• Setting up VPN on Win2003 R2


    It appears I have a lot to learn.

    Here are the basics: Windows 2003 R2 Standard, acting as a domain controller and file server. 9 users. Five static IP addresses.

    I’ve never set up a VPN on 2003 server, and was using http://searchexchange.techtarget.com/news/…1069414,00.html as a guide. Right around step 6, all users lost communication with the server. At this point I had set up a group in AD to manage policies for VPN users.

    What I’m stuck with now is two-fold, but one issue is critical: computers that were already members of the domain had no connectivity issues. All other workstations lost their name resolution – the server is still on the network and visible, but cannot be reached using its name; IP only. To get around this I added the IP address of the server to everyone’s HOSTS file, but there has to be a reason name resolution went off the deep end and no longer works.

    Secondly, given that I still have no working VPN server, can anyone recommend a reference or learning materials on how to do this properly? I’d much prefer not to have the domain controller take on an additional role given that it already handles file serving as well as authentication, but to be frank I don’t think the load would amount to much anyway.

    Thanks in advance for helping a fledgling server admin!

    • #1103345


      • #1103421

        Good resources, thank you Joe! Unfortunately the section on troubleshooting DNS has led to no real answers. To be honest, I’m not sure what to check, but I believe it must be a policy setting that is making this happen. Machines that are domain members (about half of our workstations) can resolve names through the DNS server, but workstations that remain in a workgroup (due to software requirements) cannot resolve names. I’m stumped.

        • #1103422

          I wonder if it has anything to do with guest/anonymous access on the DNS server.



          • #1103423

            I don’t know. The Guest account is disabled, but I was considering also the fact that I now have a static IP in the mix where I didn’t before. The DNS server will need to communicate with the outside world somehow, and since I’m far from well versed in DNS it’s time to read up and learn. In the meantime, I would love to know what got my 2k3 box in a snit. The workaround is not a permanent solution. Even the shares work properly, so users are being authenticated.

            • #1103473

              Can you tell me a little more about your hardware topology? Do you have three servers involved? What roles do each play?



            • #1104149

              Joe, sorry it took so long to get back on this one. Here are the details you requested:

              • One hardware firewall (SonicWall) where the Internet connection comes into the building. It also serves up DHCP leases to clients.
              • One physical server, Win2K3 R2 as the base OS. When I refer to “servers” I’m using it in the more generic sense, meaning that the server applications are set up and running – on one physical box.
                • Domain Controller (operational)
                • File Server (operational)
                • FTP Server (not operational)
                • VPN/Radius Services (not operational)
              • This server is the domain controller, among its other functions. I realize this is a lot to cram on one physical server, but I haven’t been able to loosen the purse strings far enough to get another box yet.
              • There are approximately 10 client workstations at this time.

              Again, my biggest single problem at this point is that domain members can resolve the server’s IP address, but all other workstations must have the entry in their HOSTS file. This “change” occurred when setting up VPN services.
            • #1104177

              Has your Firewall been your DHCP server all along? Did you add the DNS server name and IP address to the DHCP Scope?



            • #1104183

              Yes, the firewall has always been the DHCP server – but maybe it shouldn’t be. There was no place in the configuration to enter the DNS name, although the permanent IP address that I recently had set up was entered and everything was working properly – until the VPN Wizard did its thing. I’m almost certain it’s a security setting that was changed, because the functionality isn’t gone, just hard to get to.

            • #1104190

              I’m not sure where to look but it sure seems as though some setting about authenticated users got enabled.



            • #1104191

              Also, I don’t know that having the firewall as the DHCP server is good or bad. It is just somewhat different than the directions in the link you provided. I suppose it should not make any difference.



            • #1104196

              I’ll have to dig and see what policies apply to authenticated users. That sounds accurate.

              As it relates to the firewall, I think simplicity would demand that it simply passes traffic on to the server, and the server fills the DHCP role. I’m trying to make the best of a mess that existed when I arrived at the company!

            • #1104206

              I’d think the same about the firewall. I’ve got DHCP disabled at the firewall and running on the win2k3 server. Straightening up messes like you’ve got sure takes a lot of time and energy. I’ve had to clean up more than one during my various incarnations. You’ve got my sympathy. Meanwhile, I’ll try to dig around some more to see what I can find on configuring a VPN.



            • #1104207

              Thanks Joe… that will help. I’m seriously contemplating backing up the user data, blowing out Server and reloading it. Since we have a small group (9 total) I think it would be beneficial in the long run, because then I would be starting with a known quantity. There truly are few benefits to having a domain for a group of this size, although the ability to have roaming profiles is nice. Not to mention, I’d just like to learn it!

            • #1104399

              Unfortunately, I’ve been unable to come up with anything more concrete. I’d just caution you that going from a domain to a workgroup is not just a matter of reloading the server. There are security ownership issues with files on the server and clients. You could have software problems on the clients if anyone was able to install software and has done so under the domain userid. I’m sure there are other things I can’t think of off the top of my head.



            • #1104405

              I’ve solved at least part of my problems by making locally logged in users administrators on their machines. I added Domain Users to the local administrative group, so that solves the problem with the software package we have.

              I also changed the DNS server entries on the firewall so that the server as well as our static IP would propagate to the workstations. That solved the name resolution problem. Mind you, the policy that changed is still in place somewhere, but it’s moot now that users can resolve names to IP addresses.

              Now, to figure out that VPN. I discovered that the Sonicwall firewall can also serve as a VPN endpoint – I’m starting to like the little device now, although it’s not as flexible as a server.

            • #1104407

              In desktop OSes other than Vista, running as a regular user is very problematic. But, it seems as though you are making good progress.



            • #1104410

              So true… you create a lot more administrative and support tasks because of poor multi-user support in earlier versions of Windows. The software that I mentioned earlier is from a major company, and is distributed far and wide – I can’t believe they don’t support a more modern security model. shrug It is what it is, I guess!

            • #1104420

              The problems you see from software vendors who should know better are enough to make you scream. Still writing to the “Program Files” or “Windows” folders is nuts. Most vendors just don’t see that sort of cleanup as vital. Because of limited resources and a never-ending list of changing requirements, they won’t do it until forced. With Vista & Windows Server 2008, Microsoft has taken the first steps to force them to clean up their acts.



            • #1104480

              The SonicWall VPN client has improved a lot in recent years. However, depending on your unit, you might need to purchase additional licenses. In some cases the bundled VPN licenses are only for connecting multiple SonicWall units to one another, and not for their end-user software.

            • #1104484

              That’s what I found out this afternoon whilst digging in the Sonicwall settings. The two high-end models support VPN licenses out of the box, but not the one we have – which will accept a max of ten, probably more than I will ever need it to handle. It might just be easier to get an older box, put it in the DMZ, and use it for tunneling.
