wimpie_asg asked:

Windows 7 VPN to Windows 2008 SBS

Hi all,

I have a weird problem,

I have users VPN'ing in to Windows Server 2008 SBS. The problem started that their offline documents were not syncing when connected to the Windows VPN (RAS).

When I log on to the remote user to troubleshoot, I can resolve server name over VPN, do nslookup on IP address of server, and ping server FQDN over VPN, all works fine!

When I \\server, I only see the user's offline files (the ones that are cached on the client computer that VPNs).

When I \\192.168.255.5 (the server IP), it tells me after about 10 seconds that it can't connect to that IP. But I can ping that same IP, nslookup it, and resolve the server name to that IP; all works fine.

When I VPN in to the server, and do an ipconfig /all, the following routes are in place:


Before the VPN is formed:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.27     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.27    281
     192.168.1.27  255.255.255.255         On-link      192.168.1.27    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.27    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.27    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.27    281
===========================================================================
Persistent Routes:
  None


AFTER the VPN is formed:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.27     25
   123.123.123.123  255.255.255.255      192.168.1.1     192.168.1.27     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.27    281
     192.168.1.27  255.255.255.255         On-link      192.168.1.27    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.27    281
    192.168.255.0    255.255.255.0   192.168.255.28   192.168.255.16     26
   192.168.255.16  255.255.255.255         On-link    192.168.255.16    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.27    281
        224.0.0.0        240.0.0.0         On-link    192.168.255.16    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.27    281
  255.255.255.255  255.255.255.255         On-link    192.168.255.16    281
===========================================================================
Persistent Routes:
  None



IPconfig Information:


PPP adapter VPN - test:

   Connection-specific DNS Suffix  . : domain.local
   Description . . . . . . . . . . . : VPN - test
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.255.16(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.255.5
   NetBIOS over Tcpip. . . . . . . . : Enabled


I can't \\server or \\serverIP and I know this is the reason the file sync is not working. I can do everything else: nslookup on the server IP, ping the server, tracert the server name and IP, and resolve the server name. But I just can't browse file shares on the server by IP or server name. There are two servers on the remote VPN site, and both servers give me the same conclusion as above. I just can't browse share names on any of the remote servers over the VPN.

I have ipconfig /flushdns and restarted the computer many times, nothing!

I have even changed the order of the network cards in the network location so dial-up is above all (first) in order to try and resolve names. I have used the administrator credentials for the VPN and the user's own credentials, still nothing. (Both these credentials work from my PC at the office) so it is not a file share permission problem.

When I try and do it from another computer (My work PC) it works, I can \\server and \\server IP address over the VPN.

Any assistance would be appreciated!

Scrooge
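
Added example (not part of the original thread): the Python below applies longest-prefix-match route selection, with metric as the tie-breaker, to the post-VPN route table above to confirm which interface carries traffic to 192.168.255.5. The function names are made up for this illustration, and the rows are copied from the asker's table with the loopback, multicast and broadcast entries left out.

```python
import ipaddress

# Rows copied from the "AFTER the VPN is formed" table in the post
# (loopback, multicast and broadcast rows omitted).
ROUTE_PRINT_AFTER_VPN = """\
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.27     25
  123.123.123.123  255.255.255.255      192.168.1.1     192.168.1.27     26
      192.168.1.0    255.255.255.0         On-link      192.168.1.27    281
     192.168.1.27  255.255.255.255         On-link      192.168.1.27    281
    192.168.255.0    255.255.255.0   192.168.255.28   192.168.255.16     26
   192.168.255.16  255.255.255.255         On-link    192.168.255.16    281
"""


def parse_routes(text):
    """Parse 'route print' IPv4 rows into dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            metric = int(metric)
        except ValueError:
            continue  # header or separator line
        routes.append({"network": network, "gateway": gateway,
                       "interface": iface, "metric": metric})
    return routes


def select_route(routes, destination):
    """Pick the route the stack would use: longest prefix, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dest in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT_AFTER_VPN)
    for target in ("192.168.255.5", "123.123.123.123", "8.8.8.8"):
        r = select_route(table, target)
        print(f"{target:>16} -> {r['network']} via {r['gateway']} "
              f"on {r['interface']} (metric {r['metric']})")
```

The server address matches the 192.168.255.0/24 route on the PPP interface (192.168.255.16), while the default route still points at 192.168.1.1, so only the remote subnet is sent through the tunnel. That agrees with the asker's observation that ping and name resolution to the server work.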
Rob Williams

>>"I cant \\server "
Does \\server.domain.local\  work?

If so try adding the domain suffix to the client machine as per:
http://blog.lan-tech.ca/2011/05/14/vpn-client-name-resolution-2/

wimpie_asg (ASKER)

RobWill,

Thank you for your response,

I have tried \\server.domain.local and the outcome was the same as when I do \\serverIP: it takes about 5 seconds and says network location is unavailable.

But I can do \\server and see just the user's offline files and nothing else. There are supposed to be more network folders / shares but I can only see the user's offline folders when I \\server.

I don't have an issue resolving any hostname over the VPN; it is just when browsing that I can't see anything, only that which is cached and nothing else. And the fact that when I try \\serverIP it returns an error, network location not available, "Diagnose problem now", and then Windows finds no errors.

Scrooge.

On a different note, often with offline files and folder redirections the policies are not applied with VPNs due to slow links. There are slow link detection policies that you can enable to assist with this.
http://technet.microsoft.com/en-us/library/cc781031(v=ws.10).aspx
One of the issues when using a software VPN client is you are connecting with cached credentials as the server is not available at logon. This may be part of the problem.
As mentioned near the end of the link above, if a Windows VPN, at logon there is an option to log on with a dial-up connection, then select the VPN. This will allow proper domain authentication and Group Policy processing, though the slow link detection policies usually have to be enabled.

Hi,

With Computer Configuration\Administrative Templates\System\Group Policy  I noticed under the help, there is also a setting under Computer Configuration\Administrative Templates\System\user profiles, there is a setting that says "do not detect slow network connections"
If I enable this, will this not be better than specifying a slow connection speed? The user is not in the same country as where she VPNs to; she VPNs from a different country, so I don't know what speed to enter under the slow network speed. Will disabling this option be better?

Scrooge.

The problem that exists is if the connection is slow, less than a typical LAN, logon completes before authentication and GP is applied. You want to "detect slow networks" so that the connection waits to complete.

Other policies that are also useful in tweaking this are:
Computer Configuration | Administrative Templates | System | Logon  | Always wait for the network at computer startup and login
Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
Newer systems (Win7):
Computer Configuration | Administrative Templates | Network | Offline files | Configure slow-link mode.

Hi all,

Thank you so much for your input and valuable time, this is much appreciated.

I have made the appropriate changes, also after reading up more on the values to add etc. I do a gpupdate /force and get the following result, most probably because the UNC to the server is not available for updating, but I also restarted the computer for good measure. I get the following error when doing a gpupdate:

Updating Policy...

User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\server.local\SysVol\DOMAIN.local\Policies\{aaaaaaaaa-F281-4391-AC81-62089093A809}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\server.local\SysVol\DOMAIN.local\Policies\{aaaaaaaa-27B9-411E-94EC-626058E8ED41}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Needless to say, when I \\server or \\serverIP, nothing, still the same thing. It is as if the whole computer is working in "OFFLINE MODE" from the network, similar to a server tombstone mode. It is a whole ripple effect, I think, caused by the same issue. I can still resolve hostnames by ping or nslookup or FQDN to the server IP and server NAME. But I cannot browse the server, nor anything else on the remote network after VPN. I can even RDP in to the local IP of the server from the VPN client.

Any further assistance would really be greatly appreciated.

Scrooge.

ASKER CERTIFIED SOLUTION
wimpie_asg

This solution is only available to members.
The article states: "This behavior can occur if you initially logged on to the computer with cached credentials". As I mentioned earlier: "One of the issues when using a software VPN client is you are connecting with cached credentials as the server is not available at logon. This may be part of the problem. As mentioned near the end of the link above, if a Windows VPN, at logon there is an option to log on with a dial-up connection, then select the VPN. This will allow proper domain authentication and Group Policy processing."