Re: what happened to my post re KB830063 - Browsing over VPN?

From: Marina Roos [SBS-MVP] (marina_at_roos.nodontwantspam.nl.com)
Date: 04/20/04


Date: Tue, 20 Apr 2004 12:28:29 +0200

No Richard, I've posted an ipconfig/all from a VPN-client.

-- 
Regards,
Marina
Microsoft SBS-MVP
"Richard Prossor" <richard.prossor@prossor.com> wrote in message
news:c62ld7$4t8$1$8300dec7@news.demon.co.uk...
> Hi Marina
>
> I am trying to resolve the situation with the guidance from this newsgroup
> first before going down any other route.
>
> re the ipconfig you have posted - the obvious query is not the ip of the
> vpn client but the fact that the default gateway is blank. I am sure that
> with both dhcp and via static pool, my client gets a gateway of its own
> issued ip.
>
> Regards
>
> Richard
>
> "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> news:D4_gc.1551$%4.28994@typhoon.bart.nl...
> > Richard,
> >
> > Please, forget about that 830063 article. You really do NOT want to enable
> > netbios on your external nic. You're totally on your own if you persist on
> > that.
> >
> > You mentioned an ipconfig when vpn-ed in at your server. If everything would
> > be fine and assuming you are using DHCP to give IPs to rasclients, the
> > ipconfig should look something like this (if the internal serverIP would be
> > 192.1.1.2):
> >
> > PPP adapter VPN:
> > DHCP enabled:    no
> > IP-address:        192.1.1.67
> > subnetmask:        255.255.255.255
> > Default gateway:
> > DNS:            192.1.1.2
> > WINS:        192.1.1.2
> >
> > --
> > Regards,
> >
> > Marina
> > Microsoft SBS-MVP
> >
> > "Richard Prossor" <richard.prossor@prossor.com> wrote in message
> > news:c607gk$sfc$1$830fa7a5@news.demon.co.uk...
> > > Hi Marina
> > >
> > > I am assuming that since my SBS server is
> > > prossornt01.prossorsnt.prossors.com, the domain name is
> > > prossorsnt.prossors.com and its parent is prossors.com. Since you advise to
> > > tick append parent suffixes both will appear.
> > >
> > > the drop down box in reverse look up zone properties - allow dynamic updates
> > > gives me three choices: "No", "Yes" and "Only secure updates". I have
> > > changed it from "Only secure updates" to "Yes"
> > >
> > > Under forward look up zone is the container "prossorsnt.prossors.com". The
> > > following are the only entries which do not specifically refer to an IP
> > > address in solely numeric form.
> > >
> > > Name                      Type    Data
> > > WPAD                      CNAME   prossornt01.prossorsnt.prossors.com
> > > (same as parent folder)   NS      prossornt01.prossorsnt.prossors.com
> > > (same as parent folder)   SOA     [4707], prossornt01.prossorsnt.prossors.com., admin.
> > > (same as parent folder)   WINS    [192.0.0.7]
> > > _udp
> > > _tcp
> > > _sites
> > > _msdcs
> > >
> > > In addition I have three further entries for (same as parent folder)
> > >
> > > (same as parent folder)   A       192.0.0.54
> > > (same as parent folder)   A       192.0.0.22
> > > (same as parent folder)   A       192.0.0.7
> > >
> > >
> > > There is no change in the operation of my system - I still cannot browse
> > > over VPN.
> > >
> > > Regards
> > >
> > > Richard
> > >
> > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> > > news:MOCgc.1508$%4.27397@typhoon.bart.nl...
> > > > Hi Richard,
> > > >
> > > > It should not add 2 suffixes on your nic.
> > > > I don't understand your changing dynamic updates to 'only secure'.
> > > > About 15: delete all records that don't belong to your internal network. If
> > > > you delete an internal one, don't bother, they will be created
> > > > automatically.
> > > > If you see the dot-folder (just a single dot), then delete it. Restart
> > > > DNS-server.
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > Marina
> > > > Microsoft SBS-MVP
> > > >
> > > > "Richard" <richard.prossor@prossor.com> wrote in message
> > > > news:c5un11$g3a$1@newsg1.svr.pol.co.uk...
> > > > > Hi Marina
> > > > >
> > > > > thanks for all your help on this. I've followed the instructions you sent
> > > > > (by the way appending parent suffix adds back the second entry showing
> > > > > prossors.com on the internal nic) - the only changes I have had to make are
> > > > > adding WINS-R in reverse look up and changing Dynamic updates to "yes" from
> > > > > "only secure" in the same area.
> > > > >
> > > > > However I am unsure what you meant by:
> > > > >
> > > > > > 15.) Delete any record which is not on the local internal subnet. If there
> > > > > > is a folder with a dot "." listed then delete it. (note- This indicates to
> > > > > > the server that it is the root server, which means do not go beyond this
> > > > > > server for name resolution.)
> > > > >
> > > > > do you mean delete the folders which start with underscore?
> > > > >
> > > > > Regards
> > > > >
> > > > > Richard
> > > > >
> > > > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> > > > > news:5i%fc.1477$%4.26398@typhoon.bart.nl...
> > > > > > You might have to check your DNS-configuration:
> > > > > >
> > > > > > Active Directory with DNS on the same server.
> > > > > >
> > > > > > TCP/IP settings
> > > > > >
> > > > > > Internal nic:
> > > > > > 1.) Right click "My network places" and select Properties.
> > > > > > 2.) For the LAN connection right click and select Properties.
> > > > > > 3.) On the properties page double click TCP/IP.
> > > > > > 4.) On the internal nic (when using 2 nics) the gateway should be blank. At
> > > > > > the bottom of the protocols page select Preferred DNS Server option and
> > > > > > enter the IP address for the server itself. Leave the alternate DNS server
> > > > > > IP blank.
> > > > > > 5.) On the DNS-tab, verify that the only DNS server is the server's internal
> > > > > > IP address. Make sure the "Append parent suffixes of the primary DNS suffix"
> > > > > > and "Register this connection's address in DNS" selection are checked.
> > > > > > 6.) On the WINS-tab, verify that the WINS address is the server's internal IP
> > > > > > address. Verify that "Enable LMHOSTS lookup" is checked and that "Enable
> > > > > > NetBIOS over TCP/IP" is selected.
> > > > > >
> > > > > > External nic:
> > > > > > 1.) Right click "My network places" and select Properties.
> > > > > > 2.) For the WAN connection right click and select Properties.
> > > > > > 3.) On the properties page double click TCP/IP.
> > > > > > 4.) The IP should be in a different range from the internal nic. At the
> > > > > > bottom of the protocols page select Preferred DNS Server option and enter
> > > > > > the IP address for the server itself. Leave the alternate DNS server IP
> > > > > > blank.
> > > > > > 5.) On the DNS-tab, verify that the only DNS server is the server's internal
> > > > > > IP address. Make sure the "Append parent suffixes of the primary DNS suffix"
> > > > > > and "Register this connection's address in DNS" selection are unchecked.
> > > > > > 6.) On the WINS-tab, verify that there are no WINS addresses listed. Verify
> > > > > > that "Enable LMHOSTS lookup" is checked and that "Disable NetBIOS over
> > > > > > TCP/IP" is selected. This will have the effect of allowing only the internal
> > > > > > nic to register with WINS. NetBIOS packets are blocked by internet routers,
> > > > > > so no NetBIOS over TCP/IP should be permitted on the external nic.
> > > > > >
> > > > > >
> > > > > > DNS settings
> > > > > >
> > > > > > 1.) Open up the DNS console.
> > > > > > 2.) Once opened, right click on the server in the right hand pane and select
> > > > > > Properties.
> > > > > > 3.) On the Interfaces tab, set the server to listen only on its internal IP
> > > > > > Address.
> > > > > > 4.) On the "Forwarders" tab, check the "Enable forwarders" selection at the
> > > > > > top.
> > > > > > 5.) Add the ISP-DNS-numbers and click Apply. (note- In the TCP/IP settings,
> > > > > > we selected the choice for DNS to point to itself. If name resolution
> > > > > > cannot be resolved then a request is made to the forwarders. If resolution
> > > > > > cannot be made via the internal DNS and there are no forwarders listed, then
> > > > > > resolution will be made via the root hints.)
> > > > > > 6.) On the Monitoring tab, select simple and recursive test types and click
> > > > > > the Test now button. Both types should pass. Uncheck test types, click
> > > > > > Apply, then click OK.
> > > > > > 7.) Expand the containers beneath the server's name and click on the Reverse
> > > > > > lookup zone subnet. It should correspond to the network ID of the LAN with
> > > > > > an "x" in the last octet. If one is not present, create a Reverse lookup
> > > > > > zone, type Active Directory Integrated.
> > > > > > 8.) Verify that the server has a pointer record listed for its own IP.
> > > > > > 9.) Bring up the properties of the Reverse Lookup Zone subnet.
> > > > > > 10.) Click on the Name Servers tab. Verify that the nameserver is the
> > > > > > server's FQDN with only the internal IP address listed.
> > > > > > 11.) Click on the WINS-R tab. Enable WINS reverse lookup and enter the
> > > > > > domain name.
> > > > > > 12.) Click on the General tab and set "Allow dynamic updates?" to yes.
> > > > > > 13.) Click Apply, click OK.
> > > > > > 14.) Click on the "Forward Lookup Zone" beneath the container Forward Lookup
> > > > > > Zones.
> > > > > > 15.) Delete any record which is not on the local internal subnet. If there
> > > > > > is a folder with a dot "." listed then delete it. (note- This indicates to
> > > > > > the server that it is the root server, which means do not go beyond this
> > > > > > server for name resolution.)
> > > > > > 16.) Bring up the properties of the Forward Lookup Zone.
> > > > > > 17.) Click on the Name Servers tab. Verify that the nameserver is the
> > > > > > server's FQDN with only the internal IP address listed.
> > > > > > 18.) Click on the WINS-R tab. Enable WINS forward lookup and enter the
> > > > > > server's internal IP address and click the Add button.
> > > > > > 19.) Click on the General tab and set "Allow dynamic updates?" to yes.
> > > > > > 20.) Click Apply, click OK.
> > > > > > 21.) Restart DNS-server.
> > > > > >
> > > > > > Open up a command prompt and type the following:
> > > > > >
> > > > > > 1.) At the prompt type "ipconfig /flushdns" and wait for the services to
> > > > > > flush.
> > > > > > 2.) "ipconfig /registerdns" and wait for the services to register.
> > > > > > 3.) net stop netlogon
> > > > > > 4.) net start netlogon
> > > > > >
> > > > > > Once all of this is done, open the DNS console again. Expand the Forward
> > > > > > lookup zones, then expand the domain folder. You should see the underscore
> > > > > > folders below:
> > > > > >
> > > > > > _msdcs
> > > > > > _sites
> > > > > > _tcp
> > > > > > _udp
> > > > > >
> > > > > > --
> > > > > > Regards,
> > > > > >
> > > > > > Marina
> > > > > > Microsoft SBS-MVP
> > > >
> > > >
> > >
> > >
> >
> >
>
>
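
Added example, not part of the original thread or written by any of its posters: a small audit of a forward lookup zone against step 15 of the quoted checklist (records outside the internal subnet, a "." root folder) and against the underscore folders the checklist expects to see afterwards. The tuple record format, the `audit_zone` helper, the host names and the 192.168.16.0/24 LAN are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of a forward lookup zone as (name, type, data) tuples.
# "@" stands for "(same as parent folder)"; FOLDER marks a sub-container.
# Names, addresses and the 192.168.16.0/24 LAN are assumptions, not thread data.
SAMPLE_ZONE = [
    ("@", "NS", "server01.example.local."),
    ("@", "A", "192.168.16.2"),       # internal NIC
    ("@", "A", "203.0.113.10"),       # external NIC registered itself
    ("@", "A", "169.254.40.7"),       # auto-configured address on a RAS interface
    ("server01", "A", "192.168.16.2"),
    ("ws05", "A", "192.168.16.31"),
    ("_msdcs", "FOLDER", ""),
    (".", "FOLDER", ""),              # root zone: server acts as a root server
]

# Folders the checklist says should be present under the domain folder.
EXPECTED_FOLDERS = {"_msdcs", "_sites", "_tcp", "_udp"}


def audit_zone(records, internal_cidr):
    """Return (findings, missing_folders) for one forward lookup zone."""
    lan = ipaddress.ip_network(internal_cidr)
    findings, folders = [], set()
    for name, rtype, data in records:
        if rtype == "FOLDER":
            folders.add(name)
            if name == ".":
                findings.append(("root-zone", name, data))
        elif rtype == "A":
            try:
                addr = ipaddress.ip_address(data)
            except ValueError:
                findings.append(("bad-address", name, data))
                continue
            if addr not in lan:
                findings.append(("off-subnet", name, data))
    return findings, sorted(EXPECTED_FOLDERS - folders)


if __name__ == "__main__":
    findings, missing = audit_zone(SAMPLE_ZONE, "192.168.16.0/24")
    for kind, name, data in findings:
        print(f"{kind:12} {name:10} {data}")
    print("missing folders:", ", ".join(missing) or "none")
```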