Channel: Network Infrastructure Servers forum

WAP - redirecting to internal host name for external clients


Hi all,

 hoping this is the right forum, as there doesn't seem to be one for WAP.

Exchange 2016 published via WAP, using pass-through for all services, including OWA and ECP - as the ADFS server is under control of another group.

When publishing these services, an external URL and different back-end URL are entered.

Internally, if I hit the url, all is fine e.g. webmail.company.com.... and after I auth (forms based), the url stays at webmail.company.com.

If however I hit WAP from the outside world on webmail.company.com, as soon as I auth, the url is replaced with the internal URL - which obviously my external client cannot resolve.

Any ideas as to why this difference in behaviour?


Windows Server NAT - one public - two DHCP private interfaces don't work?


Hi Microsoft.

I'm a student at University College Nordjylland studying computer science.
I'm working on a virtual datacenter setup where I now have a physical DHCP server with a NAT sharing internet connection to a Windows Server 2012 R2 with Hyper-V.
The DHCP/NAT server has a "virtual private network adapter 1" for the Hyper-V host and a "virtual private network adapter 2" for only the virtual machines and a "public network adapter" with internet connection.

The Windows Server 2012 R2 with Hyper-V has "virtual private network adapter 1" and "virtual private network adapter 2".
"virtual private network adapter 2" is not sharing the connection with the operating system, but I don't get internet connection for my virtual machines, but I get an IP address from the DHCP server.

My DHCP scope ranges are:
192.168.1.1-192.168.1.12 - gateway: 192.168.1.1
and
192.168.2.1-192.168.2.254 - gateway: 192.168.2.1

My virtual machines have automatic settings and get IPs, but still no internet connection, but the Hyper-V host has internet connection.

I think I have something wrong in the configuration for Windows Server NAT. Can you help?

RRAS VPN (SSTP) in Azure - cannot ping other VMs in subnet


Hi there,

I'm trying to setup RRAS on Windows Server 2012 R2 server in Azure to support inbound VPN connections from internet machines using SSTP.

I've setup the RRAS service, and am able to successfully VPN into the host from a guest machine, and can establish connectivity to the RRAS server using ICMP etc. However, I cannot connect to any other VMs in the same subnet as the RRAS server... no matter what I do. My connection is just limited to the RRAS machine.

My environment is as follows

RRAS server - single interface.

  • IP address of 10.50.0.12
  • Configured as a VPN service (SSTP with public wildcard certificate)
  • RRAS configured with a static address pool of 172.16.10.10 - 172.16.10.254 

I have configured a static route on another server in tenant (10.50.0.11) that points all traffic to the static address pool via the RRAS server (route add 172.16.10.0 mask 255.255.255.0 10.50.0.12 -p)

I can successfully connect from my client machine, establish connectivity and ping the RRAS server on 10.50.0.12.

However, I cannot ping anything else, including the secondary VM that I put the static route on (10.50.0.11). I've tried disabling the Windows firewall on all machines... no difference.

Can anyone point me in the right direction as to what might be wrong?

Regards, James


James Frost

DirectAccess and SMB3.0


Hi

We are currently experiencing a problem whereby a Windows 8.1 client connected to DirectAccess cannot access file shares hosted on our Netapp SAN when SMB3.0 is enabled.

Troubleshooting we've done:

On Windows 8 PC:
Share accessible on LAN. Running Get-SMBConnector in Powershell shows a Dialect 3 connection to the share.
If we turn off SMB3 on the SAN, it shows dialect 2.1 connection to the share.

On Windows 8 Laptop (DirectAccess)
Share gives error "handle is invalid" when connected to DirectAccess (Powershell shows dialect 3)
Share works when we turn off SMB3 on the SAN. Powershell shows dialect 2.1

On Windows 7 Laptop (DirectAccess)
Share works on either SMB3 or 2.1

Seems to only be Windows 8 and only when using Direct Access (As it works fine when on the LAN)

Kinda stuck. Any help or pointers would be great. Don't want to turn off SMB3 on the SAN because of VHD features etc

Thanks in advance

Tom

A system with multiple equal metric gateways. Round robin operation?


Hi all;

Suppose a system with 2 equal metric gateways. In this scenario, is the round robin feature used?

Thanks


Please VOTE as HELPFUL if the post helps you and remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Problem with resolving Active Directory Domain and Email with DNS


Hello,

I have a problem with my company DNS infrastructure, because the Active Directory Domain name and the email domain are the same, for example Domain name: Domain.local and the email domain is: user@domain.local. The email is hosted with Office 365, and when I try to set up the email account in Outlook I'm not able to contact the server.

