Solved

Windows 7 VPN to Windows 2008 SBS

Posted on 2012-04-13
Last Modified: 2012-05-15
Hi all,

I have a weird problem,

I have users VPN'ing in to Windows Server 2008 SBS. The problem started with their offline documents not syncing when connected to the Windows VPN (RAS).

When I log on to the remote user to troubleshoot, I can resolve server name over VPN, do nslookup on IP address of server, and ping server FQDN over VPN, all works fine!

When I \\server, I only see the user's offline files (the ones that are cached on the client computer that VPNs in).

When I \\192.168.255.5 (the server IP), it tells me after like 10 seconds that it can't connect to that IP. But that same IP I can ping, nslookup and resolve the server name to; all works fine.

When I VPN in to the server, and do an ipconfig /all, the following routes are in place:


Before the VPN is formed:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.27     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.27    281
     192.168.1.27  255.255.255.255         On-link      192.168.1.27    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.27    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.27    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.27    281
===========================================================================
Persistent Routes:
  None


AFTER the VPN is formed:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.27     25
   123.123.123.123  255.255.255.255      192.168.1.1     192.168.1.27     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.27    281
     192.168.1.27  255.255.255.255         On-link      192.168.1.27    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.27    281
    192.168.255.0    255.255.255.0   192.168.255.28   192.168.255.16     26
   192.168.255.16  255.255.255.255         On-link    192.168.255.16    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.27    281
        224.0.0.0        240.0.0.0         On-link    192.168.255.16    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.27    281
  255.255.255.255  255.255.255.255         On-link    192.168.255.16    281
===========================================================================
Persistent Routes:
  None



IPconfig Information:


PPP adapter VPN - test:

   Connection-specific DNS Suffix  . : domain.local
   Description . . . . . . . . . . . : VPN - test
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.255.16(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.255.5
   NetBIOS over Tcpip. . . . . . . . : Enabled


I can't \\server or \\serverIP and I know this is the reason the file sync is not working. I can do everything else: nslookup on the server IP, ping the server, tracert the server name and IP, and resolve the server name. But I just can't browse file shares on the server by IP or server name. There are two servers on the remote VPN site, and both servers give me the same result as above. I just can't browse share names on any of the remote servers over the VPN.

I have run ipconfig /flushdns and restarted the computer many times, nothing!

I have even changed the order of the network cards in the network location so dial-up is above all (first), to try and use it to resolve names. I have used the administrator credentials for the VPN and the user's own credentials, still nothing. (Both these credentials work from my PC at the office), so it is not a file share permission problem.

When I try and do it from another computer (My work PC) it works, I can \\server and \\server IP address over the VPN.

Any assistance would be appreciated!

Scrooge
Question by:wimpie_asg
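
An added example, not part of the original post: a Python check that applies longest-prefix matching to the route rows from the "AFTER the VPN is formed" table in the question, to confirm which interface carries traffic to the server at 192.168.255.5. The function names and the extra lookup addresses (192.168.1.50, 8.8.8.8) are constructed for illustration.

```python
import ipaddress

# Route rows copied from the "AFTER the VPN is formed" table in the question
# (loopback, multicast and broadcast rows omitted for brevity).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.27     25
  123.123.123.123  255.255.255.255      192.168.1.1     192.168.1.27     26
      192.168.1.0    255.255.255.0         On-link      192.168.1.27    281
     192.168.1.27  255.255.255.255         On-link      192.168.1.27    281
    192.168.255.0    255.255.255.0   192.168.255.28   192.168.255.16     26
   192.168.255.16  255.255.255.255         On-link    192.168.255.16    281
"""

def parse_routes(text):
    """Turn 'route print' rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip the header, separators and blank lines
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue  # five tokens, but not a route row
    return routes

def select_route(routes, target):
    """Longest-prefix match; ties are broken by the lowest metric."""
    addr = ipaddress.ip_address(target)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))

def egress_interface(target, text=ROUTE_PRINT):
    """Return the local interface address used to reach target, or None."""
    route = select_route(parse_routes(text), target)
    return route[2] if route else None

if __name__ == "__main__":
    # 192.168.255.5 is the server IP from the post; the other two addresses
    # are constructed samples for a LAN host and an Internet host.
    for host in ("192.168.255.5", "192.168.1.50", "8.8.8.8"):
        print(host, "->", egress_interface(host))
```

The server address resolves to the VPN interface 192.168.255.16 via gateway 192.168.255.28, which matches the working ping and RDP and points away from routing as the cause of the share failure. The default route stays on the local interface 192.168.1.27.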
10 Comments
 
LVL 77

Expert Comment

by:Rob Williams
>>"I cant \\server "
Does \\server.domain.local\  work?

If so try adding the domain suffix to the client machine as per:
http://blog.lan-tech.ca/2011/05/14/vpn-client-name-resolution-2/
 
LVL 3

Author Comment

by:wimpie_asg
RobWill,

Thank you for your response,

I have tried \\server.domain.local and the outcome was the same as when I do \\serverIP: it takes about 5 seconds and says network location is unavailable.

But I can do \\server and see just the user's offline files and nothing else. There are supposed to be more network folders / shares but I can only see the user's offline folders when I \\server.

I don't have an issue resolving any hostname over the VPN, it is just when browsing that I can't see anything, only that which is cached and nothing else. And the fact that when I try \\serverIP it returns an error, network location not available, "Diagnose problem now", and then Windows finds no errors.

Scrooge.
 
LVL 77

Expert Comment

by:Rob Williams
On a different note, often with offline files and folder redirections the policies are not applied with VPNs due to slow links. There are slow link detection policies that you can enable to assist with this.
http://technet.microsoft.com/en-us/library/cc781031(v=ws.10).aspx
 
LVL 77

Expert Comment

by:Rob Williams
One of the issues when using a software VPN client is you are connecting with cached credentials as the server is not available at logon. This may be part of the problem.
As mentioned near the end of the link above, if a Windows VPN, at logon there is an option to log on with a dial-up connection, then select the VPN. This will allow proper domain authentication and Group Policy processing, though the slow link detection policies usually have to be enabled.
 
LVL 3

Author Comment

by:wimpie_asg
Hi,

With Computer Configuration\Administrative Templates\System\Group Policy I noticed under the help, there is also a setting under Computer Configuration\Administrative Templates\System\user profiles, there is a setting that says "do not detect slow network connections".
If I enable this, will this not be better than specifying a slow connection speed? The user is not in the same country as where she VPNs to, she VPNs from a different country, so I don't know what speed to enter under the slow network speed. Will disabling this option be better?

Scrooge.
 
LVL 77

Expert Comment

by:Rob Williams
The problem that exists is if the connection is slow, less than a typical LAN, logon completes before authentication and GP is applied. You want to "detect slow networks" so that the connection waits to complete.

Other policies that are also useful in tweaking this are:
Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
Newer systems (Win7):
Computer Configuration | Administrative Templates | Network | Offline files | Configure slow-link mode.
 
LVL 3

Author Comment

by:wimpie_asg
Hi all,

Thank you so much for your input and valuable time, this is much appreciated.

I have made the appropriate changes, also after reading up more on the values to add etc. I do a gpupdate /force and get the following result, most probably because the UNC to the server is not available for updating, but I also restarted the computer for good measure. I get the following error when doing a gpupdate:

Updating Policy...

User policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\server.local\SysVol\DOMAIN.local\Policies\{aaaaaaaaa-F281-4391-AC81-62089093A809}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\server.local\SysVol\DOMAIN.local\Policies\{aaaaaaaa-27B9-411E-94EC-626058E8ED41}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Needless to say, when I \\server or \\serverIP, nothing, still the same thing. It is as if the whole computer is working in "OFFLINE MODE" from the network, similar to a server tombstone mode. It is a whole ripple effect, I think, caused by the same issue. I can still resolve hostnames by ping or nslookup or FQDN to the server IP and server NAME. But I cannot browse the server, nor anything else on the remote network after VPN. I can even RDP in to the local IP of the server from the VPN client.

Any further assistance would really be greatly appreciated.

Scrooge.
 
LVL 3

Accepted Solution

by:wimpie_asg
Hi,

This is exactly what my problem is, but this article is for Windows XP, and does not apply to Windows 7.

http://support.microsoft.com/kb/290523

This is exactly the issue I am having. Any idea how I can fix this on Windows 7?

Scrooge.
 
LVL 77

Expert Comment

by:Rob Williams
The article states: "This behavior can occur if you initially logged on to the computer with cached credentials". As I mentioned earlier: "One of the issues when using a software VPN client is you are connecting with cached credentials as the server is not available at logon. This may be part of the problem. As mentioned near the end of the link above, if a Windows VPN, at logon there is an option to log on with a dial-up connection, then select the VPN. This will allow proper domain authentication and Group Policy processing,"
 