Channel: Network Infrastructure Servers forum
Viewing all 5877 articles

IP Address change on 2012 Domain Controller


I have restructured 2 different domains and their IP addressing structure. Both are small networks and all addresses are static. Before the re-addressing the PDC was able to resolve external/internet addresses using its root hints. After the address change no external addresses can be resolved even if forwarders are supplied. You can PING external addresses. DCDIAG does not reveal any errors nor does the event log. What more can I do?


Lee


Windows Server 2012 Direct Access


I just started looking at Direct Access and have a few questions.

1. I keep seeing examples where DHCP is installed on the DC. Is that a requirement or can it be any DHCP on the internal net?

2. Does the domain functional level need to be 2012? Or will 2003 and/or 2008 work as long as a 2012 DC exists?

3. If you can have a mix of DCs (03, 08, 12), do the FSMO roles need to be on 2012?

I am going to stand up a test net to work with, but these are what have jumped out at me after reading and watching CBTs.

 

Thanks

Short lease times on DHCP 2012 Failover

Under the scope properties I have the lease duration set to 8 days but when a client is assigned an IP the lease expires after 1 hour.

DNS: we're not hosting a forward lookup zone, but getting answers for that domain.


I have a situation that I can't seem to explain on our internal network.  

My DNS (Active Directory) does not host a zone or any records for our internet facing domain. Yet, when I do Lookups in that domain, I get the internal address.

Example:  

nslookup server.domain.com internal.dns.local
Answer: 192.168.100.xxx

nslookup server.domain.com internet.dns.com
Answer: 12.xxx.xxx.xxx

How can this be if my DNS is not hosting that domain or record?  There is no entry in hosts file either.  And this works for multiple hosts on our internet domain.  

Thank you in advance for your help!

Just FYI, new Windows Server Networking TechCenter is now live


The Windows Server Networking TechCenter is now redesigned to help you accomplish your networking goals with the right documentation for the Windows Server products that you use.

You can find the new TechCenter at http://aka.ms/mj4ecs

Thanks -


James McIllece

Static routes for VPN clients not working in Windows Server 2008 R2 RRAS


Hi,

I am configuring a simple hub-and-spoke VPN using Windows Server 2008 R2 and RRAS. It is going very well and I now have a router configured to establish a VPN connection to the server. However, I am having problems configuring the static route so that the server can see the LAN behind the router.

When the router establishes the VPN connection, it is assigned an IP address of 10.0.0.5 (the VPN IP address of the internal interface created by RRAS is 10.0.0.1). The LAN behind the router is 192.168.10.0/24, so for testing, I created a route using the following command:

route add 192.168.10.0 mask 255.255.255.0 10.0.0.5

This works perfectly. I can ping a computer on the remote LAN; for example:

C:\Users\Administrator>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=506ms TTL=127
Reply from 192.168.10.2: bytes=32 time=536ms TTL=127
Reply from 192.168.10.2: bytes=32 time=508ms TTL=127
Reply from 192.168.10.2: bytes=32 time=506ms TTL=127

Here is the routing table at this point:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     109.228.20.1   109.228.20.174      6
         10.0.0.1  255.255.255.255         On-link          10.0.0.1    279
         10.0.0.4  255.255.255.255         10.0.0.4         10.0.0.1     24
         10.0.0.5  255.255.255.255         10.0.0.5         10.0.0.1     24
     109.228.20.0    255.255.252.0         On-link    109.228.20.174    261
   109.228.20.174  255.255.255.255         On-link    109.228.20.174    261
   109.228.23.255  255.255.255.255         On-link    109.228.20.174    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.10.0    255.255.255.0         10.0.0.5         10.0.0.1     24
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    109.228.20.174    261
        224.0.0.0        240.0.0.0         On-link          10.0.0.1    279
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    109.228.20.174    261
  255.255.255.255  255.255.255.255         On-link          10.0.0.1    279
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     109.228.20.1       1
===========================================================================

