Channel: Network Infrastructure Servers forum

RAAS Not Assigning Connection specific DNS Suffix


Hello,

I have set up Server 2012 with roles Primary DC, RAAS, DHCP and DNS. SSTP has been configured as the type of VPN.

My server is on the 10.0.0.0/24 network. Under IPv4 Address Assignment a static pool has been configured in the 10.0.98.0/24 range, instead of the default "use DHCP".

Enable broadcast name resolution is ticked.

The LAN adapter has been selected to be used for DHCP, DNS, and WINS addresses for dial-up clients. The LAN adapter has the IP address 10.0.0.231, DNS 10.0.0.231.

When a client VPNs into the server it correctly gets an address on the 10.0.98.0/24 range. Pinging works fine but DNS resolution does not. Only if the 'Connection Specific DNS Suffix' is manually configured in the VPN properties on the client does DNS work.

DHCP relay agent has been configured to point to 10.0.0.231 (IP address of the DHCP server).

There is no scope configured for the 10.0.98.0/24 range on the DHCP server, but under 'Server Options' in the DHCP console, option 015 DNS Domain Name has been configured appropriately.

Any clues as to what is causing my clients to not receive a Connection Specific DNS suffix?

Thanks in advance.

Peter



DNS Zone Replication [One-Way]


Hi guys, I'm configuring a backup site at my company, so I added an additional DC at my backup site, just in case of "fire". What I need to do now is configure the AD-integrated zone of my domain to be replicated ONLY in this way:

PRIMARY-SITE -> BACKUP-SITE.

I DO NOT WANT it to replicate in the other direction.

How is this possible?

ARP server ip is being listed in nslookup additionally


When we do nslookup, our ARP server IP is listed additionally in it with a particular domain we have. How to remove that from nslookup. Please help.

Regards,

Harishkumar. R 

DirectAccess not working after server reboot


Hello,

After I restarted my DirectAccess server, DirectAccess stopped working.

If I check the Remote Access console I see these errors:

- Configuration for server SRVDA.domain.local cannot be retrieved from the domain controller.
- IP-HTTPS: Not working properly
- The IP-HTTPS route does not have published property enabled.
- Route advertisement is disabled on the IP-HTTPS adapter.
- Forwarding is disabled on the IP-HTTPS adapter.

In the Event Viewer I see this error:

Event ID: 10029: IP-HTTPS cannot be enabled on the Remote Access server.

Gpupdate works normally, nslookup also, and I can contact the DC server from the DirectAccess server.

Thank you!

Best wishes,

Marko

Reconnecting our website to the internet after public IP address reassignment, on Windows Server 2003


Our small family-owned data processing business recently had to change our single static IP address to a bundle of five static IP addresses, with a separate IP address for each of our five office computers, on our Windows Server 2003 platform. Coincidental with that changeover, we can no longer bring up our website on the browser of any computer to which we have access, including a laptop connecting via wifi. We understand there is a set of programs of some kind involving IIS settings which, we think, control access of our website to the internet in general. Services of the system administrator who put all this together for us ten years ago are no longer available.

We understand Windows Server 2003, the operating system for two of our office computers, is obsolete and no longer supported at all within about seven months. We therefore intend to replace with Windows Server 2012 some time this winter. We also intend to move our website to a hosted situation which can run ASP.Net sites built with MS Visual Studio, with which our website was designed about 10 years ago. 

But first, we must get our website running again. Hopefully this may entail only resettings so that our website reflects our newly assigned static IP address for the particular server on which our website is hosted.

Thanks in advance for your help.

DNS server event log messages can't load


I'm running a new domain controller with a DNS server on it. The event log entries for the "Microsoft-Windows-DNS-Server-Service" all fail to load. I look at the "DNS Events" item in the "Global Logs" section of the DNS server in the DNS manager tool and every entry there has the generic "cannot be found" message.

How can I repair the event log messages for the Microsoft-Windows-DNS-Server-Service?



Event Type:    Information
Event Source:    Microsoft-Windows-DNS-Server-Service
Event Category:    None
Event ID:    4
Date:        9/21/2014
Time:        15:02:03
User:        NT AUTHORITY\SYSTEM
Computer:    server.domain.corp
Description:
The description for Event ID ( 4 ) in Source ( Microsoft-Windows-DNS-Server-Service ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.

If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s .



Configuring NPS for AD authentication on a Cisco router?


