VPN Server and Internal Browser conflicting

Discussion in 'Server Networking' started by John Crowley, Nov 17, 2003.

  1. John Crowley

    John Crowley Guest

    Here's the basic setup:
    Windows 2003 PDC which is also DHCP, DNS, AD. It has a single NIC on internal network with internal IP (192.168.0.x). Set up the external router to forward VPN, HTTP and Term Service ports to PDC. The DNS server has a root authority that is a subdomain of our main domain name (internal.xxx.com).

    I wanted to setup VPN, so enabled routing and remote access. This seems to have worked fine, external clients can see internal network by VPN connection.

    The problem is that the routing service has created a dial-up IP interface, and assigned a second IP address, so now the machine has 2 IP addresses. The dial-up IP address gets registered with DNS, and now all the internal network clients are unable to browse the network. All the internal machines resolve the PDC machine name to the dial-up adapter IP, instead of the normal ethernet adapter address. If I manually remove the DNS entry for the dial-up adapter, the internal machines start resolving to the ethernet adapter address, and things start working again. But every time the machine cycles, the DNS entry gets registered again.

    Is there a way to prevent the DNS record from being created? Why the heck does the dial-up adapter want to be in DNS anyway? Do I even need a dial-up adapter at all (and is there some way to remove it)? The thing only has one NIC. I haven't been able to find a good answer to this problem on the net anywhere.
     
    John Crowley, Nov 17, 2003
    #1

  2. Lanwench [MVP - Exchange]

    OT, but you really really really don't want to be running RRAS on that poor
    server given its roles. Either get another server (with two NICs) for RRAS,
    or, (my preference) use third party IPSec VPN thru a firewall like Sonicwall
    or equivalent (Watchguard, etc). Takes the resource load off the server, and
    is more secure - I've truly never understood the point of turning a Windows
    box into a router myself to begin with, esp. now that firewall/router
    appliances are so cheap. Just my two cents.
     
    Lanwench [MVP - Exchange], Nov 17, 2003
    #2

  3. Bill Grant

    Bill Grant Guest

    It was never a good idea to run a PDC as a multihomed server, and it still
    isn't!

    If you must do it, you need to prevent the "virtual" IP from registering
    in DNS and/or WINS. Even if you aren't running WINS, having two interfaces
    enabled for Netbios over TCP/IP will upset browsing.

    See KB 292822 for ways to handle the DNS and Netbios problems.

    PS. What do you think the remotes connect to, if not the dialup adapter?

     
    Bill Grant, Nov 18, 2003
    #3
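    The two changes Bill recommends (keep the RRAS virtual interface out of DNS, and take it out of NetBIOS over TCP/IP so it does not upset browsing) can be checked and applied from PowerShell. This is an added example, not something posted in the thread: it assumes a domain controller running Windows Server 2012 or later (where Resolve-DnsName, Get-NetIPAddress and the DnsServer module exist; on Windows 2003 the same settings live in the adapter's Advanced TCP/IP properties and KB 292822), that the LAN adapter is called 'Ethernet' and holds a single IPv4 address, that the RRAS interface shows up as an IP-enabled Win32_NetworkAdapterConfiguration, and it reuses the zone name internal.xxx.com from the original post.

```powershell
# Added example, not from the thread. Assumptions: Windows Server 2012+ on the DC,
# LAN adapter alias 'Ethernet' with one IPv4 address, RRAS interface visible as an
# IP-enabled Win32_NetworkAdapterConfiguration, zone name from the original post.
$DcName   = $env:COMPUTERNAME
$LanAlias = 'Ethernet'            # assumption
$ZoneName = 'internal.xxx.com'    # from the original post

# 1. Compare what DNS says about this host with the LAN adapter's address.
$lanIp = (Get-NetIPAddress -InterfaceAlias $LanAlias -AddressFamily IPv4).IPAddress
$registered = Resolve-DnsName -Name "$DcName.$ZoneName" -Type A -ErrorAction Stop |
              Where-Object { $_.Type -eq 'A' } |
              Select-Object -ExpandProperty IPAddress
$stray = @($registered | Where-Object { $_ -ne $lanIp })
if ($stray.Count -eq 0) {
    Write-Host "Only $lanIp is registered for $DcName; nothing to do."
    return
}
Write-Warning "Extra A record(s) for $DcName : $($stray -join ', ') (LAN address is $lanIp)"

# 2. On every IP-enabled interface that does not carry the LAN address (i.e. the
#    RRAS virtual interface), turn off dynamic DNS registration and NetBIOS over
#    TCP/IP, so it neither re-registers after a reboot nor joins browser elections.
Get-CimInstance Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and ($_.IPAddress -notcontains $lanIp) } |
    ForEach-Object {
        # SetDynamicDNSRegistration(FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled)
        Invoke-CimMethod -InputObject $_ -MethodName SetDynamicDNSRegistration `
            -Arguments @{ FullDNSRegistrationEnabled = $false; DomainDNSRegistrationEnabled = $false } |
            Out-Null
        # TcpipNetbiosOptions: 0 = via DHCP, 1 = enable, 2 = disable
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = [uint32]2 } |
            Out-Null
        Write-Host "Disabled DNS registration and NetBIOS over TCP/IP on '$($_.Description)'"
    }

# 3. Remove the stale A record(s) so internal clients stop resolving the DC to the
#    RRAS address, then re-register so only the LAN address comes back.
foreach ($ip in $stray) {
    Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $DcName -RRType A `
        -RecordData $ip -Force
}
ipconfig /registerdns | Out-Null
```

Run it in an elevated session on the DC. Step 1 alone is a harmless diagnostic and is worth re-running after a reboot: if the RRAS address reappears, the registration setting on that interface did not stick. Step 2 is what stops the symptom from coming back, since manually deleting the record (step 3) only lasts until the next dynamic update.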
  4. John Crowley

    John Crowley Guest

    Thanks Bill, that seems to have done the trick...

    Yes I know it would be nice to have a separate server or VPN appliance, but when you've got a server that only needs to support 10 clients and 3 VPN clients, and you had to fight to get the PDC at all, you do what you have to do.
     
    John Crowley, Nov 18, 2003
    #4