Host A records not being removed once computer is removed from AD
Port was still closed even after allowing in the firewall?
Hi Guys,
We have created inbound and outbound rules in the server's firewall to allow a certain TCP port, but it appears that the port is still closed when we perform a local port scan. We tried turning off the firewall and stopping the firewall service itself, but it makes no difference. Is there any other configuration we might be missing? Any advice on how we could open the port successfully on the server?
Thank You,
Arnel
Event IDs 4625 and 6273 occur when doing EAP-TLS auth with a third-party root certificate
Issue condition:
Windows 2008 R2: VMware OS (newly installed)
with domain controller
certificate auth
import third-party root CA enterprise.der into trusted store
NPS service: use EAP-TLS for 802.1X authentication
client with third-party client.pfx in it (user: MAC address has been created in domain with dial-in checked and store password encryption), without CA (no validate server certificate)
When the client authenticates to the network, log events 4625 and 6273 (reason 16) occur at the same time; 4625 comes before 6273.
event 4625: a user failed login, 0000064 (user name doesn't exist)
event 6273: "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."
I have tried so many methods to solve this issue over many days, but with no result. Below is what I tried:
1. change NTLMv2 to NTLM
2. renew the Windows 2008 R2 SID
3. allow SID/anonymous transition
4. ...
After a few days, still no result. Is there anyone who could help me? Many thanks.
NPS Event 6273 Reason Code 16
We're in the midst of relocating our RADIUS role from a 2003 DC to a 2008 R2 member server.
The following features have been installed and configured:
- Network Policy Server
- Routing and Remote Access Services
- Remote Access Service
- Routing
All policies have been recreated identically to the previous ones and the server has been registered in AD DS.
When attempting to connect to the RADIUS server I receive the following event:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: test
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\test
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: x.x.x.x
NAS IPv6 Address: -
NAS Identifier:
NAS Port-Type: -
NAS Port: 1
RADIUS Client:
Client Friendly Name: server.fqdn
Client IP Address: x.x.x.x
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: server.fqdn
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
All credentials, shared secrets and authentication methods are correct. I have also checked Dial-Up properties in AD DS. Has anyone else experienced this issue?
Regards,
Ryan.
DMZ DNS Question
We are in the process of restructuring our infra; we had a bad DNS design and are trying to fix it now. Following is my infra.
AD 2008 R2 with integrated DNS zones
FQDN = example.local
ISP hosting = example.com
This server is configured with a public IP (which is not recommended) and forwards requests to the ISP (example.com).
=============================================
Restructuring plan
I am going with a clean infra.
VLAN 1 = prod network (AD, DNS, IIS) - remove the public IP from the AD/DNS server and configure the forwarder to point to the DMZ DNS server, so all my client requests for Microsoft.com will now hit the DMZ DNS server and that DNS server will forward the queries to the ISP.
VLAN 2 = DMZ = configure a DNS server with a public IP and enable a forwarder to the ISP address.
VLAN 3 = client network (just clients), pointing to the VLAN 1 DNS.
The question I have is: do I need to create any zone on the DMZ DNS server, or will the DNS server handle my forwarded queries without any zone requirement?
If I have to configure a zone, what should that zone be?
Internet Access through VPN server - need help please
Hello!
I am about to travel to a country where internet access is highly censored and monitored, and I would like to set up a VPN server to protect my communications. I realise there are commercial methods to do this, but I want to configure it myself so I know it's safe to use.
I have a single Windows 2008 R2 server hosted in the US, and have configured the RRAS service. I can connect to it from the client laptop successfully, and I can access some resources on the server from the client (I say some, because I don't have file access working yet, but presume that's a firewall issue that I can fix later). So far, so good.
However, I have a problem I need help with. I cannot access the internet through the server. On googling the issue, most people just go with split-tunnelling (i.e. changing the client-side VPN settings to not use the server's gateway), but of course that is not an option in my case as it would not give me protected internet.
I think, from what I have read, that I just need to configure certain static routes on the server to get this to work, but what I have tried so far has not worked. Your assistance would be appreciated.
Here are the details - please let me know if there is more info needed. Thanks again for your help.
(x's used to protect the guilty)
Server's public IP: 216.18.210.x
Server's default gateway (provided & controlled by the hosting company): 216.18.x.1
I have configured RRAS to use a pool of local IP addresses. Note that there is no private LAN per se, as it is just one single server with one NIC & one public IP.
Server: 192.168.100.1
Client: 192.168.100.2
So I think I need to provide a static route to solve this - but need advice on which settings to use.
Thanks,
Mike
RRAS NAT Problem
The server has two NICs, BE (10.1.0.0/16 network), and FE (two public IP address assigned). The NAT is setup with the BE as the internal, and the FE as the internet-facing network.
The server can access both the internet and the BE network just fine, but machines on the BE network are unable to access the internet. They can resolve the IPs (so DNS is working), but they get request timeout when I ping any public IP address. The machines on the BE network all use the server as their default gateway.
To enable NAT, I simply added the FE, BE, and Internal interfaces to the NAT list in the RRAS mmc. I also tried specifying the address pool in the FE properties under the NAT section in the RRAS mmc, but this setting didn't seem to make a difference.
What am I missing? Is there a good way to debug these issues?
RRAS there is no NAT option so client can not connect internet over VPN - windows server 2012 hosted on a VPS
Hello. I have a Windows Server 2012 VPS.
I want to use it as a VPN.
So far I have built it as a VPN, but there is no internet connection at the client.
After extensive searching on the internet I found that I also need to install NAT,
but there is no NAT option here?
I tried many times to reconfigure and select only NAT, but NAT does not appear here.
Help is appreciated, thank you.
I do a custom configuration
and select both NAT and VPN, but NAT does not appear where it should appear.
Network location on external NIC incorrectly detected as Domain Network
This server is being hacked because "Domain Network" rules are being applied to the external (public facing) NIC and therefore it is wide open to internet traffic. The logs are filling up with hack attempts to services running on this server. I have been forced to disable the external NIC for now, but I need this server to be serving websites ASAP. I need to have NLA detect the external NIC as "Public Network" so that my "Public" WFAS rules apply: only port 80 (HTTP) is open to the internet, all other ports are closed.
I have now wasted over 15 hours searching for solutions and trying to convince NLA that the external NIC should be identified as "Public Network", to no avail. (As has been commented in numerous other places, not being able to manually specify a network location is a huge security risk for Windows Server 2008 R2, as is evidenced by all the MSSQLSERVER entries "Login failed for user 'sa'. Password did not match that for the login provided. [CLIENT: 87.242.115.xxx]" and the corresponding Security log entries.)
This server is a virtual machine Windows Server 2008 R2 DC, hosted on Windows Server 2008 R2 Hyper-V. The host has 2 NICs: one for LAN and one for WAN traffic; both NICs are configured for use by VMs. There is another Windows Server 2008 R2 VM on this host, also a DC (different sub-domain), that has the same issue when tested (its external NIC is normally disabled).
Since I can test-configure the host server, and also a Win7Pro VM on the same box, with an external IP, and both machines CORRECTLY detect the external network as "Public Network", I can only assume I'm fighting an issue with the problem machine being a DNS server (and/or a DC), since (it seems) one of the steps of NLA is whether the NIC can contact a DC.
Side note: it is VERY confusing that NLA detects the LAN connection as "subdomain1.mycompany.com", even on computers joined to "subdomain2.mycompany.com", and on workgroup machines! I wasted a couple of hours thinking this was the cause of the problem. Seriously? This is a good idea? Very confusing, ugh.
I know this configuration is *not* recommended, but due to budget and topology, I need to make this work. Simply put: I need to have a DC serve websites. I know for a fact that prior versions of Windows Server were quite capable of doing this reasonably securely (how many SBS 2003 boxes are out there?). In Windows 2000/2003 Server, I could use RRAS port filtering to block all but port 80, and be done with configuration in about 10 minutes. (This server will have multiple public IPs, so getting a capable NAT router will cost hundreds if not thousands of dollars.) Getting NLA to work correctly has been a royal PITA, and a colossal waste of time!!
Any one of these solutions should solve the problem:
- How do I force NLA to detect a NIC as "Public Network"?
- How do I prevent an (external) interface from contacting a DC?
- How do I manually change the detected network to be "Public Network"?
I have picked through all the options under Local Security Policy > Network List Manager Policies, no settings available for "Domain Network, User can change location". For configuring the 2 NICs, I have tried every possible combination of Gateway and DNS server entries possible. On the external NIC, I have disabled "Register this connection's addresses in DNS", and "DNS suffix for this connection:" is blank, NetBIOS is disabled. The DNS server is configured to listen *only* on the internal IP, I have scrubbed through all DNS entries, there are no entries being registered with the public IP.
Help please!
---Jay R O
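Whatever profile NLA finally assigns, the exposure comes from inbound allow rules that are enabled for the "Domain" profile being applied on the internet-facing NIC. The script below is an added example, not code from the post or from Microsoft: it parses the output of netsh advfirewall (present on Windows Server 2008 R2, English output assumed) to list exactly which enabled inbound allow rules are live while the external NIC sits in the Domain profile, and then makes the port-80-only policy apply to every profile so that the NLA decision no longer matters. The address 203.0.113.10 and the rule name are placeholders.

```powershell
# Added example (not from the post): audit what a mis-detected "Domain Network"
# exposes on the external NIC, then make the restrictive policy profile-independent.
# Assumes English netsh output and Windows Server 2008 R2 (PowerShell 2.0 compatible).

function Get-InboundAllowRules {
    # Turn the text output of 'netsh advfirewall firewall show rule' into objects.
    $rules   = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            if ($null -ne $current) { $rules += $current }
            $current = @{ Name = $matches[1].Trim() }
        } elseif ($null -ne $current -and $line -match '^(Enabled|Profiles|Action|Protocol|LocalPort):\s+(.*)$') {
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    if ($null -ne $current) { $rules += $current }
    $rules | ForEach-Object { New-Object PSObject -Property $_ } |
        Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' }
}

# Which profile is the machine currently treated as being in?
netsh advfirewall show currentprofile

# Every rule listed here is reachable from the internet while the external NIC
# is classified as "Domain Network" (AD DS, DNS, SMB, SQL, ... typically appear).
Get-InboundAllowRules |
    Where-Object { $_.Profiles -match 'Domain' } |
    Format-Table Name, Profiles, Protocol, LocalPort -AutoSize

# Mitigation that does not depend on NLA: default-deny inbound on ALL profiles,
# then allow only HTTP, on all profiles, and only on the public address.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="HTTP in (public address)" dir=in action=allow protocol=TCP localport=80 localip=203.0.113.10 profile=any
```

After the two "set allprofiles" lines, any rule that was only ever meant for the LAN should be restricted with "localip=" or "remoteip=" to the internal addresses, otherwise it is still reachable through the external NIC whenever that NIC lands in a profile the rule is enabled for.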
Logging - MAC Address Filtering (Deny)
I am trying to find out where I would see any MAC address that is blocked when the Deny Filter is enabled and MAC addresses are added. I have looked in the Microsoft DHCP Service Activity Log (DhcpSrvLog-%day%) and see Event ID's 15 (A lease was denied) and 33 (Packet dropped due to NAP policy). Am I looking in the right place for such things and if so, would it be Event ID 15 or 33 or another?
Thanks in advance.
Windows Server Foundation 2012 (1CPU) - English ROK
Can we use
Windows Server Foundation 2012 (1CPU) - English ROK
server to make an RODC?
Arvind
dhcp error 1041, dhcp service bound to a nic with a statically set ip
Hi - I've been getting DHCP error 1041s after an unplanned shutdown (extended power failure after business hours; the UPS software not shutting down gracefully is a different issue being resolved).
The environment is an SBS 2008 with 2 NICs, both statically set; DHCP is bound to one. When the server comes back up DHCP is not restarting properly and spits out error 1041. KB article 298490 (http://support.microsoft.com/kb/298490) does not apply since the DHCP server is already bound to a NIC with a static IP. I verified this as per the article, so why is the service not restarting as normal? The actual error seems as if the service is trying to start before the NICs are fully up.
How is this resolved if KB http://support.microsoft.com/kb/298490 is not applicable?
Thanks in advance,
Frank
DHCP in Domain Controller
I have DHCP on the Domain Controller and I want to provide access to a security group. I see the local groups named "DHCP Administrators" and "DHCP Users" have been moved to Active Directory. However, even after adding the group to DHCP Users, the user is still not able to access it. Also, we have 3 such DHCP servers, all on Domain Controllers. I am not sure if that causes an issue, but I'm looking for any alternative to solve this.
DirectAccess client enables IPHTTPS interface when inside corporate network at remote sites
My problem is when the same DA client connects at one of the remote offices. When at a remote office the IPHTTPS interface is active. The NRPT is not. No tunnel is actually established, but I find Event 4012 and NCSI event logs showing that the Inside/Outside probe failed. This in and of itself would not be a big deal, as the tunnel is never established; however, it does seem to cause Outlook to prompt for a password. I know this has something to do with our OWA site being resolvable inside the network, but I'm at a loss as to why this only happens when the IPHTTPS interface is active with no tunnel established.
The NLS site appears to be working from the remote offices. I can ping NLS via DNS name and can open the https NLS website in a browser.
Anyone have any ideas as to why this would be happening?
DC Time Server stay on Local CMOS Clock
Hi,
I need to get my Time Server to sync with an external source.
Server 2008 R2
I have changed the Group Policy for the domain controllers to sync with an external source.
I have tried to manually set it with the registry changes:
W32tm /config /syncfromflags:manual /manualpeerlist:ntp.is.co.za
W32tm /config /reliable:yes
W32tm /config /update
W32tm /resync
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"AnnounceFlags"=dword:00000005
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NTP"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001
Net stop w32time
Net start w32time
Net time
When it resyncs I get this:
"The Computer did not resync because no time data was available"
I have tried it with time.windows.com and still get that message...
Where can the issue be?
Thanks
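The configuration above has to survive three things to take effect: the peer list must reach the service as a single argument, a Group Policy for the Domain Controllers OU silently overrides anything set by hand in the registry, and UDP 123 must be able to leave the network. The script below is an added example, not the poster's commands or Microsoft's documentation: it configures the peers, restarts the service, and then reads back the effective source and configuration, which is where an override from GPO or a hypervisor time-sync integration shows up. The peer names are the ones mentioned in the post; the function at the end is a placeholder name of my own.

```powershell
# Added example (not from the post): configure an external NTP source and verify
# that W32Time is actually using it. Assumes outbound UDP 123 is allowed.
# Peer flags: ,0x8 = client mode (request/response only, no symmetric-active).
$peers = 'ntp.is.co.za,0x8 time.windows.com,0x8'

# 1. Reachability first: each sample should show an offset, not an error.
w32tm /stripchart /computer:ntp.is.co.za /samples:3 /dataonly

# 2. The peer list is ONE argument: no space after the colon, quoted when it has
#    several entries. /reliable:yes advertises this DC as a good time source.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# 3. Verify. Source must be an NTP peer, never "Local CMOS Clock" or
#    "Free-running System Clock".
w32tm /query /source
w32tm /query /status
w32tm /query /peers

# 4. Effective configuration: values tagged "(Policy)" come from a GPO and win
#    over the registry edits; a VM integration service can also override the source.
w32tm /query /configuration

function Test-ExternalTimeSource {
    # Placeholder helper: $true when the current source is not the local clock.
    $source = (w32tm /query /source) -join ''
    return ($source -notmatch 'Local CMOS Clock|Free-running System Clock')
}
Test-ExternalTimeSource
```

"The computer did not resync because no time data was available" is what W32Time reports when no peer answered; step 1 separates a network or name-resolution problem from a configuration one before anything else is changed.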
Domain Relationship
I have a forest domain and multiple sites. I need to change the IP range and subnet of one of my sites to another domain's IP range and subnet. My range is 192.168.0.0/24 and the other is the 10.100.0.0 range. Let's call the sites A and B. A is under my domain controller and on the same IP range. B is in another domain with the 10.100.0.0/255.255.0.0 range. A and B have a trust relationship over PtP wifi bridge connectivity.
My goal is to change Site A's IP range to B's. But I don't know how two different domains will work on the same IP range. Please help me with this issue.
DHCP 2012 Failover protocol and MCLT
How does MCLT help ensure that any leases the failed server may have given out while out of contact with its partner will have expired?
For example, say a scope has a 1-day lease expiration. Server A gives 192.168.2.50 to ClientA and then crashes before being able to sync that info to Server B.
If the MCLT is 15 minutes, my understanding is that when Server B operates in Partner Down, it will wait the MCLT before taking over the whole scope. So what will prevent Server B from giving out 192.168.2.50 once Partner Down + MCLT (15 min in that case) is reached? It could still give out that 192.168.2.50 IP, no?
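The timeline in the question can be replayed with a small model of the rule the DHCP failover protocol actually enforces: a server may not promise a client more lease time than its partner knows about plus MCLT, so a brand-new binding the partner has not yet acknowledged is handed out with a lease capped at MCLT, and the full scope lease is only granted on a later renewal once the partner has acknowledged it. The surviving server, in turn, waits MCLT after entering PARTNER-DOWN before reusing addresses it never heard about. The script below is an added example of that rule, not code from the post or from Windows; the scenario values (1-day lease, 15-minute MCLT, the moments the servers crash and notice) are constructed.

```powershell
# Added example (not from the post): a model of the MCLT rule in DHCP failover.
# All times are minutes from T0; the scenario is constructed for illustration.

function Get-OfferedLeaseMinutes {
    param([int]$ScopeLeaseMinutes, [int]$MclTMinutes, [bool]$PartnerAckedBinding)
    # Until the partner has acknowledged the binding, the lease is capped at MCLT.
    # After acknowledgement the client may receive the full scope lease.
    if ($PartnerAckedBinding) { return $ScopeLeaseMinutes }
    return [Math]::Min($ScopeLeaseMinutes, $MclTMinutes)
}

function Test-SafeToReclaim {
    param([int]$LeaseGrantedAt, [int]$LeaseMinutes, [int]$PartnerDownAt, [int]$MclTMinutes)
    # The survivor waits MCLT after entering PARTNER-DOWN before touching addresses
    # it has no binding for. Reuse is safe only if the unsynced lease ends first.
    $leaseExpires = $LeaseGrantedAt + $LeaseMinutes
    $reclaimAt    = $PartnerDownAt + $MclTMinutes
    New-Object PSObject -Property @{
        LeaseExpires = $leaseExpires
        ReclaimAt    = $reclaimAt
        Safe         = ($leaseExpires -le $reclaimAt)
    }
}

$scopeLease = 1440   # 1 day
$mclt       = 15     # minutes

# Server A hands 192.168.2.50 to ClientA at T0 and crashes before syncing the binding,
# so the partner never acknowledged it: the lease ClientA actually got is MCLT, not a day.
$granted = Get-OfferedLeaseMinutes -ScopeLeaseMinutes $scopeLease -MclTMinutes $mclt -PartnerAckedBinding $false

# Server B is switched to PARTNER-DOWN at T+5 and waits MCLT (until T+20).
Test-SafeToReclaim -LeaseGrantedAt 0 -LeaseMinutes $granted -PartnerDownAt 5 -MclTMinutes $mclt
# LeaseExpires 15, ReclaimAt 20, Safe True: the unsynced lease is gone before B may reuse .50.

# Counterfactual: had A been allowed to hand out the full day, the wait would not be enough.
Test-SafeToReclaim -LeaseGrantedAt 0 -LeaseMinutes $scopeLease -PartnerDownAt 5 -MclTMinutes $mclt
# LeaseExpires 1440, ReclaimAt 20, Safe False.
```

The guarantee therefore rests on the short initial lease, not on the wait alone; the wait merely has to be at least as long as the longest lease the failed server could have granted without its partner knowing, which by construction is MCLT.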
Split Horizon DNS
Domain: cloud.xyz.com
cloudad1.cloud.xyz.com with of course AD integrated DNS (Server 2008 R2)
and
ns1.xyz.com non-AD integrated, not in the domain
ns2.xyz.com non-AD integrated, not in the domain, both Windows 2008 R2
At the moment NS1 and NS2 do recursive queries and are public facing. This of course is not best practice and we want to reorganise our name servers to correct this.
We want to add another domain controller to the network, but I've run into an issue.
The registrar's authoritative DNS server for the domain xyz.com is NS1.
I have set up a Server 2012 with AD and DNS called clouadad2.cloud.xyz.com, and joined it to the domain cloud.xyz.com.
When I try to promote it to a DC I get the message:
A delegation for this DNS server can not be created because the
authoritive parent zone cannot be found or does not run Windows
DNS server. If you are integrating with an existing DNS infrastructure,
you should manually create a delegation to this DNS server in the
parent zone to ensure reliable name resolution from outside the
domain "cloud.xyz.com". Otherwise no action is required.
The parent zone xyz.com is on NS1, not in the domain. To delegate I would have to delete the zone, but I can't do that as I need it there for public name resolution.
Clearly I am misunderstanding something?
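A delegation is only a pair of records inside the parent zone (an NS record for the child name plus a glue A record for the server it names); the parent zone itself stays where it is. The commands below are an added example, not the poster's configuration or Microsoft's guidance: they create that delegation on NS1 with dnscmd, which exists on Windows Server 2008 R2, using the names from the post. The address 192.0.2.10 is a placeholder for cloudad1's IP, and the check at the end is run from any Windows client.

```powershell
# Added example (not from the post): delegate cloud.xyz.com from the parent zone on NS1.
# The zone xyz.com is NOT deleted; two records are added to it. 192.0.2.10 is a placeholder.
$parentServer = 'ns1.xyz.com'

# NS record for the child name, relative to the parent zone (node "cloud" in zone "xyz.com").
dnscmd $parentServer /RecordAdd xyz.com cloud NS cloudad1.cloud.xyz.com.

# Glue A record so resolvers can reach the delegated server without a circular lookup.
dnscmd $parentServer /RecordAdd xyz.com cloudad1.cloud A 192.0.2.10

# Check: the parent must now answer the NS query with the delegation instead of NXDOMAIN.
nslookup -type=NS cloud.xyz.com $parentServer
```

Because NS1 is internet-facing, those two records publish the internal domain controller's name and address to anyone who asks; if cloud.xyz.com is meant to be resolved only inside the network, where clients already use the AD-integrated DNS that is authoritative for it, the wizard's "Otherwise no action is required" applies and the delegation should not be created on a public server at all.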
IP-HTTPS Windows 7 on Direct Access Windows 2012
Hi,
We want to implement DirectAccess on Windows 2012 where the DA server is behind a NAT device. This means that we use IP-HTTPS as the transition protocol. IP-HTTPS has improved (no double encryption) since Windows 2012, but does this also apply when a Windows 7 DA client is used, or will it fall back to the old IP-HTTPS implementation?
Thx
Jan Boorsma
DNS Issues
Hi Professionals,
I have my network completely setup.
Presently my deployment is such that I have a MikroTik router serving as DHCP server, the DC as DNS server forwarding to my ISP's DNS IPs, the router also holding cached DNS records, and NAT configured on the MikroTik router. I also configured a RemoteApp server and an application server. I configured VPN on the router and did port forwarding to my application server, with ARP taken into consideration.
All client systems' IPs are assigned dynamically and they can reach the internet, but if I want them to connect to RemoteApp, I have to assign the static DNS IP of my DC. This has made it impossible for my VPN users to connect to any application running internally on my network.
How can I fix this?
o.k