none
Do I need to run DNS on an SBS2011 for remote access? RRS feed

  • Question

  • I got my SBS2011 back on line, and I am trying to set it up as a RRAS server so I can access local resources over the internet. I  am able to VPN into the Server from the outside, but the resources don't show up. The only thing I can do is to access a website that is running on the server, and I can access the hard drive on the server. Most of the information resides on a couple of NAS devices, and I don't see them when I am VPNed in.

    The server is NOT the DHCP server for the network. That actually turned out to be a goo thing, as the server lost internet connectivity (se another thread), and my entire (small) network would not have been able to connect to the internet because the server had issues. In my case the DHCP server is the firewall on the network.

    So, do I have to enable the DNS role on the server to be able to connect to the other resources? Is it even possible to have router being the DHCP server, and the SBS2011 as the DNS server for the internal network?

    Monday, December 16, 2019 9:04 PM

Answers

  • Hello,

    A SBS Server is Domain Controller, so it always needs DNS. You should enable this. Do you have added a static route for your VPN Subnet to your firewall or the SBS Server? Your network traffic going in to the VPN doesn't know how to find its way back.

    Thanks,

    Niels

    • Marked as answer by vistauser111 Thursday, December 19, 2019 4:08 PM
    Monday, December 16, 2019 9:17 PM
  • Hello,

    You can leave the firewall and the DHCP scope as is. It serves the subnet with the public DNS servers and that's fine. 

    What you should do in order to get the traffic flowing over the VPN is this:

    For Example, this is the subnet for your network:

    10.1.0.0/24

    This is the server:

    10.1.0.10

    An this the firewall:

    10.1.0.1

    For Example this is your VPN subnet:

    10.2.0.0/24

    You need to configure a static route in your firewall to make sure the VPN traffic can flow:

    Traffic for 10.2.0.0/24 should go to the next hop 10.1.0.10.

    Thanks,

    Niels

    • Marked as answer by vistauser111 Thursday, December 19, 2019 4:08 PM
    Tuesday, December 17, 2019 7:08 AM
  • Hello,

    You can also try to setup the route on the SBS server with this command:

    route ADD destination_network MASK subnet_mask  gateway_ip metric_cost

    In your situation that would be:

    route ADD 192.168.7.0 MASK 255.255.255.0 192.168.0.18

    I am not sure about the MASK parameter since you didn't specify the subnetmask of your VPN subnet. Please doublecheck this.

    If you have more questions, let me know!

    • Marked as answer by vistauser111 Thursday, December 19, 2019 4:09 PM
    Wednesday, December 18, 2019 6:59 AM

All replies

  • Hello,

    A SBS Server is Domain Controller, so it always needs DNS. You should enable this. Do you have added a static route for your VPN Subnet to your firewall or the SBS Server? Your network traffic going in to the VPN doesn't know how to find its way back.

    Thanks,

    Niels

    • Marked as answer by vistauser111 Thursday, December 19, 2019 4:08 PM
    Monday, December 16, 2019 9:17 PM
  • Thanks. I will try that tonight and set up the DNS role and see what happens.

    You are referring to a static route for the VPN subnet. Do you mean a static IP address into the system? Yes, I have set up something with no-ip.com, so I can get to the server from the outside. Is that what you meant? 

    Monday, December 16, 2019 10:23 PM
  • Ok, I am a bit confused now. The DNS Role is installed and everything is green (except that I get a warning that a disabled adapter is high on the binding list, but I don't seem to be able to change that. 

    So, the DHCP server also serves the DNS server addresses to the clients. They are currently set to 2 public DNS servers. But when I log in via VPN, the login happens on the server. Since the firewall is the DHCP server the clients will get the DNS servers that are set up in the firewall. Meaning, they don't now how to get info from the DNS server? Do I need to specify the SBS2011 (RRAS) as the second DNS server in the firewall? I'll give that a try now.

    Tuesday, December 17, 2019 3:47 AM
  • Hello,

    You can leave the firewall and the DHCP scope as is. It serves the subnet with the public DNS servers and that's fine. 

    What you should do in order to get the traffic flowing over the VPN is this:

    For Example, this is the subnet for your network:

    10.1.0.0/24

    This is the server:

    10.1.0.10

    An this the firewall:

    10.1.0.1

    For Example this is your VPN subnet:

    10.2.0.0/24

    You need to configure a static route in your firewall to make sure the VPN traffic can flow:

    Traffic for 10.2.0.0/24 should go to the next hop 10.1.0.10.

    Thanks,

    Niels

    • Marked as answer by vistauser111 Thursday, December 19, 2019 4:08 PM
    Tuesday, December 17, 2019 7:08 AM
  • HI
    1.Is it even possible to have router being the DHCP server, and the SBS2011 as the DNS server for the internal network?
    yes.