Hi,

I've built an NPS server and added my Cisco router to it as a device. I'm trying to give a user restricted access to the router and Cisco tell me I need to use something called CLI Views on the router. Anyway, they said that to configure the NPS server I need to add this; the thing is, I can't figure out where in NPS I need to add it:

We need to add Cisco as a vendor first on the radius server, then add “Cisco-AV-Pair” as a vendor specific attribute on that server.

**********************
Cisco vendor Id- 09
cisco-av-pair number is 01
type= string
direction= INOUT or BOTH

Then in that avpair he needs to send the value:
 cli-view-name=<name-of-the-parser-view>

**********************

Any ideas?

Thanks

RRAS and 2 public IP addresses


Hi,

We have a 2008 server with 2 public IP addresses. We want to use RRAS with the SSTP protocol on one of the public IP addresses. So, port 443 is in use on one public IP address.

We want to use the other public IP address, also with port 443, for a special web server.

But RRAS takes all of the public IP addresses automatically. How can we limit RRAS to only one?

Regards,
Hans-Peter



Configure Services Across Multiple Subnets


I currently have a security network consisting of five physically separated, connected locations. Each location has 50 to 100 devices requiring IP addresses. These devices are network cameras, alarm control components and access control devices.

Each location has either dual Sonicwall TZ 215s or dual 2400s in failover configurations. For additional redundancy three of the locations also have two ISPs.

Each location is a subnet. The subnets are connected using VPN tunnels configured between each Sonicwall. The Sonicwall on each subnet also provides DHCP and other services needed for its subnet.

Subnet Configuration:

???.???.100.1 Primary Location

???.???.101.1

???.???.102.1 Secondary Location

???.???.103.1

???.???.104.1 

There is now a need to configure Windows 2012 network services (DC, DHCP, DNS, File Services), keeping in mind that this system will remain a closed network with minimal requirements for internet access (upgrades, utility services, etc.).

I would like to have high availability (load balancing and failover) spread between the Primary and Secondary locations. There will only be 15 to 20 users logging on and accessing video servers and other security assets.


Authentication issue for RRAS on a Windows Server 2003 machine....


Hello,

We recently upgraded our domain controllers to Windows Server 2012 R2 from Windows Server 2003. The migration process went well with minimal issues. However, I have another Windows 2003 Server I'm running RRAS on. Most clients are able to VPN without issue, but a few have encountered the following issue when they try to access certain network computers:

System error 1311 has occurred.

There are currently no logon servers available to service the logon request.

I'm sure this is related to the migration to the 2012 DCs. From the 2003 VPN server I'm able to access the entire network and all of its resources without a problem. DNS seems to function just fine as well. It's an issue with a few of my VPN clients. Even using the pure IP of the network resource isn't helping. Any ideas here?

Thanks,
Craig

Problem with MTU decreasing on RAS vpns.

I have numerous Win 2008 R2 Standard servers that are used as standalone VPN servers via RRAS. Occasionally VPN users will start complaining that they can't access sites like nytimes.com or paypal.com. In checking the MTUs listed by "netsh interface ipv4 show subinterfaces", I see that the server has started to assign MTUs below the default 1400. If the server is rebooted, it starts using the default 1400 MTU again and sites like nytimes.com and paypal.com start working normally again through the VPNs. I have seen this problem occur randomly on different servers that are on different networks/subnets/vendors' network switches/ethernet adapters & speeds. So it does not appear to be caused by a particular network configuration. Any ideas what's causing Win 2008 R2 to drop down the MTU settings when there appear to be no network problems?

Direct Access communication problems - Unable to establish tunnels


Hi all,

I have configured a DirectAccess pilot with the following configuration:

  • DirectAccess Server 2012 R2
  • "external" interface connected to DMZ and NATted to external firewall
  • internal interface connected to intranet
  • Windows client 8.1 Enterprise on Surface Pro 3

A PKI with an Enterprise subordinate CA was created and all the computer certificates were issued. Once the configuration was finished, the client was updated with the latest GPOs and is able to determine its position. It pings the DirectAccess server and IPv6 intranet servers like DNS-DC using ip direction only.

However, when it tries to ping using the DNS namespace, it is not able to create the intranet and infrastructure tunnels. It is not able to resolve names either. Using the Windows 8.1 DA Troubleshooter reveals problems pinging the intranet DNS using the namespace, and it is not able to create tunnels. No more specific info.

I hesitate with the 2012 R2 configuration because it's supposed to use DNS64 and NAT64, so I'm not sure if further ISATAP configuration is necessary.

Could anyone help?

