Channel: Network Infrastructure Servers forum

Always on VPN Profile XML Issue


I'm attempting to deploy an Always On VPN profile to Windows 10 using an XML file. What I see once the profile has been deployed is that the network interface has been created; however, if I go to Settings > VPN to try to connect to the VPN, there's no VPN there. If I try to manually create the VPN there I get a message that says it already exists. Anyone know what would cause this?

<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>MYDOMAIN.com</DnsSuffix>
  <NativeProfile>
    <Servers>RAS.MYDOMAIN.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>MYDOMAIN.local</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>MYDOMAIN.local</DomainName>
    <DnsServers>192.168.100.4</DnsServers>
  </DomainNameInformation>
</VPNProfile>


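Added example, not code from the post or from Microsoft: a small audit script that parses the ProfileXML above with the standard library and reports settings that conflict with the documented device-tunnel requirements (IKEv2 with machine-certificate authentication), malformed DNS server entries, and a missing TrustedNetworkDetection. The MYDOMAIN placeholders are the poster's own.

```python
"""Audit an Always On VPN ProfileXML before deploying it.

Added example, not from the forum post or from Microsoft: it parses the
ProfileXML shown in the post (copied below, MYDOMAIN placeholders kept) and
reports settings that conflict with the documented requirements for a
device tunnel (IKEv2 with machine-certificate authentication).
"""
import ipaddress
import xml.etree.ElementTree as ET

# ProfileXML from the post above, reindented; nothing else changed.
PROFILE_XML = """\
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>MYDOMAIN.com</DnsSuffix>
  <NativeProfile>
    <Servers>RAS.MYDOMAIN.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>MYDOMAIN.local</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>MYDOMAIN.local</DomainName>
    <DnsServers>192.168.100.4</DnsServers>
  </DomainNameInformation>
</VPNProfile>
"""


def _text(root, path):
    """Return the stripped text of the first element at `path`, or None."""
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else None


def audit_profile(xml_text):
    """Return a list of human-readable findings; an empty list means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"XML is not well-formed: {exc}"]
    findings = []
    if root.tag != "VPNProfile":
        findings.append(f"root element is <{root.tag}>, expected <VPNProfile>")

    servers = _text(root, "NativeProfile/Servers")
    proto = _text(root, "NativeProfile/NativeProtocolType")
    machine_auth = _text(root, "NativeProfile/Authentication/MachineMethod")
    device_tunnel = (_text(root, "DeviceTunnel") or "false").lower() == "true"

    if not servers:
        findings.append("NativeProfile/Servers is missing or empty")
    # Device tunnels are only supported with IKEv2 and machine-certificate auth.
    if device_tunnel and proto != "IKEv2":
        findings.append(f"device tunnel requires NativeProtocolType IKEv2, found {proto!r}")
    if device_tunnel and machine_auth != "Certificate":
        findings.append("device tunnel requires Authentication/MachineMethod Certificate")

    # DnsServers is a comma-separated list of addresses; catch typos early.
    for dns in root.findall("DomainNameInformation/DnsServers"):
        for addr in (dns.text or "").split(","):
            try:
                ipaddress.ip_address(addr.strip())
            except ValueError:
                findings.append(f"DnsServers entry {addr.strip()!r} is not an IP address")

    # Without TrustedNetworkDetection the client also tries the tunnel on the LAN.
    if not _text(root, "TrustedNetworkDetection"):
        findings.append("TrustedNetworkDetection unset: tunnel will also be attempted on the corporate LAN")
    return findings


if __name__ == "__main__":
    for line in audit_profile(PROFILE_XML) or ["no findings"]:
        print(line)
```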




Help on RRAS Clients routing between subnets


Hi all, 

I have an RRAS/NPS setup in a lab and, while I can get my client connected via IKEv2 just fine, I can't ping or route to anything outside of the static IP range they reside in.

External NIC 10.2.2.x

Internal NIC 10.1.1.x

When clients connect they are in a static address pool of 172.16.255.10-39 (30 addresses)

From my understanding I need to set up static routes to allow the clients to communicate with other subnets, but I'm having difficulty figuring out how to configure this. I have successfully used DHCP relay to the 10.1.1.x network and, while it works, the clients then have access to resources they should not have access to, which is a security risk, so I thought a static pool with very specific routes would be best.

Ultimately I want the clients to have access to a few resources on this network:

A jump host they RDP (3389) to (10.1.7)

RemoteApp server (443,3389) to stream an app, (10.1.1.14)

DNS/AD for GPO processing (10.1.1.20-21) 

So what I'm asking is how do I set up these routes so the clients can talk.

Do I need to setup static routes in RRAS?

Do I need to add a static route on the endpoints, and is that best done in AD?

Thank you in advance. 

Always on VPN Staying Connected


We have an issue where our Always On VPN clients (Windows 10 v1803) remain in a 'connected' state even once the network has lost its Internet connection.

Normally this is not an issue when using a stable connection, but it becomes an issue when using the VPN over an unstable connection (for example a mobile hotspot on a train). The connection stays 'connected', meaning the VPN does not try to reconnect automatically once the connection is back up.

Does anyone know how I can make the connection disconnect when there is no longer a connection to the VPN?

Many thanks

Fall-out from turning DNS Dynamic Updates to Secure only


We have a 2008 R2 domain with Active Directory-integrated DNS. We are almost a 100% Windows environment and our Windows clients are set up to register their connections (not through a policy; I think it is just the default for the Windows OS). We are currently set to accept both "secure and nonsecure" DNS updates, and I know that is a security issue. We also have DHCP set for dynamic updates on clients even if they do not request it (we also use a DDNS update credential account).

When it comes to changing DDNS updates to "secure only", my biggest concerns are the Lights Out interfaces on the servers and the few Linux servers. Most of those are on DHCP, so I think they will be fine, but I'm guessing that any that are not using DHCP would be scavenged according to those schedules? As long as I check and make sure the DNS records for those concerned non-Windows clients are either using DHCP or do not have a timestamp on their host record, is there anything else I should be concerned about?

Thanks,


Dave




Always-On VPN in Windows 10 1903 doesn't connect

Just want to warn you: I experienced a pretty straightforward bug/scenario where my existing Win10 1803 builds connect successfully, but if I upgrade to 1903 or install a new machine with 1903, the VPN connection will not be established. The error is typically something about the phonebook file :D ... I just re-installed the failed 1903 machine back to the 1803 build and it works like a charm again.

MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

dcdiag error 9003 Missing SRV record at DNS server


I have a new client that I will be adding a second DC to their domain for. They are currently running at the 2003 functional level with a single Server 2008 R2 DC. I will be adding a second domain controller running Server 2008 SP2, but before I do I have cleaned up old metadata from old improperly removed DCs and removed several old DNS records as well.

My question is this: when I run dcdiag /test:dns /v I receive the following errors:

Error:
                     Missing SRV record at DNS server 192.168.50.101:
                     _ldap._tcp.68f495a1-7552-4ddf-8d91-42effff06952.domains._msdcs.removedforanonymity.com
                     [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

I'm not sure how to resolve this. I have tried restarting the netlogon service from Services and I have also tried:

net stop netlogon

renamed C:\Windows\System32\config\netlogon.dnb

renamed C:\Windows\System32\config\netlogon.dns

net start netlogon

ipconfig /registerdns

Then ran dcdiag /test:dns /v again but still get same error.

Here is a copy of ipconfig /all

C:\Users\administrator.removedforanony>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : TE-SERVER-ARCGIS
   Primary Dns Suffix  . . . . . . . : removedforanonymity.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : removedforanonymity.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #41
   Physical Address. . . . . . . . . : 78-2B-CB-6C-C3-4C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.50.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.50.1
   DNS Servers . . . . . . . . . . . : 192.168.50.101
   Primary WINS Server . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


My DNS forward lookup zones are:

_msdcs.removedforanonymity.com

removedforanonymity.com

Here is a copy of my dcdiag /test:dns /v

C:\Users\administrator.removedforanony>dcdiag /test:dns /v

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine TE-SERVER-ARCGIS, is a Directory Server.
   Home Server = TE-SERVER-ARCGIS
   * Connecting to directory service on server TE-SERVER-ARCGIS.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=removedforanonymity,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=removedforanony,DC=com
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=removedforanonymity,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=TE-SERVER-ARCGI,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=removedforanony,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\TE-SERVER-ARCGI
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... TE-SERVER-ARCGI passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\TE-SERVER-ARCGI
      Test omitted by user request: Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Test omitted by user request: FrsEvent
      Test omitted by user request: DFSREvent
      Test omitted by user request: SysVolCheck
      Test omitted by user request: KccEvent
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: MachineAccount
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: Replications
      Test omitted by user request: RidManager
      Test omitted by user request: Services
      Test omitted by user request: SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyReplicas

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         See DNS test in enterprise tests section for results
         ......................... TE-SERVER-ARCGI passed test DNS

   Running partition tests on : ForestDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : DomainDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Schema
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Configuration
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : removedforanonymity
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running enterprise tests on : removedforanonymity.com
      Starting test: DNS
         Test results for domain controllers:

            DC: TE-SERVER-ARCGIS.removedforanonymity.com
            Domain: removedforanonymity.com


               TEST: Authentication (Auth)
                  Authentication test: Successfully completed

               TEST: Basic (Basc)
                  The OS
                  Microsoft Windows Server 2008 R2 Standard  (Service Pack level: 1.0)
                  is supported.
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter
                  [00000008] Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client):

                     MAC address is 78:2B:CB:6C:C3:4C
                     IP Address is static
                     IP address: 192.168.50.101
                     DNS servers:
                        192.168.50.101 (TE-SERVER-ARCGI) [Valid]
                  The A host record(s) for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found primary
                  Root zone on this DC/DNS server was not found

               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     205.152.132.23 (<name unavailable>) [Valid]
                     205.152.37.23 (<name unavailable>) [Valid]

               TEST: Delegations (Del)
                  No delegations were found in this zone on this DNS server

               TEST: Dynamic update (Dyn)
                  Test record dcdiag-test-record added successfully in zone removedforanonymity.com
                  Test record dcdiag-test-record deleted successfully in zone removedforanonymity.com

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000008] Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client):

                     Matching CNAME record found at DNS server 192.168.50.101:
                     033af388-8783-4714-ad6b-691fed2eaf75._msdcs.removedforanonymity.com

                     Matching A record found at DNS server 192.168.50.101:
                     TE-SERVER-ARCGIS.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _ldap._tcp.removedforanonymity.com

                     Error:
                     Missing SRV record at DNS server 192.168.50.101:
                     _ldap._tcp.68f495a1-7552-4ddf-8d91-42effff06952.domains._msdcs.removedforanonymity.com
                     [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _kerberos._tcp.dc._msdcs.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _ldap._tcp.dc._msdcs.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _kerberos._tcp.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _kerberos._udp.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _kpasswd._tcp.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _ldap._tcp.Default-First-Site-Name._sites.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _kerberos._tcp.Default-First-Site-Name._sites.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _ldap._tcp.gc._msdcs.removedforanonymity.com

                     Matching A record found at DNS server 192.168.50.101:
                     gc._msdcs.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _gc._tcp.Default-First-Site-Name._sites.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.removedforanonymity.com

                     Matching  SRV record found at DNS server 192.168.50.101:
                     _ldap._tcp.pdc._msdcs.removedforanonymity.com

               Warning: Record Registrations not found in some network adapters

         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 192.168.50.101 (TE-SERVER-ARCGI)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered

            DNS server: 205.152.132.23 (<name unavailable>)
               All tests passed on this DNS server

            DNS server: 205.152.37.23 (<name unavailable>)
               All tests passed on this DNS server

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: removedforanonymity.com
               TE-SERVER-ARCGIS             PASS PASS PASS PASS PASS WARN n/a

         ......................... removedforanonymity.com passed test DNS
      Test omitted by user request: LocatorCheck
      Test omitted by user request: Intersite

Any suggestions why I am still getting this error?

Thanks,

Brian


Domain redirection on a DNS level


Hello

We want to redirect domain A to domain B, so when you type www.domainA.com into the browser it must be redirected and also shown with the new URL www.domainB.com. I know this can be done under DNS with a CNAME record, but this only redirects the domain to a different IP; browsers still show the 'old' name. We don't want to use IIS redirection. Looking at a commercial domain on GoDaddy hosting services, it allows you to redirect a whole domain to a new one, but this is not possible for our country (local) domain. Can this be done in any other way? Any suggestions and help will be gladly appreciated.

Regards, Miha

Always On VPN - Cannot access internal resources via load balancer


Hi

I have set up an Always On VPN lab environment in Hyper-V. My RRAS server's external connection (192.168.1.160) is on the 192.168.1.0/24 network and this has the default gateway set to my Internet router of 192.168.1.254. The internal connection of the RRAS server (172.16.0.104) is on the 172.16.0.0/24 network. It also has a PPP adapter, RAS (Dial In) Interface, that has picked up an IP address out of the dynamic pool of 172.16.0.210.

The Always On VPN client is set up for force tunnelling.

If I move one of my domain joined clients to the 192.168.1.0/24 network the Always On VPN connects and I can access internal resources, such as pinging 172.16.0.100 (DC and DNS server). So everything is working as expected.

If I now introduce a Kemp LB and follow your instructions for configuring it, by creating 2 x Virtual Servers on UDP ports 500 and 4500 and setting up port following, etc. that Kemp provide, the Always On VPN client connects, but I cannot access any internal resources.

I have compared routing tables and performed network traces but nothing really shows why I cannot access the internal resources.

Does anyone have any ideas or tips that could help me out as I really need to get this working before we implement this for real?


Radius traffic over Internet - is there a way to make it secure using Microsoft NPS ?


Hi there,

I would like to achieve centralized wireless authentication from several small offices NOT directly connected to the company's network.

In other words there are NO MPLS or VPN connections, thus internal NPS servers cannot be reached directly from branch offices.

I'm wondering if using NPS proxies published over the Internet is a good idea or not ...

Can I secure the traffic enough using PEAP on the internal NPS servers, or are some sensitive parts of the RADIUS packets still sent in clear text?

Thank you

Riccardo
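Added illustration for the clear-text question above, not code from the post or from NPS: it builds a RADIUS Access-Request as RFC 2865 lays it out, hides User-Password with the standard MD5 shared-secret scheme, and shows what an observer without the secret still reads. With PEAP the credentials travel inside TLS and User-Password is not used at all, but the outer User-Name and NAS attributes remain readable, which is why RADIUS across the open Internet is normally carried over IPsec or RadSec (RADIUS/TLS). The secret, user name and NAS address are constructed values.

```python
"""What an on-path observer sees in a RADIUS Access-Request.

Added example, not from the post or from NPS. It builds an Access-Request the
way RFC 2865 lays it out and applies the standard User-Password hiding:
MD5(shared secret + Request Authenticator) XORed into the padded password,
chained block by block. Every other attribute is sent as plain text.
All secrets, names and addresses here are constructed values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor_chain(data, secret, authenticator, reveal):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(S + c(i-1)), with c(0) = authenticator.
    When hiding, the previous *cipher* block feeds the chain; when revealing,
    the previous *received* block does, which is the only difference."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block_in = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block_out = bytes(a ^ b for a, b in zip(block_in, key))
        out += block_out
        prev = block_in if reveal else block_out
    return out


def hide_password(password, secret, authenticator):
    """Pad the password with NULs to a multiple of 16 bytes and obfuscate it."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:  # RFC 2865 requires at least one 16-byte block
        padded = b"\x00" * 16
    return _xor_chain(padded, secret, authenticator, reveal=False)


def reveal_password(hidden, secret, authenticator):
    """Undo hide_password; only works with the same secret and authenticator."""
    return _xor_chain(hidden, secret, authenticator, reveal=True).rstrip(b"\x00")


def build_access_request(identifier, authenticator, attrs):
    """attrs: list of (type, raw value) tuples; returns the packet bytes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def observer_view(packet):
    """Everything a passive observer without the shared secret reads directly."""
    _, _, _, attrs = parse_attributes(packet)
    names = {USER_NAME: "User-Name", USER_PASSWORD: "User-Password",
             NAS_IP_ADDRESS: "NAS-IP-Address"}
    view = {}
    for attr_type, value in attrs:
        name = names.get(attr_type, f"Attribute-{attr_type}")
        if attr_type == USER_PASSWORD:
            view[name] = "<obfuscated; recoverable only with the shared secret>"
        elif attr_type == NAS_IP_ADDRESS:
            view[name] = ".".join(str(b) for b in value)
        else:
            view[name] = value.decode("utf-8", "replace")
    return view


if __name__ == "__main__":
    secret, authenticator = b"constructed-shared-secret", os.urandom(16)
    pkt = build_access_request(1, authenticator, [
        (USER_NAME, b"branch-user@corp.example"),
        (USER_PASSWORD, hide_password(b"P@ssw0rd!", secret, authenticator)),
        (NAS_IP_ADDRESS, bytes([203, 0, 113, 10])),
    ])
    for name, value in observer_view(pkt).items():
        print(f"{name}: {value}")
```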


Some websites not loading


I have a customer that is having an issue with some web pages not loading. Yahoo is one of the pages that isn't working and the page I'm using for testing...

Windows Server 2012 r2 domain with Windows 10 clients.

This issue is with all of their domain-joined PCs using IE, Edge and Chrome. It doesn't matter if I use the domain DNS servers, their ISP's DNS or Google DNS. Yahoo loads fine on PCs that aren't domain members and on mobile devices.

Affected pages do try to load, but are very slow and do not load completely. It appears that only the non-secure content is loaded. I have set up a new VM and joined it to the domain. All GPOs have been applied with a gpupdate and reboot in between each to see if it was from one of the GPOs. gpresult shows that the applied GPOs are the same for the new VM as for the machine I've been using for testing. The new VM is working correctly, however, so I guess it's not a corrupt GPO.

This started after I added a third domain controller.  Not sure how to proceed testing this.  Any thoughts?

Windows only Radius Issue NPS Event: 6273 Reason Code 16


We set up RADIUS (NPS) about a year and a half ago on Windows Server 2012 and it's been running fine... until now. We're baffled because we're not aware of any changes that have been made.

We are having an issue where Windows devices will not authenticate with our RADIUS server (NPS). All other types of devices work fine; the issue seems to only impact Windows specifically.

The Network policy settings haven't changed, and we've verified that our certificate isn't expired. We are configured for EAP Types: PEAP and EAP-MSCHAP v2.

The error we get in Event Viewer is Event ID: 6273, Reason Code: 16, "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

Since the username and password work just fine when connecting smartphones and other devices, it makes me think that the information getting sent back by Windows clients isn't in a format that the server recognizes as valid, or the server isn't parsing the information correctly.

I have spent a lot of time reviewing every article I can find to try and resolve this issue, but no luck yet. Any help would be GREATLY appreciated!

DNS Scavenging Settings


Hi everyone

I'm getting myself confused with what settings I should be using.

Our DHCP Lease is set to renew every 2 days

What should our DNS scavenging settings be? I have read they should be less than or equal to the DHCP lease expiry.

So....

1) What should the ageing settings be on the zone? Should they both be set to 1 day?

2) What should the automatic scavenging be set to on the DNS server itself? It's currently defaulted to run every 7 days.

Thanks in advance.

One profile for local and domain user


Is there a way to create a profile that can be a domain user as well as a local user?

I have a couple of employees that do work outside of the office but also need access to the network when they are here. Their laptops were set up before they needed network access, so most of their work is under the local profile. When I connect them to the domain it creates a new profile.

One issue is that they need a copy of all files under each profile. On a 256 GB hard drive there isn't much room for duplication. They have less than 50 GB left after the copy is complete.

Another issue is Outlook has to be reconfigured as well as all other Office programs. The settings don't carry over.

Another issue - and one of the most important - is that some programs need to be re-licensed. 

It's just a headache.

Thanks,

Jessica

IAS to NPS


Hi guys,

We are running IAS on Windows 2003 and would like to migrate to a new 2016 server with NPS. Are there any particular settings we should be aware of, or services, to make the transition smooth?

We are looking to reuse existing IP/hostname of the 2003 machine.

We are looking to support VPN/RADIUS authentication.

Thanks,

TT.


Overriding DNS for local domain name


When our Windows network and AD structure was created a long time ago by my predecessor, he named the Windows domain the same as our Internet domain. The network was established at a time when the Internet wasn't such a big thing, but now it starts to interfere with about every service we use.

In short, our Windows domain is named "frambu.no" and our main website is also "frambu.no". The consequence is that frambu.no is resolved as either AD1 or AD2 (DNS is also running on both) instead of the external website. I know that the most logical solution would be to change the Windows domain name, but this is a task I'm not prepared for at the moment.

I've solved the issue temporarily by copying a custom hosts file to all the workstations in the domain, but this is not how I want to run my network, so the question is whether there's any way I can override what the Windows DNS resolves for the local domain.


RRAS outgoing port forwarding


So, I have an application running on my internal network that requires a specific port X. The server where it runs is given access to the Internet through RRAS NAT. The fact is that my application requires both inbound and outbound static mapping on port X.

Example: any incoming connection on external port X of the RRAS server should be forwarded to internal port X of my application server (inbound), and

any outgoing connection sent from my application server to a remote port X through RRAS should be sent out by RRAS using external port X (outbound).

I know that for the inbound translation I go into RRAS, the IPv4 NAT tab, right-click on the external network adapter, and configure the port mapping.

However, I don't know how to configure the second thing. At the moment, I can see that packets sent to remote port X are sent out by RRAS using a high-numbered port.

Please Help with Event ID 8007


"The system could not register the DNS update request because of a security related problem. This could happen for the following reasons: (a) the DNS domain name that your computer is trying to register could not be updated because your computer does not have the right permissions, or (b) there might have been a problem negotiating valid credentials with the DNS server to update."

I keep getting this error and I've tried "ipconfig /registerdns", but nothing happens.

Always On VPN stays connected when laptops dock


Hello, we are testing Always On VPN on Windows 10 clients (ver 1803). All works as expected. It is a User Tunnel, via SSTP, set up with split routing and a Name Resolution Policy Table (NRPT); we also have several Route entries in our profile.xml for the many subnets we have here.

However we have a 3rd party guest network here and laptops with 4G SIM cards in them. If a laptop connects to one of these the AO VPN connects and all works fine. But if the users then put their laptop in a docking bay, which is on the corporate LAN, the Always On VPN stays connected. What is worse, in testing the traffic is still routing through AOVPN (I assume because the NRPT has priority).

The VPN connection FQDN is only accessible from the internet. You can't even resolve it from the corporate LAN.

Question: Is this expected behavior? Do users have to manually disconnect? As I recall, DirectAccess would detect it was on the corporate network and drop the connection.

Cheers

Matt

VPN stops working and returns "IKE authentication credentials are unacceptable" after restarting the service


Hi,

We have installed Windows Server 2019 Datacenter and have set up an IKEv2 VPN on this server. This works as hoped until the server reboots, or more specifically when the service is restarted.

If we try to connect with a client PC we get "IKE authentication credentials are unacceptable", and the only way I can resolve this, from what I can tell, is to Disable Routing and Remote Access and then Configure and Enable Routing and Remote Access again in the same way each time:

  • "Custom Configuration" > "VPN access"
  • "Authentication Methods" > Tick "Allow machine certificate authentication for IKEv2"
  • "Allow custom IPsec policy for L2TP/IKEv2 connection" (using a preshared key)
  • Changing the "SSL Certificate Binding" to one I made

I've also run SFC /SCANNOW and PowerShell DISM /Online /Cleanup-Image /ScanHealth, none of which helped.

What could be stopping the VPN from continuing to work after the service has restarted?

Kind regards
Adam

DNS setup


Hello, Expert,

please see the two photos below. Why does the router have to be set as the DNS server for the Internet connection in the upper network, while the other (lower) network does not need the router (firewall) set as its DNS server?

Thanks.

Liu