What can I do to solve it?

Thank you in advance

how many ntp clients are supported?


Windows Server 2008 R2

I'm starting to sync our Solaris servers' time with the domain time and I'm using my "PDC" as the NTP server for the domain and for Solaris. My "PDC" in turn syncs with some time servers located on the net.

Questions:

  1. Can I configure a second NTP server in my domain in case the primary one goes offline?
  2. How many NTP clients can a DC NTP server support based on good practices?

regards,

Rino

Cannot Connect to L2TP VPN (Preshared Key); Error 20192 on Server


I've been trying to set up a L2TP VPN server using a Preshared Key (PSK) on a Windows Server 2003 workgroup-based server. The router has the appropriate ports forwarded. I can see using the Microsoft Network Monitor utility that both UDP Ports 500 and 4500 are making it through to the server, but my client computer (Windows 7) fails to connect.

While trying to figure out what's wrong, I noticed the following error in the Event Viewer on the server:

Event Type:Warning
Event Source:RemoteAccess
Event Category:None
Event ID:20192
Date:6/9/2012
Time:2:25:49 PM
User:N/A
Computer:[ServerNameHere]
Description:
A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted.

Oddly enough, searching on multiple search engines and forums, I can't seem to find an explanation of what this error means and how to resolve it. This definitely wasn't mentioned in the support articles on Microsoft's web site on setting up a L2TP VPN server, which don't mention anything about certificates.

Just to note, PPTP connections to the server are currently working fine.

Can anyone provide some insight on this error and how it can be resolved? Thank you.

(Yes, I know. Certificate-based is better than Preshared Key, but I gotta work within the means I've been given, so Preshared Key it is.)


- Travis Tubbs travis@travistubbs.net http://travistubbs.net


Blue screen - Need Help


Hello Support,


My Server 2008 R2 restarted itself and gave the blue screen below.

Please help me with the same. Also, I have uploaded the dump file at the link below.


https://www.dropbox.com/s/o3kfjtue7zubknk/042516-22214-01.dmp?dl=0


Problem signature:
  Problem Event Name:    BlueScreen
  OS Version:    6.1.7601.2.1.0.16.7
  Locale ID:    1033

Additional information about the problem:
  BCCode:    1000007e
  BCP1:    FFFFFFFFC0000005
  BCP2:    FFFFF88007347145
  BCP3:    FFFFF88007DBE908
  BCP4:    FFFFF88007DBE160
  OS Version:    6_1_7601
  Service Pack:    1_0
  Product:    16_2

Files that help describe the problem:
  C:\Windows\Minidump\042516-22214-01.dmp
  C:\Users\Administrator\AppData\Local\Temp\2\WER-531464-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

SSTP VPN on Direct Access Cluster


Hello,

I set up a Direct Access Cluster on Windows Server 2012R2 with two nodes and external load balancing. Every node has a single NIC and everything is working fine. Now I want to enable SSTP VPN with 2-factor authentication or OTP on this cluster solution.

There are only 2 users that should use the VPN, so I don't want to set up a RADIUS implementation for this.

I am not sure how to achieve that. Do you have a suggestion? And I'm not sure about the routing with a single NIC. Is this still possible?

greetings Butters

netsh advfirewall set global StatefulFTP disable


In the article "How to Configure Windows Firewall for a Passive Mode FTP Server", it has been mentioned that stateful FTP filtering should be disabled so that the firewall does not block any FTP traffic, with the command

netsh advfirewall set global StatefulFTP disable

Can somebody explain to me why StatefulFTP should be disabled?

As I understood it, if StatefulFTP is disabled, then the server firewall will not inspect the FTP connection to match inbound connection requests on port 20 with previous outbound PORT commands from the client. This will lead the FTP server to consider the inbound connection request for data from the client as unsolicited and block it.


Subnet Mask Change


I'm going to be changing my Subnet to 24 Mask Bits.  Currently, the switch is at 16 Mask Bits and my end points (PCs, Servers, Appliances, etc) are at 8 Mask Bits.  These endpoints are statically assigned.

Can I change the endpoint's mask before I change the switch mask?  I changed a few this past week.  They were 255.0.0.0 and I made them 255.255.255.0.  The switch is still at 255.255.0.0 and endpoints still seem to be communicating.  When the endpoints are changed over I can set the switch to 255.255.255.0.


