Move RRAS from SBS 2003 to Windows 2008 R2

Hi Experts,

I am separating the major functions of an SBS 2003 server into a Win 2008 R2 server and an Exchange 2010 server.  I am looking for guidelines/best practices for moving RRAS used for VPN access.

I've created a new domain controller as a start.  Everything is sitting behind a Cisco 5510 router/firewall, with rules pointing to the old server.

Here are my questions:
Is it OK to move the VPN to the new DC or is that not recommended?  Should it be on another server instead?
Is there a simple way of moving the settings to a new server?  I saw some powershell stuff but it seemed easier to do it manually (according to
How can I test the new settings without changing the firewall rules to port forward to the new server?  I want to make sure everything is working properly without impacting the users.  Can I change the PPTP port on the new server and forward the PPTP request to the new server?  If so, how do I change the setting on the client port?
How would you suggest migrating the remote user settings to use the new server?  I can't use a DNS alias because Exchange traffic comes over the same host.

Thanks for the assistance.

Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
For security reasons it is not recommended to run RRAS on the DC, because you expose it to the Internet that way. But you can do so, of course ;-).

I would transfer those few settings required for RRAS manually.

You cannot change the PPTP port, it is fixed. So you will have a hard time testing with a public IP. You do not have more than one public IP available? That would make it easy, as you can separate services that way.
If you cannot use different public IP addresses, you'll have to switch all users at once. Otherwise you can change the IP address on the client side one by one.
John (Business Consultant, Owner) commented:
Two overarching comments.

1. Moving today to Server 2008 is already obsolete. Is there a reason why you cannot use Server 2012 R2?

2. VPN is BEST done with hardware VPN. Put in a Cisco or Juniper VPN box and divorce entirely from your servers. It just works better that way (in my experience with clients).
svillardi (Author) commented:
So, even for testing, I cannot change the port on the receiving server, create a new port forward setting for the request to point to the new server and then somehow set up a client to use that?

I can't do this without a way to test.  I only have one IP.
John (Business Consultant, Owner) commented:
How many users?  Put in a VPN box for your one IP first, move the users, and then upgrade the Server.
svillardi (Author) commented:
We aren't licensed for 2012 servers.

We are running a Cisco 5510 and I could set up Anyconnect, but getting this out to the users won't be easy.  At least I could test it easily...  But I don't know what licensing is there either.

This is a small business with non-technical users.  Trying to keep things as easy as possible for them.
svillardi (Author) commented:
60 users about.
svillardi (Author) commented:
But maybe a max of 10 at a time?
John (Business Consultant, Owner) commented:
I am not a big fan of server RRAS. I prefer hardware VPN and you can easily do it for 25 users at a time.

However, that is just the way my clients have been doing this for a long time.
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Though everything stated above by John is correct, we have to live with the things we have at hand sometimes ... Juniper and Cisco (ASA) require the use of IPSec or SSL VPN clients. A big change here.

So let us stay with the original question. And that is you cannot use both RRAS servers at the same time from the Internet.

The only way I see you testing this is from inside your LAN. Connect to the new RRAS server with its internal IP. Check the IPs and routing table created at that time. The test machine might lose connection to the LAN, but that does not matter - just terminate the PPTP connection to restore access.
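The inside-the-LAN test described above, written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes a test workstation with a phonebook entry named NewRRAS-Test that dials the new server's internal address, a test account CONTOSO\vpntest, and the constructed addresses 192.168.1.20 (new RRAS server) and 192.168.1.10 (a LAN host to ping through the tunnel). It uses only rasdial, route and WMI, all of which exist on Windows 7 / Server 2008 R2 clients.

```powershell
# Added example: dial the new RRAS server over its INTERNAL IP, record what the
# PPP adapter and routing table look like, then hang up so the test machine
# gets its normal LAN access back. Nothing on the ASA changes.
# Assumptions (not from the thread): phonebook entry 'NewRRAS-Test' already
# exists and points at 192.168.1.20 (constructed); account is a placeholder.
$Entry   = 'NewRRAS-Test'
$Account = 'CONTOSO\vpntest'
$LanHost = '192.168.1.10'        # constructed: any internal host to reach via tunnel

# Snapshot the IPv4 routing table before dialing so the delta is visible later
$before = route print -4

# Prompt for the password instead of embedding it in the script
$secure = Read-Host "Password for $Account" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# rasdial sets a non-zero exit code on failure and prints the RAS error text
$dialOutput = rasdial $Entry $Account $plain
$plain = $null
if ($LASTEXITCODE -ne 0) {
    Write-Error "Dial to $Entry failed (rasdial exit $LASTEXITCODE): $dialOutput"
    return
}

try {
    # 1. Address handed out by the new server's static pool / DHCP relay.
    #    On Win7 the PPP adapter's WMI Description is the phonebook entry name.
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and ($_.Description -eq $Entry -or $_.Description -like 'WAN Miniport*') } |
        Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder |
        Format-List

    # 2. Routes added by the connection. With "Use default gateway on remote
    #    network" enabled a new 0.0.0.0 route via the PPP interface appears,
    #    which is why the test box can temporarily lose its LAN path.
    $after = route print -4
    Write-Host "Routes added while connected:"
    Compare-Object $before $after |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }

    # 3. Reachability through the tunnel
    Test-Connection -ComputerName $LanHost -Count 2 -ErrorAction SilentlyContinue |
        Select-Object Address, ResponseTime
}
finally {
    # Always tear the tunnel down so LAN access is restored, even on error
    rasdial $Entry /disconnect | Out-Null
}
```

Run it from a workstation on the LAN, not from the new server itself. If step 1 shows no address or step 3 fails, the problem is in the RRAS configuration (address pool, filters, NPS policy), not in the ASA port forward, which is exactly what this test isolates.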

R. Andrew Koffron (owner) commented:
I'd use the Cisco as your gateway and leave RRAS off an SBS2011 server, leave the DNS on the SBS, and just skip the extra load and complication.  Basically what John said.
Your ASA should already have the port exceptions for the old server.
svillardi (Author) commented:
DNS and DHCP have already been moved to the new DC.
R. Andrew Koffron (owner) commented:
Should be able to just change the scope option for gateway in the DHCP server to the ASA and be up and running. You'll have to tweak the port exceptions, and the VPN stuff, but should be pretty minor changes.
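The scope change suggested above, as an added example that is not from the thread or from Microsoft. On Server 2008 R2 the DHCP server is driven with netsh (the DhcpServer PowerShell module only shipped with Server 2012), so this wraps the netsh commands; the server name NEWDC01, scope 192.168.1.0 and ASA inside address 192.168.1.1 are constructed placeholders.

```powershell
# Added example: point the DHCP scope's default gateway (option 003 Router)
# at the ASA's inside interface so clients stop routing through the old SBS.
# Names and addresses below are placeholders, not values from the thread.
$DhcpServer = 'NEWDC01'          # the new DC that now hosts DHCP
$Scope      = '192.168.1.0'      # scope network ID
$AsaInside  = '192.168.1.1'      # ASA inside interface

# Record the current scope options before changing anything
Write-Host "Scope $Scope options before the change:"
netsh dhcp server "\\$DhcpServer" scope $Scope show optionvalue

# Set option 003 (Router) for the whole scope to the ASA
netsh dhcp server "\\$DhcpServer" scope $Scope set optionvalue 003 IPADDRESS $AsaInside
if ($LASTEXITCODE -ne 0) {
    throw "netsh dhcp failed with exit code $LASTEXITCODE"
}

# Confirm the new value
netsh dhcp server "\\$DhcpServer" scope $Scope show optionvalue
```

Clients pick the new router up at their next lease renewal; on a test client run `ipconfig /release` and `ipconfig /renew`, then `route print -4` and check that the 0.0.0.0 route now points at the ASA address. Leaving the old gateway in place on a few clients is the easiest way to roll back if the ASA port exceptions still need work.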