VPN migration

[Furio1]

Hello,
I recently upgrade our main office to AD from NT4.0, and we are now
having problems with the VPN connection originating from our hot site
on a different subnet. I get "Error 930: authenticating server did
not respond..." Do I need a DC on that subnet as well? VPN is running
on a win2k server, should it be ok? I'm questioning whether I need to
migrate the vpn software over to a win2k3 server, or shoukld it be ok
in the short term on a win2k server?

Any help is appreciated.

 

[Furio1]

should be noted that main and branch (hot site) are connected via a
pt-to-pt private line.

 

[Herb Martin]

Hello,
I recently upgrade our main office to AD from NT4.0, and we are now
having problems with the VPN connection originating from our hot site
on a different subnet. I get "Error 930: authenticating server did
not respond..." Do I need a DC on that subnet as well?

No. Not necessarily but you must be able to authenticate
any place such is required.

Chances are you have DNS problems -- since 95% of all AD
authentication problems are DNS anyway, and you may not have
used that under NT4 anyway, or at least not the same was as
AD does.

VPN is running
on a win2k server, should it be ok? I'm questioning whether I need to
migrate the vpn software over to a win2k3 server, or shoukld it be ok
in the short term on a win2k server?

From a functional point of view it should work on either.

Run DCDiag on each DC (see below for more DNS help * )
Run NetDiag on each NON-DC that is (or might be) involved
in the problem.

should be noted that main and branch (hot site) are connected via a
pt-to-pt private line.

Not that it matters but why do you use a VPN if you already have a
private point-to-point network?

Wouldn't just routing there work as well? (Just a thought.)


* DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /serverC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

 

[Furio1]

Hey Herb,
thanks for the help, I am checking on some of this these suggestions.
I did point the vpn server to the correct DNS server, but it did not
resolve my problem.

We have vpn setup for a couple of users that are outside of the two
locations (actually just one location, since we are talking about a hot
site setup for backup purposes). All traffic routs through our hot
site to our main location via the private line, that part is certainlly
handled through the routing tables.

Is there any permissioning I need to setup on the AD DC in regards to
the additional subnets?

 

[Furio1]

more info: vpn server has a static ip

 

[Furio1]

I ran netdiag on the vpn server and this is making me pause:

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for FREKI$.


LDAP test. . . . . . . . . . . . . : Failed
[WARNING] The default SPN registration for 'HOST/freki' is missing
on DC 'te
rra.sandiego.xxxx.com'.
[WARNING] The default SPN registration for 'HOST/FREKI' is missing
on DC 'te
rra.sandiego.xxxxx.com'.
[WARNING] The default SPN registration for 'HOST/freki' is missing
on DC 'te
stadupgrade02.sandiego.xxxxxx.com'.
[WARNING] The default SPN registration for 'HOST/FREKI' is missing
on DC 'te
stadupgrade02.sandiego.xxxxxx.com'.
[FATAL] The default SPNs are not properly registered on any DCs.

any ideas?

 

[Furio1]

Hey Herb,
I ran netdiag on the vpn server and I got:
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for FREKI$.


LDAP test. . . . . . . . . . . . . : Failed
[WARNING] The default SPN registration for 'HOST/freki' is missing
on DC 'te
rra.sandiego.xxxxx.com'.
[WARNING] The default SPN registration for 'HOST/FREKI' is missing
on DC 'te
rra.sandiego.xxxxx.com'.
[WARNING] The default SPN registration for 'HOST/freki' is missing
on DC 'te
stadupgrade02.sandiego.gxxxxx.com'.
[WARNING] The default SPN registration for 'HOST/FREKI' is missing
on DC 'te
stadupgrade02.sandiego.xxxxx.com'.
[FATAL] The default SPNs are not properly registered on any DCs.

any idea how I would go about correcting it (assuming it is the source
of my problem)

Thanks in advance,
Furio

Hello,
I recently upgrade our main office to AD from NT4.0, and we are now
having problems with the VPN connection originating from our hot site
on a different subnet. I get "Error 930: authenticating server did
not respond..." Do I need a DC on that subnet as well?