Regards.


problem with integrated dns and secondary servers, I think


I have 2 domain controllers, both have DNS role installed, both seem to be working correctly (i.e. client records are added and are replicated to both servers.) I have 1 zone, it is active directory-integrated primary. Both servers are set to not zone transfer (per technet.microsoft.com/en-us/library/cc781340(v=ws.10).aspx ) and neither have any secondary servers defined.

Domain controller 1 = Elrond (10.36.0.6), 2008R2
Domain Controller 2 = Thorin (10.36.0.38), 2012

Despite no actual difficulties with clients, I suspect I have a problem because of 2 things:

1) BPA on Thorin (but not on Elrond) shows "Warning DNS: Zone TrustAnchors secondary server 10.36.0.6 should respond to queries for this zone"

2) While  doing some testing, I ran across the recommendation to try nslookup. When I ran it in an elevated prompt from Thorin I received:

C:\Windows\system32>nslookup
Default Server:  elrond.lynden.k12.wa.us
Address:  10.36.0.6

> server elrond
Default Server:  elrond.lynden.k12.wa.us
Address:  10.36.0.6

> ls lynden.k12.wa.us
[elrond.lynden.k12.wa.us]
*** Can't list domain lynden.k12.wa.us: Query refused
The DNS server refused to transfer the zone lynden.k12.wa.us to your computer. If this
is incorrect, check the zone transfer security settings for lynden.k12.wa.us on the DNS
server at IP address 10.36.0.6.

And when run from Elrond, I get the same message about Thorin refusing:

C:\Windows\system32>nslookup
Default Server:  thorin.lynden.k12.wa.us
Address:  10.36.0.38

> server thorin
Default Server:  thorin.lynden.k12.wa.us
Address:  10.36.0.38

> ls lynden.k12.wa.us
[thorin.lynden.k12.wa.us]
*** Can't list domain lynden.k12.wa.us: Query refused
The DNS server refused to transfer the zone lynden.k12.wa.us to your co
f this
is incorrect, check the zone transfer security settings for lynden.k12.
the DNS
server at IP address 10.36.0.38

My reading from the TechNet article is that zone transfers should not be enabled since AD already handles that functionality. Does that mean this error is really ok? It seems strange.


Server 2008 DHCP assigns leases but never displays leases in the GUI


Well, the subject says it all.

I have a newly installed 2008 Server with a DHCP role.  It correctly assigns new machines IP addresses but when I use the GUI MMC the leases do not show.

The DHCP database was imported from a Server 2003.  I don't know if that caused some problems.

Any ideas on how to fix this problem?

David Hidding
Dana Molded Products

Setting up site-to-site VPN on Windows server 2012 R2


Hi all,

I have the following network setup:

I have a site here in New England that will have a few servers in it, including a VPN server, a Web server, a file server, and a domain controller.    I'm trying to do the following with it:

I want to set up a Windows Server 2012 R2 site-to-site VPN connection, but I only have one public IP address at the New England site, so I can't place more than one device (the Comcast router) on the edge of the network. So I'm trying to set up RRAS as VPN only and deploy it behind the main router and then connect it to the VPN site (probably running on a Forefront TMG 2010 server). The main reason for the VPN is security, and the other reason is that I have port blockage issues on my network, so VPN is the only way I can even get these two servers to talk to each other anyway. If you could offer any suggestions, that would be awesome.


Auto-Shutdown Command Multipart question


Good afternoon, I would like to ask a question that is above my knowledge level. Currently, I am running a PE2950 with Server 2012 Datacenter as a home streaming server. Recently, due to some large and very frequent power outages in my area, I was forced to purchase a UPS to protect my server. The problem is that in my local area, the best I could get was an APC Back-ups 1300 watt UPS with a single USB monitoring connection. This setup works great with the single server and gives my server about 12 minutes to complete a necessary shutdown. My question is that I also have a PE1950 with the same OS that I want to set up as a NIDS using Snort or something along those lines. How exactly do I make my PE2950 automatically send a shutdown command to my PE1950 in the event of a power outage? My UPS is adequate to provide roughly 5 minutes of power with both systems running on it but again, it only has one monitoring line for one computer. The next part of my question pertains to my MD1000 disk array. I am getting ready to put this online with my 2950 and I am curious as to what happens when it is connected to a server and a shutdown is run. Does the MD simply shut down or do the disks keep spinning? I am concerned about this because aside from plugging it into a UPS, how is it protected since you cannot physically connect a monitoring line to it? My main concern is protecting the integrity of the disks and hardware in the event of power loss. To reiterate, if power goes out and my server shuts down like it should, what will the MD1000 do? I am hoping that the MD will cease disk access and spin down the disks. Will this be the case? Or does the MD shut itself down along with the server it is connected to? The last part of my question is what is the best way to connect the network when adding the PE1950 as a NIDS. Do I simply plug the internet connection into port one and connect port two to my switch?
Will there be any special setup required for the internet ports under the 2012 server manager? Are there any pros or cons to using the PE1950 for this purpose?