Server Manager BPA reports numerous DNS errors


The logged errors below are from a 2012 R2 Server, just a single Server in a small medical office.  It replaced a 2003 Server and AD was migrated to this machine.  The old Server is gone.  This Server appears to function normally but the fix for these BPA errors that show up in the Server Manager eludes me.  There is only 1 NIC configured and the Server's IP is specified as the primary DNS and the Router's IP is specified as the secondary DNS.  I've done it that way for years on many Servers so I can't understand what is happening here.  The Server is doing DHCP for the workstations and DHCP is turned off in the Router.

Title:
DNS: DNS servers on NIC1 should include the loopback address, but not as the first entry.

Severity
Error

Date:
3/22/2016 4:27:28 PM

Category:
Configuration

Problem:
The network adapter NIC1 does not list the local server as a DNS server; or it is configured as the first DNS server on this adapter.

Impact:
If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners.

Resolution
Configure adapter settings to add the loopback IP address to the list of DNS servers on all active interfaces, but not as the first server in the list.

http://go.microsoft.com/fwlink/?LinkId=188760

Title:
DNS: Zone TrustAnchors secondary servers must respond to queries for the zone.

Severity
Error

Date:
3/22/2016 4:27:28 PM

Category:
Configuration

Problem:
None of the secondary servers configured for zone TrustAnchors are responding.

Impact:
Secondary servers will fail DNS queries for the zone TrustAnchors.

Resolution
Validate secondary servers for zone TrustAnchors.

http://go.microsoft.com/fwlink/?LinkId=188791

Title:
DNS: The DNS server 192.168.1.1 on NIC1 must resolve Global Catalog resource records for the domain controller

Severity
Error

Date:
3/22/2016 4:27:28 PM

Category:
Configuration

Problem:
The DNS server 192.168.1.1 on NIC1 did not successfully resolve the name _ldap._tcp.gc._msdcs.BH.local.

Impact:
Active Directory Domain Services (AD DS) operations that depend on locating a Global Catalog will fail.

Resolution
Click Start, click Network, click Network and Sharing Center, and then click Change adapter settings to configure DNS servers that can resolve the name _ldap._tcp.gc._msdcs.BH.local.

http://go.microsoft.com/fwlink/?LinkId=121970

Title:
DNS: The DNS server 192.168.1.1 on NIC1 must resolve Kerberos resource records for the domain controller

Severity
Error

Date:
3/22/2016 4:27:28 PM

Category:
Configuration

Problem:
The DNS server 192.168.1.1 on NIC1 did not successfully resolve the name _kerberos._tcp.BH.local.

Impact:
Active Directory Domain Services (AD DS) operations that depend on locating a Kerberos Key Distribution Center(KDC) will fail.

Resolution
Click Start, click Network, click Network and Sharing Center, and then click Change adapter settings to configure DNS servers that can resolve the name _kerberos._tcp.BH.local.

http://go.microsoft.com/fwlink/?LinkId=121967

Title:
DNS: The DNS server 192.168.1.1 on NIC1 must resolve LDAP resource records for the domain controller

Severity
Error

Date:
3/22/2016 4:27:28 PM

Category:
Configuration

Problem:
The DNS server 192.168.1.1 on NIC1 did not successfully resolve the name _ldap._tcp.BH.local.

Impact:
Active Directory Domain Services (AD DS) operations that depend on locating domain controllers will fail.

Resolution
Click Start, click Network, click Network and Sharing Center, and then click Change adapter settings to configure DNS servers that can resolve the name _ldap._tcp.BH.local.

http://go.microsoft.com/fwlink/?LinkId=121972

Title:
DNS: The DNS server 192.168.1.1 on the NIC1 must resolve PDC resource records for the domain controller

Severity
Error

Date:
3/22/2016 4:27:28 PM

Category:
Configuration

Problem:
The DNS server 192.168.1.1 on NIC1 did not successfully resolve the name _ldap._tcp.pdc._msdcs.BH.local.

Impact:
Active Directory Domain Services (AD DS) operations that depend on locating a Primary Domain Controller will fail.

Resolution
Click Start, click Network, click Network and Sharing Center, and then click Change adapter settings to configure DNS servers that can resolve the name _ldap._tcp.pdc._msdcs.BH.local.

http://go.microsoft.com/fwlink/?LinkId=121971

Title:
DNS: The DNS server 192.168.1.1 on NIC1 must resolve names in the forest root domain name zone

Severity
Error

Date:
3/22/2016 4:27:28 PM

Category:
Configuration

Problem:
The DNS server 192.168.1.1 on NIC1 did not successfully resolve the name for the start of authority (SOA) record of the zone hosting the computer's forest root domain name.

Impact:
Active Directory Domain Services (AD DS) operations that depend on locating domain controllers will fail.