Now, the problem comes when I try to make this a static route. First of all, I specify the static route using the dial-in properties for the user:

Assigning the static route to the dial-in user

After the client has established its connection, the routing table looks thus:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     109.228.20.1   109.228.20.174      6
         10.0.0.1  255.255.255.255         On-link          10.0.0.1    279
         10.0.0.4  255.255.255.255         10.0.0.4         10.0.0.1     24
         10.0.0.5  255.255.255.255         10.0.0.5         10.0.0.1     24
     109.228.20.0    255.255.252.0         On-link    109.228.20.174    261
   109.228.20.174  255.255.255.255         On-link    109.228.20.174    261
   109.228.23.255  255.255.255.255         On-link    109.228.20.174    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.10.0    255.255.255.0         10.0.0.5         10.0.0.1     23
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    109.228.20.174    261
        224.0.0.0        240.0.0.0         On-link          10.0.0.1    279
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    109.228.20.174    261
  255.255.255.255  255.255.255.255         On-link          10.0.0.1    279
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     109.228.20.1       1
===========================================================================

Note: It appears that the metric I have specified has been ignored, as the table shows a metric of 23.

Now, when I try to ping, I get a general failure:

C:\Users\Administrator>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

As a relative newbie, I simply don't understand why this route is not working. It looks spot on and the only difference (although I guess it could be the key factor) is the difference in the metric (i.e. it is 24 when assigned by hand using route add, but 23 when it is a static route).

I would appreciate any help!

Thanks,

Ben

Effects of adding a class-B reverse dns zone?


Hi all. Easy question hopefully.. I currently have about 250 reverse zones, mostly class Cs. I did some analysis and found that this still doesn't include all the Cs covered by our DHCP scopes. Instead of adding additional class C zones, I'd like to create two class Bs to cover the ranges being passed out by DHCP. My question is whether this will have an effect on the existing class Cs, or in other words, will the more "specific" reverse zones get priority for queries and dynamic updates, or will I need to create delegations to the other zones? Long-term, I'd like to collapse all the Cs into the two Bs.

For example, suppose we have:

10.20.30.in-addr.arpa
12.20.30.in-addr.arpa

What happens if I create 20.30.in-addr.arpa? If you can reference any documentation I'd appreciate it.

Thanks!

Paul



Dynamic DNS behavior after DHCP Lease expiration


I configured Name Protection on DHCP. As far as I know, DNS A/PTR Records are discarded and not deleted by DHCP after DHCP Lease expiration.

Here's my problem:

  • Client A gets an IP from DHCP with an 8 day lease. DHCP registers record in DNS.
  • After 9 days the lease expires and client B gets the same as A did. DHCP registers a record in DNS.
  • Now I have two PTR/A Records to the same IP…

Is DNS Scavenging the only option I have to prevent multiple A/PTR records to the same IP? From my understanding I would configure DNS Scavenging based on the following formula

DHCP Lease Period <= NoRefreshPeriod + Refresh + Scavenging Period

For an 8 days lease duration I would set

  • NoRefreshPeriod: 3 days
  • Refresh: 4 days
  • Scavenging Period: 1 day

Please let me know if I misunderstood something. DCs are Windows Server 2008R2

best regards

Pirmin



windows server 2008 R2 Shared folder


Hi, I have installed Windows 2008 R2 on the server and made the user as per my requirement with a shared folder. When I am accessing the server on the network through \\server, it's not prompting for credentials and directly shows the shared folder, and it is not giving access to open that folder. The server is not in a domain. Please suggest.

Thanks..

Public DNS Server advice


Hi,

We have two public facing DNS servers. DNS1 Primary and DNS2 secondary.

DNS2 is using massive amounts of bandwidth. Can we have the updating ports only allow access to DNS1 and then have only port 53 open to the outside world? Thus DNS2 can only update from DNS1 but DNS1 can update from all other DNS servers on the net. Is this acceptable industry practice, or would this be a workaround and not resolving the problem?