DirectAccess client unable to resolve DNS names for probes


Hi, I am testing client connectivity to DirectAccess. All the operational status lights are green, yet the client cannot connect, nor do I see any bytes outgoing from the DirectAccess Client Monitor. The client troubleshooting tool states the corp DNS server cannot be pinged. Any idea how I can further troubleshoot the issue would be greatly appreciated.

DirectAccess Logs

Connectivity System Settings DNS/Naming DirectAccess Connectivity Status 

 DirectAccess connectivity status for user: XXXX\xxxxx is

Error: Corporate connectivity is not working. Windows is unable to resolve DNS names for probes. 23/12/2014 23:35:41 (UTC)

Probes List

HTTP: http://da.xxxx.com/  (Fail)

 HTTP: http://directaccess-WebProbeHost.xxxx.com (Fail)

DTE List

PING: 2002:4800:xxxx::4800:xxx  (Pass)

 PING: 2002:4800:xxxx::4800:xxx  (Pass) 

What happens to local (SAM) account database, when we first time promote member server to Domain controller.( List i need to know)


What happens to the local (SAM) account database when we promote a member server to a domain controller for the first time?

Can you let me know what other changes occur, like shared folders, security settings, and any other services installed previously?

(Not the changes which can be seen during installation of AD, which I have done dozens of times on prod servers.)

Let me give you an analogy of all the differences (which we see on the server):

( Part A),if i see the member server ==============if i see it once it is Domain controller.( Part B)

example:

List of changes occurred after promoting to DC again prior properties while it was member server

consider 2008R2 server

Regards

Basavaraj Navalgund (Raj)

banavalg@yahoo.com


ADS/DNS/DHCP/RIS/GROUP POLICY/PowerShell/VMware/Esxi/Storage.

Routing and Remote Access


Hello Everyone,

A client of mine is using RRAS for VPN access to the network.

Everything works as it should; I can change the LAN setting to work as dynamic or static with a range of IPs.

Problem

When the server gets rebooted with the weekly Windows updates, this is where I cannot access the LAN.

I can remote into the VPN network and get an IP address, but I cannot get to the LAN.

The only way I can get access to the LAN is to switch the IPv4 setting from dynamic to static. I keep it set to static, as RRAS gives the server an internal address inside the scope. So normally, I can connect to this internal address, which points to the RRAS server, and I can make this change; then the other VPN users can connect to the network. But there are cases where this does not work if it gets left on dynamic and RRAS doesn't assign itself an internal address in the IPv4 section.

So, does anyone know why a simple reboot is affecting this? It works fine for weeks until it gets rebooted, then no one can access the network externally.

Thanks

Simple one-to-one Windows Server 2012R2 router


I'm pretty sure that when I get an answer, it's going to be one of those "duh moments"...

So I've got seven VMs running on an isolated virtual network segment. This is a test AD/Exchange/Lync thing, so I want it as isolated as I can from my production network. However, our developers want to be hitting it with their development tools directly from their production workstations. One of these VMs has a second virtual NIC on it that ties to our production LAN, and I've installed the Routing role on this machine. NICs are identified with meaningful labels ("corpnet" and "Internet"), the "inside" one is in the domain profile and the "internet" one is in a public profile, and all firewalls are turned off on all of the VMs. I have seven IP addresses that I've allocated on the production network and all I'm after here is a simple one-to-one mapping.

Here's what I've done so far:

  • Configure for LAN Routing and NAT
  • Under IPV4 -> NAT, create Public interface with Internet NIC
  • Under IPV4 -> NAT, create Private interface with Corpnet NIC
  • Under IPV4 -> NAT -> Internet -> Address Pool, add small production network address range.
  • Under IPV4 -> NAT -> Internet -> Address Pool -> Reservations, create one-to-one mappings of public to private addresses with "Allow Incoming Sessions" enabled
  • All VMs are set with the edge server as the gateway.  The edge server is set with my production LAN's gateway on the "Internet" network interface.

From the edge VM, I can get to the production LAN and to the private VMs.  From the production LAN I can get to the edge VM just fine.  However I can't get from the production network to any of the VMs and none of the VMs can get past the edge VM.

What incredibly obvious and simple thing am I missing?  I typically don't use Windows' router, so...  TIA
