Solved

L2TP VPN over the internet

Posted on 2011-02-17
Last Modified: 2012-05-11
Ok, I have a client who is dead set on running their domain controller out of a datacenter across the internet (not a very good idea, I'm aware).  I have set up the datacenter server (Server 2008) with all the services required - DHCP, AD Domain Services, AD Cert Services, Routing and Remote Access (via the Network Policy and Access role), and File Services.

However, I need some guidance for the rest of things -

I want to use L2TP for the VPN.  Their clients are XP so SSTP is out, but they move medical data so PPTP is not an option due to insecurity.  However, I can't create a L2TP connection without installing a certificate from the client (by joining the datacenter server's domain), but I can't join the domain without creating the VPN so it's a catch 22.  My idea was to try to log in using PPTP, join the domain, and then switch to L2TP, but the datacenter server won't verify my credentials.  When I try to log in it just says 'Verifying username and password...' for a minute then times out with 'Error 721: The remote computer did not respond'.  I tried temporarily (VERY temporarily) disabling the remote server's firewall but still couldn't connect.

Client setup - Should I just point the client machine's DNS settings to the public IP of the datacenter server, pull it off their current domain, and join it to the new one?  This seems too easy, honestly.

Any thoughts on migrating their active directory data?  Can I just dump it out as .csv from their local DC (Server 2003) and import it to their new remote DC?  I'm not sure exactly how to do this, any tools y'all are aware of would help.

Any help would be appreciated.  I realize trying to run a DC over the internet is probably a bad idea, but the client had already signed a 3 year contract on the remote servers before I even got here.
Question by:siliconrockstar

Accepted Solution

by:
pwindell earned 500 total points
You need to use a Router-to-Router VPN,...not a Remote Access VPN.

Creating a Remote Access VPN causes the DC to become "multi-homed" which is begging, pleading, praying for disaster (maybe throw in a rain-dance in there too).  Do not have DCs run multi-homed!!

Buy a couple devices that can act as VPN Routers and setup the VPN between them.  Once up they are just treated as normal WAN Routers with a WAN Link between the DC and the Clients,...the fact that it is really a VPN is irrelevant.  You don't have to shoot for the moon on those devices,...you should be able to find something for a few hundred dollars each.

If you tell me that they won't buy them,...then I am bailing out here.  I'm not about to get involved in creating a Remote Access VPN from the DC itself,...it is THAT BAD,...and I am just not even going to go there.

Migrating AD Data?  There is no such thing.  You just simply get the WAN connection working,...build the Server up and join it to the existing Domain.  Add the AD Roles (2008) and run DCPromo to promote it to a DC then change its TCP/IP Specs to point to itself for DNS.  If the old DC is to remain then leave it there and properly configure AD Sites & Services for that arrangement,...if it is not then run DCPromo and demote it to a Member Server then do what you want with it from there.  Remove all entries for it in DNS, WINS, ADUC, and wherever else it is found.

If the old DC is removed then re-point the DNS Settings in the TCP/IP Specs of all equipment on the Domain to point to the new DC.  If DHCP is used then correct the "router" Option at either the Server Level or the Scope Level (it really should be at the Server Level).

Author Comment

by:siliconrockstar
'Buy a couple devices that can act as VPN Routers and setup the VPN between them'

That's what I was afraid of.  The new servers are HyperV virtual machines.  Not only is there no budget for hardware, there's no place to put it.

'Migrating AD Data?  There is no such thing.'

Obviously the standard procedure is to join the new DC to the domain and run dcpromo to promote new DC/demote old DC, but with no hardware-based VPN in between the two DCs that's not really an option :(

'I'm not about to get involved in creating a Remote Access VPN from the DC itself,...it is THAT BAD,...and I am just not even going to go there.'

Well as much as I'd like to not get involved, it's a little late for me :(

Expert Comment

by:pwindell
That's what I was afraid of.  The new servers are HyperV virtual machines.  Not only is there no budget for hardware, there's no place to put it.

Then you have to "make a place",...it isn't like it takes a lot of room to put something that is smaller than a bottle of soda,... and they have to adjust their budget.  A budget is just a budget,...it is a best guess at what it takes to accomplish something.  If they underestimated the cost then they just have to spend more than they expected,..it is just that simple.  I don't play that game with people when I am doing projects,...it costs what it costs and they have to deal with it. Of course by the same token I don't let someone else who doesn't know what is required do the estimating either,....and then expect me to stay within it.

Obviously the standard procedure is to join the new DC to the domain and run dcpromo to promote new DC/demote old DC, but with no hardware-based VPN in between the two DCs that's not really an option :(

Sure you can.  Start with the new DC in the physical location with the old one,...then move it afterwards.  Even if the new one is a VM that doesn't change the principle.  At worst you have to create a temp Hyper-V box and store the VM on an external USB drive then move it to the new location.  If you can't create a temp Hyper-V then use Virtual Server or VirtualPC and then convert it from that to Hyper-V afterwards.   If the old DC is going to be removed then forget creating a new DC and just run a Physical-to-Virtual Converter (P2V converter) to convert the Physical machine to a VM and transport the VM to the new location.

'I'm not about to get involved in creating a Remote Access VPN from the DC itself,...it is THAT BAD,...and I am just not even going to go there.'

Well as much as I'd like to not get involved, it's a little late for me :(


Well I'll get the coffin ready so when you shoot yourself in the head we have a place where we can stick ya  :-)

Author Comment

by:siliconrockstar
' I don't let someone else who doesn't know what is required do the estimating either,'

Yeah I got the short stick on this one.  Guy who sold them the VMs already told them a price and then didn't tell me the full extent of the project.  It was my understanding that someone else was handling all the sticky networking issues and I'd just have to migrate to the new DC.

'Start with the new DC in the physical location with the old one'

Old DC is running Server 2003, no HyperV.  New remote DC is running Server 2008 and since it's a VM it has no HyperV capabilities.  Their LAN is in Little Rock AR, and I'm near the datacenter north of Dallas, Texas, so I don't have physical access to either location.  Imaging their current server wouldn't be of any use as they are dead set on migrating to Server 2008.

Pretty sure they're hosed with their current config.  I'm getting in touch with the VM hosting company to see if they can provide a point to point VPN solution.

Expert Comment

by:pwindell
Here's one scenario:
1. In Little Rock run a P2V Converter to convert the old DC to a VM.  It is a non-destructive process, the old DC is not damaged by it.
2. Ship the VM to Texas on an external Hard Drive
3. Run the VM in Texas in an isolated environment and introduce the new 2008 VM to it.
4. Run the ForestPrep, DomainPrep on the "old" DC (VM)
5. Do the normal process with DCPromo of Promote...Replicate....demote the old
6. Now you have VM of a 2008 DC that has the Domain replicated to it.
7. You still have to add a pair of VPN Devices to create a Router-to-Router VPN to join the Little Rock Location to the Texas location.  You're not going to get around that,..you're just going to have to face that,...and so are they.  The "pain" is simply the result of their bad planning (or lack of),...it is the way it is.

Of course if you get the Router-to-Router VPN up in advance then you can do a more traditional DCPromo,....Promote,...Replicate,...Demote process by doing it over the VPN.

Author Comment

by:siliconrockstar
@ pwindell - I've been reading the docs for their firewall and I think I can set up a p2p IPsec VPN using their FireBox x20e and the remote Server 2008 machine.  If I could just get the damn cloud navigated this whole project would be wrapped up in half a day.

Expert Comment

by:pwindell
Yea, in the past when we were owned by a different parent company we connected over a dozen TV Stations together with Site-to-Site VPNs using a bunch of Firebox-X's.  It spanned the whole US plus a few in Puerto Rico.  But you still can't use the DC,...it has to be a different machine if you are going to turn a "PC" into a VPN Server.  The DC has to be single-homed with a single "identity" (IP#).  Fireboxes are not that expensive, if you have to buy one then buy one,..put it on the opposite end from the one you already have and go with it.
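The single-homed rule pwindell keeps coming back to can be checked on the server itself. The PowerShell audit below is an added example, not code from this thread; it uses WMI so it also runs on the PowerShell 2.0 that ships with the Server 2008 generation discussed here, and it assumes Routing and Remote Access is registered under its default service name, RemoteAccess.

```powershell
# Added example, not from the thread: report whether this box is a domain
# controller that is multi-homed and/or hosting RRAS, the combination the
# thread warns against. WMI is used so this works on PowerShell 2.0 / Server 2008.

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$cs   = Get-WmiObject -Class Win32_ComputerSystem
$isDc = [int]$cs.DomainRole -ge 4

# Collect IPv4 addresses from every IP-enabled adapter, dropping loopback and APIPA.
# Note: the RRAS "Internal" pool address may not appear here, hence the service check below.
$addrs = @()
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    ForEach-Object {
        $cfg = $_
        foreach ($ip in @($cfg.IPAddress)) {
            if ($ip -match '^\d{1,3}(\.\d{1,3}){3}$' -and
                $ip -notlike '127.*' -and $ip -notlike '169.254.*') {
                $addrs += New-Object PSObject -Property @{ Adapter = $cfg.Description; IPv4 = $ip }
            }
        }
    }

$distinct   = @($addrs | ForEach-Object { $_.IPv4 } | Sort-Object -Unique)
$multiHomed = $distinct.Count -gt 1

# Assumption: RRAS uses its default service name "RemoteAccess"
$rras        = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$rrasRunning = ($rras -ne $null) -and ($rras.Status -eq 'Running')

"Domain controller : $isDc"
"Multi-homed       : $multiHomed"
"RRAS running      : $rrasRunning"
foreach ($a in $addrs) { "  {0,-15} {1}" -f $a.IPv4, $a.Adapter }

if ($isDc -and ($multiHomed -or $rrasRunning)) {
    Write-Warning "This DC is multi-homed or terminating RRAS (see KB 272294); move the VPN endpoint to a separate device."
}
```

Run it in an elevated PowerShell on the would-be DC before and after any RRAS role change; a clean result is one IPv4 address and no running RemoteAccess service.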

Author Comment

by:siliconrockstar
@ pwindell - Would be a great idea except that the DC is a hosted virtual machine and there's no way to put any hardware in front of it :(

So basically you're telling me the DC must be single homed, so this idea won't work either.  And I have a technical guy at the company hosting the VMs telling me the whole thing is a piece of cake and forwarding semi-relevant TechNet articles lol!

Expert Comment

by:pwindell
Then why are you posting here?  Why aren't you just "doing it".
My "exactly relevant" articles trump his "semi-relevant" ones.
I've run web servers the way you propose,...but would never do a DC,...completely different thing.

The last one below lists all the crap you have to go through to try to make a DC work as multi-homed, if you're lucky.
Do what you want, but I wouldn't have anything to do with it, would never go near it.
I'm done with this thread.

272294 - Active Directory Communication Fails on Multihomed Domain Controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

191611 - Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

Multihomed DCs with DNS, RRAS, multiple IPs, and/or PPPoE adapters
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

Expert Comment

by:pwindell
@ pwindell - Would be a great idea except that the DC is a hosted virtual machine and there's no way to put any hardware in front of it :(

Of course there is a way to have hardware in front of it,...that is silly.  I run virtualized Servers,...I'm not just making this stuff up.

Author Comment

by:siliconrockstar
@ pwindell - I don't doubt that you're completely right.  And I should have been more precise - the hosting company does not ALLOW any hardware to be put in front of their VMs, for whatever reason.  

I'm pretty sure what's going on is the hosting company doesn't want to admit they messed up and sold my client a system that is useless.  I opened a support ticket and requested complete, detailed instructions on how to set everything up using the client's 1 hour of support they get per month.  We'll see what they say.

Thanks for all your help.

Expert Comment

by:pwindell
(OMG!)
Yea,...sounds like that is about all you can do.  I'd put the monkey on the back of the hosting company.  Do what they ask you to do whatever way they ask you to do it,...then if it fails make sure it is clearly them that failed and not you.  Don't let the blame of their disaster get dumped on you.

If it works by some miracle in the end, then fine, but leave the success or failure of it in their hands, not yours.