No. Not necessarily but you must be able to authenticate
any place such is required.

Chances are you have DNS problems -- since 95% of all AD
authentication problems are DNS anyway, and you may not have
used that under NT4 anyway, or at least not the same was as
AD does.

VPN is running
on a win2k server, should it be ok? I'm questioning whether I need to
migrate the vpn software over to a win2k3 server, or shoukld it be ok
in the short term on a win2k server?

From a functional point of view it should work on either.

Run DCDiag on each DC (see below for more DNS help * )
Run NetDiag on each NON-DC that is (or might be) involved
in the problem.

should be noted that main and branch (hot site) are connected via a
pt-to-pt private line.

Not that it matters but why do you use a VPN if you already have a
private point-to-point network?

Wouldn't just routing there work as well? (Just a thought.)


* DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /serverC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

[Herb Martin]

Hey Herb,
I ran netdiag on the vpn server and I got:
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for FREKI$.
LDAP test. . . . . . . . . . . . . : Failed
[WARNING] The default SPN registration for 'HOST/freki' is missing
on DC 'te
any idea how I would go about correcting it (assuming it is the source
of my problem)

Yes, it is either the source of your problem OR going to be a problem
if you fix other problems.

This VPN server is a DNS client of the INTERNAL DNS it must
have STRICTLY the Internal DNS servers (for the domain) listed
on the NICs (all NICs.)

A common mistake: to list both internal and EXTERNAL (e.g., ISP
or even itself as DNS server) which is wrong.

If a VPN server must authenticate Domain accounts then it is
by DEFINITION an "internal computer" and must use STRICTLY
the internal DNS.

This is also true for DCs and another common mistake. If the DCs
use the wrong DNS then they never register AND cannot find each
other for replication.

If an "ordinary client" uses the wrong DNS then it cannot find the
DCs for authentication.

And trying to use two different SETS (internal and external) does
NOT work since which one is used is somewhat arbitrary or
random.

Show me the IPConfig /all from your VPN server (save text to
file and paste it in; do not retype and do not use a graphic.)

Show me the IPConfig /all from the DC and/or DNS it should
use and clearly distinguish the various machines.

Test routing between VPN and DNS server to make sure it
can reach the DNS to resolve names.

Test nslookup between them to make sure it can actually
perform the resolution.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Thanks in advance,
Furio

Hello,
I recently upgrade our main office to AD from NT4.0, and we are now
having problems with the VPN connection originating from our hot site
on a different subnet. I get "Error 930: authenticating server did
not respond..." Do I need a DC on that subnet as well?

No. Not necessarily but you must be able to authenticate
any place such is required.

Chances are you have DNS problems -- since 95% of all AD
authentication problems are DNS anyway, and you may not have
used that under NT4 anyway, or at least not the same was as
AD does.

VPN is running
on a win2k server, should it be ok? I'm questioning whether I need to
migrate the vpn software over to a win2k3 server, or shoukld it be ok
in the short term on a win2k server?

From a functional point of view it should work on either.

Run DCDiag on each DC (see below for more DNS help * )
Run NetDiag on each NON-DC that is (or might be) involved
in the problem.

should be noted that main and branch (hot site) are connected via a
pt-to-pt private line.

Not that it matters but why do you use a VPN if you already have a
private point-to-point network?

Wouldn't just routing there work as well? (Just a thought.)


* DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or
indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /serverC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

[Furio1]

Here is the ouput of ipconfig /all on DC and vpn server:
C:\Program Files\Support Tools>ipconfig /all *********VPN
Server***********

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : freki
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100+ PCI
Adapter
Physical Address. . . . . . . . . : 00-90-27-7A-49-05
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.252.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.252.1
DNS Servers . . . . . . . . . . . : 192.168.100.11
192.168.100.14
Primary WINS Server . . . . . . . : 192.168.100.11
Secondary WINS Server . . . . . . : 192.168.100.14



************ DC ********************
Windows IP Configuration

Host Name . . . . . . . . . . . . : testadupgrade02
Primary Dns Suffix . . . . . . . : sandiego.test.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sandiego.test.com
globeflex.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : sandiego.test.com
Description . . . . . . . . . . . : Compaq NC3121 Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-50-8B-07-C8-DE
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.6
DNS Servers . . . . . . . . . . . : 192.168.100.11
Primary WINS Server . . . . . . . : 192.168.100.11
Secondary WINS Server . . . . . . : 192.168.100.2

192.168.100.14 is the backup DC/DNS server.
I'll test routing right now and post results. I also just realized I
cannot map a drive to the vpn server.

 

[Furio1]

This is what I get on a nslookup:
C:\Documents and Settings\frekisvr>nslookup
*** Can't find server name for address 192.168.100.11: Non-existent
domain
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.100.14: Timed out
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.100.11

I am able to resolve addressess though.

 

[Furio1]

Problem solved. I think what did it was deleting the computer account
and removing th server from the domain and then re-joining it.

 

[Herb Martin]

Here is the ouput of ipconfig /all on DC and vpn server:
C:\Program Files\Support Tools>ipconfig /all *********VPN
Server***********

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : freki
Primary DNS Suffix . . . . . . . :

Systems should have PRIMARY DNS suffix set in the
System control panel and showing here.

Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100+ PCI
Adapter
Physical Address. . . . . . . . . : 00-90-27-7A-49-05
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.252.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.252.1
DNS Servers . . . . . . . . . . . : 192.168.100.11
192.168.100.14

What is 192.168.100.14? Does it have PRECISELY the
same resolutions for this domain's names?

Primary WINS Server . . . . . . . : 192.168.100.11
Secondary WINS Server . . . . . . : 192.168.100.14



************ DC ********************
Windows IP Configuration

Host Name . . . . . . . . . . . . : testadupgrade02
Primary Dns Suffix . . . . . . . : sandiego.test.com

So is the VPN server also a member of this domain?
It should have this Primary suffix set as well.
(Interface specific suffixes are NOT the key.)

Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sandiego.test.com
globeflex.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : sandiego.test.com
Description . . . . . . . . . . . : Compaq NC3121 Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-50-8B-07-C8-DE
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.6
DNS Servers . . . . . . . . . . . : 192.168.100.11
Primary WINS Server . . . . . . . : 192.168.100.11
Secondary WINS Server . . . . . . : 192.168.100.2

192.168.100.14 is the backup DC/DNS server.
I'll test routing right now and post results. I also just realized I
cannot map a drive to the vpn server.

Have you run your DCDiag and NetDiag (non-DCs) yet?

 

[Herb Martin]

This is what I get on a nslookup:
C:\Documents and Settings\frekisvr>nslookup
*** Can't find server name for address 192.168.100.11: Non-existent
domain
DNS request timed out.
timeout was 2 seconds.

These initial "errors" from NSLookup are an unfortunate feature
(read: BUG) of the way that NSLookup works.

Ignore them AS LONG AS you get resolution of the actual
record you request.

*** Can't find server name for address 192.168.100.14: Timed out
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.100.11

I am able to resolve addressess though.

Then that is ok. Can you pass DCDiag on every DC and NetDIAG (on non-DCs.)

 

[Herb Martin]

Problem solved. I think what did it was deleting the computer account
and removing th server from the domain and then re-joining it.

Ok. For future reference, try RESETING it in the future.

IF it works (and it usually does when re-adding it would work)
then you will be better off as you move to Windows AD.

You can reset an account in AD Users/Computers by right-clicking
on it.

You can also use DSMod, NetDom, and even NLTest (which works
on NT class machines.)

As you move into the future, you would prefer not to lose a
Computer SID and resetting avoids that. Under NT this was
not (much of) an issue.