    2.do you consider migrating your sbs2011 to wse2016 or high version?
    Manage VPN in Windows Server Essentials
    https://docs.microsoft.com/en-us/windows-server-essentials/manage/manage-vpn-in-windows-server-essentialsEnd of support for Windows Server 2008 and Windows Server 2008 R2

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 17, 2019 10:22 AM
  • Thanks for the response. I tried a few things and I am not sure I understand how to set up a static route. Here is what I have:

    Internal network

    192.168.0.x

    Firewall/DHCP server

    192.168.0.1

    SBS2011

    192.168.0.18

    I also have a no-ip address set up that gives me an IP address that I can use to get access to the SBS2011. Let's call it A.B.C.D

    RRAS server on SBS2011 installed, VPN enabled, VPN subnet

    192.168.7.x

    IP address of Dial in adapter

    192.168.7.1

    When I try to set up a static route on the firewall, it asks me for

    name: Arbitrary

    Destination IP address: 192,168.0.18

    Subnet mask: 255.255.255.0

    Gateway IP address: What would this be? I tried the 192.168.0.1 and 192.168.7.1, but the router complained that it had to be "in selected interface subnet".

    From what you write, I understand that I have to direct traffic that come in on 192.168.7.x to the DNS server. But the static route I am trying to set up does not ask me for the IP addresses to route, so I am not sure I am looking at the right thing. 

    I can set up a VPN connection to the SBS2011, but I can't access any resources other than those directly on the server.

    Right now I am trying to set up a VPN connection with my laptop using a hotspot on my phone, but I can't connect. That could be a problem with the phone, though, so I can't test the VPN setup right now. I'll try again tomorrow.


    Wednesday, December 18, 2019 5:19 AM
  • Hello,

    You can also try to setup the route on the SBS server with this command:

    route ADD destination_network MASK subnet_mask  gateway_ip metric_cost

    In your situation that would be:

    route ADD 192.168.7.0 MASK 255.255.255.0 192.168.0.18

    I am not sure about the MASK parameter since you didn't specify the subnetmask of your VPN subnet. Please doublecheck this.

    If you have more questions, let me know!

    • Marked as answer by vistauser111 Thursday, December 19, 2019 4:09 PM
    Wednesday, December 18, 2019 6:59 AM
  • Success!

    I set up the RRAS again and the DNS, and I also forwarded PPTP to my server in the firewall. I checked that last night with my laptop connecting to the internet via my phone, but that did not work, But I just now connected to the server from my office (different network) and I can see the resources on the other network :-)

    I think that I can't connect through my iphone, as Apple disabled PPP. I'll have to see how I can do that.

    One thing remains open: Name resolution. I can access devices and computers now by IP address, but not by name (most of them show up with a name when I look at my router. I suspect that is a WINS thing, right?

    Anyway, many thanks for helping me. Appreciate it.

    Wednesday, December 18, 2019 10:02 PM
  • Hello,

    Good to hear that everything worked out!

    Could you please mark my answers as helpful/answer?

    Thanks in advance!

    Niels

    Thursday, December 19, 2019 7:00 AM
  • Done :-)

    Do you have a suggestion about the name resolution?

    Thursday, December 19, 2019 4:10 PM
  • Hello,

    Thank you! Do you specify a DNS server in the RRAS setup? That should be your SBS server.

    Regards,

    Niels

    Thursday, December 19, 2019 4:34 PM
  • Hmm, OK. I am not sure where the VPN connection gets the information about DNS from.

    The DHCP server is my router (192.168.0.1) and it has 2 DNS entries: 8.8.8.8 and 208.67.222.222, and no default gateway. When I look at the VPN adapter properties (ipconfig), it shows 8.8.8.8 and 192.168.0.1, and it does NOT show a Default Gateway. This could explain why the name resolution does not work. Obviously, 8.8.8.8 does not know anything about my internal network, and although 192.168.0.1 is the DHCP router which has the information, I am not sure if it actually works as a DNS server. I don't think so. 

    But since I am not seeing the 208.67.222.222 address as DNS server on the VPN connection, and it is not defined in RRAS, where does the DNS information on the VPN adapter come from?

    I checked the IP4 configuration on the server, and it seems that the server NIC has the 8.8.8.8 and 192.168.0.1 addresses as DNS servers (its a static IP address, so I have to specify the DNS servers manually). Do the VPN connections get their DNS information from the NIC settings of the server?

    The NIC also has an entry for the Default Gateway (192.168.0.1), but that does NOT seem to be passed on to the vpn clients. Where do I set that entry for the VPN connection?


    • Edited by vistauser111 Thursday, December 19, 2019 9:12 PM
    Thursday, December 19, 2019 7:44 PM
  • Hello,

    Your SBS server should be the first DNS server in your VPN configuration.

    Regards,

    Niels

    Friday, December 20, 2019 7:57 AM
  • I am glad to hear that this issue is solved.

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 23, 2019 6:41 AM