Channel: Network Infrastructure Servers forum

DNS Server won't forward


Here's the run-down.

Server A (AD/DNS Server) needs to communicate with Server C (Member Server)

Server B (Forwarder) is set up for Server A to use to communicate with Server C.

Problem:

'Server A' NSLOOKUP commands work as intended when looking at most devices... but when reaching out for 'Server C' the DNS cannot seem to locate it even though 'Server B' is set up properly, 'Server A' does not automatically go to use 'Server B'.

Other Info:

If I use NSLOOKUP to directly use 'Server B' I can reach it immediately and contact 'Server C'.

---

I cannot share much information considering the environment I am in, but this issue has stumped my team and me.

Please let me know what other info I can share to help with the solution.

Thank you



problem with VPN and IIS IP restrictions


I have a problem with VPN configuration in connection with IIS IP restriction.

I set VPN connection (one NIC) on VPN server and a pool of static IP addresses for connecting clients. I set the same pool in IP restrictions on IIS server, so the website can be accessed only via VPN. However, when I checked IP address in logs (after connecting via VPN) I still see the IP provided by ISP instead of the one set in VPN configuration.

Always ON VPN with NPS doesn't work - "The connection was prevented because of a policy configured on your ras/vpn server"


I'm piloting VPN Always ON solution on Windows 10. Previously I had only VPN Server 2016 running without NPS and everything was working (I used MS Chap v2 + IKEv2). This solution was not secure enough and certificates didn't matter, only the user account.

Okay, now I got NPS installed on my other DC and the client/server refuses to connect with the error: The connection was prevented because of a policy configured on your ras/vpn server

Troubleshooting I already made:

- Firewall is off everywhere
- Double checked the security configurations from Whitepaper on W10 Client, VPN server and on NPS server to match Microsoft Protected EAP (PEAP)
- Certificates are not expired
- Re-created VPN profile manually on W10 (tried with sign-in info=Certificate or User & Password).

Whitepaper was located somewhere here before: 

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment

I'm good with RRAS but NPS is new for me.


MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


vpn password


I cannot get logged on to VPN as it says my password is wrong. I have tried a few but with no luck.

Something odd with VPN role.


We have the VPN role on Windows Server 2016 and a public IP assigned to the server's NIC so users from other sites can connect to the server. It used to work just fine until it became inaccessible, and when pinging the server's public IP it is unreachable, although the right configuration is set and nothing changed.

The odd thing is that when stopping the VPN service on the server, the server's public IP becomes reachable, and what is more strange, the users who used to connect via VPN connection can now connect to the server without initiating a VPN connection.

My question is whether the security of the server is compromised in this situation, and is this considered direct access service? And how do we go back to the old working settings, where the VPN server is started and running and users can connect only when initiating a VPN connection?

Regards.  

VPN Always On

Dear,


I would like to verify the vpnalwaysOn client prerequisites:

=> Is on-premise Active Directory join a prerequisite for the client device?


I am looking for a seamless VPN solution for Azure Active Directory joined devices.


Any ideas?


Kind reg


Gino D

Windows 2012 R2 NPS (Radius) - Wireless 802.1x Not Working


Hello,

We currently use a Windows 2003 Radius server for our wireless 802.1x network.  Our wireless solution is by Aerohive.  

I'm trying to switch to Windows 2012 R2 NPS.  When I test Radius with Aerohive, it works when pointing to the Windows 2012 R2 server, but when I try to connect my notebook to the 802.1x SSID, the Radius request is sent to the NPS server without success.  My request is being 'discarded.'  Events 6273 and 6274.

MS support hasn't been useful.  At least, the team that I have been dealing with.

Could it be an Enterprise certificate issue?

Environment

  • AD 2012
  • Windows 2003 CA and Radius
  • Windows 2008 CA
  • Windows 2012 R2 NPS

The Windows 2012 R2 server is getting its certificate from the Windows 2003 CA.  Therefore, the EAP certificate is the Windows 2003 CA certificate.

Should I introduce a Windows 2012 R2 CA and slowly remove the 2003/2008 CAs?

Thanks

Ron

EAP-TLS VPN issues with Windows NPS - help


Hi there

I've spent 2 weeks trying to get EAP-TLS VPN working via NPS and am going grey.

I have set up a RRAS VPN Server via IKEv2, an NPS server, and a CA.

I have issued out the RAS template to the NPS server, and installed it into NPS. My NPS Policy is as per technet articles with the setup inside the NPS, e.g. EAP with Smart card or Other certificate, and then I select my cert of the NPS server. I have pushed out and confirmed User certificates are installed on my endpoints, and when trying to connect I select the correct Cert.

