Remote Access (VPN) via RRAS and DHCP issue

  • Question

  • I managed to set up a VPN connection with RRAS running on Windows 2008 R2. This server also acts as gateway of the whole (small lab) infrastructure; it routes network traffic between LAN and WAN. VPN authorization works properly using PKI computer certificates, connecting by the L2TP protocol. VPN traffic from computer to servers/domain works OK; when the VPN is connected, workstations are able to resolve the domain. But servers cannot resolve remote computers connected via VPN. I tried both settings of the RRAS DHCP option: using a specified scope, and getting IPs from DHCP. When using the option to get IPs from the DHCP server (which is the primary DC), RRAS reserves many VPN ports from DHCP, but the DHCP table in the DC does not show real hostnames of remote computers; it shows reservations as VPN tunnels. While a remote computer is connected via VPN, DNS (which is the same DC) won't update the VPN's IP in the DNS table either, even if I reload or clean it.

    What else do I need to configure so that remote computers would be served by DHCP and DNS like local computers? Remote computers are getting the proper DNS server, the same DC.

    Wednesday, September 8, 2010 5:37 PM

All replies

  •   If you use the default setting of getting addresses for remote clients from DHCP, the RRAS server actually leases a batch of IPs from DHCP to use for remote users. The client gets an IP from the RRAS server when it connects. The client does not lease an IP directly from DHCP.

       If you are using the same IP subnet for the LAN machines and the remotes (which you must be if you are using DHCP), the clients access the servers indirectly. There is no real IP routing being done (since you can only route between subnets). The RRAS server acts as a proxy for the clients.

      The real solution for your problem is to use a different IP subnet for your remotes and route them through the RRAS server. Regard the remotes as if they were another group of machines on a different network. You could then have a different zone in DNS and register their names in that zone.

      See these links for more info on RRAS and off-subnet addressing.

    http://technet.microsoft.com/en-us/library/cc958008.aspx

    http://support.microsoft.com/kb/171185


    Bill
    Thursday, September 9, 2010 12:40 AM
  • Lets see, now I did:

    - new subnet and site for VPN

    - at RRAS's IPv4 settings for remote connections, I assigned an independent scope of addresses, the same pool as that subnet's IP range

    - I created new primary zone at DNS, but I don't know what I need to do with it

    Situation with DNS is the same - VPN clients aren't updated to DNS table. Please can you advise more. My skills are a little (or much) below those articles.

    Thursday, September 9, 2010 5:49 PM
  • Hi yannara,

    Thanks for posting here.

    If you are using DHCP to distribute addresses to remote connection computers and want these computers to be resolvable from the internal network, then you may like to configure dynamic update by modifying the DHCP properties to achieve the goal.

    Regarding how to configure DHCP properties to implement dynamic update, please refer to the section “Configure DNS dynamic updates on a Windows Server 2003-based DHCP server” in the article below:

    How to configure DNS dynamic updates in Windows Server 2003

    http://support.microsoft.com/kb/816592

    Thanks.

    Tiger Li
    Monday, September 13, 2010 6:18 AM
  • I found some theoretical help from the http://support.microsoft.com/kb/171185 article, but still, there are no best practices or how-to instructions for how this scenario should be configured.

    So, correct me if I'm mistaken, but should the first goal be to make the remote clients get "live" IPs from the DHCP server, and not reserve 128 VPN ports?

    I tried different settings of RRAS; I created a DHCP relay to point to the real DHCP service. I created a subnet, site and scope (should it be a superscope?) for the IP pool of VPN clients. Still, when a remote client connects, no IP is reserved from the DHCP scopes.

    Now I have roles divided like this:
    DC1 = Domain Controller, DNS and DHCP service; in the LAN everything works fine and DNS is updated.
    Router server = RRAS service with VPN and routing function. Acting as gateway, so clients navigate to the internet through this machine. The DHCP relay now points to DC1, but that doesn't help.

    So is there any how-to or white paper guide for my needs, or can you guys tell me what should exactly stay where?

    One thing which crossed my mind, is to move entire DHCP role from DC to RRAS server.

    Monday, September 13, 2010 5:38 PM
  •   No, that is not possible. The client must get its IP address from the server. This is part of the PPP negotiation which sets up the connection. In any case, the IP address is only valid for the duration of the connection, not for the lease time of your DHCP server. If a VPN user logs on for a few minutes, you would not want the user to get a 7-day lease!

       You do not need DHCP relay. You do not need a DHCP scope for the second subnet. You use a static pool in RRAS. You do need a DNS zone for the second subnet. Don't even think about superscopes!

      The remote clients still get their network config from the RRAS server. If you want the remote clients to register their IP addresses in DNS, you will need to have them register directly. DHCP cannot do that on their behalf, because they are not using DHCP.

      If the RRAS server is the default gateway for your LAN, everything should work OK when you enable IP routing in RRAS. All traffic addressed to the "new" subnet will go to the gateway by default routing and VPN will deliver it to the remote client. Traffic for the LAN machines coming from the remotes will come to the RRAS server by default and be delivered directly on the LAN.

    Bill
    Tuesday, September 14, 2010 12:34 AM
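    The layout Bill describes (static pool in RRAS, no DHCP relay and no DHCP scope for the VPN subnet, a DNS zone for that subnet, IP routing on the RRAS box) as an added PowerShell example. This is not code from the thread or from Microsoft; it drives the netsh ras and dnscmd tools that exist on Windows Server 2008 R2. The LAN and VPN subnets, the interface name, the DC name and the domain name are all assumptions.

```powershell
# Added example, not from the thread: applies Bill's layout from the RRAS server.
# Assumptions (none are stated in the thread): LAN is 10.0.0.0/24 on the NIC named
# "Local Area Connection", VPN clients get 10.0.1.0/24 from a static RRAS pool,
# the DC that runs DNS/DHCP is DC1 and the AD DNS zone is lab.local.
# Run in an elevated PowerShell on the RRAS server (Windows Server 2008 R2).

$LanInterface   = 'Local Area Connection'
$VpnPoolStart   = '10.0.1.10'
$VpnPoolEnd     = '10.0.1.254'
$VpnReverseZone = '1.0.10.in-addr.arpa'   # reverse zone for 10.0.1.0/24
$DnsServer      = 'DC1'

function Invoke-Native {
    # Runs a native command and stops on a non-zero exit code, so a typo in one
    # step cannot leave RRAS half-configured without anyone noticing.
    param([string]$Exe, [string[]]$Arguments)
    Write-Host (">> {0} {1}" -f $Exe, ($Arguments -join ' '))
    $out = & $Exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("{0} failed with exit code {1}:`n{2}" -f $Exe, $LASTEXITCODE, ($out | Out-String))
    }
    $out
}

function Set-VpnStaticPool {
    # Static pool instead of DHCP: RRAS hands the address out during PPP/IPCP,
    # so no DHCP relay and no DHCP scope for 10.0.1.0/24 are needed.
    Invoke-Native netsh @('ras', 'ip', 'set', 'addrassign', 'method=pool')
    Invoke-Native netsh @('ras', 'ip', 'add', 'range', "from=$VpnPoolStart", "to=$VpnPoolEnd")
    # Let remote clients reach the LAN rather than only the RRAS server itself.
    Invoke-Native netsh @('ras', 'ip', 'set', 'access', 'mode=all')
}

function Enable-LanRouting {
    # Per-interface IP forwarding. The "IP routing" option in the RRAS console
    # enables forwarding system-wide; this sets and then shows it for the LAN NIC
    # so you can confirm packets for 10.0.1.0/24 will be forwarded into PPP.
    Invoke-Native netsh @('interface', 'ipv4', 'set', 'interface', $LanInterface, 'forwarding=enabled')
    Invoke-Native netsh @('interface', 'ipv4', 'show', 'interface', $LanInterface)
}

function New-VpnReverseZone {
    # AD-integrated reverse zone for the VPN subnet with SECURE-ONLY dynamic
    # updates (/AllowUpdate 2). Nonsecure updates (1) would let anything that can
    # reach the DC rewrite PTR records, so leave them off. Forward (A) records
    # still land in the existing lab.local zone: a domain-joined client registers
    # in the zone of its primary DNS suffix, not in a zone named after the subnet.
    Invoke-Native dnscmd @($DnsServer, '/ZoneAdd', $VpnReverseZone, '/DsPrimary')
    Invoke-Native dnscmd @($DnsServer, '/Config', $VpnReverseZone, '/AllowUpdate', '2')
}

function Show-VpnConfig {
    Invoke-Native netsh @('ras', 'ip', 'show', 'config')
    Invoke-Native dnscmd @($DnsServer, '/ZoneInfo', $VpnReverseZone)
    # After a client has connected and registered, its PTR should be listed here.
    Invoke-Native dnscmd @($DnsServer, '/EnumRecords', $VpnReverseZone, '@')
}

Set-VpnStaticPool
Enable-LanRouting
New-VpnReverseZone
Show-VpnConfig
```

    Two things worth checking against this: the pool must not overlap any LAN scope on DC1, and the reverse zone stays on secure-only updates so only the authenticated client that holds the address can write its own PTR. Nothing here touches DHCP, which is the point of Bill's answer.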
  • Got it, thank you Bill!

    Just one last question: what do I need to do so that the RRAS server will really register hostnames for IP addresses in the new DNS zone for remote computers? If I just create a new DNS zone, nothing happens. How do I bind it? Do I need to modify the security settings of this zone and add the RRAS server so it has access to write in there?

    Thursday, September 16, 2010 4:20 PM
  •   No, you do not want the RRAS server to register the IP addresses. If it did, every IP address in the pool would point to the server itself. You want the remote clients to register their names and their received IP addresses in DNS.

    Bill
    Friday, September 17, 2010 3:57 AM
  • For some reason, remote clients do not register themselves in DNS by default. If I connect the same computer to the local network, the DNS registration will be updated. Any ideas what I should do?

    Friday, September 17, 2010 6:28 AM
  • I ran the command "ipconfig /registerdns" on a computer which is connected via VPN. After 15 minutes it returned an error: DNS server refused the update request (Source: DNSApi, EventID: 11165). But, as funny as it is, the computer attempts to register itself with the public DNS server, which is the ISP's, even though the VPN connection's DNS server refers to the DC's DNS server.

    • Proposed as answer by dadie1 Sunday, March 4, 2012 8:04 PM
    Monday, September 20, 2010 2:45 PM
  • Well, now this issue is really solved!

    I had to modify the dial-up connection settings to register in DNS, like this:

    http://sphotos.ak.fbcdn.net/hphotos-ak-ash2/hs337.ash2/61696_430138710403_145461595403_5491450_2750447_n.jpg

    Thursday, September 23, 2010 2:28 PM
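    The client-side check that goes with this fix, as an added PowerShell example that is not from the thread. It reads the VPN entry out of rasphone.pbk to confirm the "register this connection's addresses in DNS" setting is on, forces a registration, and then asks the DC's DNS server directly (not whichever resolver the physical adapter happens to use) whether the A record arrived, printing recent DNS client errors such as the event 11165 above if it did not. The connection name, the DC's DNS address, the domain, and the mapping of the check box to bit 1 of IpDnsFlags in the phonebook are all assumptions.

```powershell
# Added example, not from the thread: run on the VPN client (Windows 7 era;
# PowerShell 2.0 is enough) after the VPN is connected.
# Assumptions (not stated in the thread): the VPN connection is named "LabVPN",
# the DC's DNS address is 10.0.0.10, the AD domain is lab.local, and the
# "Register this connection's addresses in DNS" check box is stored as bit 1 of
# IpDnsFlags in rasphone.pbk (the author's reading of the phonebook format).

$VpnEntry = 'LabVPN'
$DcDns    = '10.0.0.10'
$Domain   = 'lab.local'

function Get-PhonebookEntry {
    # rasphone.pbk is an INI file; the per-user copy is checked before the all-users one.
    $paths = @(
        (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
        (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $inEntry = $false
        $entry = @{}
        foreach ($line in Get-Content $path) {
            if ($line -match '^\[(.+)\]\s*$') {
                if ($inEntry) { break }            # left the section we wanted
                $inEntry = ($Matches[1] -eq $VpnEntry)
                continue
            }
            if ($inEntry -and $line -match '^([^=]+)=(.*)$') { $entry[$Matches[1]] = $Matches[2] }
        }
        if ($entry.Count -gt 0) { return $entry }
    }
    throw "Phonebook entry '$VpnEntry' not found"
}

function Test-RegistersInDns {
    # True when the VPN entry is set to register its address in DNS.
    $entry = Get-PhonebookEntry
    $flags = 0
    if ($entry.ContainsKey('IpDnsFlags')) { $flags = [int]$entry['IpDnsFlags'] }
    return (($flags -band 1) -ne 0)
}

function Get-RegisteredAddress {
    # Ask the DC directly what it holds for this host; returns $null if no A record.
    $fqdn = '{0}.{1}' -f $env:COMPUTERNAME, $Domain
    $answer = nslookup $fqdn $DcDns 2>&1 | Out-String
    if ($answer -notmatch 'Name:') { return $null }          # NXDOMAIN or server failure
    # nslookup prints the server's own address first; keep only the answer section.
    $body = ($answer -split 'Name:')[-1]
    if ($body -match 'Address(?:es)?:\s*([0-9.]+)') { return $Matches[1] }
    return $null
}

function Get-RecentDnsClientErrors {
    # The "DNS server refused the update" event from the thread lands in the System
    # log from the DNS client; the source name differs between Windows versions.
    Get-EventLog -LogName System -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -match 'DNS' -and $_.EntryType -ne 'Information' } |
        Select-Object TimeGenerated, Source, EventID, Message
}

if (-not (Test-RegistersInDns)) {
    Write-Warning "'$VpnEntry' is not set to register in DNS; tick the box under the connection's TCP/IPv4 > Advanced > DNS tab."
}
ipconfig /registerdns | Out-Null
Start-Sleep -Seconds 15
$ip = Get-RegisteredAddress
if ($ip) {
    Write-Host ("{0} holds {1}.{2} = {3}" -f $DcDns, $env:COMPUTERNAME, $Domain, $ip)
} else {
    Write-Warning "No A record on $DcDns yet; recent DNS client errors follow."
    Get-RecentDnsClientErrors | Format-Table -AutoSize
}
```

    The attempt to register with the ISP's resolver seen earlier in the thread is most likely the physical adapter doing its own registration: with the box unticked on the VPN entry, "ipconfig /registerdns" only has the LAN/Wi-Fi adapter to work with, and that adapter's DNS server is the ISP's. Once the VPN entry registers, the update goes through the tunnel to the DC and is accepted because the client authenticates it (secure dynamic update). If the laptop is used on untrusted networks, consider unticking the box on the physical adapter as well, so the machine's internal hostname is not announced to whatever resolver the hotspot hands out.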