Re: VPN generates Internal Network logon problem



I'll run these tests after 5PM EST and get back to you with the results.

In general though, <FYI> this installation has been trouble free for many
years now. Thinking back, I believe (subjective) that it might be
coincident with the ISA 2004 upgrade. Hard to tell exactly when, as until now
we didn't want to run a VPN all the time.

As a fallback position I believe that I probably could put a VPN router in
place, but I really don't want to do that as it defeats ISA 2004 firewall.

Allan
"Crina Li" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:76niBHXqGHA.5740@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Allan,

Thank you for posting in SBS newsgroup.

I am sorry for the delayed response due to weekend. Please understand that
the newsgroups are staffed weekdays by Microsoft Support professionals to
answer your systems and applications questions. Your understanding is
greatly appreciated!

From your description, I understand the issue to be: the internal net logon
turns slow after someone VPNs to SBS. After a reboot, the issue
disappears. However there are 4004 and 4015 DNS errors in the event log. If
I have misunderstood your concerns, please do not hesitate to let me know.

As I know, 4004 and 4015 could be caused by various network
mis-configurations. I would suggest using the CEICW to default the network
configuration.

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

In addition, you could check the following settings to confirm network
configuration. Regarding the slow logon issue, please make sure the clients
are pointing to only the SBS server.

For 2 NICs on SBS:

On SBS server:

External NIC:
IP: assigned by your ISP or your hardware router
Gateway: your ISP or your Hardware router IP
DNS: SBS INTERNAL NIC IP as the only entry

Internal NIC:
IP: Fixed IP
Gateway: None
DNS: SBS INTERNAL NIC IP as the only entry

In the DNS console (dnsmgmt.msc), right click your ServerName and click
properties. In the Forwarders tab, your ISP DNS server IP should be
inputted there.

On workstation inside your SBS local subnet

IP: Assigned by DHCP on SBS
Gateway: SBS internal NIC IP
DNS: SBS INTERNAL NIC IP as the only entry

Also the events 4004 and 4015 may be logged if the DNS zone information is
corrupted. Let's perform these steps:

A. Open Active Directory Users and Computers, click View, Advanced.
B. Expand domain.local -> System -> MicrosoftDNS and delete domain.local.
C. Open the DNS console, expand Forward Lookup Zones.
D. Click _msdcs.domain.local and delete the Alias for
sbsserver.domain.local (the long GUID entry).

NOTE: If the _msdcs folder is missing under domain.local, please create a
new delegation: Right-click domain.local, select new, then delegation,
click next on the wizard, under delegated domain, type in _msdcs and click
next, click Add and browse to the server's A record under Forward Lookup
Zones, domain.local, click OK and Finish.

F. Run these commands:

ipconfig /flushdns
ipconfig /registerdns

net stop netlogon
net start netlogon

net stop dns
net start dns

And then check if the events 4015 and 4004 are still being logged.

I appreciate your time and look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Allan Sabiski" <allans*nospam*@ics-limited.com>
| Subject: VPN generates Internal Network logon problem
| Date: Fri, 14 Jul 2006 16:59:56 -0400
| Newsgroups: microsoft.public.windows.server.sbs
|
| We have a SBS2003 premium with ISA 2004.
|
| Most times, whenever someone logs in and out via VPN, existing connections
| seem to be fine, however, when a client logs in after the VPN connection,
| then the NETLOGON process (and all other authentication) is painfully slow.
| DHCP seems to also sometimes fail to generate a DHCP address to the client.
|
| When the problem exists, there are no error messages reported at the server,
| the server health status seems to be fine.
|
| The problem is cleared by rebooting the server and clients. This does seem
| to show some DNS error records. 4004 Unable to complete directory service
| enumeration and 4015 DNS server encountered a critical error from the Active
| Directory extended error 51.
|
| Under normal circumstances without using VPN there seem to be no errors and
| everything runs normal.
|
| Any ideas where to start looking ?
|
| Thanx
| Allan
|
|
|
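
The NIC checklist in the quoted reply (SBS internal NIC IP as the only DNS entry on every adapter, no gateway on the internal NIC) can be checked against saved `ipconfig /all` output from the server and the workstations. The script below is an added example, not part of the original thread; the addresses and the sample output are constructed, and the internal NIC is assumed to be the adapter that holds the SBS internal IP.

```python
import re

SBS_INTERNAL_IP = "192.168.16.2"   # constructed value, not from the thread

# Constructed `ipconfig /all` excerpt (Windows Server 2003 layout), two NICs.
SAMPLE = """\
Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 203.0.113.10
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       192.168.16.2

Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 192.168.16.2
   Default Gateway . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2
"""

FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)(?:\s*\.)+\s*:\s*(.*)$")

def parse_adapters(text):
    """Map adapter name -> {field: [values]}, folding continuation lines."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
            last = None
        elif current is not None and (m := FIELD.match(line)):
            last = current.setdefault(m.group(1), [])
            if m.group(2).strip():
                last.append(m.group(2).strip())
        elif current is not None and last is not None and line.strip():
            last.append(line.strip())   # extra value under the previous field
    return adapters

def audit(text, sbs_ip=SBS_INTERNAL_IP):
    """Return (adapter, problem) pairs that break the checklist above."""
    findings = []
    for name, f in parse_adapters(text).items():
        dns = f.get("DNS Servers", [])
        if dns != [sbs_ip]:
            findings.append((name, "DNS is %s, expected only %s" % (dns, sbs_ip)))
        if sbs_ip in f.get("IP Address", []) and f.get("Default Gateway"):
            findings.append((name, "internal NIC has a default gateway"))
    return findings

if __name__ == "__main__":
    for adapter, problem in audit(SAMPLE):
        print(adapter + ": " + problem)
```
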