Though I keep getting Error 262 on the RADIUS logs and am unable to connect. If I change it from EAP-TLS to EAP-MSCHAPv2, it works perfectly.

Really not sure where to go from here. Any ideas?

Error logs from NPS Server

>IRE-xxx01-A</Client-Friendly-Name><MS-RAS-Correlation-ID data_type="1">{6BAAEBB6-658D-BD8E-A0EE-C5678F827D5B}</MS-RAS-Correlation-ID><MS-Network-Access-Server-Type data_type="0">2</MS-Network-Access-Server-Type><MS-RAS-Vendor data_type="0">311</MS-RAS-Vendor><MS-RAS-Version data_type="1">MSRASV5.20</MS-RAS-Version><User-Name data_type="1">xxxxx@xxxx.co.uk</User-Name><Proxy-Policy-Name data_type="1">VPN</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">xxxx\xe</SAM-Account-Name><NP-Policy-Name data_type="1">VPN</NP-Policy-Name><Class data_type="1">311 1 172.18.110.169 08/02/2018 03:29:59 24</Class><Authentication-Type data_type="0">11</Authentication-Type><Fully-Qualifed-User-Name data_type="1">int.xxxxxx.xx.uk/xxxxx/People/Azure AD Connect/Test OU/xxxxx</Fully-Qualifed-User-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">08/02/2018 03:46:25.808</Timestamp><Computer-Name data_type="1">IRE-VPN03-A</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Acct-Session-Id data_type="1">273</Acct-Session-Id><Class data_type="1">311 1 172.18.110.169 08/02/2018 03:29:59 24</Class><Authentication-Type data_type="0">11</Authentication-Type><Fully-Qualifed-User-Name data_type="1">int.xxxxx.co.uk/xxxx/People/Azure AD Connect/Test OU/xxxxx</Fully-Qualifed-User-Name><NP-Policy-Name data_type="1">VPN</NP-Policy-Name><SAM-Account-Name data_type="1">xxxxx\xxxxx</SAM-Account-Name><Provider-Type data_type="0">1</Provider-Type><Client-IP-Address data_type="3">172.18.175.75</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">IRE-VPN01-A</Client-Friendly-Name><Proxy-Policy-Name data_type="1">VPN</Proxy-Policy-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">262</Reason-Code></Event>




How to update a resource record in Windows secure DNS (DNSSEC enabled) using nsupdate utility

How to update a resource record in Windows secure DNS (DNSSEC enabled) using nsupdate utility

Option 54 on a 2012r2 DHCP Server


Hi all,

I am trying to set Option 054 (server identifier) in my W2k12r2 DHCP server by:

right-clicking IPv4 and choosing the "set predefined options..."

add the proper value and the IP address of the server I want in the OFFERS. This is so I can substitute the legal, outward facing IP instead of the internal IP of the server. This is for an ISP and we want the DHCP client to attempt to renew addresses through the legal address and not the internal one, for obvious reasons.

When I do a packet sniff I find two OFFERS, one with the internal IP and one from the external IP. The external is second and apparently is not regarded by the client. I have attached the contents where you can see both of the option 54s. Any idea how to override the first one?

 MessageType: OFFER - Type 53
  + SubnetMask: 255.255.252.0 - Type 1
  + RenewTimeValue: Subnet Mask: 0 day(s),0 hour(s) 0 minute(s) 30 second(s) - Type 58
  + RebindingTimeValue: Subnet Mask: 0 day(s),0 hour(s) 0 minute(s) 52 second(s) - Type 59
  + IPAddressLeaseTime: Subnet Mask: 0 day(s),0 hour(s) 1 minute(s) 0 second(s) - Type 51
  - ServerIdentifier: 172.25.1.104 - Type 54
     Code: Server Identifier, 54(0x36)
     Length: 4 UINT8(s)
   - IpAddress: 
      IpAddress: 172.25.1.104
  + Router: 76.72.196.1 - Type 3
  + DomainNameServer: 0.134744072.1145077276.1145077275 - Type 6
  - DomainName: tvscable.com - Type 15
     Code: Domain Name, 15(0x0F)
     Length: 13 UINT8(s)
     Name: tvscable.com
  - ServerIdentifier: 68.64.126.26 - Type 54
     Code: Server Identifier, 54(0x36)
     Length: 4 UINT8(s)
   - IpAddress: 
      IpAddress: 68.64.126.26
  - End: 
     Code: End of Options, 255(0xFF)

IPEnableRouter - routing/forwarding not working on WIN7 / WIN10 PRO


Hi

I have two networks:

A: 192.168.38.0/24

B: 192.168.100.0/24

On router machine:

WIN7/10 PRO

IPEnableRouter > 1

Routing Service enabled and started

2 NICs:

192.168.38.5 for A network (This has a connection to the internet, default gateway 192.168.38.1)

192.168.100.1 for B network

On all clients in both networks A or B I can ping all NICs on the router machine, but clients from one network to another, no.