Ports open on DNS2 according to this link: http://technet.microsoft.com/en-us/library/dd197515(v=ws.10).aspx

Incoming port 53 only.

Outgoing: 1025-5000 and 49152-65535 (high usage happening on these ports)


DirectAccess - TCP port strangeness!


Hi,

Sorry for the strange title, but I can't seem to find any logic in this problem...

We have a 3rd party application for control of our VoIP system, and it uses TCP port 3333 to connect to the server that runs the application. When one of my DirectAccess clients tries to start the application (it runs from a UNC path) the application starts fine, but it can't connect to the server.

My first thought - there must be some element in the server / client configuration tied up on an IPv4 address. I checked everything, and asked the developers of the software, and there wasn't; everything runs on DNS names (which should work, and I can ping the server by its DNS name).

My second thought - maybe it gets blocked! Checked my network firewall log, the log seemed pretty normal. After that I checked the firewall on the client, and tried to create a custom rule allowing TCP port 3333 - still no dice.
I also did a "NETSTAT" command on the client while trying to connect; the TCP connection stalled at "SYN_SENT" - for me, it still seems like the TCP port is blocked somewhere.

So, now I am a bit lost. I hope someone can help me - thanks!


/Mick Negendahl

Hub-and-Spoke VPN using Windows Server 2008 R2 and RRAS


Hi,

I am trying to create a simple VPN hub-and-spoke topography. I have managed to get quite a long way and the following diagram shows what I have been able to build thus far:


As you can see, the hub is a Windows Server 2008 R2 box running RRAS. The spokes will either be Draytek routers with a number of PCs (or other devices) on the LAN behind them or PCs dialling in directly to the server. All of this works as expected except for the fact that none of the LAN devices at the spokes are able to communicate with the devices at the other spokes. For example, the direct dial-in PC (192.168.1.11) cannot communicate with 192.168.3.1 or 192.168.10.1.

Things that I have tried and work:

  • All of the LAN devices can ping any of the VPN addresses (so, for example, the direct dial-in PC can ping 10.0.0.1, 10.0.0.4 and 10.0.0.5).
  • I have enabled Syslog on the Draytek routers and can see the ICMP traffic through the firewall when the 10.0.0.x address of the router is pinged (for example, if I ping 10.0.0.5 from the direct dial-in PC, I can see the firewall allowing the ping).
  • I have added static routes to the Draytek routers (for example, on the 10.0.0.5 router, I have added a route for 192.168.1.0 / 24 and 192.168.3.0 / 24 routing via 10.0.0.1).
  • I have added static routes to the direct dial-in PC for 192.168.3.0 / 24 via 10.0.0.4 and 192.168.10.0 / 24 via 10.0.0.5
  • I have added static routes to the server for each LAN at the end of the spokes (for example, I added a route for 192.168.1.0 / 24 to route via 10.0.0.2, and 192.168.10.0 / 24 via 10.0.0.5). I am having trouble persisting these routes so that they re-establish if the VPN connection drops and re-connects.

Things that don't work:

  • The server is unable to ping any of the LAN PCs (for example, it can't ping 192.168.10.1 or .2 etc.). Syslog on the routers does not see any ICMP traffic.
  • The client PCs are unable to ping any remote PCs (for example, 192.168.10.x PCs cannot ping 192.168.3.x PCs or the direct dial-in client at 192.168.1.11).

If I use tracert or pathping, it does look like the traffic is trying to go via the server but it never gets there. For example:

C:\Users\Administrator>pathping -n 192.168.10.2

Tracing route to 192.168.10.2 over a maximum of 30 hops

  0  10.0.0.1
  1  10.0.0.5
  2     *        *        *

I am really at a loss as to what to do next. It must be possible to get this working... I have found so many articles about this topic but nothing seems to address this particular problem. So I guess my two main questions are:

  1. What am I missing to get the remote LAN PCs to be able to communicate with each other?
  2. What do I need to do to persist the routes via the VPN clients to their LANs?
  3. Can I avoid static routes completely and use dynamic routes?  I have tried using RIP but the RIP multicasts come in over the VPN (I have seen this using Wireshark) and I can't create RIP on the "Internal Interface".

