Re: what happened to my post re KB830063 - Browsing over VPN?

From: Marina Roos [SBS-MVP] (marina_at_roos.nodontwantspam.nl.com)
Date: 04/20/04


Date: Tue, 20 Apr 2004 12:29:32 +0200

Is the vpn-client part of the domain or not? What OS on that vpnclient?

-- 
Regards,
Marina
Microsoft SBS-MVP
"Wendigo" <please@spam.me.co.uk> wrote in message
news:%23UfaWVrJEHA.3704@TK2MSFTNGP11.phx.gbl...
> Marina
>
> I have been following this post because I have exactly the same problem as
> Richard and have changed quite a lot of my settings based on your comments.
> I had a lot of WINS and DNS settings different.
>
> While I have the same symptoms in that I can't browse through network
> neighbourhood, I don't have two DNS entries like Richard.  Some machines
> respond to ping, some don't.  I can remote desktop when connected.  It is
> painfully slow, even with a broadband connection.  I can't test
> things until I get home so I can't respond very quickly to suggestions, but
> this thread has been invaluable even if it hasn't yet resolved the problem.
>
> Last night I tried again, still with no joy, but things were a little
> different, e.g. a Workgroup, called 'Workgroup' appeared in the 'Microsoft
> Windows Network' but I didn't have permission to view the resources!!  Ok,
> it doesn't work, but things have changed and the more information that is
> passed down, the more chance I (and Richard) have of understanding it.  It
> must be something, somewhere and it is probably the most insignificant
> little setting somewhere.  Personally, even if it
> takes weeks to sort this out then it will still be worth it.
>
> I think that so far, DNS, WINS and RRAS have pretty much been covered but
> some confusion remains with the pros and cons of static vs dhcp.  How about
> machine settings?  What difference does it make if the client is stand-alone
> rather than a domain member?  Some advice states that the machine can belong
> to a workgroup with the same name as the domain.  It didn't work for me but
> maybe that was because of the other settings.  My SBS installation was fresh
> btw.
>
> Basically, please don't give up.  I've had this problem for months and this
> is the first thread that has pursued it to this extent.
>
> Regards
>
> Darren
>
> "Richard Prossor" <richard.prossor@prossor.com> wrote in message
> news:c62ld7$4t8$1$8300dec7@news.demon.co.uk...
> > Hi Marina
> >
> > I am trying to resolve the situation with the guidance from this newsgroup
> > first before going down any other route.
> >
> > re the ipconfig you have posted - the obvious query is not the ip of the vpn
> > client but the fact that the default gateway is blank. I am sure that with
> > both dhcp and via static pool, my client gets a gateway of its own issued
> > ip.
> >
> > Regards
> >
> > Richard
> >
> > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> > news:D4_gc.1551$%4.28994@typhoon.bart.nl...
> > > Richard,
> > >
> > > Please, forget about that 830063 article. You really do NOT want to enable
> > > netbios on your external nic. You're totally on your own if you persist on
> > > that.
> > >
> > > You mentioned an ipconfig when vpn-ed in at your server. If everything would
> > > be fine and assuming you are using DHCP to give IP's to rasclients, the
> > > ipconfig should look something like this (if the internal serverIP would be
> > > 192.1.1.2):
> > >
> > > PPP adapter VPN:
> > > DHCP enabled:    no
> > > IP-address:        192.1.1.67
> > > subnetmask:        255.255.255.255
> > > Default gateway:
> > > DNS:            192.1.1.2
> > > WINS:        192.1.1.2
> > >
> > > --
> > > Regards,
> > >
> > > Marina
> > > Microsoft SBS-MVP
> > >
> > > "Richard Prossor" <richard.prossor@prossor.com> wrote in message
> > > news:c607gk$sfc$1$830fa7a5@news.demon.co.uk...
> > > > Hi Marina
> > > >
> > > > I am assuming that since my SBS server is
> > > > prossornt01.prossorsnt.prossors.com, the domain name is
> > > > prossorsnt.prossors.com and its parent is prossors.com. Since you advise to
> > > > tick append parent suffixes both will appear.
> > > >
> > > > the drop down box in reverse look up zone properties - allow dynamic updates
> > > > gives me three choices: "No", "Yes" and "Only secure updates". I have
> > > > changed it from "Only secure updates" to "Yes"
> > > >
> > > > Under forward look up zone is the container "prossorsnt.prossors.com". The
> > > > following are the only entries which do not specifically refer to an IP
> > > > address in solely numeric form.
> > > >
> > > > Name                      Type    Data
> > > > WPAD                      CNAME   prossornt01.prossorsnt.prossors.com
> > > > (same as parent folder)   NS      prossornt01.prossorsnt.prossors.com
> > > > (same as parent folder)   SOA     [4707], prossornt01.prossorsnt.prossors.com., admin.
> > > > (same as parent folder)   WINS    [192.0.0.7]
> > > > _udp
> > > > _tcp
> > > > _sites
> > > > _msdcs
> > > >
> > > > In addition I have three further entries for (same as parent folder)
> > > >
> > > > (same as parent folder)   A       192.0.0.54
> > > > (same as parent folder)   A       192.0.0.22
> > > > (same as parent folder)   A       192.0.0.7
> > > >
> > > >
> > > > There is no change in the operation of my system - I still cannot browse
> > > > over VPN.
> > > >
> > > > Regards
> > > >
> > > > Richard
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> > > > news:MOCgc.1508$%4.27397@typhoon.bart.nl...
> > > > > Hi Richard,
> > > > >
> > > > > It should not add 2 suffixes on your nic.
> > > > > I don't understand your changing dynamic updates to 'only secure'.
> > > > > About 15: delete all records that don't belong to your internal network. If
> > > > > you delete an internal one, don't bother, they will be created
> > > > > automatically.
> > > > > If you see the dot-folder (just a single dot), then delete it. Restart
> > > > > DNS-server.
> > > > >
> > > > > --
> > > > > Regards,
> > > > >
> > > > > Marina
> > > > > Microsoft SBS-MVP
> > > > >
> > > > > "Richard" <richard.prossor@prossor.com> wrote in message
> > > > > news:c5un11$g3a$1@newsg1.svr.pol.co.uk...
> > > > > > Hi Marina
> > > > > >
> > > > > > thanks for all your help on this. I've followed the instructions you sent
> > > > > > (by the way appending parent suffix adds back the second entry showing
> > > > > > prossors.com on the internal nic) - the only changes I have had to make are
> > > > > > adding WINS-R in reverse look up and changing Dynamic updates to "yes" from
> > > > > > "only secure" in the same area.
> > > > > >
> > > > > > However I am unsure what you meant by:
> > > > > >
> > > > > > > 15.) Delete any record which is not on the local internal subnet. If there
> > > > > > > is a folder with a dot "."  listed then delete it. (note- This indicates to
> > > > > > > the server that it is the root server, which means do not go beyond this
> > > > > > > server for name resolution.)
> > > > > >
> > > > > > do you mean delete the folders which start with underscore?
> > > > > >
> > > > > > Regards
> > > > > >
> > > > > > Richard
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in message
> > > > > > news:5i%fc.1477$%4.26398@typhoon.bart.nl...
> > > > > > > You might have to check your DNS-configuration:
> > > > > > >
> > > > > > > Active Directory with DNS on the same server.
> > > > > > >
> > > > > > > TCP/IP settings
> > > > > > >
> > > > > > > Internal nic:
> > > > > > > 1.) Right click "My network places" and select Properties.
> > > > > > > 2.) For the LAN connection right click and select Properties.
> > > > > > > 3.) On the properties page double click TCP/IP.
> > > > > > > 4.) On the internal nic (when using 2 nics) the gateway should be blank. At
> > > > > > > the bottom of the protocols page select Preferred DNS Server option and
> > > > > > > enter the IP address for the server itself. Leave the alternate DNS server
> > > > > > > IP blank.
> > > > > > > 5.) On the DNS-tab, verify that the only DNS server is the server's internal
> > > > > > > IP address. Make sure the "Append parent suffixes of the primary DNS suffix"
> > > > > > > and "Register this connection's address in DNS" selection are checked.
> > > > > > > 6.) On the WINS-tab, verify that the WINS address is the server's internal IP
> > > > > > > address. Verify that "Enable LMHOSTS lookup" is checked and that "Enable
> > > > > > > NetBIOS over TCP/IP" is selected.
> > > > > > >
> > > > > > > External nic:
> > > > > > > 1.) Right click "My network places" and select Properties.
> > > > > > > 2.) For the WAN connection right click and select Properties.
> > > > > > > 3.) On the properties page double click TCP/IP.
> > > > > > > 4.) The IP should be in a different range from the internal nic. At the
> > > > > > > bottom of the protocols page select Preferred DNS Server option and enter
> > > > > > > the IP address for the server itself. Leave the alternate DNS server IP
> > > > > > > blank.
> > > > > > > 5.) On the DNS-tab, verify that the only DNS server is the server's internal
> > > > > > > IP address. Make sure the "Append parent suffixes of the primary DNS suffix"
> > > > > > > and "Register this connection's address in DNS" selection are unchecked.
> > > > > > > 6.) On the WINS-tab, verify that there are no WINS addresses listed. Verify
> > > > > > > that "Enable LMHOSTS lookup" is checked and that "Disable NetBIOS over
> > > > > > > TCP/IP" is selected. This will have the effect of allowing only the internal
> > > > > > > nic to register with WINS. NetBIOS packets are blocked by internet routers,
> > > > > > > so no NetBIOS over TCP/IP should be permitted on the external nic.
> > > > > > >
> > > > > > >
> > > > > > > DNS settings
> > > > > > >
> > > > > > > 1.) Open up the DNS console.
> > > > > > > 2.) Once opened, right click on the server in the right hand pane and select
> > > > > > > Properties.
> > > > > > > 3.) On the Interfaces tab, set the server to listen only on its internal IP
> > > > > > > Address.
> > > > > > > 4.) On the "Forwarders" tab, check the "Enable forwarders" selection at the
> > > > > > > top.
> > > > > > > 5.) Add the ISP-DNS-numbers and click Apply. (note- In the TCP/IP settings,
> > > > > > > we selected the choice for DNS to point to itself.  If name resolution
> > > > > > > cannot be resolved then a request is made to the forwarders. If resolution
> > > > > > > cannot be made via the internal DNS and there are no forwarders listed, then
> > > > > > > resolution will be made via the root hints.)
> > > > > > > 6.) On the Monitoring tab, select simple and recursive test types and click
> > > > > > > the Test now button. Both types should pass. Uncheck test types, click
> > > > > > > Apply, then click OK.
> > > > > > > 7.) Expand the containers beneath the server's name and click on the Reverse
> > > > > > > lookup zone subnet. It should correspond to the network ID of the LAN with
> > > > > > > an "x" in the last octet. If one is not present, create a Reverse lookup
> > > > > > > zone, type Active Directory Integrated.
> > > > > > > 8.) Verify that the server has a pointer record listed for its own IP.
> > > > > > > 9.) Bring up the properties of the Reverse Lookup Zone subnet.
> > > > > > > 10.) Click on the Name Servers tab. Verify that the nameserver is the
> > > > > > > server's FQDN with only the internal IP address listed.
> > > > > > > 11.) Click on the WINS-R tab. Enable WINS reverse lookup and enter the
> > > > > > > domainname.
> > > > > > > 12.) Click on the General tab and set "Allow dynamic updates?" to yes.
> > > > > > > 13.) Click Apply, click OK.
> > > > > > > 14.) Click on the "Forward Lookup Zone" beneath the container Forward Lookup
> > > > > > > Zones.
> > > > > > > 15.) Delete any record which is not on the local internal subnet. If there
> > > > > > > is a folder with a dot "."  listed then delete it. (note- This indicates to
> > > > > > > the server that it is the root server, which means do not go beyond this
> > > > > > > server for name resolution.)
> > > > > > > 16.) Bring up the properties of the Forward Lookup Zone.
> > > > > > > 17.) Click on the Name Servers tab. Verify that the nameserver is the
> > > > > > > server's FQDN with only the internal IP address listed.
> > > > > > > 18.) Click on the WINS-R tab. Enable WINS forward lookup and enter the
> > > > > > > server's internal IP address and click the Add button.
> > > > > > > 19.) Click on the General tab and set "Allow dynamic updates?" to yes.
> > > > > > > 20.) Click Apply, click OK.
> > > > > > > 21.) Restart DNS-server.
> > > > > > >
> > > > > > > Open up a command prompt and type the following:
> > > > > > >
> > > > > > > 1.) At the prompt type "ipconfig /flushdns" and wait for the services to
> > > > > > > flush.
> > > > > > > 2.) "ipconfig /registerdns" and wait for the services to register.
> > > > > > > 3.) net stop netlogon
> > > > > > > 4.) net start netlogon
> > > > > > >
> > > > > > > Once all of this is done, open the DNS console again.  Expand the Forward
> > > > > > > lookup zones, then expand the domain folder.  You should see the underscore
> > > > > > > folders below:
> > > > > > >
> > > > > > > _msdcs
> > > > > > > _sites
> > > > > > > _tcp
> > > > > > > _udp
> > > > > > >
> > > > > > > --
> > > > > > > Regards,
> > > > > > >
> > > > > > > Marina
> > > > > > > Microsoft SBS-MVP
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
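
Added example (not part of the original thread): a small Python audit that encodes the internal/external nic checklist and step 15 of the DNS checklist quoted above, run over constructed settings. The addresses, the dictionary keys and the function names `audit_nic` and `audit_forward_zone` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values; none of these come from the thread.
SERVER_IP = "192.168.16.2"
INTERNAL_NET = ipaddress.ip_network("192.168.16.0/24")

def audit_nic(nic, role):
    """Check one adapter's settings against the checklist; return findings."""
    internal = role == "internal"
    findings = []
    if internal and nic["gateway"]:
        findings.append("internal nic: default gateway should be blank")
    if not internal and ipaddress.ip_address(nic["ip"]) in INTERNAL_NET:
        findings.append("external nic: IP must be outside the internal range")
    if nic["dns"] != [SERVER_IP]:
        findings.append(f"{role} nic: only DNS server must be {SERVER_IP}")
    if nic["wins"] != ([SERVER_IP] if internal else []):
        findings.append(f"{role} nic: WINS list is wrong for this role")
    # Checked/enabled on the internal nic, unchecked/disabled on the external.
    for key in ("append_parent_suffixes", "register_in_dns", "netbios_over_tcpip"):
        if nic[key] != internal:
            findings.append(f"{role} nic: {key} should be {internal}")
    if not nic["lmhosts_lookup"]:
        findings.append(f"{role} nic: LMHOSTS lookup should be enabled")
    return findings

def audit_forward_zone(records):
    """Step 15: flag a root '.' folder and A records off the internal subnet."""
    findings = []
    for name, rtype, data in records:
        if name == ".":
            findings.append("root '.' folder present: delete it")
        elif rtype == "A" and ipaddress.ip_address(data) not in INTERNAL_NET:
            findings.append(f"A record {data} is not on the internal subnet")
    return findings

EXTERNAL_NIC = {  # constructed: NetBIOS and WINS left enabled on the WAN side
    "ip": "203.0.113.10", "gateway": "203.0.113.1", "dns": [SERVER_IP],
    "wins": [SERVER_IP], "append_parent_suffixes": False,
    "register_in_dns": False, "netbios_over_tcpip": True, "lmhosts_lookup": True,
}
# Constructed zone contents: "@" stands for "(same as parent folder)".
ZONE = [("@", "A", "192.168.16.2"), ("@", "A", "203.0.113.10"), (".", "", "")]

if __name__ == "__main__":
    for line in audit_nic(EXTERNAL_NIC, "external") + audit_forward_zone(ZONE):
        print(line)
```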