VPN in a member server which also is an Exchange

[Guest]

I just switched over my VPN server from my main DC to my member server which
is also an exchange box. All this in 2003. I did it because I was having lots
of problems with my main DC having RAS installed and this was creating
another PPP adapter and was screwing up browsing capabilities

I now have RAS installed in my exchange box member server and every time I
go to do a browstat status, the results says that browsing is not active in
the domain


can you guys Help?

 

[Robert L [MS-MVP]]

what's the master browser status, if you use browstat in the DC?

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
I just switched over my VPN server from my main DC to my member server which
is also an exchange box. All this in 2003. I did it because I was having lots
of problems with my main DC having RAS installed and this was creating
another PPP adapter and was screwing up browsing capabilities

I now have RAS installed in my exchange box member server and every time I
go to do a browstat status, the results says that browsing is not active in
the domain


can you guys Help?

 

[Guest]

C:\browstat status

Status for domain XXXXXX on transport
\Device\NetBT_Tcpip_{7F95D44F-7483-4887-871B
-C3CCFDE1FEEA}
Browsing is active on domain.
Master browser name is: MEMBER01
Master browser is running build 3790
3 backup servers retrieved from master MEMBER01
\\MEMBER01
\\DC02
\\DC01
There are 5 servers in domain XXXXXX on transport
\Device\NetBT_Tcpip_{7F95D44
F-7483-4887-871B-C3CCFDE1FEEA}
There are 2 domains in domain XXXXXX on transport
\Device\NetBT_Tcpip_{7F95D44
F-7483-4887-871B-C3CCFDE1FEEA}

Status for domain XXXXXX on transport
\Device\NetBT_Tcpip_{3FEAE60B-C123-4038-982C
-664D2A62CE0C}
Browsing is NOT active on domain. Status : 6118
Master name cannot be determined from GetAdapterStatus.

C:\
*****************************************************

When I use the browstat status anywhere else in the network, I get DC01 for
the master browser..... anywhere else including DC01 and DC02. My DC01 is the
main DC which also has all the 5 fsmo roles, so I did the registry hack on
how to force it to always be the domain master browser.

This output is from the member server which is also an exchange box and has
the RAS/VPN service running. This service used to be in my DC01 but was
causing too many problems because of master browser being multi-homed which
is a bad idea.

The bottom part of the output,

Status for domain XXXXXX on transport
\Device\NetBT_Tcpip_{3FEAE60B-C123-4038-982C
-664D2A62CE0C}
Browsing is NOT active on domain. Status : 6118
Master name cannot be determined from GetAdapterStatus.

only comes out when there is a user connected to the VPN. So when there is
no one connnected thru the VPN, the output comes out without this bottom part
and reports that the domain master browser is indeed my DC01, which is
right... but this output as you can see reports that the domain master
browser is my member server itself.

Please help... any other questions please just let me know and I will
provide all the details you might need

thanks

 

[Bill Grant]

Running any DC as a remote access server is going to give you browsing
problems. As soon as a remote user connects and the server gets a second IP
(for the "internal" interface) your machine is multihomed.

Either

1. Disable Netbios over TCP/IP on the internal interface (as described in KB
292822).

or

2. Put the remote users in their own IP subnet and route them through the
RRAS server (as described in KB 830063).

 

[Guest]

Bill, thank you so much for the input... and I apologized for not being too
clear... as usual in my explanations... but my RAS/VPN is running in a
member server. It used to run in my DC and that type of setup is known to be
problematic. That is why I have RAS/VPN running in a member server, and my
questions are based on that.

 

[Bill Grant]

Having it on a member server which is not a DNS server solves the DNS
type problems discussed in the KBs, but it doesn't solve the
Netbios/browsing problems. You still have a multihomed server which has two
IP addresses in the same IP subnet linked to its Netbios name. This causes
all sorts of problems with the computer browser service.

If you don't like either of the solutions recommended in the KB articles
you could just stop then disable the computer browser service on the RRAS
server. This will prevent it from becoming a segment master browser or a
backup master browser. If you are running WINS, delete any entries left
behind referring to this server as a browse master. (Details near the end of
KB 292822) .

 

[Guest]

Bill, once again, thank you for your input.

If you don't like either of the solutions recommended in the KB articles
you could just stop then disable the computer browser service on the RRAS
server. This will prevent it from becoming a segment master browser or a
backup master browser.

Is this the reason why when I do a "browstat status" on this server the
result says that this sever is the Master browser when in it is not? (the
master browser server is my DC1 which has the PDCe)

By disabling the Computer Browser service on this member server (my RAS
server), would I still be able to browse in My Network Places? I need
browsing ability on all PCs/servers....

 

[Bill Grant]

Disabling the computer browser service does not prevent a machine from
browsing. It just prevents it from becoming a browse master. On my home
network (a workgroup) the computer browser service is stopped on all but one
machine. Browsing works fine (unless the master browser machine is stopped!)

The odd results in browstat are probably caused by the multiple
interfaces. Doesn't browstat give you separate results for each interface?

 

[Guest]

Hi Bill, thank you very much for that input. I have stopped and disabled the
Computer Browser service (and also rebooted the server)in my Exchange member
server and now every time I do a "browstat status", it no longer reports that
my Exchange member server is the master browser; it now correctly reports
that my DC1 is the master browser and that the 2 backup browsers for the
domain are DC1 and DC2.

A point I want to make here is that while I had the comp browser service
running and browstat status incorectly reporting that my exchange server was
the master browser, I didn't notice any problems (for instance, my DC1 and
DC2 were working fine, correctly reporting the proper results when browstat
status was ran). So, it seems to me that my exchange member server had this
problem to itself and didnt affect anything else, not even other computers
accessing resources in this exchange server. Also, this exchange member
server was responding to pings.

So, just like you said, the only thing tthat happens when the comp. browser
service is stopped is it prevents the computer from becoming a master
browser, which in my case it worked fine because my master browser is my DC1
and this Exchange member server is my VPN and we didn't want it to become a
"second" master browser because I don't think there can be 2 in the same
subnet.

And lastly,

The odd results in browstat are probably caused by the multiple
interfaces. Doesn't browstat give you separate results for each interface?

yes, it gave me 2 results, one for the physical NIC card and the other I
guess for the PPP adapter that got created as soon as the first VPN
connection was done. Here is the results:

Status for domain XXXXXX on transport
I would assume this is coming from the PPP adapter.. and if so, why does it
say that?