One idea that I've had... Could the problem be anything to do with IPv6? When I was experimenting, I tried disabling it using Microsoft Fixit 50409. After I did this, neither the routers nor the direct dial-in W7 client were able to establish a VPN connection until I re-enabled it... I had assumed that all traffic would be IPv4 but perhaps I'm wrong?

Many thanks!


Unable to delete 'A' record with dnscmd /RecordDelete


I'm trying to delete an 'A' record from my AD-Integrated DNS zone using 'dnscmd /RecordDelete'. I'm prompted to confirm that I want to delete the record, and after selecting 'y' I get a message that the operation completed successfully, but the record is still there. I know the syntax is correct. 

I've tried refreshing the zone, restarting the DNS server service, changing the scavenging/aging options on the zone and the server, but nothing seems to work. I've also tried to delete 'static' records and a record with a time stamp. 

If I right-click the record and select "delete" through the DNS snap-in, the record is deleted. I presume using the "dnscmd /RecordDelete" command is the same operation, no? 

Why can't I delete the record? 

Invalid PTR records in win 2003/2008 DNS server?


The other day I was building a PTR record using the dnscmd set from the command prompt on my server. I managed to swap the position of the record's value (should have been 1 for a resulting value of 6.6.6.1) and the time to live of 1200 seconds.

The server accepted the entry and created a PTR record of 6.6.6.1200 !

I thought it was a fluke so I deleted and re-created with a more descriptive name... it took a second time too. I have now done this on 2003 and 2008.

How is this possible?

Thanks in advance.

DNS / DHCP problem


I'm having the following problem.

In DHCP we have 2 scopes - one for wireless and 1 for cabled network.

Laptops sometimes connect to wireless and sometimes to the cable, and thus they have 2 IP addresses registered in DNS. Is there a way to prevent this and make sure only 1 DNS record is registered with the current IP address? Now in DNS I have a lot of laptops with 2 IP addresses.

How can I prevent having 2 IP addresses on the same hostname?

Thanks

Patrick


Configuring static route for internal storage


It has been about 10 years since I had to do anything with RRaS, and even then it was only when working on my MCSE, so I appreciate your patience with what may end up being a dumb question.

I have recently implemented a Dell Compellent storage system, which runs on an internal network of 10.0.x.x (/16). Due to security restrictions, the storage system itself does not have external connections. The front end is a Server 2012 cluster, which serves out the CAP to the users.

In addition, there is a second box which is used to run Enterprise Manager. This box is on the 10.0.x.x /16 network along with the Compellent system on NIC Interface #1, and also on our external network using a static IP on Interface #2.

My issue is in attempting to allow the Compellent system to communicate with the outside world (Phone Home).  Obviously it cannot do so on its own, so my thought was to configure Routing and Remote Access to permit this. My attempt looked something like this on the admin server (We'll call it Admin):

My external NIC interface is "External", with a static public IP.

My internal NIC interface is "Internal" with a private IP of 10.0.3.100 (/16)

The Dell system (also on the internal network) has an IP of 10.0.1.101 (also /16) - I can ping the Dell system from the Admin server along that network.

I set up Route and Remote Access on "Admin" with Windows Server 2008 Standard R2. In RRaS, I have enabled the computer as an IPv4 Router, Local Area Network (LAN) routing only. I have left the security options at the defaults (Windows Authentication, Windows Accounting), and ensured that Enable IPv4 Forwarding is enabled on the IPv4 tab.

Now, to the meat of it - I want to create a static route that will route traffic from the 10.0.x.x /16 subnet to the external interface's public IP address. (for convenience, let's call it 55.55.55.55).