WHY?

Thanks for helpful replies

IPAM on 2012R2-Ability to scan and discover static addresses with computernames?


Hey guys,

I have a 2012R2 domain.  All of our server subnets use static IP addresses that are not specified in DHCP.  We keep spreadsheets and want to replace that with something that can scan the subnets we specify and do ping sweeps (SNMP/WMI) to help detect and name devices.   I care more about the ability to scan and the quality of those scans than I do about all the other features of IPAM.  I know the Microsoft solution will allow static addresses to be entered manually, or imported from a csv file. I am probably going to spin up a 2012 R2 IPAM test server and compare it against the Solarwinds IPAM product, but does anyone know if the Microsoft solution will also scan static subnets specified to help determine which IP addresses are in use? Possibly even query and figure out the servername (if DNS record exists, or if they have credentials to make a SNMP or WMI connection)?

Thanks,


Dave






HOST (A) Record Disappeared


Hi,

I have one AD-integrated DNS server (KDNS01). It is hosting different zones along with the default zone, Ibanking.co.in. Other zones are Internetbank.com & TDStax.Gov.In. There are multiple A records in the Internetbank.com zone; these entries are all static records. For a few days I have been observing that one or two records have disappeared. There is no DHCP server in the infrastructure & I can confirm the records are not deleted manually.

Secondly, another new domain has been installed: Ibanking.IN. For better name resolution I have created a zone in KDNS01 as IBanking.IN & put a few host entries manually in this zone. Today I found new host entries in this zone. I have not configured any zone transfer with the newly installed domain/DNS.

What is the reason for the above two problems?

S Mandal


Slow logons for computers


I have a site that has no Domain Controllers in it and logon is very slow. I would like to change this. Currently the site object in Sites And Services has no NTDS servers in it. Looking at the logon server a client is authenticating to, it is located across the country. There is a data center here in the same state as the client but because there is no NTDS server in the site it is looking elsewhere to authenticate. If I cannot build a DC here in the same subnet as the clients, but want to authenticate to servers at least here in the same state in a closer data center how would I accomplish that? Would I add the subnet for this location to the site where the closer data center is?

Thanks in advance!


Chad Guiney

DHCP Name Protection and VOIP Phones


I am looking at enabling Name Protection for my DHCP scopes but as I was doing some check and verification items, I realized that I have a number of Obihai phones whose Hostname is set as just the model. Ex: OBi300.local and OBi1062.local.

Will I need to change all of these devices to use separate hostnames so that they can continue to get addresses? Currently it looks like only one device has a forward record but all of the others are having reverse records created for them automatically.

Weird MAC on DHCP 31202e3235332e302e


Hi,

I see some weird address leases in my DHCP console that are consuming the whole scope. They really take up to 100% of the leases.

The strange thing is the MACs that all start with 31202e3235332e302eXXXXXX - where XXXXXX are random numbers and letters. I've attached an image here to help better.

I'm coping to find out where this is coming from. If it's from a pc, laptop or other network device...

Has anyone gone thru this before??

Cheers


MFA Extension: The request was discarded by a third-party extension DLL file.


We’re trying to use the MFA Extension with our NPS server. However, when we try to connect through the NPS server with a radius client we receive no response and in the NPS server where the MFA Extension is installed the following event is generated:

Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:

                Security ID:                                            NULL SID

                Account Name:                                    test@axtion.nl

                Account Domain:                                 -

                Fully Qualified Account Name:          -

Client Machine:

                Security ID:                                            NULL SID

                Account Name:                                     -

                Fully Qualified Account Name:          -

                OS-Version:                                           -

                Called Station Identifier:                      -

                Calling Station Identifier:                     -

NAS:

                NAS IPv4 Address:                                192.168.0.232

                NAS IPv6 Address:                                -

                NAS Identifier:                                      -

                NAS Port-Type:                                     -

                NAS Port:                                               -

RADIUS Client:

                Client Friendly Name:                           Luuk PC

                Client IP Address:                                  192.168.0.232

Authentication Details:

                Connection Request Policy Name:     MFA Server Request Forward

                Network Policy Name:                         -

                Authentication Provider:                    <none>

                Authentication Server:                         NPS-ARBO01.ad.extra

                Authentication Type:                           -

                EAP Type:                                               -

                Account Session Identifier:                 -

                Reason Code:                                        9

                Reason:                                                  The request was discarded by a third-party extension DLL file.

Any idea what is happening here?

DHCP reservation list shows previous date.

On my DHCP server, the reservation client list shows a previous date, but my DHCP server date and time zone are correct. What can I do?