Solved

Win 7 clients cannot connect to SBS 2003 domain via VPN

Posted on 2011-03-11
Last Modified: 2012-08-30
Any help is welcome.

We have an office with a SBS 2003 server domain with windows XP and windows 7 clients connected to the domain, about 8 clients in all.

We have just set up an office in another city/town (location) which just has internet/broadband and no servers.

The problem I have is that I have moved two of the Windows 7 computers from the main office with the domain to the new office and set up VPN connections (which connect OK) to the main office SBS 2003 server.
I cannot get any of the domain stuff like network shares, a connection to exchange or the intranet (companyweb).

I have also gone into the network id  on the Win 7 PC’s and tried joining the domain and I get the following error, please see attached word doc.

Please note that I have no problems when I connect windows XP to the SBS 2003 domain via VPN from the same office.

Any help would be gratefully received.

Thanks
Mark

 
error.doc
0
Comment
Question by:Drumbeat1966
32 Comments
 
LVL 10

Expert Comment

by:akhalighi
ID: 35111415
- do you have static IPs set on these machines ? or they are dynamic ?
- what happens if you ping domain DNS name from windows 7 box ?
0
 
LVL 10

Expert Comment

by:pjasnos
ID: 35111448
What VPN do you use?
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35111459
the windows 7 firewall is far better than the windows xp could the windows 7 firewall be stopping it
0
 

Author Comment

by:Drumbeat1966
ID: 35111662
I have also tried joining the domain without the .local and get a slightly different error message (attached).

Thanks.
Mark


error2.doc
0
 

Author Comment

by:Drumbeat1966
ID: 35111747
Hi

IPs are dynamic. Tried pinging the server name and get "ping request could not find host". Tried pinging Google, that's OK.

I am using software VPN, not hardware VPN routers.

Thanks
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35111816
0
 
LVL 7

Expert Comment

by:droyden
ID: 35112004
Do you use certificates for authentication as well as username/password?
0
 

Author Comment

by:Drumbeat1966
ID: 35112051
Hi IanTh

I looked at the firewall and I could disable all the connections (home, public and work) but it would not let me disable the domain connection, it was greyed out even though I am logged on as administrator. The next thing I did was to remove the computer from the domain (it was joined to the domain in the main office on the local LAN, not over VPN) and try to join the domain over the VPN connection again, this removed the greyed out domain firewall entry. So now with all firewall connections disabled I am still unable to join the domain over the VPN connection. A new error message is attached.

Thanks
0
 

Author Comment

by:Drumbeat1966
ID: 35112103
Hi Droyden

Not as far as I know. When a user connects to the RWW via office.mydomain.com they are just asked for a username and password.

Thanks
0
 

Author Comment

by:Drumbeat1966
ID: 35112126
Hi IanTh

I looked at the firewall and I could disable all the connections (home, public and work) but it would not let me disable the domain connection, it was greyed out even though I am logged on as administrator. The next thing I did was to remove the computer from the domain (it was joined to the domain in the main office on the local LAN, not over VPN) and try to join the domain over the VPN connection again, this removed the greyed out domain firewall entry. So now with all firewall connections disabled I am still unable to join the domain over the VPN connection. A new error message is attached.

Thanks

sorry file missing from above.
error3.doc
0
 
LVL 10

Expert Comment

by:akhalighi
ID: 35112202
If you cannot ping the domain DNS name, it's impossible to join or use resources on that domain. First of all, the connection to the DNS server should be fixed.
0
 

Author Comment

by:Drumbeat1966
ID: 35112359
Hi
akhaliqhi

I understand that if I cannot ping the DNS name it won't work but what is doing my head in is that a Windows XP computer in the same office is connected via VPN (I got this going the other day) and can connect to the domain network shares on the SBS 2003 server, can view the intranet and connect to the SBS 2003 exchange server via outlook.

Sorry I try to be but I am not very good when it comes to this stuff but is the domain DNS name same as the name that appears under when I right click my computer (system properties), computer name tab, full computer name as follows.

NOVUS-DC01.Novus-Rail.local

thanks
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35112595
so your domain is novus-rail that is not a proper domain name so no wonder you are having problems
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35112611
so you are trying to connect a remote pc via vpn to novus-rail.local how will that work as the remote pc's isp doesn't know about it
0
 
LVL 10

Expert Comment

by:akhalighi
ID: 35112664

I still say , it is DNS . that's all . let's troubleshoot that .

1-Are you sure that your windows 7 box gets the same DNS server as the XP machines ?

try ipconfig /all on a XP box and windows 7 and paste the results .

2- Sometimes windows 7 is unable to resolve addresses where XP can . I have the same issue here . one of the DNS name under an old OU is not getting resolved by windows XP machines.

Edit the hosts file on the Windows 7 machine and add your domain DNS name with its IP. Then you should be able to ping it and join them to the domain.

go under C:\Windows\System32\drivers\etc
edit hosts file with notepad

# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost
#      ::1             localhost
<IP address>       FQDN of your domain controller
<IP address>          FQDN of your Domain DNS name

save the file and ping again. if it responds , then join it to domain.

0
 

Author Comment

by:Drumbeat1966
ID: 35112880
Hi akhaliqhi

As requested please find the ipconfig/all from both machines.

Win XP:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS>ipconfig/all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : andycarey-pc
        Primary Dns Suffix  . . . . . . . : Novus-Rail.local
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : Novus-Rail.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0F-FE-AC-78-4C
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.19.56
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.19.1
        DNS Servers . . . . . . . . . . . : 192.168.19.1

PPP adapter {DCBDA41B-6BD5-4C1E-BE1A-185015F40EEF}:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 169.254.233.19
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 169.254.233.19
        DNS Servers . . . . . . . . . . . : 192.168.16.2

C:\WINDOWS>

Win 7:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>ipconfig/all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : BRANCH-WKS01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

PPP adapter NovusMainOffice:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : NovusMainOffice
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 169.254.44.116(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 1C-6F-65-5C-33-E5
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::74d4:e630:fe1a:635b%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.19.44(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.19.1
   DHCPv6 IAID . . . . . . . . . . . : 236744549
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-FF-6B-6E-1C-6F-65-5C-33-E

   DNS Servers . . . . . . . . . . . : 192.168.19.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{364B6574-4D76-4E69-9E4A-465CB75ADC75}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:3037:3fa6:5601:d38b(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3037:3fa6:5601:d38b%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{842E88D8-BB5E-4304-8D34-DFD4C778981A}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Windows\system32>

Meanwhile I will try the localhost.

Thanks
Mark
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35112939
You're not listening, it's a DNS issue. How can any PC join the domain if its DNS cannot resolve the domain name? Your domain name is Novus-Rail.local, so how will the Windows 7 machine know about Novus-Rail.local unless, as pointed out above, it has a hosts entry?

0
 

Author Comment

by:Drumbeat1966
ID: 35113149
Hi

I have tried the host file with no luck.

Are these:

<IP address>       FQDN of your domain controller
<IP address>          FQDN of your Domain DNS name

How do I find out the FQDN of my domain controller and the FQDN Domain DNS name? Is the IP address of my domain controller and DNS name the public IP address my ISP gave me, and how do I check with the ping command?

Thanks
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35115941
if your domain does not have a domain name and nuvus-rail.local isn't how are you trying to connect the windows 7 machines to the public ip address the isp gave you if so is your router blocking the vpn

Like I said, the Windows 7 firewall needs configuring for VPN, and as you're using a software VPN client, is that application configured in the Windows 7 firewall?

also if the remote router configured
0
 

Author Comment

by:Drumbeat1966
ID: 35116883
Hi IanTh

I am grateful for your input but as I said before I am not very good when it comes to this type of problem so your input is not shedding any light on what I am supposed to be doing.

I can get a VPN connection to the server no problem using win 7 or win xp (I am connected to the SBS 2003 server) so in answer to your question the remote router and SBS 2003 server is ok and setup otherwise I would not be able to connect.

On the windows xp machine I connected to the remote SBS 2003 server via VPN (connection authorised and connected) then I went to the network ID properties and connected the windows xp machine to the SBS 2003 domain remotely, works great no problems.

On the windows 7 machines I do exactly the same, I connect to the remote SBS 2003 server via VPN (connection authorised and connected) but when I go into the network ID properties on the Windows 7 machine that when I get the problem it will not work and I get the errors listed above.

Why is the windows xp machine ok but the windows 7 machines says no I am not playing? You say it maybe the firewall of which I have turned off on the windows 7 machine.

You are firing things at me but not giving me any solutions. Please do not take it the wrong way I am grateful for your input.

If it’s the firewall,  its great you are telling me, but what do I do about it.

Thanks
Mark
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35121997
Mark,
After you have tried to rejoin, you provided the wrong domain name. You need to use the full domain name, NOVUS-RAIL.LOCAL, not only NOVUS-RAIL . But since you cannot contact the registered domain controller, joining the domain cannot succeed.

After all the changes it is unclear what the actual state is.

You should have the full domain name in your IP DNS settings - if not, add them manually.
Try a   nslookup -d2 -v novus-dc01.novus-rail.local    in a command prompt to see if the name can be resolved. If you know the domain DNS server's IP (it should be 192.168.16.2), add that as an additional argument to the nslookup, if it does not succeed without.
If nslookup gives you a valid IP, try pinging that address.
Post back with the results, please.
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35122308
the error points to a dns error nuvus-rail.local please tell us how, nuvus-rail.local is the domain controller but it isn't a proper domain name so how in the external client do connect to the sbs 2003


0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 35122319
NOVUS-RAIL.LOCAL is a valid Domain Name. It is not valid in NetBIOS terms, but those restrictions have gone long ago with implementing Domain Services via DNS.
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35122390
If it was a valid domain name I should be able to ping it and I can't. The error points to a DNS error with novus-rail.local
0
 

Author Comment

by:Drumbeat1966
ID: 35123381
Hi Qlemo

Setting up my VPN network connection with the DNS (192.168.16.2) was the solution I needed and works great, I am now connected to the domain over the VPN connection with network shares, Exchange outlook, but no intranet (companyweb)? I will sort out later.

Fantastic, thanks.

Mark.
0
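Added example (not part of the thread): the comparison akhalighi asked for and the fix Mark confirms both come down to which DNS server each connection lists. The script below reads saved `ipconfig /all` text and reports, per adapter, whether the domain DNS server (192.168.16.2 in this thread) is listed first; the sample is abridged from the Windows 7 output posted above, and the function names are hypothetical.

```python
import re

# Abridged from the Windows 7 `ipconfig /all` output posted in this thread.
SAMPLE = """\
Windows IP Configuration

   Primary Dns Suffix  . . . . . . . :

PPP adapter NovusMainOffice:

   DNS Servers . . . . . . . . . . . : 192.168.16.2

Ethernet adapter Local Area Connection:

   DNS Servers . . . . . . . . . . . : 192.168.19.1
"""

# "Label . . . . : value"; the label is followed by dot/space padding before ':'.
FIELD = re.compile(r"^\s+(.+?)[ .]+:(?: (.*))?$")

def parse_ipconfig(text):
    """Return {section: {label: [values]}}; host-wide fields go under "global"."""
    sections = {"global": {}}
    current, last = sections["global"], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # "... adapter X:" opens a section; banners and wrapped tails are skipped
            if line.rstrip().endswith(":"):
                current, last = sections.setdefault(line.rstrip(" :"), {}), None
            continue
        m = FIELD.match(line)
        if m:
            last = current.setdefault(m.group(1), [])
            if m.group(2):
                last.append(m.group(2).strip())
        elif last is not None:                 # continuation, e.g. a second DNS server
            last.append(line.strip())
    return sections

def audit_dns(text, domain_dns):
    """Per adapter, report where the domain's DNS server sits in its DNS list."""
    report = {}
    for name, fields in parse_ipconfig(text).items():
        servers = fields.get("DNS Servers", [])
        if name == "global" or not servers:
            continue                           # host-wide section or disconnected adapter
        report[name] = ("domain DNS first" if servers[0] == domain_dns
                        else "domain DNS listed, not first" if domain_dns in servers
                        else "domain DNS missing")
    return report

if __name__ == "__main__":
    print(audit_dns(SAMPLE, "192.168.16.2"))
```

Run it on output captured while the VPN is connected; an adapter reported as "domain DNS missing" will send its queries to a server that does not host the internal zone.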
 
LVL 30

Expert Comment

by:IanTh
ID: 35123673
so it was dns then wasn't it
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35123684
oh heck so how does the .local work in dns I have always thought it wasn't a routable domain my dc is called mhn.local
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35123948
IanTh,

.local is a convention used for "non-routable" domains, that much is true. But like private IPs are unroutable on the Internet, .local is unroutable in public DNS. Using the DNS suffix .local is a valid and very good means to avoid private and public DNS collisions.
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35123975
yes I understand that my domains dns suffix is .local but how did the asker get his problem working if .local is not routable as his error pointed to a novus-rail.local error which it would as .local is not routable
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35124061
You are reading something wrong. LDAP was accessible using that domain name. This has been shown in the first error.doc. Further, the domain controller name has been found in DNS, else we would know it.

Don't stick on that "routable" part - if your DNS server is local, or you have created a forwarding entry for that zone, it is "routable" in the sense of well-known. Whenever you have to use local names you need to have a local (= non-public) DNS server as your primary DNS server.
0
 
LVL 30

Expert Comment

by:IanTh
ID: 35124426
OK, I always thought when setting up a DC you use .local if you don't have a domain name for the DC
0
