Andrew_Cz

Can't browse internet after enabling, then disabling RRAS.

I enabled and configured RRAS and then disabled it, deleted the server and disabled the service.  Restarted the server.  Still, no workstations can access the web anymore unless I start the RRAS service. I don't even have to reconfigure it; just starting the service with RRAS still unconfigured resolves the problem.

Before I enabled/disabled RRAS the service was already set to disabled on the server and all workstations were still able to access the web.

Any ideas on how I can still have RRAS stopped and disabled yet not have it disable internet access for workstations?
Justin Owens

Do you have a GPO that is pointing to that server as a proxy in any way?
Andrew_Cz

ASKER

I do have a group policy mostly just to enable RDP on the local workstations.  And I'm running Squid inside Cygwin on that same server which is also a DC with Exchange 2003.  But I doubt these have anything to do with the cause of this problem.

This problem started as soon as I configured RRAS for the first time on that server and even though I've since deleted it and disabled the service it won't enable internet connectivity to any workstations unless I enable and run the RRAS service.  Prior to all this, I've always had RRAS disabled.  I also can't remote in from the outside unless RRAS is running...something I've never had to do to RDP into the server or workstation remotely.
So, you added the RRAS role to your server and then later removed the RRAS role from your server.  Did you check and make sure your server is no longer listed in the RRAS management console?
Yes I checked that already and it's not showing it's listed as a RRAS server.
Are any other servers listed there?
No other servers.
It seems nobody can help.  Perhaps this can be cancelled?
I am sorry... I have been in training for the last 10 days and didn't have consistent access to a computer.  Can you give me an update on any troubleshooting steps you have taken?
No problem.

I haven't done much since nothing was changed except for enabling/disabling Routing & Remote Access for the very first time.  However, in order to have the same functionality as before I now have to leave the service running, though it isn't even configured.
Have you removed the Role from the Server in order to completely remove the service from the OS?
Role? You mean do I still have it installed via add/remove programs, just not configured?  No.  But the role always existed...I just simply changed it from Automatic to disable and all was well.
If memory serves, and I am not in front of a 2003 server at the moment to verify, one of the Roles from the Roles Wizard in Server Management is "Remote Access / VPN server".  Is that a listed Role?  If so, can you remove it?
Listed where? If it's in the Wizard (and I think it's one of the options) then it's hardcoded into it, isn't it?  I don't get the wizard when I open the RRAS console.  I can only add the server and configure its options from there.  The wizard I got the first time I ran it so I don't get the wizard anymore, even though there is no server added or configured in RRAS.  The only thing listed there is Server Status and it doesn't show anything if I click on it.

Under server mgt I only have these options:

Backup
Shares (Local)
Users
Printers
I ran the rras/vpn wizard through Manage Your Server's Add/Remove role option and as I already said earlier, Remote Access/VPN Server is listed but under the Configured column it says 'No', therefore it's not configured.
I think it's time this is cancelled and my pts refunded.
Hypercat (Deb)
Since this is a DC, this problem may be DNS-related. Check your DNS zone to make sure that there is one and only one (correct) internal IP address listed for this server. Also check the PTR (rDNS) zone if you have one to make sure that has only correct IP addresses for this server. Then make sure the server is pointing to itself for DNS.  
When you enable RRAS on a DNS server, you may encounter problems that are caused by the RRAS virtual NICs being registered in DNS. If you want to use this server as a RRAS server, here's an article that will help you out on this:
http://support.microsoft.com/kb/292822/en-us
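The DNS check described in the comment above, as an added example that is not part of the original thread: it audits a zone listing for a server that should have exactly one A record and one matching PTR record, and reports any extra registrations of the kind RRAS interfaces can leave behind. The host name, addresses and the "name type data" record layout are constructed assumptions.

```python
import ipaddress

# Constructed sample records in "name type data" form (not taken from the thread).
SAMPLE_RECORDS = """\
dc01.example.local.          A    192.168.1.10
dc01.example.local.          A    192.168.1.203
ws01.example.local.          A    192.168.1.50
10.1.168.192.in-addr.arpa.   PTR  dc01.example.local.
203.1.168.192.in-addr.arpa.  PTR  dc01.example.local.
"""


def parse_records(text):
    """Return (name, type, data) tuples; names lower-cased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith(";"):
            continue  # skip blank, comment and malformed lines
        name, rtype, data = parts
        records.append((name.lower().rstrip("."), rtype.upper(),
                        data.lower().rstrip(".")))
    return records


def audit_server(records, fqdn, expected_ip):
    """List A and PTR records for fqdn that do not match expected_ip."""
    fqdn = fqdn.lower().rstrip(".")
    # Name of the one reverse record that should point at this server.
    expected_ptr = ipaddress.ip_address(expected_ip).reverse_pointer
    findings = []
    a_addrs = [d for n, t, d in records if t == "A" and n == fqdn]
    if expected_ip not in a_addrs:
        findings.append(f"missing A record {fqdn} -> {expected_ip}")
    for addr in a_addrs:
        if addr != expected_ip:
            findings.append(f"unexpected A record {fqdn} -> {addr}")
    for name, rtype, data in records:
        if rtype == "PTR" and data == fqdn and name != expected_ptr:
            findings.append(f"unexpected PTR record {name} -> {fqdn}")
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for finding in audit_server(recs, "dc01.example.local", "192.168.1.10"):
        print(finding)
```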
hypercat,
I was unaware of that KB.  Thanks for chiming in and helping.
Justin
I verified the DNS.  Nothing has changed and everything is correct.  What seems to be happening is that it remembers what last RRAS configuration I used.  This would explain why the RRAS dialup ports keep reappearing in DNS.  I always delete them but they come back after a while.  So I configured RRAS this time as NAT only (not VPN and NAT) and now it's not creating those rras ports in dns, but I still have to have RRAS enabled (though it's not configured and no servers are showing up in it) or my workstations lose internet connectivity.
What are your workstations using as their default gateway? Are you running a proxy server (ISA or something similar) on this server?
There are no proxy servers and the gateway on the workstations is set to the server's ip, which is the only server.  I could use the router but this router can't be configured with my own static dns so I use the server instead...besides, I want all traffic to go through the server.

Again, I repeat.  Nothing has changed.  All I did was enable RRAS and then removed it.  Yet I have to always leave the service running even if it's not configured or the workstations don't get internet anymore...before, RRAS would be disabled and they'd still have internet access.
You need to use your router as the gateway and your server as the DNS server.
@Andrew_Cz - the problem is that RRAS is a router (Routing and Remote Access) and therefore when you enable RRAS this causes a problem with the server's ability to work as a default gateway.  This is really not a good configuration anyway, unless you have proxy server software running on the server. You should change the workstation default gateway to point to your Internet-facing router instead, and to point to your internal domain controller as the ONLY DNS server. It seems that you might have thought that the default gateway and DNS server IPs have to be the same - they don't and in a business networking situation most often are not the same.
This is how I've had it for years and it was never a problem.  Turning RRAS on and then off should return things back to normal but it hasn't.  Clearly this is the problem, not my decision to use the server as the gateway.

I do agree that this is not ideal but I want everything to go through the firewall on the server, not the router.  And as I said, the router is very limited and I cannot set dns settings with it, therefore I wouldn't be able to point my workstations' dns to my server anyway.

And I do know that they don't have to be the same.  I have good networking knowledge and I know what I'm doing most of the time.

I'll repeat one more time that having rras disabled and using the server as the router, my workstations still always had internet access.  But now, in the same scenario they don't.  And nothing was changed except that I enabled rras and then disabled it.  Obviously disabling it does not return it to the same state as when it was never enabled before.
OK... So, you have a server you want to use as your internal gateway.  Technically, my understanding of Windows Server lends me to think you must have RRAS running to do so.  What methodology do you use for that, or do you just turn on Internet sharing on the server with some kind of multiple NIC configuration?
It seems as though you are doing this for the purposes of firewall.  If that is the case, does your network topology look like this: demark --> Router --> Server --> Switch --> rest of network?  If so, have you verified that the two NICs in your server are still properly configured in the right order for pass through?  A much better idea would be demark --> router --> firewall --> switch --> server (running dhcp and dns) as a part of the network as a whole.
Now, if you mean proxy rather than firewall, that would be different.
I'm not questioning your knowledge, merely the reason for the decision.  It sounds like you are using your router for DHCP which again is not an ideal configuration. I am not going to argue with you if you are determined to do things that way. I'm merely commenting that this is not the best way to do things. And also that if you are using some other sort of routing (i.e. dual NICs as mentioned by DrUltima) to make this work, then RRAS will interfere with that. Even if it is currently disabled, it may have changed your routing table in such a way as to interfere with the previous routing setup you had.  I agree with DrUltima's comments as to the ideal configuration for your network.
I've never used RRAS and still had the same setup and internet worked fine on all workstations without any internet sharing.  Only now I must have the "service" running, yet it's not even configured.  Please read my original question again.  I've always had the service disabled and my workstations had internet.  And no, they weren't using the router as the gateway.

And I'm not using DHCP on the router.  The server takes care of DHCP.  My topology is more like: Router -> Switch -> Server/Firewall -> Workstations.  And that's because I do not have a hardware firewall....the router is more of a modem so I don't consider it a hardware firewall.  I do not use the 2nd nic.  It's installed but disabled.

As far as I can tell, my Win'2K still thinks I have RRAS configured.  When I first configured it I used NAT/VPN.  It gave me like 20 vpn connections (preconfigured) after that.  When I deleted the server from RRAS and turned off the RRAS service they were left behind.  So I deleted them manually.  Next day I'd notice those same deleted vpn connections were back.  So I'd delete them again but this continued daily.  To remedy this, I had to enable and configure RRAS and use NAT only (no vpn).  I then deleted the rras configuration.  However, I still must leave the rras service running or no internet on workstations.  Once again, this was never the case before as I NEVER had the rras service running so that workstations would have internet access.
I'm not sure, as I've never used this configuration, but I think it must be the NAT piece of the RRAS installation that is causing your problem. Did you run Server Manager and remove the Routing and Remote Access role? That should remove any components of RRAS and NAT left behind and hopefully would resolve your problem.
I think I've already answered that at least once...it's been removed completely yet the service MUST be running now whereas before I always had it disabled.  I'm confident it's a registry fix/workaround but I've no idea which one.  Too bad I don't have a registry snapshot of before enabling rras for the first time and after so I could compare or revert back to.
I apologize - it's hard sometimes in a very long thread to keep track of what has and hasn't been asked and answered.
It appears to me that NAT must still be enabled on this server. Unfortunately, I haven't been able to find a way to remove it outside of re-enabling RRAS, then removing the NAT routing protocol and then re-disabling RRAS.  Have you tried doing this?
Wait a minute - you said you want this server to act as a firewall, so you have to have NAT enabled. So forget what I just said above.  
At this point, I would just leave RRAS running and set to automatic. Is there a reason for not doing this?
A suggestion for some point in future time would be to get an inexpensive firewall router and put it in between your Internet modem and your internal switch. That way, you would have a hardware firewall/gateway and could remove NAT completely from your server.
You were right originally and that's pretty much what I said last time.  It's "as if" NAT is still enabled, but it's not.  Yes, I've already enabled and disabled rras.  I repeat again.  NAT has never been enabled before yet my workstations had internet access by going through the server.  The server is using dns from the router and the router gets its dns from the ISP.  My RRAS is NOT configured.

And the only reason why I want my workstations to go through the server is my favourite firewall on it.  My modem has a very basic and ugly firewall so I want to use the firewall on my server.
Hmmm - does that mean you have a 3rd party firewall running on your server?  I wonder if this has somehow hooked into RRAS/NAT so that it has to be running for your firewall to work properly.
That's what I believe has happened and I can't find a way to undo it.  No, I don't use any other 3rd party firewall.
What is that firewall on your server?
It doesn't have anything to do with the problem, but ok...it's an old and rather basic firewall called Sygate.  I believe Symantec bought them a while back.  But I have it customized nicely and I love the way the logs are displayed.  Ever since using it I've hated every other firewall software I've tried.
You could try uninstalling Sygate, stopping the RRAS service and then reinstalling Sygate to see if it makes any difference.  Sounds like a lot of work, though, IMO.
I'm at the point that I would say just to leave the RRAS service running. There's really no downside to doing that, as long as you (a) don't configure (remove) any dial-in ports, or (b) configure a RRAS policy that prevents anyone from logging on using a VPN connection. It seems like a waste of time to worry about trying to fix this if it's not interfering in any other way with the operation of your network.
ASKER CERTIFIED SOLUTION
Andrew_Cz

This solution is only available to members.