Windows 2000 DHCP Server and VPN

Bob

We want to install Windows 2000 DHCP Server (on a PC used
as a server) and VPN at our office.

I "think" setting up the server and 30 or so workstations
can be completed without too much trouble.

a) I believe the W2K CD will basically walk me through
the install, and the step-by-step info from Microsoft
Windows 2000 web site covers DHCP server and client set-
up fairly well. Appears straightforward and not too hard.

After W2K Server install and reboot, we will

b) set-up server as domain host and add 1-3 clients as
users; I estimate anywhere from 2 to 4 hours to do this
part (?).
The remainder of workstations will be added after VPN
test. (about 27 PC's, estimate 15-20 minutes per PC?)

Once the network is up and running, I'm not really sure
what we do next; how to set-up the VPN?

A major concern is having the W2K DHCP Server (PC) handle
the VPN duties.
c1) Can the W2K DHCP Server be the VPN server also?
(maximum 5 remote VPN users)
c2) Stability?
c3) Internet still accessible to workstations?
c4) Filters?

d1) Is VPN a set-up option from the W2K CD on initial
install?
d2) Is it a smart option?
- OR -
d3) is this done later somehow?; by W2K Admin Tools?

Here is some general info about our current set-up.
Workstations mostly running Windows 2000, a few are still
running Windows 98
We will be removing Windows NT server and Novell 4.0
server, after W2K DHCP Server up.

Number of clients; 30 or so PC's; and no expected growth
over next 5 years.
Remote VPN clients; Maximum of 5 remote access VPN
clients.

Server Hardware for Windows 2000 Server:
PC used for server duty; Generic Intel MB and Processor,
Seagate HD's mirrored.

Current Internet gateway;
Efficient Networks series 5800 (supplied by SBC). (think
it may be a Cisco)
The router will be configured to allow VPN by SBC
- OR -
we will purchase Cisco 831 router and we will configure
it.

If you have any advice, see any problems with this set-
up, or know where I can find some more detailed
instructions on the internet; especially setting up VPN,
I would be extremely grateful. Our budget, as you can
see, is limited. Thanks for your time.
 
Steven L Umbach

From what you describe I am assuming you want to make the Windows 2000
Server a domain controller, but not sure. If you are going to use it also as
a domain controller it is critical that you configure dns correctly for the
domain controller and the Windows 2000 computers you want to make domain
members. Since you have some Windows 98 computers you will also want to use
wins since they rely totally on netbios name resolution and be sure to make
the domain controller a wins client even if it is also the wins server. Wins
will also make vpn connection browsing work better. DHCP will not be a
problem on the server with those amounts of computers. If you are going to
create an Active Directory domain read the link below on how to configure
dns including how to configure forwarders for your ISP dns servers in order
for your computers to correctly use dns for Active Directory and internet
name resolution.

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

Ideally if you are using a domain controller, you do not also want it to be
a remote access/vpn server. The main problem is that "browsing" in My
Network Places may be inconsistent since the domain controller will be the
master domain browser also. A lot of small businesses however do have their
servers do double duty however. If your internet router is a NAT type
device, you only need one nic in your server and then you need to port
forward vpn traffic to your vpn server's internal IP address on the lan. When
you enable the ras with the Remote Access Management Console and the wizard
starts select the last option for custom only if you are going to be using one
nic on it as that will allow vpn to be configured for one nic. Have all
computers point to the NAT router as their default gateway and you will have
no problem with internet access. For vpn, you will want to use pptp unless
you are going to configure a Certificate Authority on your network to issue
computer certificates as l2tp requires the use of computer certificates on
server and client. L2tp will also not work over NAT when using a W2K server.
Pptp uses port 1723 tcp and protocol 47/gre sometimes referred to as pptp
pass-through on some routers. Be sure to configure your client vpn
connectoids to use pptp as network type in properties and not auto as auto
will try l2tp first in W2K. See the links below for more info. --- Steve


http://support.microsoft.com/default.aspx?scid=kb;en-us;308208
http://support.microsoft.com/default.aspx?scid=kb;en-us;810761
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx
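
One way to confirm that the router's TCP 1723 port forward described in the answer above actually reaches the VPN server, added here as an example and not part of either post: it sends a single PPTP Start-Control-Connection-Request and parses the reply. The message layout follows RFC 2637; the function names, the `pptp-check` host string and the sample reply are assumptions made for this illustration.

```python
import socket
import struct

MAGIC = 0x1A2B3C4D                    # PPTP magic cookie (RFC 2637)
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"      # Start-Control-Connection-Request
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"     # Start-Control-Connection-Reply
MSG_LEN = struct.calcsize(SCCRQ_FMT)  # both messages are 156 bytes

def build_sccrq(hostname=b"pptp-check"):
    """Control message type 1, protocol version 1.0, any framing/bearer."""
    return struct.pack(SCCRQ_FMT, MSG_LEN, 1, MAGIC, 1, 0, 0x0100, 0,
                       3, 3, 0, 0, hostname, b"")

def parse_sccrp(data):
    """Validate a reply and return the fields an admin cares about."""
    if len(data) < MSG_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    (_length, mtype, magic, ctype, _r0, version, result, error,
     _framing, _bearer, _chans, _fw, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:MSG_LEN])
    if magic != MAGIC or mtype != 1 or ctype != 2:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    return {"ok": result == 1, "result": result, "error": error,
            "version": version,
            "host": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace")}

def check_pptp(address, port=1723, timeout=5.0):
    """Send one SCCRQ through the router and parse the server's reply."""
    try:
        with socket.create_connection((address, port), timeout) as s:
            s.sendall(build_sccrq())
            buf = b""
            while len(buf) < MSG_LEN:
                chunk = s.recv(MSG_LEN - len(buf))
                if not chunk:
                    break
                buf += chunk
    except OSError as exc:            # refused, filtered, or timed out
        return {"ok": False, "reason": str(exc)}
    try:
        return parse_sccrp(buf)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}

# Constructed sample reply (not captured traffic) for an offline run.
SAMPLE_REPLY = struct.pack(SCCRP_FMT, MSG_LEN, 1, MAGIC, 2, 0, 0x0100, 1, 0,
                           1, 1, 5, 0, b"vpn-server", b"Example")

if __name__ == "__main__":
    print(parse_sccrp(SAMPLE_REPLY))
```

This exercises only the TCP 1723 control channel. If `check_pptp` succeeds from outside but clients still fail to connect, the GRE (protocol 47) pass-through on the router is the next thing to check.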
 