I created a static route. I set the Interface to Internal, as that is the one I am seeking to route from. For the destination, I set the external network of 55.55.55.0, and the Network Mask for 255.255.254.0 (as that's the mask for the public network), and the default gateway of 55.55.55.1 (which is my normal external gateway). I left the metric at the standard 256.

My first question is - is this correct?  I've been doing the typical google searches, and it appears to be correct, but now the Admin box can't even ping the Dell system over the internal network (10.0.1.101 is not responding). I'm sure this is just a case of my not having messed with this in years, but a fresh perspective might help.

Enable Lan Routing Windows Server 2012


Hi!

I'm trying to set up RRAS on a Windows Server 2012 to route between my two networks. I have a Windows Server 2012 with two NICs and RRAS installed. I installed the "Lan Routing" custom option.

My configuration is:

Server nic1 - 192.168.1.254 255.255.255.0 (no dfgateway)

Server nic2 - 192.168.103.54 255.255.255.0 (no dfgateway)

Clients subnet1 - 192.168.1.x 255.255.255.0 192.168.1.254

Clients subnet2- 192.168.103.x 255.255.255.0 192.168.103.54

The problem is that from a client of subnet1 I can ping 192.168.1.254 and 192.168.103.54 but I can't ping clients of subnet2, and backwards it is the same problem.

Thanks.

Different DHCP Permissions on DC's and RODC's


Hi,

Here is my scenario:

I have some RODC servers on our remote sites and some DCs in our HQ.

I want some AD users to have administrative rights on those remote RODCs but not on the DCs.

Also, we have some stand-alone DHCP servers, which I don't think cause us difficulties because there is a local DHCP Administrators group on them.

As told, the main problem is to give DHCP different permissions on different servers: administration on RODC servers (or maybe some of the DCs, ha? why not?) and view or deny on our DCs (or maybe even RODCs).

Simplified: I want to give DHCP admin rights to some people, but just on the RODC or DC servers I like.

If I make them members of DHCP Admins they will have rights on all servers.

ty


Payne is back

Best Practice for configuring LACP


Hello All, is there a best practice on 2003 & 2008 server flavors on how to configure LACP? Specifically, if the Cisco switch is configured for LACP Mode Active, should I hard code the network adapter on the server for 802.3ad or Auto negotiation? I have been hit or miss when I use Auto negotiation but rock solid when I hard code my Proliant servers to use Ether Channel and the HP Teaming applet set for "802.3ad" and "Destination IP".

Example:

DHCP migration to 2008 r2


Hi

There seems to be a number of ways to migrate DHCP from 2003 to 2008R2 and, to me at least, some conflicting stories on what’s best. We’re moving from a 2003 DC running DNS and DHCP to a newly promoted 2008 r2 x64 server running as a DC and DNS.

 

I found this article http://www.networkworld.com/community/node/56296

about using the DHCP migration tool in 2008 r2 and it looks just like what we need. The only thing is it reuses the IP address from the old/existing DHCP server. We’re not reusing the IP address on the new DHCP server, the new DHCP server will have a NEW IP address.

 

My questions are:

 

-      What happens when we use a new IP address for our DHCP servers? We don’t want to have to reboot every client.

-      I’ve read we could shorten the lease time to 30 mins on existing DHCP server. Assuming this is correct; at what stage in the process would we do that?

-      I also understand that we need to update the IP helpers on routers, I guess we do this after the last step?

 

Apologies if these questions seem daft/obvious. I would have thought what I’m doing is not too left field but I can’t find any definitive articles for DHCP migrations (using DHCP migration tool in 2008 r2) to servers with a NEW IP address.

I’ve found this very similar article but it doesn’t actually say what happens for using a new IP address

http://social.technet.microsoft.com/Forums/en-US/winserverMigration/thread/2b4aae11-3954-4437-88b2-b59f41b58c83

 

 

Thanks
