 192.168.xyz.1 to 192.168.xyz.254). To do so on the SBS at a command line enter the following:

route -p add 192.168.xyz.0  mask  255.255.255.0  192.168.2.2

This will route all 192.168.xyz.1 to 192.168.xyz.254 traffic, to the remote site, through the VPN (192.168.2.2). The -p makes it permanent should the server be rebooted. The '0' in 192.168.xyz.0 means entire subnet.
Should you need to remove the route use:
route delete 192.168.xyz.0
0
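The routing decision described above, as an added example that is not part of the original thread: a Python model of the SBS route table built from the author's summary, showing which gateway the SBS picks for a remote-site host with two default gateways configured, and again after the LAN-side default gateway is removed and the persistent route is added. The remote subnet is written as 192.168.xyz.0/24 in the thread and is assumed to be 192.168.3.0/24 here; the tie-break between two default routes of equal metric is modelled as "first-bound adapter wins", a simplification of Windows' behaviour, which in practice is not something to rely on.

```python
"""Model of the SBS routing decision discussed in the thread.

Added example, not from the original page. Addresses follow the author's
summary; the remote subnet 192.168.xyz.0/24 is assumed to be 192.168.3.0/24.
Route selection: longest matching prefix, then lowest metric, then (a
simplification) the earlier-bound adapter when two default routes tie.
"""
import ipaddress

REMOTE_SUBNET = "192.168.3.0/24"   # assumption standing in for 192.168.xyz.0/24
NETOPIA_GW = "192.168.1.110"       # default gateway on the public-side NIC
LINKSYS_GW = "192.168.2.2"         # VPN router on the LAN-side NIC


def build_routes(lan_default_gateway, vpn_route_added):
    """Return the SBS route table as (network, gateway, metric, binding order)."""
    routes = [
        ("192.168.1.0/24", None, 10, 0),        # on-link, NIC1 (public side)
        ("192.168.2.0/24", None, 10, 1),        # on-link, NIC2 (LAN side)
        ("0.0.0.0/0", NETOPIA_GW, 10, 0),       # default route via the Netopia
    ]
    if lan_default_gateway:
        routes.append(("0.0.0.0/0", LINKSYS_GW, 10, 1))    # second default route
    if vpn_route_added:
        routes.append((REMOTE_SUBNET, LINKSYS_GW, 10, 1))  # route -p add ...
    return routes


def select_next_hop(routes, destination):
    """Longest prefix wins; then lowest metric; then the earlier-bound adapter.
    Returns the gateway address, or None when the destination is on-link."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, gateway, metric, order in routes:
        net = ipaddress.ip_network(network)
        if dst not in net:
            continue
        key = (-net.prefixlen, metric, order)   # smaller tuple is preferred
        if best is None or key < best[0]:
            best = (key, gateway)
    return None if best is None else best[1]


def route_add_command(network, gateway):
    """Render the persistent-route command from the thread for a subnet."""
    net = ipaddress.ip_network(network)
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"


def remote_next_hop(lan_default_gateway, vpn_route_added, host="192.168.3.10"):
    """Gateway the SBS would use for a host at the remote site."""
    return select_next_hop(build_routes(lan_default_gateway, vpn_route_added), host)


if __name__ == "__main__":
    # Two default gateways, no specific route: remote traffic leaves via the
    # Netopia and never reaches the VPN, which is why the pings were lost.
    print("before:", remote_next_hop(True, False))
    # LAN-side gateway removed, specific route added: traffic goes to the Linksys.
    print("after :", remote_next_hop(False, True))
    print(route_add_command(REMOTE_SUBNET, LINKSYS_GW))
```

The specific /24 route beats the default route on prefix length regardless of which adapter is bound first, which is why adding it fixes the SBS without touching the workstations, whose only gateway was already the Linksys.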
 
LVL 2

Author Comment

by:hgj1357
ID: 20400171
IPs were changed to protect the innocent!

Does this mean that the SBS will be handling the VPN, or will the Linksys VPN/Routers be handling the VPN?  I don't know why I care, other than I bought those routers just for this task.

I am currently at the remote site. So I will do this tomorrow.

Is there anything I need to take care of here? Presumably I need to wait until the VPN is functioning and then use the \\SBS\connectcomputer wizard.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20400199
Something I do not understand.

The Netopia at the Main office is IP-mapping a public IP directly to the Linksys VPN. (A different IP is mapped to the SBS for mail service.) Why do I need to route the remote IP range to the private side of the Linksys using the SBS? Shouldn't that IP range already be going to the public side of the Linksys?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 350 total points
ID: 20400269
>>"Does this mean that the SBS will be handling the VPN, or will the Linksys VPN/Routers be handling the VPN?"
Routers will be handling the VPN still. The problem now is the workstations are using the VPN but the SBS is not. It is routing the traffic directly to the Netopia (the default gateway it has chosen) and the packets are lost. That is why it cannot ping the other server.
By the way, site to site VPN should be done with routers not the server, so that was a good decision.

>>"Is there anything I need to take care of here? Presumabley I need to wait until the VPN is functioning and then use the \\SBS\connectcomputer wizard."
Yes the VPN will have to work before the remote site can properly join the domain and enable DNS.

>>"Why do I need to route the remote IP range to the private side of the linksys using the SBS? Shouldn't that IP range already be going to the public side of the linksys?"
The only way for the SBS to use the VPN is from the 192.168.2.x subnet. Its other NIC is connected to the WAN side of the Linksys and is blocked by the Linksys's own firewall.
If that doesn't make sense let me know. I am slightly "verbally impaired". <G>
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20400279
Actually it is all very clear. It is simply that I don't want to mung it all up. And if I can learn something as well...then even better!!

Thanks for everyone's patient help!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20400317
Glad to help. Just do it one step at a time and make sure everything is still working, then it's easy to go backward. Problems happen when you change 10 things at once, then you don't know what caused the problem.
And, always BackUp, BackUp, BackUp <G>
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20404380
I added the route comment at he SBS (route -p add 192.168.xyz.0  mask  255.255.255.0  192.168.2.2 )

I will need to go back to the remote office to attach that server to the SBS (\\SBS\connectcomputer wizard)

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20404664
>>"I added the route"
Did you also remove the default gateway on the SBS LAN adapter?
Test that you can ping the remote 2003 server before heading out.

>>"I will need to go back to the remote office to attach that server to the SBS (\\SBS\connectcomputer wizard)"
Remember to create a new server/computer account as per instructions above on the SBS server first.
At the remote site remove the computer from the domain. You should then remove the old computer account from the SBS server if possible.
Then from the remote site when you use http://SBSName/connectcomputer it will show a list of available names (server/computer accounts); choose your new one and it will rename the server during the process.
Do you have remote management of the servers enabled? If you do you should be able to do all of this from either site without road trips. If not and you need a hand let us know. Easy to configure, especially where you have a VPN.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20405912
Yes I removed the def gateway on the SBS.

I can ping the W2003 server by IP, not by name.

I removed the W2003 computer from the SBS.

I created a new server on the SBS.

NEW STUFF>>
So DO I create a workgroup and add the W2003 to it, then join the SBS domain? Do I join the domain or run SBS/connectcomputer?

I do not have remote mngt enabled.

Once the W2003 is joined to the domain, will workstations at the remote site log on to the domain by authenticating to the remote W2003 server?
0
 
LVL 6

Expert Comment

by:aramirezomni
ID: 20406144
When you create the workgroup you're in effect disjoining the domain. Then you just rejoin. Yes, remote management is great. It's just terminal services but for only two people at a time.

yes. They will authenticate to their closest server. But not once you join it to the domain. it's once you DCPromo it up to being a DC
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20406185
I realize joining the workgroup disjoins the W2003 from the SBS domain. Do I then join that domain again by changing the W2003 name, or do I run the \\SBS/connectcomputer?

DCPromo is pretty straight forward, isn't it?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20406351
>>"I can ping the W2003 server by IP, not by name."
That is normal until DNS is working between the sites.

>>"So DO I create a workgroup and add the W2003 to it"
More or less, you don't really create a workgroup, but just in the properties of my computer on the remote 2003 server (not the SBS) choose join a workgroup and make it anything such as tempwkgroup. DNS is not configured on this server at this point right?

>>" then join the SBS domain? Do I join the domain or run SBS/connectcomputer?""
Use the connectcomputer wizard. Effectively the same thing, but it will place it in the right OU, add it to Remote Web Workplace, apply the appropriate group policies and a "bunch of other stuff".

>>"I do not have remote mngt enabled."
Would save a lot of running back and forth.

>>"Once the W2003 is joined to the domain, will workstations at the remote site log on to the domain by authenticating to the remote W2003 server?"
They can join the domain over the VPN without the second server. Just point them to the SBS for DNS only. Once your remote server is configured with DNS (I would also enable Active Directory integrated mode), they can use local DNS.

>>"It's just terminal services but for only two people at a time."
That is why only 2 users it's remote management as opposed to a full blown terminal server.

>>"when you create the workgroup you're in effect dis-joining the domain. The you just rejoin."
Correct.

>>"Do I then join that domain again by changing the W2003 name. Or do I run the \\SBS/connectcomputer?"
Make sure DNS points only to the SBS for DNS (the LAN IP of the SBS). If two network adapters, disable the second (WAN) at least temporarily. You only need 1 anyway. Run the wizard by opening a web browser and entering http://SBSserverName/connectcomputer. There will be a blue hyperlink to connect to the network; follow the bouncing ball. One option is to choose the computer/server account, and the new one you chose will be visible. Choose that and it will change the computer name as it joins the domain.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20406358
>>"DCPromo is pretty straight forward, isn't it?"
Yes.
0
 
LVL 2

Author Comment

by:hgj1357
ID: 20474344
Well well well! It works!

There was one additional thing, which I didn't ask for but I add as a note to others. I added the remote office subnet to the "ALLOW HOSTS" line in the samba conf file for the linux file server at the main office.

Thanks for the help chaps!!
0
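The Samba change the author mentions is easy to get subtly wrong (a trailing-dot prefix, a CIDR block and a netmask form all look similar, and "hosts allow" and "hosts deny" interact), so here is an added example, not the author's smb.conf, that evaluates whether a client address passes Samba's hosts allow / hosts deny checks as smb.conf(5) describes them. The smb.conf fragments are constructed; the remote subnet is assumed to be 192.168.3.0/24 and the share section names are assumptions. Hostname entries are not modelled, and the precedence rules should be verified against the Samba version in use before relying on this for anything beyond a sanity check.

```python
"""Does Samba let this client in?  Added example, not the author's smb.conf.

Models "hosts allow" / "hosts deny" matching from smb.conf(5): an entry may be
a full IP, a trailing-dot prefix ("192.168.2."), a network in CIDR or netmask
form, or ALL, with an EXCEPT clause for exclusions. Hostname entries are not
modelled. Decision order with both lists set: allow list first, then deny
list, then permit; with one list set, that list decides (assumed from the
man page; verify against your Samba version).
"""
import ipaddress


def _match_token(token, client):
    """True if one hosts-allow/deny token covers the client address."""
    if token.upper() == "ALL":
        return True
    if "/" in token:                  # 192.168.3.0/24 or 192.168.3.0/255.255.255.0
        return client in ipaddress.ip_network(token, strict=False)
    if token.endswith("."):           # prefix form: "192.168.3."
        return str(client).startswith(token)
    try:
        return client == ipaddress.ip_address(token)
    except ValueError:
        return False                  # hostnames are not modelled here


def _in_list(spec, client):
    """Evaluate one list, honouring 'a b EXCEPT c'."""
    tokens = spec.replace(",", " ").split()
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        cut = upper.index("EXCEPT")
        included, excluded = tokens[:cut], tokens[cut + 1:]
    else:
        included, excluded = tokens, []
    if any(_match_token(t, client) for t in excluded):
        return False
    return any(_match_token(t, client) for t in included)


def samba_allows(client_ip, hosts_allow="", hosts_deny=""):
    """Return True if the client passes the hosts allow / hosts deny checks."""
    client = ipaddress.ip_address(client_ip)
    allow = _in_list(hosts_allow, client) if hosts_allow.strip() else None
    deny = _in_list(hosts_deny, client) if hosts_deny.strip() else None
    if allow is None and deny is None:
        return True                   # no restriction configured
    if deny is None:
        return allow                  # only an allow list: must match it
    if allow is None:
        return not deny               # only a deny list: must not match it
    return True if allow else not deny   # both: allow wins, then deny, then permit


def global_settings(smb_conf):
    """Pull 'hosts allow' / 'hosts deny' out of the [global] section of smb.conf text."""
    section, found = None, {}
    for raw in smb_conf.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            found[key.lower()] = value
    return found.get("hosts allow", ""), found.get("hosts deny", "")


# Constructed smb.conf fragments (assumptions): the main-office-only setting,
# and the same setting with the remote subnet added.
BEFORE = """
[global]
   workgroup = MAINOFFICE
   hosts allow = 192.168.2. 127.
"""
AFTER = """
[global]
   workgroup = MAINOFFICE
   hosts allow = 192.168.2. 192.168.3. 127.
"""


def remote_client_allowed(smb_conf, client_ip="192.168.3.10"):
    """Evaluate a remote-office client against the [global] lists of a config."""
    allow, deny = global_settings(smb_conf)
    return samba_allows(client_ip, allow, deny)


if __name__ == "__main__":
    print("before:", remote_client_allowed(BEFORE))   # remote office refused
    print("after :", remote_client_allowed(AFTER))    # remote office admitted
```

Worth noting from the model: the prefix form "192.168.2." does not match 192.168.20.x, a CIDR entry such as 192.168.3.0/24 is the tighter way to admit exactly the remote subnet, and "hosts allow" is a network-level gate only; share and user permissions still apply afterwards.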
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20474397
Glad to hear. Thanks hgj1357.
Cheers !
--Rob
0
