Solved

VPN/DFS issue

Posted on 2011-03-24
25
558 Views
Last Modified: 2012-05-11
Hello Experts,

I have a network consisting of a Headquarters Site (SBS2008 STD - AD) & Remote Branch Office (WIN2003 replicated AD).  Previously the setup used SBS2003 in the same fashion, but with SBS2008 I cannot maintain a consistent DFS replication between the 2 sites.

The VPN connection on the Remote Branch Office (RBO) connects fine and I can map drives to the Headquarters (HQ) side using any variety of methods (e.g. \\server\share, \\server.domain.tld\share or even numerically xxx.xxx.xxx.xxx\share).

However, I cannot ping the RBO from HQ using the servername. I cannot map a drive using either \\server\share -or- \\server.domain.tld\share. I can use the numerical method xxx.xxx.xxx.xxx\share without any problems.

What am I overlooking? I do have the appropriate ports on both firewalls (1723) and it connects fine, but without being able to use the servername\share the DFS won't update.

Any advice would be greatly appreciated.
Question by:Phosphor
25 Comments
 
LVL 7

Expert Comment

by:TheTull
ID: 35208155
Have you addressed this at the DNS level first?  It sounds like from your HQ you can't resolve the server name via DNS or (or WINS for that matter).  What happens when you try pinging the server name, does it say host not found or does it just timeout to some incorrect IP address?

Do you have a proper record for that server in your DNS forward lookup zone?
 
LVL 1

Author Comment

by:Phosphor
ID: 35208340
Looking in my forward lookup zones in DNS snap-in, yes, it does have an "A" record for both.

Server (VPN client IP add) 192.168.16.14
Server (BRO net) 192.168.17.70
 
LVL 1

Author Comment

by:Phosphor
ID: 35208381
Also in DNS snap-in there is a PTR record for the server showing the VPN client at 192.168.16.14 - server.domain.local
 
LVL 1

Author Comment

by:Phosphor
ID: 35208390
Whoops...

Also in DNS snap-in Reverse Lookup Zone there is a PTR record for the server showing the VPN client at 192.168.16.14 - server.domain.local
 
LVL 7

Expert Comment

by:TheTull
ID: 35208443
I'm confused about the way you said you have records for "both", do you mean you have two records for the same server, or are you referring to a server located on your HQ net and one for your remote net?
 
LVL 1

Author Comment

by:Phosphor
ID: 35208481
When I ping <server> it shows up as "pinging server.domain.local [192.168.17.70] with 32 bytes of data".

I deleted the A record showing the other net's address (192.168.17.xx) and even after deleting it, it still pings that address: "pinging server.domain.local [192.168.17.70] with 32 bytes of data"
 
LVL 1

Author Comment

by:Phosphor
ID: 35208493
Shouldn't it really only see the VPN client address of 192.168.16.xx ?
 
LVL 7

Expert Comment

by:TheTull
ID: 35208628
Well, it should only have the actual IP address of the server in the DNS zone. The server will update the DNS zone with whatever IP address it has configured on it.

As far as deleting the record, it may still be cached both on the DNS server and on the machine you are pinging from. Try restarting the DNS service and run this command on your machine: ipconfig /flushdns
 
LVL 1

Author Comment

by:Phosphor
ID: 35208674
"Well, it should only have the actual IP address of the server in the DNS zone."

HQ side actual (VPN client IP add) xx.xx.16.xx

or

BRO side actual (xx.xx.17.xx)?

sorry, never had to do this before...
 
LVL 7

Expert Comment

by:TheTull
ID: 35208771
All right, so it sounds to me like the server is getting resolved as a .17 address when you need it to get resolved as a .16 address, because from the HQ network you communicate with it on the .16 address, right?
 
LVL 1

Author Comment

by:Phosphor
ID: 35208775
I believe so... yes
 
LVL 7

Expert Comment

by:TheTull
ID: 35208969
Hmm, well, this is tricky because we are dealing with domain controllers. The remote DC is going to want to register whatever IP addresses it has in your DNS zone, and I myself would prefer not to interfere with what it's doing.

What type of VPN are you using here?
 
LVL 1

Author Comment

by:Phosphor
ID: 35209069
I am using the native RRAS dialog to create the VPN connection on BRO using the FQDN of the SBS2008 box. I have not added any DNS settings in the VPN properties > TCP/IP Properties > Advanced TCP/IP settings for the connection. Using all automatic settings has always worked for this connection back when I originally set it up with the SBS2003 box.

I am not using DHCP or DNS on the BRO Server 2003 replicated AD box. There's a firewall router that handles DHCP, though the actual server uses a static .17.70 address...
I never used DNS services on this box either.

Anything else you need to know?
 
LVL 1

Author Comment

by:Phosphor
ID: 35209130
Some other really weird thing happens with RRAS in SBS2008 as opposed to my old SBS2003 setup: whenever a terminal server user logs off and kills their VPN session, it kicks all the others off. I don't really know why yet, just wondering if you ever heard of such a thing.
Just that alone is keeping me from really messing with any settings till 1800 EDST...
 
LVL 7

Expert Comment

by:TheTull
ID: 35209290
A simple thing to try would be to add a static route in the 2008 server's routing table so that it knows how to get to the 192.168.17.70 address via the VPN address.

Here's an example Windows command to accomplish that (I'm not sure if 2008 changed this command, but it should work as-is):

route add 192.168.17.0 MASK 255.255.255.0 192.168.16.14
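The DNS and routing reasoning in TheTull's comments above (a multi-homed DC registering both of its addresses in the zone, and a static route meant to carry the branch subnet over the VPN client address) can be modelled to see exactly why "ping server" from HQ lands on the wrong address. The script below is an added example and is not code from the original thread. It uses the hostname server.domain.local and the HQ server's own LAN address and gateway as assumed values, and every DNS record and route line in it is constructed sample data written in the Windows "route add NETWORK MASK NETMASK GATEWAY" form quoted above. It performs a longest-prefix route lookup for each A record and reports which ones only match the default route, before and after the suggested static route is present.

```python
"""Why "ping server" from HQ resolves to an address the VPN cannot carry.

Added example, not code from the original thread. It models the situation
described above: the branch DC (hypothetical name server.domain.local) has
registered both its branch-LAN address and its VPN-client address in the HQ
DNS zone, and the HQ server resolves the LAN one, which only matches the
default route until a static route is added. Route lines use the Windows
"route add NETWORK MASK NETMASK GATEWAY" syntax quoted in the thread.
Every record and route here is constructed sample data, not captured output.
"""
import ipaddress

# Constructed DNS answer: the two A records the branch DC registered for itself,
# in the order the thread implies the HQ resolver returned them.
DNS_A_RECORDS = {
    "server.domain.local": ["192.168.17.70", "192.168.16.14"],
}

# Constructed HQ routing table before any static route is added. The HQ server's
# own LAN address (192.168.16.10) and gateway (192.168.16.1) are assumed values.
HQ_ROUTES_BEFORE = [
    "0.0.0.0 MASK 0.0.0.0 192.168.16.1",               # default route to the HQ router
    "192.168.16.0 MASK 255.255.255.0 192.168.16.10",   # HQ LAN, on-link
]

# The static route suggested in the thread: send the branch LAN via the VPN client address.
STATIC_ROUTE = "192.168.17.0 MASK 255.255.255.0 192.168.16.14"


def parse_route(line):
    """Parse 'NETWORK MASK NETMASK GATEWAY' into (IPv4Network, IPv4Address)."""
    parts = line.split()
    if len(parts) != 4 or parts[1].upper() != "MASK":
        raise ValueError(f"unrecognised route line: {line!r}")
    network = ipaddress.IPv4Network(f"{parts[0]}/{parts[2]}", strict=False)
    return network, ipaddress.IPv4Address(parts[3])


def lookup_route(address, routes):
    """Longest-prefix match over the route list; returns (network, gateway)."""
    target = ipaddress.IPv4Address(address)
    best = None
    for line in routes:
        network, gateway = parse_route(line)
        if target in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    if best is None:
        raise LookupError(f"no route to {address}")
    return best


def reachability(hostname, routes):
    """Map each A record of hostname to (matched network, gateway, reachable).

    'reachable' means a route more specific than the default one carries it;
    an address that only matches 0.0.0.0/0 leaves via the internet router and
    never enters the VPN tunnel, which is the symptom seen from HQ.
    """
    report = {}
    for addr in DNS_A_RECORDS[hostname]:
        network, gateway = lookup_route(addr, routes)
        report[addr] = (str(network), str(gateway), network.prefixlen > 0)
    return report


def first_answer_is_bad(hostname, routes):
    """True when the address a client will try first is the unroutable one.

    A Windows client normally uses the first A record returned, so record
    ordering decides whether 'ping server' works even when a good record exists.
    """
    first = DNS_A_RECORDS[hostname][0]
    return not reachability(hostname, routes)[first][2]


if __name__ == "__main__":
    for label, routes in (("before static route", HQ_ROUTES_BEFORE),
                          ("after static route", HQ_ROUTES_BEFORE + [STATIC_ROUTE])):
        print(f"== {label} ==")
        for addr, (net, gw, ok) in reachability("server.domain.local", routes).items():
            status = "OK" if ok else "falls to default route"
            print(f"  {addr:15} via {net:18} gw {gw:15} {status}")
        print("  first DNS answer unreachable:", first_answer_is_bad("server.domain.local", routes))
```

Run it as-is to see the two states side by side. The "before" table is the one the thread starts from: the first answer (192.168.17.70) only matches 0.0.0.0/0, so the HQ server sends the ping to its internet router instead of into the tunnel, which is why resolving by name fails while \\192.168.16.14\share works. Note that the thread author reports the static route did not cure the problem in practice; the model shows what the route is intended to change, not that it was sufficient in that environment.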
 
LVL 7

Expert Comment

by:TheTull
ID: 35209309
As for the other issue where all users get kicked off, it sounds like they are NATing when going over the VPN and the destination server is killing off all connections from the source address, period, when a user logs off, as opposed to just the source address and port. I could be wrong, but it sounds like that kind of issue.
 
LVL 1

Author Comment

by:Phosphor
ID: 35209506
I did add that route and HQ is still not talking to RBO using FQDN.
RBO can still reach HQ using FQDN.

I added the static route using RRAS snap-in > IPv4 > Static Routes and it still isn't talking.
 
LVL 1

Author Comment

by:Phosphor
ID: 35209920
Thanks for your help so far.

I really can't do anything until a bit later tonight. I'll be bringing that server to the main office tonight (thank god for 4-10's :) for the weekend to test and rebuild my DFS. I don't know if it tombstoned on me (doubt it, nothing in the logs to suggest that). Maybe something crashed and I need to restart the main DC. It was working OK a few days ago...

Please monitor this thread through at least Monday 3/28
 
LVL 7

Expert Comment

by:TheTull
ID: 35210018
No problem, I'll keep my eye on it until the question is closed. If you find any more info that could be helpful, please post it here.

You may want to run some network captures and so forth to see what the traffic is doing, just as a suggestion.
 
LVL 1

Author Comment

by:Phosphor
ID: 35216582
OK, I brought the server home and connected to the HQ network to synchronize AD & DFS shares. Brought the FVS318v1 router home from RBO and configured it to use a different IP add, connected the RBO server as usual and connected to the HQ remotely with the VPN client. Still broken.

Starting to think it is a router issue now of some sort. I upgraded the RBO router firmware to the latest but still encounter the problem.
HQ router is a Linksys WRT54GX4
RBO router is a Netgear FVS318v1

So I considered trying by going the other way, connect HQ to RBO...
I set up the RBO server as DHCP & RRAS server, configured it and it appears it would work, but port 1723 can only have one hole. It looked that way in the logs anyway. The hole is opened on xx.xx.17.70 and the RRAS was trying to push xx.xx.17.45 as the client.

So after all that I configured one of the NICs for a direct connection to the cable modem. Got that up and working, connected to HQ with the VPN client and now I can browse using the \\server\share without any problems. DFS shares should update now as well normally with this VPN connection.
They haven't yet, though all tests with the DFS snap-in look good with no errors.

Naturally, I can't use this setup without a firewall. I figure the problem is the Linksys WRT54GX4 router on the SBS2008 side. That is the only new device on the network. Previously my old SBS2003 network was set up with 2 NICs and all routing was done through the outside-pointing NIC.

Any thoughts?
 
LVL 1

Author Comment

by:Phosphor
ID: 35222866
Hello again:

Now I am just dispirited. So I go out and get a second FVS318 (v3) router. Set it up as a box-to-box VPN, connect successfully and now the problem is still there, just reversed.
Now I can browse the network <\\server\share> from the HQ side but not the other way. I have been chasing my tail on this and cannot find any workable answers yet. Nothing but blind alleys and a "try this setting" morass...

I have found this item http://www.chicagotech.net/netforums/viewtopic.php?t=5005 but am a little bothered by its implications. I don't want to apply it and break something in the process.

 
LVL 7

Expert Comment

by:TheTull
ID: 35233074
OK, so now that you have a box-to-box VPN setup, you should be just about there. I bet the issue is fairly simple and straightforward. Are all your remote office devices using the FVS318 router as the default gateway, and can they at least ping devices on your HQ net via an IP address?
 
LVL 1

Accepted Solution

by:Phosphor (earned 0 total points)
ID: 35282646
I tried the box-to-box and didn't like the results. I did notice that for some reason on the HQ NIC the NetBIOS wasn't defaulted to enabled. I enabled it and made sure all others were too.

It still didn't work and, as I remember, what happened next was all kinds of DNS problems. I took the server offline. This server has 2 NICs in it, so I changed the IP address to something else, disabled the one I was using and configured the other one to use the original settings. Ran the "Fix my network" from the console, then disabled that one and reconfigured the other back, ran the "Fix my network" again and everything was kosher. It's rock solid now. Actually better than the old 2003 setup as far as connection consistency.

I can't prove it but I believe something was wrong with the whole setup from the start that did not show itself for a few days after I deployed the whole network. I had a console error about 3 days after deployment and all the UserRoles were in the Users pane in the console. It may have been because I did not know that you need to do all your AD editing in the SBS console for all things Users & Groups.

Thanks for your help
 
LVL 6

Expert Comment

by:jaredr80
ID: 37485269
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.