Re: what happened to my post re KB830063 - Browsing over VPN?

From: Wendigo (please_at_spam.me.co.uk)
Date: 04/20/04


Date: Tue, 20 Apr 2004 09:55:56 +0100

Marina

I have been following this post because I have exactly the same problem as
Richard and have changed quite a lot of my settings based on your comments.
I had a lot of WINS and DNS settings different.

While I have the same symptoms in that I can't browse through network
neighbourhood, I don't have two DNS entries like Richard. Some machines
respond to ping, some don't. I can remote desktop when connected. It is
painfully slow, even with a broadband connection. I can't test
things until I get home so I can't respond very quickly to suggestions, but
this thread has been invaluable even if it hasn't yet resolved the problem.

Last night I tried again, still with no joy, but things were a little
different, e.g. a Workgroup called 'Workgroup' appeared in the 'Microsoft
Windows Network' but I didn't have permission to view the resources!! OK,
it doesn't work, but things have changed and the more information that is
passed down, the more chance I (and Richard) have of understanding it. It
must be something, somewhere and it is probably the most insignificant
little setting somewhere. Personally, even if it takes weeks to sort this
out then it will still be worth it.

I think that so far, DNS, WINS and RRAS have pretty much been covered but
some confusion remains with the pros and cons of static vs dhcp. How about
machine settings? What difference does it make if the client is stand-alone
rather than a domain member? Some advice states that the machine can belong
to a workgroup with the same name as the domain. It didn't work for me but
maybe that was because of the other settings. My SBS installation was fresh
btw.

Basically, please don't give up. I've had this problem for months and this
is the first thread that has pursued it to this extent.

Regards

Darren

"Richard Prossor" <richard.prossor@prossor.com> wrote in message
news:c62ld7$4t8$1$8300dec7@news.demon.co.uk...
> Hi Marina
>
> I am trying to resolve the situation with the guidance from this newsgroup
> first before going down any other route.
>
> re the ipconfig you have posted - the obvious query is not the ip of the vpn
> client but the fact that the default gateway is blank. I am sure that with
> both dhcp and via static pool, my client gets a gateway of its own issued
> ip.
>
> Regards
>
> Richard
>
> "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> news:D4_gc.1551$%4.28994@typhoon.bart.nl...
> > Richard,
> >
> > Please, forget about that 830063 article. You really do NOT want to enable
> > netbios on your external nic. You're totally on your own if you persist on
> > that.
> >
> > You mentioned an ipconfig when vpn-ed in at your server. If everything would
> > be fine and assuming you are using DHCP to give IPs to rasclients, the
> > ipconfig should look something like this (if the internal serverIP would be
> > 192.1.1.2):
> >
> > PPP adapter VPN:
> > DHCP enabled: no
> > IP-address: 192.1.1.67
> > subnetmask: 255.255.255.255
> > Default gateway:
> > DNS: 192.1.1.2
> > WINS: 192.1.1.2
> >
> > --
> > Regards,
> >
> > Marina
> > Microsoft SBS-MVP
> >
> > "Richard Prossor" <richard.prossor@prossor.com> wrote in message
> > news:c607gk$sfc$1$830fa7a5@news.demon.co.uk...
> > > Hi Marina
> > >
> > > I am assuming that since my SBS server is
> > > prossornt01.prossorsnt.prossors.com, the domain name is
> > > prossorsnt.prossors.com and its parent is prossors.com. Since you advise to
> > > tick append parent suffixes both will appear.
> > >
> > > the drop down box in reverse look up zone properties - allow dynamic updates
> > > gives me three choices: "No", "Yes" and "Only secure updates". I have
> > > changed it from "Only secure updates" to "Yes"
> > >
> > > Under forward look up zone is the container "prossorsnt.prossors.com". The
> > > following are the only entries which do not specifically refer to an IP
> > > address in solely numeric form.
> > >
> > > Name                     Type   Data
> > > WPAD                     CNAME  prossornt01.prossorsnt.prossors.com
> > > (same as parent folder)  NS     prossornt01.prossorsnt.prossors.com
> > > (same as parent folder)  SOA    [4707], prossornt01.prossorsnt.prossors.com., admin.
> > > (same as parent folder)  WINS   [192.0.0.7]
> > > _udp
> > > _tcp
> > > _sites
> > > _msdcs
> > >
> > > In addition I have three further entries for (same as parent folder)
> > >
> > > (same as parent folder)  A      192.0.0.54
> > > (same as parent folder)  A      192.0.0.22
> > > (same as parent folder)  A      192.0.0.7
> > >
> > >
> > > There is no change in the operation of my system - I still cannot browse
> > > over VPN.
> > >
> > > Regards
> > >
> > > Richard
> > >
> > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> > > news:MOCgc.1508$%4.27397@typhoon.bart.nl...
> > > > Hi Richard,
> > > >
> > > > It should not add 2 suffixes on your nic.
> > > > I don't understand your changing dynamic updates to 'only secure'.
> > > > About 15: delete all records that don't belong to your internal network. If
> > > > you delete an internal one, don't bother, they will be created
> > > > automatically.
> > > > If you see the dot-folder (just a single dot), then delete it. Restart
> > > > DNS-server.
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > Marina
> > > > Microsoft SBS-MVP
> > > >
> > > > "Richard" <richard.prossor@prossor.com> wrote in message
> > > > news:c5un11$g3a$1@newsg1.svr.pol.co.uk...
> > > > > Hi Marina
> > > > >
> > > > > thanks for all your help on this. I've followed the instructions you sent
> > > > > (by the way appending parent suffix adds back the second entry showing
> > > > > prossors.com on the internal nic) - the only changes I have had to make are
> > > > > adding WINS-R in reverse look up and changing Dynamic updates to "yes" from
> > > > > "only secure" in the same area.
> > > > >
> > > > > However I am unsure what you meant by:
> > > > >
> > > > > > 15.) Delete any record which is not on the local internal subnet. If there
> > > > > > is a folder with a dot "." listed then delete it. (note- This indicates to
> > > > > > the server that it is the root server, which means do not go beyond this
> > > > > > server for name resolution.)
> > > > >
> > > > > do you mean delete the folders which start with underscore?
> > > > >
> > > > > Regards
> > > > >
> > > > > Richard
> > > > >
> > > > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> > > > > news:5i%fc.1477$%4.26398@typhoon.bart.nl...
> > > > > > You might have to check your DNS-configuration:
> > > > > >
> > > > > > Active Directory with DNS on the same server.
> > > > > >
> > > > > > TCP/IP settings
> > > > > >
> > > > > > Internal nic:
> > > > > > 1.) Right click "My network places" and select Properties.
> > > > > > 2.) For the LAN connection right click and select Properties.
> > > > > > 3.) On the properties page double click TCP/IP.
> > > > > > 4.) On the internal nic (when using 2 nics) the gateway should be blank. At
> > > > > > the bottom of the protocols page select Preferred DNS Server option and
> > > > > > enter the IP address for the server itself. Leave the alternate DNS server
> > > > > > IP blank.
> > > > > > 5.) On the DNS-tab, verify that the only DNS server is the server's internal
> > > > > > IP address. Make sure the "Append parent suffixes of the primary DNS suffix"
> > > > > > and "Register this connection's address in DNS" selection are checked.
> > > > > > 6.) On the WINS-tab, verify that the WINS address is the server's internal IP
> > > > > > address. Verify that "Enable LMHOSTS lookup" is checked and that "Enable
> > > > > > NetBIOS over TCP/IP" is selected.
> > > > > >
> > > > > > External nic:
> > > > > > 1.) Right click "My network places" and select Properties.
> > > > > > 2.) For the WAN connection right click and select Properties.
> > > > > > 3.) On the properties page double click TCP/IP.
> > > > > > 4.) The IP should be in a different range from the internal nic. At the
> > > > > > bottom of the protocols page select Preferred DNS Server option and enter
> > > > > > the IP address for the server itself. Leave the alternate DNS server IP
> > > > > > blank.
> > > > > > 5.) On the DNS-tab, verify that the only DNS server is the server's internal
> > > > > > IP address. Make sure the "Append parent suffixes of the primary DNS suffix"
> > > > > > and "Register this connection's address in DNS" selection are unchecked.
> > > > > > 6.) On the WINS-tab, verify that there are no WINS addresses listed. Verify
> > > > > > that "Enable LMHOSTS lookup" is checked and that "Disable NetBIOS over
> > > > > > TCP/IP" is selected. This will have the effect of allowing only the internal
> > > > > > nic to register with WINS. NetBIOS packets are blocked by internet routers,
> > > > > > so no NetBIOS over TCP/IP should be permitted on the external nic.
> > > > > >
> > > > > > DNS settings
> > > > > >
> > > > > > 1.) Open up the DNS console.
> > > > > > 2.) Once opened, right click on the server in the right hand pane and select
> > > > > > Properties.
> > > > > > 3.) On the Interfaces tab, set the server to listen only on its internal IP
> > > > > > Address.
> > > > > > 4.) On the "Forwarders" tab, check the "Enable forwarders" selection at the
> > > > > > top.
> > > > > > 5.) Add the ISP-DNS-numbers and click Apply. (note- In the TCP/IP settings,
> > > > > > we selected the choice for DNS to point to itself. If name resolution
> > > > > > cannot be resolved then a request is made to the forwarders. If resolution
> > > > > > cannot be made via the internal DNS and there are no forwarders listed, then
> > > > > > resolution will be made via the root hints.)
> > > > > > 6.) On the Monitoring tab, select simple and recursive test types and click
> > > > > > the Test now button. Both types should pass. Uncheck test types, click
> > > > > > Apply, then click OK.
> > > > > > 7.) Expand the containers beneath the server's name and click on the Reverse
> > > > > > lookup zone subnet. It should correspond to the network ID of the LAN with
> > > > > > an "x" in the last octet. If one is not present, create a Reverse lookup
> > > > > > zone, type Active Directory Integrated.
> > > > > > 8.) Verify that the server has a pointer record listed for its own IP.
> > > > > > 9.) Bring up the properties of the Reverse Lookup Zone subnet.
> > > > > > 10.) Click on the Name Servers tab. Verify that the nameserver is the
> > > > > > server's FQDN with only the internal IP address listed.
> > > > > > 11.) Click on the WINS-R tab. Enable WINS reverse lookup and enter the
> > > > > > domainname.
> > > > > > 12.) Click on the General tab and set "Allow dynamic updates?" to yes.
> > > > > > 13.) Click Apply, click OK.
> > > > > > 14.) Click on the "Forward Lookup Zone" beneath the container Forward Lookup
> > > > > > Zones.
> > > > > > 15.) Delete any record which is not on the local internal subnet. If there
> > > > > > is a folder with a dot "." listed then delete it. (note- This indicates to
> > > > > > the server that it is the root server, which means do not go beyond this
> > > > > > server for name resolution.)
> > > > > > 16.) Bring up the properties of the Forward Lookup Zone.
> > > > > > 17.) Click on the Name Servers tab. Verify that the nameserver is the
> > > > > > server's FQDN with only the internal IP address listed.
> > > > > > 18.) Click on the WINS-R tab. Enable WINS forward lookup and enter the
> > > > > > server's internal IP address and click the Add button.
> > > > > > 19.) Click on the General tab and set "Allow dynamic updates?" to yes.
> > > > > > 20.) Click Apply, click OK.
> > > > > > 21.) Restart DNS-server.
> > > > > >
> > > > > > Open up a command prompt and type the following:
> > > > > >
> > > > > > 1.) At the prompt type "ipconfig /flushdns" and wait for the services to
> > > > > > flush.
> > > > > > 2.) "ipconfig /registerdns" and wait for the services to register.
> > > > > > 3.) net stop netlogon
> > > > > > 4.) net start netlogon
> > > > > >
> > > > > > Once all of this is done, open the DNS console again. Expand the Forward
> > > > > > lookup zones, then expand the domain folder. You should see the underscore
> > > > > > folders below:
> > > > > >
> > > > > > _msdcs
> > > > > > _sites
> > > > > > _tcp
> > > > > > _udp
> > > > > >
> > > > > > --
> > > > > > Regards,
> > > > > >
> > > > > > Marina
> > > > > > Microsoft SBS-MVP
> > > >
> > > >
> > >
> > >
> >
> >
>
>
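
An added example, not part of the thread or of any poster's message: a Python sketch that parses `ipconfig /all`-style text and checks it against the internal/external NIC settings in the TCP/IP checklist quoted above. The adapter names, the sample output and the field labels (assumed to match English-language `ipconfig /all`, where "NetBIOS over Tcpip" is taken to appear only when disabled) are assumptions.

```python
import re
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")    # "Key . . . . : value"

def parse_ipconfig(text):
    """Parse `ipconfig /all`-style text into {adapter: {field: [values]}}."""
    adapters, current, last = {}, {}, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if not line[0].isspace():             # unindented line starts a new section
            current, last = adapters.setdefault(line.strip().rstrip(":"), {}), None
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            current[last] = [m.group(2)] if m.group(2) else []
        elif last:                            # bare value: an additional DNS/WINS server
            current[last].append(line.strip())
    return adapters

def audit(adapters, internal, external, server_ip):
    """Return deviations from the two-NIC checklist quoted in the thread."""
    lan, wan = adapters[internal], adapters[external]
    checks = [
        (not lan.get("Default Gateway"), "internal: gateway should be blank"),
        (lan.get("DNS Servers") == [server_ip], "internal: only DNS server must be the server itself"),
        (lan.get("Primary WINS Server") == [server_ip], "internal: WINS must be the server's internal IP"),
        (lan.get("NetBIOS over Tcpip") != ["Disabled"], "internal: NetBIOS over TCP/IP must be enabled"),
        (wan.get("DNS Servers") == [server_ip], "external: only DNS server must be the server's internal IP"),
        (not wan.get("Primary WINS Server"), "external: no WINS address should be listed"),
        (wan.get("NetBIOS over Tcpip") == ["Disabled"], "external: NetBIOS over TCP/IP must be disabled"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample (not from the thread), trimmed to the fields the audit reads.
SAMPLE = """\
Ethernet adapter LAN:
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.1.1.2
   Primary WINS Server . . . . . . . : 192.1.1.2

Ethernet adapter WAN:
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 192.1.1.2
                                       198.51.100.53
   Primary WINS Server . . . . . . . : 192.1.1.2
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_ipconfig(SAMPLE), "Ethernet adapter LAN", "Ethernet adapter WAN", "192.1.1.2")))
```

On the constructed sample the audit reports three external-NIC deviations: a second DNS server on a continuation line, a WINS address, and NetBIOS over TCP/IP not disabled.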