Channel: Network Infrastructure Servers forum

Network Devices getting wrong (old) DNS server


We are experiencing a problem since we put in a new domain at a client site. There are two DCs that are configured as DNS servers in the new domain (.160 and .162) and the new domain has a two-way trust to the old (2003) domain. We recently discovered that PCs are getting the wrong DNS server info on reboot. They are getting the OLD DNS servers (.10 and .11). If you force them to do an actual DHCP broadcast via ipconfig /renew, they get the right DNS information and show the DHCP server as being the correct, new domain controller (.160).

We are not sure where the old DNS server information is coming from as the old scopes are disabled. We have even spun up a new OS, set the IP configuration to "obtain automatically", joined it to the new domain and on boot, it also gets the "old" DNS server info. Interestingly, we have shut down the DHCP service, rebooted the machine so that it has no IP addressing at all, then turned the DHCP service back on, and it gets the "old" info (.10 and .11). The only way to get machines to do an actual DHCP broadcast and get the new DNS server info is to perform an "ipconfig /renew".

I have turned on switchport monitoring and performed a packet capture. It would appear that the machines do not perform an actual DHCP broadcast on boot. Is it possible that the lease was set to an extreme amount of time and until that original "old" lease expires the machine will automatically use a "cached" DNS server entry?

We have run a piece of software that looks for rogue DHCP scopes and it has found nothing.  I have checked every switch, router and firewall in the network as well.  Any insight or help you may have would be much appreciated!

Thank you,

Curtis
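An added example, not part of the original post, that audits every place the new DHCP server can hand out option 6 (DNS Servers) and shows which server issued an affected client's current lease and when it expires. It assumes the DHCP Server RSAT module on the DC and uses 192.0.2.0/24 as a placeholder for the site's real network.

```powershell
# Added example (not from the original post). Server part: run on the new DC
# (.160) with the DHCP Server RSAT module. Client part: run on an affected PC.
# 192.0.2.0/24 is a placeholder prefix for the site's real network.
$OldDns = @('192.0.2.10', '192.0.2.11')      # the "old" servers the clients keep getting

# Every level at which DHCP option 6 (DNS Servers) can be set, least specific first.
function Get-DnsOptionSources {
    param([string]$DhcpServer = 'localhost')
    $srv = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue
    if ($srv) { [pscustomobject]@{ Level = 'Server'; Where = '-'; Dns = $srv.Value -join ',' } }
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
        $sopt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
        if ($sopt) {
            [pscustomobject]@{ Level = 'Scope'
                               Where = "$($scope.ScopeId) [$($scope.State), lease $($scope.LeaseDuration)]"
                               Dns   = $sopt.Value -join ',' }
        }
        # A reservation-level option silently overrides scope and server values for that one client.
        foreach ($res in Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $scope.ScopeId) {
            $ropt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ReservedIP $res.IPAddress -OptionId 6 -ErrorAction SilentlyContinue
            if ($ropt) { [pscustomobject]@{ Level = 'Reservation'; Where = "$($res.IPAddress) $($res.ClientId)"; Dns = $ropt.Value -join ',' } }
        }
    }
}

$sources = Get-DnsOptionSources
$sources | Format-Table -AutoSize
# Anything, at any level, that still hands out the old servers
$sources | Where-Object { ($_.Dns -split ',' | Where-Object { $OldDns -contains $_ }).Count -gt 0 } |
    Format-Table -AutoSize

# DHCP servers authorized in AD; the retired DC should no longer appear here.
Get-DhcpServerInDC

# --- On an affected client: which server issued the lease in use, and until when.
# A DHCPServer other than .160, or a lease obtained before the cutover, means the
# settings did not come from the new server's current scopes.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DHCPServer, DHCPLeaseObtained, DHCPLeaseExpires,
                  @{ n = 'Dns'; e = { $_.DNSServerSearchOrder -join ',' } }
```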



DNS Failing to Lookup Particular Address


I have two AD / DNS servers for my internal clients.  One is running Server 2016 (dc1) and the other is running Server 2012 R2 (dc2).  I have been notified that my clients are unable to connect to the host https://www.ruffalonl.com.  It appears this is boiling down to a name resolution error.  I've tried using NSLookup and connecting to both of my DNS servers to make the following queries with both servers yielding the same results:

Z:\>nslookup
Default Server:  dc1.mydomain.local
Address:  192.168.88.15
> ruffalonl.com
Server:  dc1.mydomain.local
Address:  192.168.88.15
Non-authoritative answer:
Name:    ruffalonl.com
Address:  184.168.131.241
> www.ruffalonl.com
Server:  dc1.mydomain.local
Address:  192.168.88.15
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to dc1.mydomain.local timed-out
> server 192.168.88.12
Default Server:  dc2.mydomain.local
Address:  192.168.88.12
> ruffalonl.com
Server:  dc2.mydomain.local
Address:  192.168.88.12
Non-authoritative answer:
Name:    ruffalonl.com
Address:  184.168.131.241
> www.ruffalonl.com
Server:  dc2.mydomain.local
Address:  192.168.88.12
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to dc2.mydomain.local timed-out

Does anyone have any ideas as to why my servers would be unable to resolve the www host?  If I have NSLookup make the same query against 8.8.8.8, it successfully resolves:

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8
> www.ruffalonl.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
Non-authoritative answer:
Name:    rnl-web.lb.ruffalonl.com
Address:  72.50.228.74
Aliases:  www.ruffalonl.com
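An added example, not part of the original post, that reproduces the nslookup matrix above with Resolve-DnsName and then asks the authoritative servers for the CNAME target's zone directly, which separates a failure on the DCs' own path (forwarders, recursion) from a failure at the target. The resolver addresses and names are the ones quoted in the post.

```powershell
# Added example (not from the original post): resolver x name matrix, then a
# direct query to the authoritative servers of the zone holding the CNAME target.
$Resolvers = @('192.168.88.15', '192.168.88.12', '8.8.8.8')
$Names     = @('ruffalonl.com', 'www.ruffalonl.com')

function Test-Name {
    param([string]$Name, [string]$Server)
    try {
        $rr = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
        $answer = foreach ($r in $rr) {
            switch ($r.Type) { 'CNAME' { "CNAME $($r.NameHost)" } 'A' { $r.IPAddress } }
        }
        [pscustomobject]@{ Server = $Server; Name = $Name; Result = 'OK';   Answer = $answer -join '; ' }
    } catch {
        [pscustomobject]@{ Server = $Server; Name = $Name; Result = 'FAIL'; Answer = $_.Exception.Message }
    }
}

# 1. The same matrix the post built by hand with nslookup
$matrix = foreach ($s in $Resolvers) { foreach ($n in $Names) { Test-Name -Name $n -Server $s } }
$matrix | Format-Table -AutoSize

# 2. Take the CNAME target from a resolver that works, find the zone that holds it
#    (walk up the labels until NS records appear), and ask each NS directly.
$good   = Test-Name -Name 'www.ruffalonl.com' -Server '8.8.8.8'
$target = ($good.Answer -split '; ' | Where-Object { $_ -like 'CNAME *' } | Select-Object -First 1) -replace '^CNAME '
if ($target) {
    $zone = $target; $ns = $null
    while (-not $ns -and $zone.Contains('.')) {
        $ns = Resolve-DnsName -Name $zone -Type NS -Server '8.8.8.8' -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object Type -eq 'NS'
        if (-not $ns) { $zone = $zone.Substring($zone.IndexOf('.') + 1) }
    }
    "Zone holding $target : $zone"
    foreach ($n in $ns) {
        $ip = (Resolve-DnsName -Name $n.NameHost -Type A -Server '8.8.8.8' -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
        # FAIL here, from the DC itself, points at the authoritative side rather than the DCs' forwarders
        if ($ip) { Test-Name -Name $target -Server $ip }
    }
}
```

Run step 2 from each DC as well as from a workstation: if the authoritative servers answer the DC directly but the DC's own recursive lookup still times out, look at the DC's forwarders and at whether the authoritative side answers the EDNS0 queries a Windows DNS Server sends by default (`dnscmd /config /EnableEDnsProbes 0` disables the probes for a test).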

DNS, DHCP and IP Address Management (DDI)


Hi,

I work for a national public sector organisation with around 6000 staff and 40 sites. We have a simple AD setup, single forest/domain with a trust to another older single forest/domain. We have fewer than 10,000 computers.

We're looking at replacing our DDI product, VitalQIP with another product. My boss wants one of the heavy hitters such as InfoBlox, BlueCat or Efficient IP. We use DDI for the usual things:

  • DNS resolution and forwarding, custom domains
  • IPV4 address management (A, CNAME, SRV records)
  • DHCP scopes and MAC reservations

We don't need any Bentley class features, so in my opinion, Microsoft DNS and DHCP on Server 2012/2016 should be fine. Is this a reasonable assumption or are there shortcomings of MS DDI that I'm missing?

Thanks


IT Support/Everything

Assigning VLANs (subnets) to IKEv2 clients


I'm deploying always-on IKEv2 to eliminate Wi-Fi passwords (clients will connect to an open wireless network and VPN in from there) and to have a seamless transition in and out of Wi-Fi. Like in most RADIUS-backed networks, there's VLAN assignment for the clients too and I'd like to keep it, but grant the assignment over the IKEv2 IPsec tunnel instead of the regular 802-point-something. I've been trying combinations of RADIUS attributes hoping to guess the correct one, if any, but really I'm not sure if it's possible at all.

Is it? Perhaps setting different policies with matching requests? I had to relax the network policy quite a bit so it would allow me to make the connection from the intranet to begin with, so I'm a little wary about continuing to try or right away starting to redesign the whole network around this. I saw the option to change the attribute Tunnel-Type from 802.1x to ESP, which gives me high hopes.

Anyway, I'd really appreciate any advice you have on this. Thanks!


I bet you think this post is about you. Don't you…don't you. ♪

Network Policy Server and Certificate Authority migration


Dear All,

I have created a thread in the migration forum but the moderator suggested that I post in this forum for further help.

I did a lab test of the migration but found that the NPS server certificate is not shown in the EAP settings.

Please find below the link to that thread.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/db18a770-3710-4048-880c-2eec89c7c364/network-policy-server-and-certificate-authority-migration?forum=winserverMigration#d8923525-3e5f-4ff3-a3ca-443b9e4c3fab

We are currently planning to migrate the servers below from Windows 2008 R2 to Windows 2016:
Server1 - ADDS/DNS/NPS/File Server
Server2 - ADDS/DNS/NPS/CA

Because many roles are running on one server, we would like to reuse the same hostname and IP for both servers.
My plan is to migrate the server2 roles first, but I have concerns about the NPS and CA role migration. NPS is configured with Microsoft EAP (PEAP) for wireless and switch access.

The NPS server also acts as a RADIUS server; the RADIUS clients are a Cisco WLC wireless AP and a Cisco switch.
Client authentication is EAP, MS-CHAP or MS-CHAP-v2 based and not certificate based.

After migrating, do I need to publish those certs again to let clients trust the cert for NPS authentication? May I know how to configure the clients to trust the cert again?

Current NPS Connection Request Policies
- Condition: NAS Port Type (Wireless - IEEE 802.11 or Wireless - Other)
- Settings: Authentication Provider: Local Computer

Current Network Policies
- Domain User connection: NAS Port Type (Wireless - IEEE 802.11 or Wireless - Other)
- Domain Computer: NAS Port Type (Wireless - IEEE 802.11 or Wireless - Other)

Below are the planned steps for the server2 migration. Can I know whether the migration sequence is correct and whether anything is missing?
- Create new server with new hostname and IP address
- Check ADDS/DNS/NPS health
- Change by schedule the publication of the certificate revocation list to extend the date to a few weeks and the delta CRL to one week
- Back up and export CA config and remove CA roles
- Demote old server as DC and remove ADDS/DNS roles
- Check ADDS/DNS health
- Export NPS config and stop NPS services (NPS for server2 stopped; server1 is serving wireless client access)
- Change IP and hostname of old server2 to free up the existing hostname & IP, shut down old server2
- Change hostname and IP of new server2 to reuse the existing hostname and IP
- Install CA roles again and import the config
- Check NPS and CA health
- Add ADDS/DNS role to new server2 and promote it to DC again
- Transfer FSMO roles from old ADDS/DNS server to new server2 ADDS/DNS server
- Install NPS role and import the config
- Start NPS services
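An added example, not part of the original post, covering the NPS export and import steps of the plan above, with the checks a practitioner runs on each side. It assumes the file paths shown are placeholders and that server1 keeps serving RADIUS while server2 is rebuilt.

```powershell
# Added example (not from the original post): the NPS part of the migration,
# old server2 first, then the rebuilt server2 once it has the original name/IP.
$Export = 'C:\Migration\nps-server2.xml'     # placeholder path

# --- Old server2, before the NPS role is removed ---
# The export contains RADIUS shared secrets in clear text: keep it off shares,
# restrict its ACL, and delete it once the import has been verified.
Export-NpsConfiguration -Path $Export
Get-NpsRadiusClient | Select-Object Name, Address |
    Export-Csv -NoTypeInformation -Path 'C:\Migration\radius-clients-before.csv'
# Record the certificates NPS could be using for PEAP, so the same one (or an
# equivalent from the same CA) can be selected again after the move.
Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey |
    Select-Object Subject, Thumbprint, Issuer, NotAfter |
    Export-Csv -NoTypeInformation -Path 'C:\Migration\certs-before.csv'
Stop-Service IAS          # NPS runs as the IAS service; server1 keeps answering the WLC and switches

# --- New server2 (final hostname and IP), after CA and AD DS roles are back ---
Install-WindowsFeature NPAS -IncludeManagementTools
Import-NpsConfiguration -Path $Export
# NPS must be a member of "RAS and IAS Servers" to read account dial-in properties
netsh ras add registeredserver
# Verify the RADIUS clients and policies came across
Get-NpsRadiusClient | Select-Object Name, Address
netsh nps show np
# The imported PEAP settings may still point at the old server's certificate. If
# that thumbprint is absent from this list, re-select the server certificate in
# the PEAP properties of each network policy before moving clients over.
Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey |
    Select-Object Subject, Thumbprint, Issuer, NotAfter
Start-Service IAS
```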


DNS timeout

After running the hybrid deployment wizard between my Exchange on-prem and Exchange Online, I cannot reach the Microsoft online protection server, and I found that I cannot resolve the Microsoft server (hasib1.mail.onmicrosoft.com); it gives me a DNS request timeout although my internal DNS forwarders are configured correctly and I do not have problems accessing the internet.

Group policy - Wired 802.1X Authentication

I have created a wired network IEEE 802.3 policy successfully. I need to disable "Remember my credentials for this connection each time I'm logged on". Has anyone done this before with group policy?

Windows 10 Always On VPN Force Tunneling


Customer wants to implement Windows 10 Always On VPN with Force Tunneling, with Windows Server 2016 RRAS. Is any proxy required for outbound internet traffic (traffic coming over the VPN but destined for the internet), or does the RRAS server simply send the traffic out? Is there any guidance available for capacity planning in this scenario? What if the RRAS server does not have internet access?

I've read that under DirectAccess with Force Tunneling, outbound proxy was typically required, and the deployment guide does not contain details for the Force Tunnel scenario for Always On VPN.  Thanks for any insights.


RRAS (always On VPN) -> DHCP or static pool on RRAS

Hi,
I'm about to install/configure an AlwaysOnVPN solution and am deciding whether to use DHCP or a pool from the AOVPN server itself.
In previous deployments I've always configured a pool on the servers themselves.

From the MS documentation (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-ras) I can find this:
"You can feasibly assign addresses from either a pool or a DHCP server; however, using a DHCP server adds complexity to the design and delivers minimal benefits."

Are these pros/cons described somewhere?
If I'm correct, a downside of using a DHCP scope is that all clients do not show their FQDN, but the name of the RRAS server.

Serious DNS problems after domain controller removal NEED HELP!

After removal of a domain controller to bring in another with a newer OS, the DNS server is now creating multiple duplicate DNS SRV records for itself in lowercase and uppercase for ldap, kerberos, etc. The records will not actually delete; when I try and reboot it creates new entries. Every time I delete them, I can hit refresh and they come right back. A lot of the SRV records from the demoted DC are also still in there and can't be deleted. I cannot add a DC to the domain either, because it says it cannot contact the DC when trying to add a DC through the GUI. This is the last DC in the domain, unfortunately, as there were only 2 in the first place. Any help would be greatly appreciated.

local and wan


Hello everyone,

My question may be easy for everyone.

I have 200 PCs.

I use DHCP on Windows Server 2012 R2.

These PCs are not joined to the domain; they just take an IP automatically.

I want 20 of these PCs to have access to the internet and to the local network at the same time (they need to remote control other servers).

So what should I do?

Thanks a lot.

DNS server is crashing once a day

Hello guys, I found a problem on my network: there is no day without restarting the server because DNS stopped working. So I want to ask you how I can fix it. I have the AD role installed on my server and have configured mobile profiles.

How to disable autoconfiguration IPv4 ?


Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-50-56-B3-22-34
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 82.179.190.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.128
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   Primary WINS Server . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled


The problem is that my static IP is constantly being replaced with an "autoconfiguration" address. The ipconfig output says "Autoconfiguration Enabled . . . . : Yes".

Question: How do I disable (turn off) "Autoconfiguration"?

PS: The IP address is statically configured.

How to configure RRAS VPN client IPv6 address range


Hi,

I setup SSTP VPN for IPv4 for a private company network which works very well:

Company Network: 10.10.10.0/24
VPN Client Range: 10.10.10.100 - 10.10.10.110

Now I want to do the same for IPv6. The IPv6 company network is a /80 subnet and the clients should get addresses within this network (similar to IPv4):

Company Network: A:B:C:D:1::
Desired VPN Client Range: A:B:C:D:1:1000::

When setting A:B:C:D:1:1000:: in the IPv6 Prefix Assignment tab of Routing and Remote Access window I get a "The prefix is invalid. Enter a valid prefix." error message.

How do I configure RRAS VPN client IPv6 address range correctly?

Best Regards,
Christopher Dresel


Multiple Questions regarding IPAM on Server 2012


Hi

We are considering to replace our spreadsheets with MS IPAM but we have a few issues with it(s documentation).

1. Is there a way to import hosts from DNS rather than from DHCP? Currently we have our servers, which have been assigned static IPs, but we plan to add hundreds of servers with DHCP.

2. In the add IP address dialog there are a few fields and values which need some clarification:

a) Managed by service (especially what it means if I choose something other than IPAM)

b) Server instance (especially what it means if I choose something other than localhost (it also shows me the DHCP server))

c) Assignment type (especially what are the consequences of not using static)

3. In general: How shall I handle regular domain members (servers and clients)? Do I need to do anything (if so what) in IPAM if

a) I use DHCP?

b) I use static addressing?

4. What about dual-stack IPv4/IPv6 use: is there a way to link those addresses?

5. Just a side note: http://technet.microsoft.com/en-us/library/hh831622.aspx#config_ipam1 --> To configure IPAM step 16:

Invoke-IpamGpoProvisioning -Domain contoso.com -GpoPrefixName IPAM1 -DelegatedGpoUser user1 -IpamServerFqdn ipam1.contoso.com

is really something I wouldn't expect to do manually. Especially since everything else is done in the GUI! And also 

So looking forward for your answers!

Thanks

Philippe


Philippe Schnyder



IPAM on 2012R2-Ability to scan and discover static addresses with computernames?


Hey guys,

I have a 2012 R2 domain. All of our server subnets use static IP addresses that are not specified in DHCP. We keep spreadsheets and want to replace that with something that can scan the subnets we specify and do ping sweeps (SNMP/WMI) to help detect and name devices. I care more about the ability to scan and the quality of those scans than I do about all the other features of IPAM. I know the Microsoft solution will allow static addresses to be entered manually, or imported from a CSV file. I am probably going to spin up a 2012 R2 IPAM test server and compare it against the SolarWinds IPAM product, but does anyone know if the Microsoft solution will also scan the static subnets specified to help determine which IP addresses are in use? Possibly even query and figure out the server name (if a DNS record exists, or if it has credentials to make an SNMP or WMI connection?

Thanks,


Dave






IKEv2 issues when using 'Computer Certificates' for authentication - Help Please!!!!


Hi,

Spent a while trying to troubleshoot an issue with Always on VPN when using computer certificates for authentication with IKEv2. 

On the client end we receive the error "IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store."

On the server in the event log the error "CoId={9B036532-06D1-2BC2-F7BF-843F27270EBD}: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: XXXX.LOCAL.DOMAIN.UK. IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store."

Current Setup of Server:

Windows 2012 R2:

- RRAS configured with only IKE2 Machine Authentication

- All ports on RRAS disabled except PPPOE and IKEv2

- No NPS configuration changed as I believe the RAS server checks certificates rather than using NPS.

- Configured with a local certificate with the Subject Name CN set as vpn.domain.uk. EKU set as Server and IKE Authentication. No other local certificate installed. Certificate is trusted by the Enterprise CA Root and in store. Certificate is RSA 2048 SHA256.

- 1 Ethernet adapter with private IP assigned.

- External Firewall that is Network Translating external IP to private IP of RRAS server

- Only ports 500 UDP and 4500 UDP are being seen on the firewall and are therefore the only ports that have NAT rules in place

Windows 10 1709:

- Configured VPN host name set to vpn.domain.uk

- Configured with a local certificate.  EKU set as Client Authentication.  No other certificate installed.  Certificate is trusted by the same Enterprise CA Root the server certificate has and in store.  Certificate is RSA 2048 SHA256.

The client certificate is OK, because when laptop is plugged into corporate network, 802.1x authentication uses the same certificate as would be for VPN and works.

Anybody have any idea why the client is not working? It doesn't matter what certificate I mess around with on the server; DNS, CN names etc. using IP or hostname result in the same error "Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store."

I know I am missing something.

I have had it working in the past, but when I started to remove what I thought was useless Trusted Root certificates relating to DirectAccess is when it stopped working.  Direct Access was used previously on this server.

We have since installed a new Windows 2012 R2 server and just installed the VPN and not DirectAccess, but receive the same errors.

Also is there any useful info in the logs that I can check to actually see what certificate is being sent to the client, as it obviously isn't the vpn.domain.uk?

Thanks, any help appreciated.



ESENT Errors (Lots of them)


This error below is spamming our server. However, I've fixed everything on the server I can think of. The only errors I am getting are ESENT and most of them are the below. SFC /Verifyonly found no corruption.

svchost (504) SoftwareUsageMetrics-Svc: A request to write to the file "C:\Windows\system32\LogFiles\Sum\SystemIdentity.jfm" at offset 0 (0x0000000000000000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (18 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

The server periodically starts hanging and freezing, like my CPU is under max load, where everything is just super slow and laggy. The only way to fix it is to reboot the computer. Unplugging the power for 30 seconds seems to increase the likelihood that the server boots into a stable state. However, I'm unsure if it's just chance.

Any ideas? I have run Intel's Diagnostic tool on the CPU and all green. I just don't know here. Dumbfounded.

NPS authentication errors


I’m testing Windows 10 Always on VPN in our environment and I’ve followed the following sites on creating the NPS and certificate templates.

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-server-infrastructure

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-ras

On the NPS server the network policy authentication method is set to Microsoft: Protected EAP (PEAP) and the EAP type is set to Secured password (EAP-MSCHAP v2).

The clients are configured the same.

The VPN fails with the following error on the NPS server:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/13/2018 2:41:40 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      NPS.domain.local
Description:
Network Policy Server denied access to a user.
Reason: No credentials are available in the security package

 

The error on the VPN is:

Log Name:      System
Source:        RemoteAccess
Date:          2/13/2018 2:48:57 PM
Event ID:      20255
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      VPN.domain.local
Description:
CoId={108AE838-1D9D-B57F-772F-9C5E930B6E58}: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: <Unauthenticated User>. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error

If I change the EAP authentication type to Secured password (EAP-MSCHAP v2) then the VPN works.
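An added example, not from either post, that serves this post and the "Network Policy Server and Certificate Authority migration" post above: PEAP needs a server certificate in the local computer's personal store with its private key, the Server Authentication EKU and a valid chain, and both the "certificate not shown in EAP settings" symptom and the "No credentials are available in the security package" reason are commonly seen when no such certificate is present. The template name at the end is a placeholder.

```powershell
# Added example (not from the original posts). Run on the NPS server; lists every
# certificate in the computer's personal store and whether PEAP can use it.
function Get-PeapServerCertCandidate {
    $serverAuth = '1.3.6.1.5.5.7.3.1'     # id-kp-serverAuth
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert   = $_
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
        $ekus   = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $hasServerAuth = $ekus -contains $serverAuth
        $chainOk       = $cert.Verify()    # builds the chain with the machine's trust and revocation policy
        $notExpired    = $cert.NotAfter -gt (Get-Date)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $hasServerAuth
            ChainValid    = $chainOk
            Usable        = $cert.HasPrivateKey -and $hasServerAuth -and $chainOk -and $notExpired
        }
    }
}

Get-PeapServerCertCandidate | Sort-Object Usable -Descending | Format-Table -AutoSize

# If nothing is Usable, enroll one from the enterprise CA with a template that
# includes Server Authentication ('NPSServer' is a placeholder template name),
# then select it in the PEAP properties of the network policy.
# Get-Certificate -Template 'NPSServer' -CertStoreLocation Cert:\LocalMachine\My
```

A certificate that is Usable here but still not offered in the PEAP dialog is worth checking for a non-RSA key or a subject that does not identify the server, since the dialog filters on more than the three properties above.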

windows server 2008 restore

When I reinstall server 2008 will it allow me to save the files already on the server?