Scott Nowacki

RRAS VPN Issues - Can't see all machines on remote network

I have the following network configuration:

SERVER_A: SBS 2008
Services: DNS, AD, File Sharing

SERVER_B: Server 2003
Services: DNS, AD, RRAS, DHCP

The router on the network forwards to SERVER_B for RRAS (PPTP)

When clients connect, they get an IP address and DNS servers and they can connect to SERVER_A most of the time; sometimes it doesn't let them connect and says "Can't find server". Then we use the IP address and it works OK.

One of the issues is the sporadic nature of this. Sometimes it works, sometimes it doesn't. I have DHCP set up to give out DNS #1 as SERVER_B and DNS #2 as SERVER_A. It's that way because if it's switched around, then they can't access anything on the office network. It's as if SERVER_A (SBS) is not responding to DNS requests.

I've changed settings a number of times, switch RRAS and all services to the SBS server like they should be but the clients connect and can't see any network services. It's almost like the server is not responding to any DNS requests for the VPN.

Any thoughts? I know it sounds garbled. I will clarify for you what I can.
Qlemo

Both servers are in the same domain, I assume? DNS relies on the proper DNS suffixes appended to names, and if the DNS suffixes provided by RRAS are not correct, name resolution will fail.
Scott Nowacki

Both servers are on the same domain. One is running Small Business Server 2008 (SERVER_A) and the other is running Server 2003 Standard (SERVER_B).

I'm thinking it's some sort of DNS relay issue. It's as if the RRAS server is doing the DNS work but only for some select devices.
That should not happen. The SBS is the server, and its DNS should work great.
How does that work in the office itself? The same DHCP settings, probably - and so all IPs are only registered on Server_B DNS. The issue with Windows DNS is that a second DNS server will never get asked if the first DNS server responds with an "I don't know the IP" message.

The proper setup is that all machines use the same DNS server, or DNS servers replicating their info.
I've rearranged the VPN and network configuration as follows:

SERVER_A - RRAS, DNS, DHCP, AD
SERVER_B - AD

I reconfigured the router to go directly to SERVER_A for PPTP.

Now, when clients connect they can access shares on both servers with no issues. They can ping the servers too.

The remaining issue is that they need access to shares that are on some of the network's workstations. We still cannot browse to those machines or ping their IP addresses. NSLOOKUP resolves the name and IP OK, but I can't browse to the shares using "\\workstationname".

It's almost as if there is something not routing the file sharing traffic to those machines.

Internally, it all works just fine.
Did you use the same IP network for RAS as for the internal network? Otherwise each Windows Firewall might block access (as the network is unknown and hence untrusted).

You might have to monitor network traffic (with WireShark or MS NetMon, resp. successor "Microsoft Message Analyzer") on the SBS and one of the target workstations.
Instead, you can try to perform a tracert -d -w 100 from a workstation to the connected remote PC.
Yes, I'm using the same IP block.
Try if (temporarily) disabling the Windows Firewall on the workstation with the share makes a difference.
Could not disable the firewall on the workstation. Group Policy is running that show.

It seems like there is an issue with the traffic to other machines outside of the server. Almost as if the RRAS is not routing traffic to or from those other machines correctly. I attached some screenshots of the RRAS config.

Also, does it need a DHCP relay agent if the server is also hosting its own RRAS?

I also compared it to another SBS 2008 machine that I know is functional and working to see where there were differences. I noticed that the routing table was different (IP addresses notwithstanding). I also noticed that there were a lot more firewall items on the functioning server that start with Network ICMP (all greyed out).

Thanks for any thoughts.
ASKER CERTIFIED SOLUTION
Qlemo
I am certain that I can use shares inside the LAN. If I go to any workstation on the network I can type \\workstation and press enter and get screen that shows all shared folders from each workstation. I can browse them and save and open files from them. So that all works internally.

That does not work when connected via the VPN. It's apparently a critical requirement of the system. They also want to be able to browse shared folders on the computer that's at the remote end of the VPN too.
SOLUTION
It's the \\workstation or \\ip.address that doesn't work. I've tried \\workstation or ip\share and they don't work either.
After 8 hours on the phone with Microsoft support we narrowed the problem down to a DHCP/DNS issue. The machines all had a static IP record in DNS. Their actual IP addresses were NOT the same as the static addresses. As soon as I changed the addresses to match, we can access the machines across the VPN.

Now to figure out why DHCP isn't working correctly.
Now it's working too - the MS support guy turned off the server's firewall! Now it's back on and things seem to be working again.
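Two checks that would have surfaced the problems discussed in this thread, added here as an example (not code from the thread or from any participant): one compares static DNS A records against the addresses DHCP actually leased (the root cause found above), the other confirms the RRAS address pool sits inside the LAN subnet as Qlemo asked. The record and lease tables are constructed sample data; the hostnames and addresses are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data: DNS A records as (hostname, ip, is_static)
# and DHCP leases as {hostname: leased_ip}. Not taken from the thread.
DNS_A_RECORDS: List[Tuple[str, str, bool]] = [
    ("ws01", "192.168.10.51", True),     # static record, stale
    ("ws02", "192.168.10.52", True),     # static record, still correct
    ("ws03", "192.168.10.73", False),    # dynamic record, updated by DHCP
    ("server_a", "192.168.10.2", True),  # server with no lease at all
]
DHCP_LEASES: Dict[str, str] = {
    "ws01": "192.168.10.61",  # DHCP handed out a different address
    "ws02": "192.168.10.52",
    "ws03": "192.168.10.73",
}


def find_stale_records(records, leases):
    """Return [(host, dns_ip, lease_ip)] for every static A record whose
    address no longer matches the lease DHCP actually issued for that host.
    nslookup still "resolves" such names, but the traffic goes to the
    wrong (or unused) address, which is exactly the symptom in the thread."""
    stale = []
    for host, dns_ip, is_static in records:
        lease_ip = leases.get(host)
        if is_static and lease_ip is not None and lease_ip != dns_ip:
            stale.append((host, dns_ip, lease_ip))
    return stale


def pool_matches_lan(lan_cidr, vpn_pool):
    """True if the RRAS static address pool (first, last) lies inside the
    LAN subnet. A pool from a foreign subnet makes remote clients look like
    an unknown network to every workstation's Windows Firewall profile."""
    lan = ipaddress.ip_network(lan_cidr)
    first, last = (ipaddress.ip_address(a) for a in vpn_pool)
    # A contiguous range is inside a single subnet iff both ends are.
    return first in lan and last in lan


if __name__ == "__main__":
    for host, dns_ip, lease_ip in find_stale_records(DNS_A_RECORDS, DHCP_LEASES):
        print(f"{host}: DNS says {dns_ip}, DHCP leased {lease_ip}")
    print("pool inside LAN:", pool_matches_lan("192.168.10.0/24",
                                               ("192.168.10.200", "192.168.10.220")))
```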