Channel: Network Infrastructure Servers forum

DNS (internal domain has same name as external website)


Our internal domain name is called "abc.com" and our company website is called "abc.com". I have created an "A" record that points to www.abc.com so staff can browse the website from within the office. The problem is that if people enter "abc.com" from a web browser within the office it does not resolve in an efficient manner. Can someone please help?


Interflex

DNS issue on Server 2016 - strange behavior - can't reach my company's website in web browser but ping is possible


Hi,

I am new here and I am not a professional system administrator but as I have worked in sales for datacenter infrastructure I have a rough idea how things should work. Of course I have some sysadmin knowledge on Microsoft and Linux as well.

For a small company I set up an AD/DNS/Exchange environment. Everything works fine but there's one issue:
I can't reach my own company's website via web browser, which is hosted by a web hosting provider.

The strange thing is that I am able to ping the www address, and nslookup and Test-NetConnection deliver correct results.
DCdiag doesn't return any error.

I have tried this from a Windows 10 client and from the AD/DNS itself, and it's the same behavior every time.
All other websites are accessible except our company's one.

Some more information:
- all servers are VMs
- as naming scheme for the AD I have chosen: ad.contoso.com (replaced contoso by my company's name)
- in the forward lookup zone I created the host A entry for www.contoso.com which points to the web hoster's IP address
- I only use root hints, no dns forwarders
- in the W10 client, I only use my local dns server as dns entry

As I never set up such an environment before, I first set up the VM for the AD/DNS with contoso.local.
After having read more I have realized that this naming is not best practice any more.
The weird thing is that with this AD I can reach my company's website without any issues.
So, it should be a routing/firewall problem.

If someone can help me resolving this I would be extremely happy.

Holger


Need help with the correct setup for Always on VPN server layout


Hello,

I've created all the required servers for Always On VPN. I can connect via IKE automatically with my laptop when I use an external internet provider. However, I'm questioning if this layout is correct or if I'm making it too complicated. I thought I'd run it by others to be sure I'm going at this the right way. I see a lot of info on setting everything up but nothing ever on the actual layout.

Basically, here's my layout

aopvon.cs.org goes to my external firewall which gets NATed to the external NIC on my Always On DMZ server.

I also have an internal NIC without a gateway. It has an IP of 172.16.32.1. My static pool is 172.30.32.2-172.30.33.253. The internal NIC and static pool are all on the same VLAN.

The router for the vlan is 172.30.33.254.   

Do I need to be sure all the routes to all the other subnets/sites are on the 172.30.33.254 router?    

Is this a typical setup or should I be doing this differently?

Thank you,
Matt

PDC not advertising time service to other DCs


Have noticed that non-PDC domain controllers are not synchronising with the DC which holds the FSMO roles (inc. PDC). How can I check that it is advertising the time service? My non-PDC domain controllers cannot find the new authoritative time server and this is causing group policy problems.

On the non-PDC domain controller (Server2012R2), it can "not locate a time-server". Despite the following settings, I cannot enable this DC to sync its time with the PDC.

PS C:\Windows\system32> w32tm -query -source
Local CMOS Clock
PS C:\Windows\system32> net time
Could not locate a time-server.

On this non-PDC domain controller are the following registry entries

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Parameters\Type=NT5DS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer\Enabled=0

This article usefully describes how to configure a DC which is no longer the PDC (after the FSMO roles have been transferred - which is my scenario)... https://social.technet.microsoft.com/wiki/contents/articles/8863.time-service-configuration-on-dc-with-pdc-emulator-fsmo-role.aspx and I have run the command followed by a restart:

w32tm /config /syncfromflags:domhier /reliable:no /update


On the new PDC (Server2016), I have configured it to use external NTP servers and it seems to be synchronising successfully with these external NTP sources. 

w32tm /config /manualpeerlist:"0.uk.pool.ntp.org,0x1 1.uk.pool.ntp.org,0x1 2.uk.pool.ntp.org,0x1 3.uk.pool.ntp.org,0x1"
w32tm /config /reliable:yes
net stop w32time && net start w32time

The AnnounceFlags registry entry has been configured according to the Microsoft article above.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags=5

If anyone has a solution to this, it would be appreciated! Thanks.

Protecting Windows DNS Server from being abused for DNS amplification attacks


As suggested in the Server Manager forum, I try my luck in this forum.

I have a Win2008R2 Server with DNS services installed. The server is configured not to allow recursive queries from clients.

However, when sending such a query, the server sends back a list of root hints as response. While the shortest possible query is 45 bytes long, the corresponding answer is 476 bytes long. A similarly configured BIND server just refuses the query, with the reply packet being the same size as the query packet (i.e. both 45 bytes).

In a DNS amplification attack scenario, this translates to an amplification factor of (476/45)=10.6 for a Windows server even with recursion disabled, as opposed to a factor of 1 for the Bind server.

Is there any way to make the Win2008R2 server refuse recursive queries altogether and thus prevent it from serving as an "amplifier" in such scenarios?
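An added check, not part of the original post or of any Microsoft or BIND tooling: it builds the 17-byte root query behind the post's 45-byte figure (20 bytes IPv4 + 8 bytes UDP + 17 bytes DNS), then classifies a reply to it as a bare REFUSED or a root-hint referral and reports the on-the-wire amplification factor the way the post computes it. The two replies are constructed here (two NS records with TEST-NET glue, not the full 13-server referral) rather than captured from a server, and all function names are my own.

```python
import struct

# Every DNS datagram carries 20 bytes of IPv4 and 8 bytes of UDP header on the
# wire; the post's 45-byte minimum is 28 + 17 bytes of DNS payload.
IP_UDP_OVERHEAD = 28
RCODE_REFUSED = 5
TYPE_NS, TYPE_A = 2, 1


def encode_name(name):
    """DNS wire encoding of a dotted name; '.' (the root) is a single zero byte."""
    labels = [lbl for lbl in name.strip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def build_root_query(txid=0x1234):
    """Smallest valid query: '.' NS IN with RD=1: 12-byte header + 5-byte question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(".") + struct.pack("!HH", TYPE_NS, 1)


def parse_header(msg):
    """Fields of the 12-byte DNS header needed to classify a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qd": qd, "an": an, "ns": ns, "ar": ar}


def amplification(query, response):
    """Bytes-on-the-wire ratio, headers included, as the post computes it (476/45 = 10.6)."""
    return round((len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD), 1)


def assess(query, response):
    """Classify a reply to a recursion-refused query and report its amplification factor."""
    h = parse_header(response)
    if h["qr"] != 1 or h["id"] != parse_header(query)["id"]:
        return "not-a-response", None
    if h["rcode"] == RCODE_REFUSED and h["an"] + h["ns"] + h["ar"] == 0:
        verdict = "refused"        # BIND style: reply is only the echoed question
    elif h["an"] == 0 and h["ns"] > 0:
        verdict = "referral"       # root hints returned in authority/additional
    else:
        verdict = "other"
    return verdict, amplification(query, response)


# --- constructed sample replies (not captured from a real server) ---
def _rr(name, rtype, rdata, ttl=518400):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_refused_response(query):
    """REFUSED (RCODE 5) with empty sections: the same 17 bytes as the query."""
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0) + query[12:]


def build_referral_response(query):
    """Root-hint style referral: NS records for '.' plus A glue (two servers, TEST-NET addresses)."""
    txid = parse_header(query)["id"]
    roots = ["a.root-servers.net", "b.root-servers.net"]
    authority = b"".join(_rr(".", TYPE_NS, encode_name(r)) for r in roots)
    additional = b"".join(_rr(r, TYPE_A, bytes([192, 0, 2, i + 1])) for i, r in enumerate(roots))
    header = struct.pack("!HHHHHH", txid, 0x8100, 1, 0, len(roots), len(roots))
    return header + query[12:] + authority + additional


if __name__ == "__main__":
    q = build_root_query()
    for label, reply in (("refused", build_refused_response(q)), ("referral", build_referral_response(q))):
        print(label, len(q) + IP_UDP_OVERHEAD, len(reply) + IP_UDP_OVERHEAD, assess(q, reply))
```

Feed the same functions the bytes your own server actually returns for this query and the verdict tells you which of the two behaviours it shows; anything but "refused" with a factor of 1.0 is amplification.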

Always On VPN reconnect issue


Hi,

Environment contains two 2019 Servers with RRAS roles configured, Always on VPN Device tunnel configured with external load balancing. 

Configuration seems to be fine, device tunnel is up and running but it has some major problem with high availability.

If RRAS server "RRAS1" is not responding, client "CLIENT1" gets disconnected as expected (event 809 from RasClient). CLIENT1 is not trying to reconnect, based on the event log. Manually triggering the connection with rasdial works and CLIENT1 connects to RRAS server "RRAS2".

A normal user is not able to run rasdial to reconnect. Also, disconnecting CLIENT1 from the current (public) network and reconnecting triggers the device tunnel.

How should reconnecting the Always On tunnel work? Is there some configuration I'm missing?

Thanks in advance!

Thanks!

VPN fileshare problem


Hello,

I have a Windows Server 2016 Essentials with SSTP VPN running. Clients (Win 10) can connect without any issues, browse folders, create files, copy files TO the server (any size) but they can't copy FROM the server. Not even files the client just copied to the server.

Whilst trying to copy the files it shows the "calculating..." text. Small files (100kb) may eventually transfer, but large files always end up locking up explorer.

I've tried OpenVPN, it has the same issues.

LAN does not encounter these issues.

When I RDP over VPN, I can copy files with it (both ways).

I've tried lowering the MTU on the VPN interface to no effect.

I'm lost for ideas and would love some help. PS: it has worked fine for over a year



Windows Server 2016 Essentials Remote Access Connection Manager fails to start with error 711


Hi All,

I have a client that has Windows 2016 Server Essentials. It has all the latest updates. At one time, VPN access was working normally. However, that is not the case now. The Remote Access Connection Manager fails to start with error 711 and in the system event log there is the following entry:

The Remote Access Connection Manager service terminated with the following service-specific error: 
{TDI Event Pending} The TDI indication has entered the pending state.

I have attempted all the recommendations I have seen on the various support groups but none have worked. This includes deleting the files from c:\windows\system32\LogFiles\wmi\RTBackup, verifying that Telephony, PnP and other services are able to start, verified that the certs are valid on the server, Repaired Remote Access Anywhere via the wizard, Removed Remote Access Anywhere, Re-configured it and any other hint I could find. All to no avail. 

Does anyone have any other ideas? I'm totally out of ideas.

Thanks,

Randall


Network Issue - With sap niping test


Hello Friends,

We have broken-connection issues with our SAP servers. Our SAP servers are in the cloud.

We have a tool called niping to check the connection stability with the sap servers. 

The problem is: the niping test from Windows Server 2003 to the target host is successful. Even for more than 10 hours the test is still successful and the connection doesn't break.

But the niping test from other systems like Win2012, Win10, Win8... always fails; the connection breaks often. This is really strange and we cannot find the reason. Please help us if you have any idea on this issue.

Thanks,

Regards,

Farry 

Always on VPN Failover Cluster


Hello Everyone, 

I can't find anything related to setting up an Always On VPN failover cluster!

I'd like to use my FortiGate as load balancing hardware so that my AOV clients can switch to the second RRAS server if the connection to the first is interrupted.

Pretty simple setup really, but I can't make it work...

I have 2 RRAS servers set up as AOV servers. I can connect to each one individually but the switch has to be manual: I have to disconnect the client manually and reconnect it so that I switch to the second server. Disconnecting the network card doesn't even disconnect the AOV connection; it just stays connected to nothing, basically.

Anyone have any ideas on how to set this up?

thanks!


Hitch Bardawil

L2TP (W2012 R2) working with LTE connections but not from (any) standard home connections


Hi there,

I've been struggling for two days now. So I set up a VPN L2TP Server on Windows Server 2012 R2. Everything works fine. I can connect from within the LAN, I can connect with my iPhone after forwarding UDP ports 500 and 4500 to the server's IP address and after allowing port 1701 on Windows Firewall on the server.

Now, I can't connect when using a standard home internet connection. It'll sit there for a while and eventually return an error. I originally thought it was a specific ISP not allowing it, then I tried 3 more different home connections and noticed that the issue was with every one of them. Fun fact: it works when I'm using a phone as a hotspot connected to my Win 10 machine.

The issue happens on Win 10 (latest release, tried 3 machines with 3 different ISPs) and Win 7 (tried 2 different machines with 2 different ISPs). Why would the hotspot allow me to connect whilst the other one doesn't? I don't get it.

The VPN server is behind a NAT-T so I did apply the registry fix to all machines (and rebooted, like 300 times) and also applied a hotfix on one of the Win7 machines. Nothing, it just doesn't want to work!

Forwarding port 1701 at the router level to the internal network also doesn't work. I'm still probably stuck in thinking and trying to understand why LTE connections work.

This is a test project, so nothing to worry about, but after 2 days of googling like an idiot I'm hoping to get some guidance from you guys. Here's the current configuration for the VPN Server's network:
ISP Router >> Forwarding all traffic to a Sitecom Router >> Forwarding UDP 500 and 4500 to W2k12R2 Server's IP
The Server is running off a Windows 10 Pro hypervisor (the v-switch is sharing the only NIC available).

Thank you!
S


AOVPN - Always On VPN Stays Connected Intermittently.


I am hoping someone else has run into this issue, but the on-net detection intermittently doesn't work.

I have run traces using Microsoft Message Analyzer and have seen the logic of Microsoft_Windows_Networking_VPN_Plugin_Platform detect the on-net status and not disconnect the VPN!


Some trace outputs:

Microsoft_Windows_Networking_VPN_Plugin_Platform Autotrigger [CONTOSO AlwaysOn VPN], device is outside the trusted network boundary

Microsoft_Windows_Networking_VPN_Plugin_Platform Autotrigger: [CONTOSO AlwaysOn VPN], profile got activated

Microsoft_Windows_Networking_VPN_Plugin_Platform Autotrigger [CONTOSO AlwaysOn VPN],device is inside the trusted network boundary [internal.CONTOSO.com]

Microsoft_Windows_Networking_VPN_Plugin_Platform Autotrigger: [CONTOSO AlwaysOn VPN], profile got deactivated

I have a ticket open with Pro support and have made NO progress in over THREE months.

Does anyone on this forum have any insight as to why this would happen? I am assuming something is broken on the windows client side.


Thanks for reading,


Some wifi clients fail to login


We have about 200 wifi clients in the network.

The wifi authentication is done via NPS with a certificate.

Most of the clients are connecting just fine. But we have several that just get an "unable to connect" message.

When I check in the NPS log, for the failed connections I only see a lot of Access-Request entries with no rejects or accepts.

an entry example:

10/10/2019 11:53:44.835    Access-Request    XXXXXX    X.X.X.X    X.X.X.X    4851B7E4D234    XXXXX\XXXXXXXX$    Access-Challenge    The connection request was successfully authenticated and authorized by Network Policy Server.

2008 R2 Certificate authority and Always-on-VPN


Hi all

Apologies if this is in the wrong forum, but it's the best fit I felt.

We currently use DirectAccess for always-on connections, but with EOL announced we want to start moving to the Always-On-VPN model.

Currently our DA is 2016 DC edition but our back-end CA is running 2008R2, and we don't have options for making the cert compatible with 2012 onwards, nor with Windows 10 laptops as per https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-server-infrastructure.

Is this compatibility necessary? Are there options besides upgrading our CA server, which would be a large undertaking?

Thanks

David Kafrissen

Network Admin

RVK, Inc.

Portland Or.

How can a user authenticate with AD while connected to private internet.


Hello, 

I am currently working on a project. Please, does anyone know how a user can authenticate with Active Directory while connected to private internet?

Kindly provide me with the solutions. 

Thank you

Iniobong Nkanga


Server 2019 - SET - NDIS reset Network card


As Danie1zhou suggested, I post my question from https://social.technet.microsoft.com/Forums/windowsserver/en-US/732966e8-dc13-445d-853d-73131cdd69ba/server-2019-set-ndis-reset-network-card?forum=winserverhyperv here.

----------------------------------------------
Dear all

Environment:

3 node HyperV Failover cluster

each node:

- 2x Intel Xeon Gold 6138
- 512 GB RAM
- 1x 2 Port Intel X722
- 3x 2 Port Intel X710
- latest NIC driver and firmware
- Windows Server 2019 17763.805

SET:

Hash algorithm: dynamic

1x SET with the 2 Ports of Intel X722 for Cluster and LiveMigration
1x SET with the first Port of all 3 Intel X710 Networkcards for iSCSI Traffic
1x SET with the second Port of all 3 Intel X710 Networkcards for Data Traffic

After some time (faster with traffic than without) I can see the following events:

----------
Failed to move RSS queue 2 from VMQ 1 of switch 95AD556E-D325-46BB-87EC-AFDEA4ACE8F7 (Friendly Name: SET iSCSI), ndisStatus = -1073741823 .
----------
The network interface "Intel(R) Ethernet Controller X710 for 10GbE SFP+ #6" has begun resetting.  There will be a momentary disruption in network connectivity while the hardware resets. Reason: The network driver detected that its hardware has stopped responding to commands. This network interface has reset 1 time(s) since it was last initialized.
----------
NIC /DEVICE/{F4B0FE78-B659-4D0E-AB0A-83E52D3A5419} (Friendly Name: Intel(R) Ethernet Controller X710 for 10GbE SFP+ #4) is no longer operational.
----------
Intel(R) Ethernet Controller X710 for 10GbE SFP+ #6
 Network link is disconnected.
----------

Then the network card comes back for a minute and the last 3 messages from above are written every minute.

The only way to get back to normal is to evacuate the VMs to other hosts and reboot it.

Any idea what could be wrong here?

Thanks


DHCP is not consistently setting DNS records


Hi, we have issues with records in the reverse lookup zone which are created by clients in the DHCP zones.

The DHCP is only partially used for entries in the zone. Additionally, the lease time is set to different times (6h, 12h and 24h).

We have to use a short lease time on the DHCP servers and therefore the records are changing constantly. The DHCP servers are set to update the DNS entry for forward zone and PTR. But in the reverse zone we have issues with wrong and outdated entries. Normally the DHCP should be the owner of all entries for the scopes it is configured for. But for a lot of entries the client is still the owner.

Some clients have more than one entry in the reverse zone (possibly due to Wifi and LAN connection) with different owners (system and DHCP user).


We have a setup with two DHCP-Server configured as Hot-Standby Failover. Both servers are NOT a DC and DNS, they only have the DHCP Role installed.


The DHCP scopes are configured as follows:
- Enable DNS dynamic updates according to the settings below
- Always dynamically update DNS records -> Enabled
- Discard A and PTR records when lease is deleted -> Enabled
- Dynamically update DNS records for DHCP clients that do not request updates -> Enabled


Name protection is disabled.


User credentials for DNS dynamic update registration are set on both servers (one user for both). The computer objects of the DHCPs are members of the DNSUpdateProxy group.


The DNS-Zones are set to: Dynamic updates: Secure only

Currently the reverse zone is set to: 50.10.in-addr.arpa

This zone is used for all scopes of the DHCP and static clients as well.

On the DHCP we can see several errors popping up:

Example: PTR record registration for IPv4 address [[10.50.43.110]] and FQDN x.x.com failed with error 9005 (DNS operation refused.).


Event ID 20322 PTR record registration for IPv4 address [[10.50.6.143]] and FQDN y.x.com failed with error 10054 (An existing connection was forcibly closed by the remote host.).


Event ID 20319 Forward record registration for IPv4 address [[10.50.43.117]] and FQDN z.x.com failed with error 9005 (DNS operation refused.).

Question 1: To enable scavenging, will we have to create a reverse zone for every scope of the DHCP on the DNS?

For example:

22.50.10.in-addr.arpa (scavenging 12h)

23.50.10.in-addr.arpa (scavenging 24h)

Is this correct? When they are created what will happen to the entries which are currently part of 50.10.in-addr.arpa?

Will a reverse lookup still be resolved if the old entry is in the 50.10.in-addr.arpa zone, or do they have to be recreated in the new zone?

Question 2: The DHCP is set to manage the DNS entries, but why are a lot of entries still owned by the clients? Even newly created entries are sometimes owned by the client and not the DHCP user.

Is it necessary to disable dynamic DNS updates on the client itself to fully manage DNS entries by the DHCP?

RRAS Clients continuously disconnecting


I have a problem that is beginning to drive me crazy, any help is much appreciated.

We have an RRAS Windows 2016 Server running in our DMZ. All our laptops are Windows 10 1607 or 1703. We are using the IKEv2 protocol, which uses a computer certificate for authentication.

A number of laptops repeatedly disconnect from Always on VPN but on the other hand some remain connected just fine. This morning for example myself and three other colleagues were connected to the same Wi-Fi Access Point, three of us were working fine and remained connected but my other colleague continuously kept getting disconnected. We are seeing this happen a lot and I really need to find the root cause of this problem. It's been tried and tested on numerous Wireless networks (In a few of our offices and many user's home networks and mobile hotspots).

What I've tried and found so far;

- Updated wireless drivers on laptops and updated BIOS

- Installed latest Windows updates on laptops and RRAS Server

- Re-install Always On VPN Profile

- 'Forget' wireless networks on the laptops

- Even though we use IKEv2 I found a few forums posts that mention issues when the VPN is behind a NAT, and so I modified the registry on a couple of affected laptops as follows; 

  • create a new DWORD value called "AssumeUDPEncapsulationContextOnSendRule" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent" and set it to "2"

What I have noticed is a recurring log in Event Viewer, both on the client and server.

On the clients I see: The user dialed a connection named "" which has been terminated. The reason code return on termination is 829. A Google search of this returned that 829 is an (ERROR_LINK_FAILURE). I'm almost certain it's not the wireless connection as we have laptops connected to the same wireless network in the same small room, and some get the problem and some not. 

On the server side I've found something that I think may be related but I don't understand the log well enough. If possible could someone shed some light on what the following means? It's in the RASTAPI.LOG which can be found in C:\Windows\Tracing.

07-11 10:57:34:438: RasTapiCallback: lineDropped. port VPN2-449, id=0xffffffff
[6368] 07-11 10:57:34:438: RasTapiCallback: Idle Received for port VPN2-449
[6368] 07-11 10:57:34:438: RasTapiCallback: changing state of VPN2-449. 5 -> 1
[6368] 07-11 10:57:34:438: RasTapiCallback: lineDeallocateCall for VPN2-449,hcall = 0x8da00a0
[6368] 10:57:34: SyncDriverRequest: Oid(CloseCall), devID(1), reqID(2bb2), hCall(000000000000007B)
[5840] 07-11 10:57:34:438: PortTestSignalState: DisconnectReason = 2
[7876] 07-11 10:57:34:453: DeviceListen: Changing State for VPN2-449 from 1 -> 2
[7876] 07-11 10:57:34:453: DeviceListen: Changing Listen State for VPN2-449 from 4 -> 2

In particular why is it changing state? What do the state numbers 1,2,4 & 5 mean? What does DisconnectReason=2 mean?

I will be grateful for any help, please.

DHCP Scope Name


How to get the full DHCP Scope Names programmatically, in Win 2k3 and 2k8 R2?

netsh only gives the first 21 characters of the scope name, which is causing a lot of name conflicts.  We have over 3,700 subnets so it is necessary to adopt a long naming scheme.

Internet Access through VPN server - need help please


Hello!

I am about to travel to a country where internet access is highly censored & monitored, and I would like to set up a VPN server to protect my communications. I realise there are commercial methods to do this, but I want to configure it myself so I know it's safe to use.

I have a single Windows 2008 R2 server hosted in the US, and have configured the RRAS service. I can connect to it from the client laptop successfully, and I can access some resources on the server from the client (I say some, because I don't have file access working yet, but presume that's a firewall issue that I can fix later). So far, so good.

However I have a problem I need help with. I cannot access the internet through the server. On googling the issue, most people just go with split-tunnelling (i.e. changing the client-side vpn settings to not using the server's gateway) - but of course that is not an option in my case as it would not give me protected internet.

I think from what I have read that I just need to configure certain static routes on the server to get this to work - but what I have tried so far has not worked. Your assistance would be appreciated.

Here are the details - please let me know if there is more info needed.  Thanks again for your help.

(x's used to protect the guilty)


Server's public IP:  216.18.210.x

Server's default gateway (provided & controlled by the hosting company): 216.18.x.1

I have configured RRAS to use a pool of local IP addresses. Note that there is no private LAN per se, as it is just one single server with one NIC & one public IP.
Server:  192.168.100.1
Client: 192.168.100.2


So I think I need to provide a static route to solve this - but need advice on which settings to use.

Thanks,
Mike
