vpn connects but can't register with domain

Simon

I've just set up a home (win2k SP4) VPN connection to our office win2003
server. The VPN connects fine, and I can ping machines on the network by IP
and DNS name, and they can ping me. The problem comes when I try to join the
domain (My Computer -> properties -> Network Id -> Change). I type in the
domain name (full name, not netbios - the netbios name doesn't actually get
recognised which is another issue) and the 'enter a username and password
with permission to join the domain' box pops up. No matter what I type in
here I get the message

'The network location cannot be reached'

when I try and authenticate. I've tried user names qualified with the domain
name and everything.

I've tried this KB article here
http://support.microsoft.com/default.aspx?scid=kb;en-us;329866 but the
TCP/IP NetBIOS helper server IS running... I get the same error if I try and
map a network drive to one of the remote PCs as well. Any suggestions?

TIA

Simon
 
Pegasus

What is your own IP address? What is the address of the server you're
trying to reach?
 
Pegasus

So you're reluctant to publish your internal IP address,
yet you post your external address for all to see? It is
217.158.28.35, located somewhere in the UK. If you
don't have a firewall then you better think about installing
one now. See if my guess is correct: www.whatismyip.com
 
Phillip Windell

You simply have to include a WINS and DNS Server in the VPN Dial-Up
Connection's settings. WINS will give the NetBIOS naming and both WINS and
DNS work together to help properly "find" the domain to be able to join it.
These could also be received via DHCP with a little extra work, but it is
just as simple to let the IP# and Mask come via DHCP but statically assign
the WINS and DNS, then you don't have to worry about it.

It is a good idea to have "NetBIOS over TCP/IP" enabled on both the client
and the DCs, but usually it already is enabled.

The internal IP range you use is no secret. We all use the same numbers and
everyone knows what those are because they are established by RFCs. These
addresses are not "reachable" from the Internet anyway. In many cases we
*must* know them to help with internal LAN routing issues.
 
Simon Storr

That's not our IP but you're right about UK... I've used that site before and it
doesn't give my IP ;o). I have a hardware firewall at both ends, the VPN is
getting through.
 
Simon Storr

You are both right about internal IPs, sorry for being so paranoid :-) I am
behind a hardware firewall at both ends. I've added the DNS and WINS server
IPs (192.168.254.5) but it makes no difference :(. I am getting assigned an
IP (192.168.254.71 usually) from the server through the VPN connection.
Here's a summary of the VPN settings -

Options - Display progress while connecting, prompt for name and password
checked, include logon domain not checked
Security - typical settings - require secured password, require data
encryption
Networking - VPN Server - automatic, components, TCP/IP, File & Print
sharing, Client for MS networks
TCP/IP settings -
obtain IP automatically
use DNS server 192.168.254.5
advanced -use default gateway on remote network
DNS - 192.168.254.5
append primary and connection specific DNS suffixes
append parent suffixes of primary DNS suffix
DNS suffix - blah.local
register connection's addresses in DNS - not checked (tried checking it)
WINS - 192.168.254.5
LMHOSTS lookup - unchecked
Sharing - disabled
Security - tried ipsec on or off (we're not using it AFAIK)

Simon

 
Pegasus

Perhaps you would now consider answering my original
question. It may hold the key for your problem.
 
Simon Storr

OK, please see my reply to Phillip's answer. Server IP is 192.168.254.5, my
IP is assigned as 192.168.254.71.

Simon
 
Pegasus

OK, and what's your PC's native IP (not the one it gets assigned
by the VPN connection)?
 
Simon Storr

Hold on - just done an ipconfig /all and it's showing NetBIOS over TCP/IP
disabled, even though it's enabled in my main dialup connection?
 
Pegasus

Drats. The symptoms you describe fit very neatly the case
where the IP subnet of the local PC is the same as the
subnet of the VPN server, e.g.

Local PC: 192.168.254.x
Server: 192.168.254.y

This is obviously not the case with your machine. The only
other possibility I can think of is that you have a firewall
somewhere (possibly integrated with your virus scanner)
that blocks port 1723. Furthermore, GRE-packets for
port 47 must also pass through your firewall.
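The posts above name three client-side things worth checking before chasing the firewall: DNS and WINS on the VPN adapter (Phillip's point), NetBIOS over TCP/IP being disabled on that adapter (Simon's `ipconfig /all` finding), and the home LAN sitting on the same subnet as the server (Pegasus's case). The script below is an added example, not code from anyone in the thread: it parses the text `ipconfig /all` prints and reports those three conditions offline. The sample output is constructed; the adapter names ("Local Area Connection", "Office VPN") and the 192.168.1.x home LAN are assumptions, while 192.168.254.5 and 192.168.254.71 are the addresses the thread gives.

```python
"""Check VPN-client settings from saved `ipconfig /all` output (Windows 2000/XP layout)."""
import ipaddress
import re

# Constructed sample; the home LAN and adapter names are assumptions for this example.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : home-pc
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            192.168.1.2

PPP adapter Office VPN:

        Connection-specific DNS Suffix  . : blah.local
        IP Address. . . . . . . . . . . . : 192.168.254.71
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.254.71
        DNS Servers . . . . . . . . . . . : 192.168.254.5
        Primary WINS Server . . . . . . . : 192.168.254.5
        NetBIOS over Tcpip. . . . . . . . : Disabled
"""


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values]}}; the global block is stored under ""."""
    adapters = {"": {}}
    current, last_key = "", None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        header = re.match(r"^(\S.*?):\s*$", raw)          # "PPP adapter Office VPN:"
        if header:
            current, last_key = header.group(1), None
            adapters[current] = {}
            continue
        field = re.match(r"^\s+(.+?)[\s.]*:\s*(.*)$", raw)  # "IP Address. . . : 1.2.3.4"
        if field:
            key, value = field.group(1), field.group(2).strip()
            adapters[current][key] = [value] if value else []
            last_key = key
        elif last_key is not None:
            # Indented line without a colon: an extra DNS/WINS server under the previous key.
            adapters[current][last_key].append(raw.strip())
    return adapters


def check_vpn_client(adapters):
    """Apply the thread's three checks to every PPP (VPN) adapter; return finding strings."""
    findings = []
    ppp = {n: f for n, f in adapters.items() if n.startswith("PPP adapter")}
    lans = {n: f for n, f in adapters.items() if n.startswith("Ethernet adapter")}
    if not ppp:
        return ["no PPP (VPN) adapter present: the tunnel is not up"]
    for name, f in ppp.items():
        if not f.get("DNS Servers"):
            findings.append(f"{name}: no DNS server set, domain locator records cannot be resolved")
        if not f.get("Primary WINS Server"):
            findings.append(f"{name}: no WINS server set, the domain's NetBIOS name will not resolve")
        # Windows 2000/XP print this line only when NetBIOS over TCP/IP is disabled.
        if f.get("NetBIOS over Tcpip", [""])[0].lower() == "disabled":
            findings.append(f"{name}: NetBIOS over TCP/IP is disabled")
        vpn_ip = ipaddress.ip_address(f["IP Address"][0])
        servers = [ipaddress.ip_address(a)
                   for k in ("DNS Servers", "Primary WINS Server") for a in f.get(k, [])]
        # A PPP adapter carries a /32, so the overlap test is: does the LAN's
        # subnet contain the VPN-assigned address or the DNS/WINS server?
        for lname, lf in lans.items():
            if not lf.get("IP Address") or not lf.get("Subnet Mask"):
                continue
            lan_net = ipaddress.ip_interface(f"{lf['IP Address'][0]}/{lf['Subnet Mask'][0]}").network
            if vpn_ip in lan_net or any(s in lan_net for s in servers):
                findings.append(f"{lname}: LAN subnet {lan_net} overlaps the VPN side; "
                                "local routes win and traffic never enters the tunnel")
    return findings


if __name__ == "__main__":
    for line in check_vpn_client(parse_ipconfig(SAMPLE_IPCONFIG)) or ["no findings"]:
        print(line)
```

On a real client, save the output with `ipconfig /all > ipconfig.txt` and pass the file's contents to `parse_ipconfig` instead of the sample. Against the sample the only finding is the disabled NetBIOS over TCP/IP on the PPP adapter; changing the home LAN to 192.168.254.x additionally triggers the overlap finding, which is the case Pegasus describes.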
 
Simon Storr

My CM is a Speedtouch 540v4 with built-in firewall, I don't have a software
one. I'm a newbie as far as firewalls are concerned, looks like it's probably
blocking those ports by default :-( Trying to work out how to unblock
them...
 
Simon Storr

OK, after a telnet session I've unblocked ports 1723 & 47 in and out but it's
made no difference :(
 
Pegasus

Unblocking port 47 only helps if your firewall supports GRE
(Generic Routing Encapsulation). My software firewall (Trend
Internet Security) does not, so I am forced to turn it off for
VPN operation.

To test things, I recommend that you get yourself a loan of
an ADSL modem/router (assuming that you're on ADSL).
All of the ones I've seen so far did pass GRE packets, and
because it's a router, you still get basic firewall protection.
This test should help you in homing in on the problem.
 
Simon Storr

I am using a Speedtouch 540v4 ADSL modem/router with built-in firewall.

I've found I can terminal-service in to our server through the VPN with no
problems, but I still can't map drives or join the domain without getting
that error :-(
 
Pegasus

I'm afraid I cannot help you any further. Just two suggestions
before I bow out:
- Use a tracer (e.g. Ethereal) to examine your packets. It will
probably tell you what's coming through and what is not.
- Start a new thread in microsoft.public.windows.server.general.
You are more likely to find VPN experts there than here.
 
Simon

OK, will do. Thanks a lot for all your help.

 
Phillip Windell

Simon Storr said:
You are both right about internal IPs, sorry for being so paranoid :-) I am
behind a hardware firewall at both ends. I've added the DNS and WINS server
IPs (192.168.254.5) but it makes no difference :(.

Until you can ping the target machines using the IP# you are wasting your
time on anything else.

Verify that your RRAS is configured properly for this type of VPN by
comparing it to this article.

Microsoft Windows Server 2003 Remote Access/VPN Server Role
http://www.microsoft.com/technet/pr...3/serverroles/remoteaccessserver/default.mspx
 