Resolution
Click Start, click Network, click Network and Sharing Center, and then click Change adapter settings to remove all invalid or unresponsive DNS servers.

http://go.microsoft.com/fwlink/?LinkId=121974

Title:
DNS: The DNS server 192.168.1.1 on NIC1 must resolve names in the primary DNS domain zone

Severity
Error

Date:
3/22/2016 4:27:28 PM

Category:
Configuration

Problem:
The DNS server 192.168.1.1 on NIC1 did not successfully resolve the name for the start of authority (SOA) record of the zone hosting the computer's primary DNS domain name.

Impact:
Active Directory Domain Services (AD DS) operations that depend on locating domain controllers will fail.

Resolution
Click Start, click Network, click Network and Sharing Center, and then click Change adapter settings to remove or replace all invalid or unresponsive DNS servers.

http://go.microsoft.com/fwlink/?LinkId=121973

Just FYI, new blog post "New DNS Policy Scenario Guide for Windows Server 2016"

Related to GNZ

Just to be sure related to GNZ (Global name zone) functionality:
  • Can this solution be deployed when there are several domains with no trust between them? For example: several labs reside on the same subnet. Each lab has its own domain controller but all labs share the same file servers to copy files and utilities.
  • Also, does it require that the client have a suffix named "GlobalNames", or should it work without a suffix?


I have tried to deploy it but it does not work until I add a suffix to the client. The documentation does not imply that we need to configure a suffix on the client.

Am I wrong?
Did I miss something?


Thanks in advance
Dan


how to have an in house ntp pool?


Windows Server 2008 R2

I already have my PDCe configured to sync with a pool of NTP servers externally. Now I've started configuring my Unix boxes to use my PDCe as their time source. Since I have a single point of failure (the PDCe), how does one configure a pool of NTP servers in house?

Access Network Shared Folder Via CNAME Alias


Hi,

Currently we have a server named Shared01 which has some shared folders, and now we are planning to deploy a new server with shared folders on it named Shared02.

Is it possible to just add an Alias record on the DNS server, like Shared01 pointing to Shared02? I tried earlier; I can only access RDP and ping, but accessing \\Shared01 has an issue.

My DNS Server is Windows 2008 R2.

Any workaround for this?

Thank you!

DNS nslookup error timeout was 2 second



Dear Sir

After installation of 2008 Server and DNS, when I typed the nslookup command at the DOS prompt I am facing an error.

ip address          192.168.0.1 
subnet mask       255.255.255.0

preferred  Dns    192.168.0.1


DNS request timed out.
timeout was 2 seconds

Default Server: Unknown
address: fe80: : b9bc:6516:36ec:84f3

Why is it not showing me the IP address?

But on the client side it's showing me

Default Server: abc
Address:  192.168.0.1



thanks in advance



windows server and exchange server isa server problem

DNS request timed out. timeout was 2 seconds.


Hi,  we are running Windows Server 2008 R2 Enterprise on our domain controller / Windows DNS server.

Nslookup from Win 7 clients for Internet DNS names result in two timeouts, like so:

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.

and then the query returns an answer. Query for the same name again does not time out; either because the record is in the client's resolver cache or the DNS server's cache.

We have two working (we think) forwarders in the DNS server, and the DNS server is configured to use Root Hints too, if Forwarders aren't there.

Any thoughts on why our name servers are slow to resolve Internet names?

I know this is a pretty broad question, but thanks for any suggestions!

Mike

Direct Access - Questions about IPv4 only deployment and the IPv6 addresses


Hi there,

I have a few questions about IPv4 deployment of Direct Access. My current setup is already up and it works, but I am not sure if everything is good:

DA Server has the following Network configuration
2 NIC NAT Setup
- one in the DMZ (nat to outside)
-> IPv6 is NOT configured, it is just activated
-> IPv4 is configured with Gateway but without DNS
-> Services like Client for MS Network are disabled
- one in internal LAN (direct)
-> IPv6 is NOT configured, it is just activated
-> IPv4 is configured without Gateway but with DNS
-> Services like client for MS Network are enabled

Now I am curious if I should set fixed IPv6 addresses on the interfaces... should I? Does it matter?

Internally I see on the client in the DCA logs the following error
DTE-Liste
FEHLER - PING: fdc8:535f:5db8:1000::1
FEHLER - PING: fdc8:535f:5db8:1000::2
but internal detection works so far. Is this something that must be fixed?

Last question: the Direct Access setup DELETES the NLS address in DNS and gives an error about the missing DNS record when I apply the config... my current workaround is to disallow write/deletion of this DNS record for my admin account. But why does this happen?

Thanks in advance.
