Archive for the ‘Networking’ Category

RASdial (automate VPN connections)

In the past I wrote a couple of articles explaining how to connect to a business network using a Windows VPN prior to logon, so that domain authentication takes place and group policies and logon scripts are applied.  See:  Win 7 and earlier, and Win 8.

As pointed out in the articles, this only works for domain joined computers.  It has been brought to my attention that some folks would like to automate the VPN connection process on non domain joined machines.

Automate VPN connection – AFTER logon:

Basically you need a one-line batch file added to the startup folder; in detail:

  • Open a text editor such as Notepad and enter the lines below, substituting the name of your VPN connection for Acme and inserting your user name and password:

rem   Batch file to establish a VPN connection
rasdial  acme  username  password
exit

    • Substituting  *  (an asterisk) for the password will prompt for the password when the connection is made.  This is more secure, because otherwise the password is stored in clear text in the batch file, readable by anyone who can open the file.
    • Save the file to a location such as the desktop, but give it a .bat extension and enclose the name in quotes, such as  “VPN_Connect.bat”.  Notepad will add a .txt extension if you do not use the quotes.
    • Saving to the desktop allows the user to double click on the file to establish the VPN connection.
    • If you want to automate the connection add the batch file to the startup folder and it will run after logon to the PC has completed.  The startup folder can be found in the following locations:

XP:  C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Win7:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
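The same automation in PowerShell, as an added example that is not part of the original post: it skips the dial if the entry is already up, prompts for the credential instead of storing the password in the script, and passes rasdial's exit code back to the caller (so a failed connection is visible to whatever launched it).  The entry name "Acme" is assumed; substitute your own.

```powershell
# Added example (not from the original post): connect a Windows VPN phonebook entry
# with rasdial.exe without keeping the password in the script.
# Assumption: the VPN entry is called "Acme"; rasdial.exe ships with Windows.
param(
    [string]$EntryName = "Acme"
)

function Test-RasConnected {
    param([string]$Name)
    # rasdial with no arguments prints "Connected to" followed by one entry name
    # per line, or "No connections" when nothing is up.
    $status = & rasdial.exe 2>&1
    return [bool]($status | Where-Object { "$_".Trim() -eq $Name })
}

function Connect-RasEntry {
    param([string]$Name)
    if (Test-RasConnected -Name $Name) {
        Write-Host "$Name is already connected."
        return 0
    }
    # Interactive prompt instead of a clear-text password in a .bat file.
    $cred = Get-Credential -Message "Credentials for VPN entry '$Name'"
    if (-not $cred) { return 1 }
    $plain = $cred.GetNetworkCredential().Password
    try {
        # rasdial exits 0 on success, otherwise a RAS error code (e.g. 691 = bad credentials).
        & rasdial.exe $Name $cred.UserName $plain | Out-Host
        $rc = $LASTEXITCODE
    } finally {
        $plain = $null
    }
    if ($rc -ne 0) { Write-Warning "rasdial failed with error $rc" }
    return $rc
}

exit (Connect-RasEntry -Name $EntryName)
```

Save it as, for example, VPN_Connect.ps1 and launch it from the startup folder with `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\...\VPN_Connect.ps1"`; the user still types the password once per logon, which is the trade-off the asterisk form of the batch file makes.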

Remote Site Monitoring Alert

On occasion there may be a need to be notified if a remote server is off-line due to an Internet outage, router issue, power outage, or server down.  There are many excellent services that will monitor and alert you, but most are intended for multi-site and/or multi-server configurations and require a monthly fee.  You might just want to monitor a single site and be notified if it fails.

I had this situation and therefore decided to write a simple script to accomplish the task.  I am not a programmer so I am sure this could be improved upon, but it works.  Feel free to add suggestions or alternatives in the comments section, I am sure we would all be interested.

Basically there is a batch file that makes use of a free little utility called http-ping by www.CoreTechnologies.com which runs every ‘X’ minutes using a scheduled task and verifies if the site is accessible.  If not, a simple VBS script sends an e-mail alert.

Http-ping does need to be able to access an http or https server, which could be a web server, Exchange (OWA), a router management page, or one of many other possibilities.

To configure, simply create a folder such as C:\SiteMonitor and place in it the batch file and VBS script below, and http-ping.  You will have to download http-ping from http://www.coretechnologies.com/products/http-ping/

Batch file:

@echo off
:: Enter the directory location (e.g. C:\SiteMonitor, no trailing backslash)
Set Directory=C:\SiteMonitor
:: Enter the address of the site to ping (e.g. 123.123.123.123/Exchange:443 or server.domain.com/Exchange:443)
:: (Use the IP form if you also need to know when the public IP has changed)
Set Site=123.123.123.123/Exchange:443
::
If Exist %Directory%\PingResult.txt Del %Directory%\PingResult.txt
%Directory%\http-ping.exe %Site% >> %Directory%\PingResult.txt
:: findstr sets errorlevel 1 when no line containing "Reply" is found
findstr /M "Reply" %Directory%\PingResult.txt
If %errorlevel%==1 GoTo EMAIL
GoTo END
:EMAIL
cscript //nologo %Directory%\SendAlert.vbs
:END

VBS script:

' VBS script to send an alert via e-mail
Option Explicit
Dim SMTPserver, Sender, Recipient, Subject, Message, objMessage
' Set client specific variables
SMTPserver = "smtp.ISPname.abc"
Sender = "alert@SomeDomain.abc"
Recipient = "me@MyDomain.abc"
Subject = "Alert off-line"
Message = "An automated script has determined the monitored server is currently off-line."
' Send E-mail through CDO; sendusing = 2 means deliver over the network to the SMTP server above
Set objMessage = CreateObject("CDO.Message")
objMessage.Subject = Subject
objMessage.From = Sender      ' From sets the From: header; the earlier Sender property only sets Sender:
objMessage.To = Recipient
objMessage.TextBody = Message
objMessage.Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTPserver
objMessage.Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objMessage.Configuration.Fields.Update
objMessage.Send
Set objMessage = Nothing

Customize scripts:

When complete save the batch file as something similar to SiteMonitor.bat.  In the batch file you need to set two variables; the “Directory” where you saved the files, and the “Site” http-ping is to test.  The site can be a FQDN or an IP, and needs to point to a server or router.  In some cases you need to add the port number.  Some examples include:

http://www.mysite.abc
remote.domain.abc:443
router1.DDNSservice.abc:8080  (router)
remote.domain.abc/OWA   (Exchange port 80)
123.123.123.123/Exchange:443

In my case the site I wanted to monitor had a dynamic IP.  I needed to be alerted if the public IP changed due to a service used by the site that would not work with a DDNS service.  Therefore I used the last example above.

The VBS script needs to be saved as SendAlert.vbs or change the name used within the batch file to match.  In the VBS script you need to set the following 5 variables as per the examples in the script; SMTPserver, Sender, Recipient, Subject, Message.

Schedule:

Finally, you need to schedule a task to run the batch file every half hour (or your time frame).   The following is an example as to how to do so with Vista/Server 2008 and newer.  Similar can be done under Control Panel, Scheduled Task in XP/Server 2003 and earlier.

Open the Task Scheduler under Control Panel / Administrative Tools, click on Task Scheduler Library, and on the right select Create a Basic Task.  Assign the task a name and you can enter a description if you like.  Make sure you also select “Run whether the user is logged on or not”.

Configure the “Trigger” options so the task repeats at your chosen interval (every half hour in this example) indefinitely.

In the “Actions” pane choose to start a program, and point to your batch file.

You can then complete the wizard accepting defaults.  Your monitoring service should now be complete.  If you want to test, change the “Site” variable in the batch file to a non-existent IP or FQDN, and you should get an alert the next time it runs.  Note if troubleshooting, the results of the last http-ping are recorded in the directory you created as a text file named PingResult.txt
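The whole monitor (check, log, alert, schedule) in a single PowerShell script, as an added example that is not the original batch/VBS pair.  It uses only built-in cmdlets, so http-ping is not needed, and it treats any HTTP response, including 401/403 from OWA or a router login page, as “up”, since the point is whether the listener answers.  It also remembers the last state so you get one alert per outage instead of one every run.  The URL, SMTP host and addresses are placeholders.

```powershell
# Added example (not from the original post): single-site HTTP(S) monitor with e-mail alert.
# Placeholders below are assumptions; replace with your own values.
# Schedule it (from an elevated prompt) with, for example:
#   schtasks /Create /SC MINUTE /MO 30 /RU SYSTEM /TN SiteMonitor ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\SiteMonitor\SiteMonitor.ps1"
$Site       = "https://123.123.123.123/Exchange"   # IP rather than FQDN if a public-IP change should also alert
$SmtpServer = "smtp.ISPname.abc"
$From       = "alert@SomeDomain.abc"
$To         = "me@MyDomain.abc"
$LogFile    = Join-Path $PSScriptRoot "PingResult.txt"
$StateFile  = Join-Path $PSScriptRoot "LastState.txt"

function Test-SiteUp {
    param([string]$Url, [int]$TimeoutSec = 15)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec -Method Head
        return @{ Up = $true; Detail = "HTTP $($r.StatusCode)" }
    } catch {
        # A 401/403/404/405 still proves the server answered; only no response at all
        # (timeout, refused, DNS failure, untrusted certificate) counts as down.
        $resp = $_.Exception.Response
        if ($null -ne $resp) {
            return @{ Up = $true; Detail = "HTTP $([int]$resp.StatusCode)" }
        }
        return @{ Up = $false; Detail = $_.Exception.Message }
    }
}

$result = Test-SiteUp -Url $Site
# Overwrite the log each run, like the batch file's PingResult.txt
"$(Get-Date -Format s) $Site up=$($result.Up) $($result.Detail)" | Out-File -FilePath $LogFile -Encoding ascii

$lastState = if (Test-Path $StateFile) { (Get-Content $StateFile -ErrorAction SilentlyContinue) } else { "up" }

if (-not $result.Up -and $lastState -ne "down") {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Alert: $Site off-line" `
        -Body "An automated check at $(Get-Date) could not reach $Site : $($result.Detail)"
}
Set-Content -Path $StateFile -Value $(if ($result.Up) { "up" } else { "down" })
```

Two caveats a practitioner will hit: a self-signed certificate on the monitored site fails validation and is reported as down (trust the certificate on the monitoring machine rather than disabling validation), and Send-MailMessage sends unauthenticated on port 25 by default; add `-UseSsl -Port 587 -Credential (...)` if your SMTP relay requires it.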

Convert SBS 2003 to a virtual server

I recently needed to virtualize an SBS 2003, that is to say convert it from a physical machine to a virtual machine on a Hyper-V host.  I have done SBS conversions to VMware hosts in the past with little or no problem, but converting to Hyper-V, my preference, was a little more involved.  I first Googled the task and found many suggestions and, based on the various articles and instinct, decided that using Microsoft’s disk2vhd was the simplest solution.  I was wrong.  The first run on a test machine using a single disk worked well but did require several ‘tweaks’, and then when I added the data drives, which may have been unrelated, I ran into many problems, especially when I tried installing the Integration Services components.  Though disk2vhd has worked well for me with other operating systems in the past, for some reason the HAL in this case caused problems.

I am not suggesting the following is the best method, or even a good method, but perhaps it will be of some help to those attempting the same task.   I have posted the steps that worked flawlessly for me on a test server, trial run, and final move.  All of the following was done remotely.

Note: The process will require re-activation of the SBS license.  If SBS is an OEM version; it is a licensing violation to install on different hardware or virtualize, the activation will probably fail, and if it does Microsoft will not assist.

  • If working remotely you will need to maintain access at least to the Hyper-V host throughout entire process.  You can use RDP, VPN, LogMeIn, or any of a dozen other alternatives, but make sure it is in place and working, your existing RWW is about to stop functioning until complete.
  • Clean up the initial machine:  Remove the second/WAN NIC if present (not the LAN NIC) and run the CEICW (Configure E-mail and Internet Connection Wizard).  Note that making network changes remotely can be risky; you can lose access.
  • Run the SBS 2003 Best Practices Analyzer and resolve any problems. 
  • Presumably you do not want e-mail delivered to the server, or remote users accessing the server,  during the move, so log onto the router and disable port forwarding on the necessary SBS ports 25, 443, 444, 1723 and 4125, for now.
  • Download and run the free VMware converter tool.   When running the tool make sure you right click on the program icon and choose “run as administrator”, if not you will receive an error; “A general system error occurred: Crypto Exception: error:02001005:system library:fopen:Input/ output error:unable to load C:\ProgramData\VMware\VMware vCenter Converter Standalone\ssl\rui.crt”. 

  • Clicking Next will deploy the conversion agent

  • In the “Destination System” window choose destination type as “VMware Workstation or other VMware virtual machine” and “VMware Server 2.x”.  The destination file location path must be to a network share, even if on the local machine.  I also found if running VMware Converter on the Hyper-V server, due to limited name resolution services running and not being a domain member, using the IP in conjunction with the user name worked best, such as 192.168.123.123\UserName, even if it is the local machine.  This was a simple workaround for the common credential error received by many; “The operation could not be completed for username due to incorrect user credentials”

  • Review the specifications for the resulting VM as to how much RAM is to be assigned (SBS 2003 is limited to 4GB), number of processors, and if you want to change/increase disk sizes.

  • In my experience the tool took less than 3 hours to convert about 100GB of files on 2 drives using a 10/100 Mbps network, a relatively small site.
  • Next download and run StarWind’s free V2V conversion tool.  This will allow you to convert the .vmdk file, or files, created by the VMware Converter to .vhd files which are compatible with Hyper-V.  If you have more than one .vmdk, you will need to convert one at a time.  You only need the .vmdk’s; the other config file/s created by the VMware Converter are not necessary.

  • When running the tool, point to the .vmdk file and choose to convert to “MS Virtual PC” format.  You can also choose whether the resulting .vhd (Hyper-V disk) is to be a “pre-allocated” or “growable” image.  These are StarWind’s terms for a “fixed size” or “dynamically expanding” disk.  The former, “fixed”, is recommended on domain controllers, but not a requirement on recent Hyper-V servers.

  • I found the V2V conversion took about 60-70% as long as the previous P2V step.  Once completed, if you need the drive space you can delete the .vmdk and other files created by the VMware Converter tool.
  • Using the Hyper-V management console you can now create a new VM using the wizard.  When doing so  presumably you want the maximum RAM, so set to 4000 MB, leave the network adapter as “not connected”, under “Connect Virtual Hard Disk” choose “Use an existing virtual hard disk” and select your system disk (disk containing the C: partition) created by the P2V/V2V steps above, under “Installation Options” select “Install an operating system later”, and click finish.
  • Next, open the settings console for the newly created VM.  It will have added a network adapter, remove it and add a legacy network adapter but again if the existing SBS is still powered up on the same network segment choose “not connected”, if you have multiple physical or virtual processors (cores) adjust the number of processors, if you have multiple disks add the others, and review the remaining settings.

  • You are ready to start up the new VM.  Boot the virtual SBS and log in.  Ignore any offers to discover and add new hardware.  You will see a notice that you have 3 days to activate.  I recommend waiting until complete before doing so.  As mentioned, do not install any hardware, but you may be prompted at different stages to reboot, which you should do.  Note that you will have no mouse for this or the next 4 steps.
  • Manually configure the server’s NIC with the LAN IP, Gateway, and DNS pointing to its LAN NIC IP.  You can keep the same IP as the previous server if using the steps I have outlined.
  • Run the “Change Server IP Wizard” located under Server Management / Internet and E-mail, and keep the same IP as you just set.  The wizard will likely tell you it failed and you should run again due to inaccessibility to the LAN.  You can ignore.
  • Run the CEICW (Configure E-mail and Internet Connection Wizard) again, located under Server Management / Internet and E-mail, and make no changes, just accept the existing configurations.
  • Install the Hyper-V Integration Services by clicking “Insert Integration services Start Up Disk” under “Action” on the menu bar.  Allow this to complete and reboot as requested.  This can take a little while to run sometimes.
  • After reboot you may want to do some tweaking such as changing display size settings. 
  • You may also receive a message after rebooting; “At least one service or driver failed during system startup”.  Though this could be any one of a dozen services, reviewing the event logs may show a parallel port service error.  To resolve this, on the VM from a command line run;  sc config parport start= disabled
  • If not automatically removed, uninstall the VMware vCenter Converter Standalone Agent, using Add/Remove Programs in the Control Panel.
  • Flush the DNS, NetBIOS, and ARP caches to be safe using  “ipconfig  /flushdns”, “nbtstat  –R”, and “arp  –d  * “
  • At this point you should be able to shut down the old server.  You may want to verify Wake-On-LAN is enabled and record the MAC address if you think you might have to remotely restart.  If so, you can download SolarWinds’ Wake-On-LAN tool.
  • You can now enable the Virtual NIC on the SBS by choosing the physical NIC (Virtual Switch) to which you want to associate the Virtual NIC, in the settings configuration of the VM.
  • Perform any internal testing such as access to other LAN resources, Internet access, printer availability, services by clients are working such as redirected My Documents, and anything else with which you might be concerned.
  • Assuming all is well you can now forward the ports on the router to the new Virtual SBS to allow incoming e-mail and remote access by users.
  • Test e-mail reception, and finally activate the server through windows Activation process.
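The VM creation and NIC steps above, as an added example (not from the original post) using the Hyper-V PowerShell module on a Server 2012 R2 or newer host.  The VM name, disk paths and switch name are assumptions.  The important points it encodes are the ones the post makes: a Generation 1 VM, no dynamic memory above SBS 2003’s 4 GB ceiling, the wizard’s synthetic adapter replaced by a legacy adapter, and that adapter left disconnected until the physical server is off.

```powershell
# Added example (not from the original post): build the SBS 2003 VM from the converted .vhd files.
# Assumptions: Hyper-V PowerShell module (Server 2012 R2+), and the names/paths below.
$VmName   = "SBS2003"
$SysVhd   = "D:\VMs\SBS2003\SBS2003-C.vhd"        # system disk from the V2V step
$DataVhds = @("D:\VMs\SBS2003\SBS2003-D.vhd")     # any further converted disks
$Switch   = "LAN"                                 # virtual switch to attach once the old server is off

# Generation 1: SBS 2003 boots from IDE and only has drivers for the emulated (legacy) NIC.
New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 4000MB -VHDPath $SysVhd | Out-Null
Set-VMMemory    -VMName $VmName -DynamicMemoryEnabled $false   # SBS 2003 cannot use more than 4 GB anyway
Set-VMProcessor -VMName $VmName -Count 2

# Replace the synthetic adapter New-VM adds with a legacy adapter, left disconnected so the VM
# cannot collide with the still-running physical SBS on the same segment.
Get-VMNetworkAdapter -VMName $VmName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VmName -Name "Legacy LAN" -IsLegacy $true

# Gen 1 IDE has four slots; the boot disk is at 0:0 and the DVD at 1:0, so two data disks fit.
foreach ($vhd in $DataVhds) {
    Add-VMHardDiskDrive -VMName $VmName -Path $vhd
}

Start-VM -Name $VmName
# Now run the Change Server IP wizard, CEICW and Integration Services inside the guest as described above.

# Only after the old server is shut down, cable the legacy NIC to the switch:
#   Connect-VMNetworkAdapter -VMName $VmName -Name "Legacy LAN" -SwitchName $Switch
```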

Deploy Windows VPN using GP Preferences

With the addition of Group Policy Preferences, released with Server 2008 and newer, it is possible to easily and automatically deploy a Windows VPN client to domain joined computers.  You might want to do so for a specific group of computers such as mobile users with notebooks.

  • First, within the Active Directory Users and Computers console, create an OU in which you will place the computers to which you wish to deploy the VPN client. This would normally be a sub-OU of your Computers OU.  For our Example I’ll call it Mobile Computers
  • Next open the Group Policy Management console, locate the OU, right click on it and choose “Create a GPO in this Domain and Link it here”

  • Name the new GPO

  • Then right click on the new GPO and choose edit

  • Browse to Computer configuration | Preferences | Control Panel Settings | right click on Network Options | choose New, VPN Connection

  • Group Policy Preferences will allow you to create a PPTP or L2TP/IPSec connection, but not SSTP.  For simplicity this will outline PPTP.  Be aware that PPTP with MS-CHAP v2 is no longer considered secure (the MS-CHAP v2 exchange can be cracked offline by anyone who captures it), so outside a lab prefer L2TP/IPSec here, or deploy SSTP another way.  Under the “New VPN properties” you will want to configure as follows:
  • Action: I recommend “Replace”.  If no connection exists on the client it will “Create”  a new one and if you modify your policy, it will automatically replace the existing one.
  • All Users connection.  This is important if the user wants to connect the VPN before logon so that authentication can take place and policies and logon script be applied.  For details see: Connect to a Windows VPN at Logon
  • Connection Name: Can be anything you like and will be displayed under connections on the user’s PC
  • Address: You can enter the IP or check the box “Use DNS name” and enter the public FQDN of your site
  • Icon:  I would also check the box “Show icon in notification area when connected” to allow the user to view the status of the VPN connection

  • Next  under Options there are no requirements to configure any features but you may wish to set redial attempts, idle time settings, or other options.
  • Under Security choose Advanced, Use these other protocols, MS-Chap v2, the default protocol used with Server 2008 and newer

  • Networking: Automatic is fine, but in a few cases folk have reported they needed to set this to PPTP
  • Nothing needs to be configured under Common
  • Click OK and your new Policy will be complete and appear in the list of Network Options

  • The only remaining step is to run GPupdate /force on the client, while connected to the domain, or at some point reboot.

There is one other parameter you may wish to configure.  When you manually create a VPN connection it automatically enables the “Use Remote Default Gateway” option.  This is a security feature that blocks local network access while connected to the corporate network by VPN.  For more information about the default gateway option please see Access local and VPN network Simultaneously .  You cannot configure this within the policy we created above but you can using a different GP Preference and an .ini file.  Peter Frederiksen has explained this nicely in the following TechNet forum: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/f228d2ae-232d-4572-8eee-60252f6d03a3/

There are other ways to automatically create a VPN client:

Windows 8 connect to VPN before logon

Last year I did an article entitled “Connect to a Windows VPN at logon”.  Rather than duplicate, please refer to that article for details, but it has been pointed out that the method outlined is not available in Windows 8.  Actually it is, but Win 8 by default drops the standard domain logon step of pressing “Ctrl+Alt+Del” that has been present since Windows NT.  Restore that and you will again have the option to connect to a VPN prior to logon so you authenticate to the domain, and have group policy and logon scripts applied.

To re-enable “Ctrl+Alt+Del” either open the Local Security Policy under Control Panel, Administrative Tools, or open the local Group Policy editor by entering in the “Run” box gpedit.msc.  The location of the policy is in pretty much the same location in both, and setting in one will update the other.

  • In the Local Security Policy editor (control panel) it is located under; Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL
  • In the local Group Policy editor (gpedit.msc) it is located under; Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL

The default state of the policy in Win 8 is “Not Defined” which on a domain joined computer effectively results in enabled.  You need to set the policy to disabled which will force the use of “Ctrl+Alt+Del”.   After doing so, I recommend running from an elevated command prompt  gpupdate /force, though it should not be necessary when editing the local policy.  On that note; you can enforce the use of “Ctrl+Alt+Del” domain wide by creating a GPO on your Domain Controller and editing the same policy.

Once you do so, and log off, you will see the familiar “Press Ctrl+Alt+Delete to sign in” message in the top left corner of the logon screen.

After pressing “Ctrl+Alt+Del” there will be a small network icon in the lower left corner.

Click on the network icon and you will be presented with any VPN connection created on that computer.  Note these VPN connections must have been created using the “Allow other people to use this connection” option.  This discussion also applies only to domain joined computers.

Enter your domain credentials, the VPN will connect, authentication to the domain will be processed, and group policies and logon scripts, including your mapped drives, will be pushed to the client.

 

UPDATE:  Should the PC not be domain joined and you wish to automate the VPN connection, please see: https://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/

Access local and VPN network Simultaneously

There are constantly questions in various forums; “how do I maintain internet access through my local router while connected to a VPN”, or “ how do I access my local TCP/IP printer while connected to a VPN”.  It is pretty basic but for those that don’t understand I thought I would address this in a blog so that in future I can just provide a pointer.

There is a security feature in almost all VPN configurations that blocks all local network connections while connected to the corporate network via a VPN.  This is to provide some degree of security by preventing someone with malicious intent from reaching the corporate server using your PC/laptop as a stepping stone.   It basically isolates your device from the world around you so that Johnny playing video games in the next room cannot route traffic through your PC to the corporate site.  Or, consider an Internet café where you are on the same local network as total strangers.   Either through the shared Wi-Fi connection, or even an “Ad Hoc” wireless connection, the person at the next table could conceivably route packets through your wireless device directly to head office.  Granted, there are many security features in place, or at least there should be, such as firewalls and NTFS security permissions to protect your corporate data, similar to the security corridor from the 60’s & 70’s TV show Get Smart, but the more of these doors left open, the easier it is for hackers.  Everything can be hacked.  If you don’t believe me have a look at the following TED Talk by Avi Rubin; “All your devices can be hacked”.

In order to simultaneously access the local and remote VPN network you need to enable a feature called split tunneling.  For the security reasons outlined above I do not recommend enabling this, however in some cases it is necessary, or perhaps you just wanted to know why.  If you have an enterprise VPN solution such as Cisco, Watchguard, Sonicwall, or others, you as an end user cannot enable split tunneling; it is managed by the VPN appliance and will require the administrator to configure and enable it if they see a need to do so.   However if you are using a Windows VPN client you can edit the configuration to allow split tunneling.  To do so open Control Panel, select Network and Sharing Center, and then choose “Change Adapter Settings” (this works on XP and earlier clients as well, but the path to the adapters is slightly different).  Locate the VPN/PPP adapter, right click on it and choose Properties.  In the resulting window select Networking, highlight Internet Protocol Version 4 (TCP/IPv4) and click Properties, click Advanced, and in the resulting window un-check “Use default gateway on remote network”.  When checked, its default state, it forces all traffic through the remote site; un-checking allows access to the local network and gateway.

Again remember this is a security feature and should not be reconfigured unless necessary and you are aware of the risks.
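An added check (not from the original posts) that audits a client for the settings the “Deploy Windows VPN using GP Preferences” and “Windows 8 connect to VPN before logon” posts and this one depend on: the Ctrl+Alt+Del policy, whether each VPN entry is an all-user connection (the only kind offered at the logon screen), and whether “Use default gateway on remote network” is still set.  It uses Get-VpnConnection, so it needs Windows 8 / Server 2012 or newer; DisableCAD is the registry value the “Interactive logon: Do not require CTRL+ALT+DEL” policy writes.

```powershell
# Added example (not from the original posts): audit logon-time VPN prerequisites on a client.
# Assumptions: Windows 8 / Server 2012 or newer (VpnClient module); run in an elevated session.

function Get-CadPolicyState {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $v = (Get-ItemProperty -Path $key -Name DisableCAD -ErrorAction SilentlyContinue).DisableCAD
    if ($null -eq $v) { return "Not Defined (Windows 8 then does not require Ctrl+Alt+Del)" }
    if ($v -eq 0)     { return "Ctrl+Alt+Del required (policy set to Disabled)" }
    return "Ctrl+Alt+Del NOT required (policy set to Enabled)"
}

function Get-VpnAudit {
    # All-user entries live in the ProgramData rasphone.pbk and are the only ones shown at logon.
    $allUser = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    $perUser = @(Get-VpnConnection -ErrorAction SilentlyContinue)
    foreach ($c in ($allUser + $perUser)) {
        if ($null -eq $c) { continue }
        $isAllUser = [bool]($allUser | Where-Object { $_.Name -eq $c.Name })
        $warning = ""
        if ($c.SplitTunneling) {
            # SplitTunneling $true == "Use default gateway on remote network" un-checked
            $warning = "split tunnelling enabled: local LAN reachable while connected"
        } elseif ($c.TunnelType -eq "Pptp") {
            $warning = "PPTP/MS-CHAPv2 is weak; prefer L2TP/IPsec or SSTP"
        }
        [pscustomobject]@{
            Name                 = $c.Name
            Server               = $c.ServerAddress
            Tunnel               = $c.TunnelType
            Auth                 = ($c.AuthenticationMethod -join ",")
            AvailableAtLogon     = $isAllUser
            RemoteDefaultGateway = -not $c.SplitTunneling
            Warning              = $warning
        }
    }
}

"Ctrl+Alt+Del policy: $(Get-CadPolicyState)"
Get-VpnAudit | Format-Table -AutoSize
```

An entry with AvailableAtLogon false was created without “Allow other people to use this connection” and will not appear at the logon screen; one with RemoteDefaultGateway false has had the default gateway option un-checked as described above, and can be returned to the default with `Set-VpnConnection -Name <entry> -SplitTunneling $false` (add `-AllUserConnection` for all-user entries).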

Configure Siemens SE567 router to allow VPN access

 

I have been asked a few of times how to configure a BellAliant Siemens SE567 router / modem to allow VPN access to a server, using PPTP.

When accessing a PPTP VPN server through a router, three primary conditions must exist.  Numbers 1 and 2 we can configure, 3 is dependent on your ISP.

  1. The router must be configured to  forward PPTP traffic to the VPN (RRAS) server using port 1723
  2. The router must be configured to allow GRE (Generic Routing Encapsulation) traffic.   GRE, like TCP and UDP, is an IP protocol.  GRE is IP protocol number 47, not port 47, as is often incorrectly documented.  GRE is not really forwarded like services, but rather enabled.
  3. The ISP must allow PPTP/GRE traffic.  A few ISP’s intentionally block PPTP/GRE traffic.

GRE is enabled in different ways on different routers. Some have an option “Enable PPTP pass-through” others you forward the PPTP service which includes port 1723 and enabling GRE, and still others require specific commands.  The Siemens SE567 requires two rules, one for PPTP and one for GRE.  Generally Bell Aliant does not block this traffic.

Log into the Siemens unit and click “Advanced” at the top, then “Applications” on the left, followed by “Port Mapping Setup” in the menu.

First select the application “PPTP” and in the “redirect selected protocol/application to IP Address” box put the IP address of the server, in this case 192.168.2.20, and click “Apply.”

Next in the protocol box select GRE and again in the “redirect selected protocol/application to IP Address” box put the IP address of the server.

Done!

Note:  the other ports shown in the example, 443 and SMTP/25, are unrelated to the PPTP VPN and just there to show other service configurations.

Canadians – Win a Trip for Two to Mexico!

Microsoft Canada has created a great opportunity for free on-line training in Microsoft Private Cloud services, while at the same time entering your name for a chance to win a trip for two to Mexico.  Free evaluation software is available for System Center 2012, Windows Server 2008 R2 SP1, and Windows Server 2012 RC, as well as 6 free Virtual Academy courses, and 14 guided labs to introduce you to the Microsoft Private Cloud.

Keep in mind contest regulations state; “Sweepstakes is open to individual legal residents of Canada “ so your odds of winning are far greater than with global sweepstakes.

Learn About The Microsoft Private Cloud to Win a Trip for Two to Mexico!

Microsoft has released new and exciting products that will change the way IT Pros utilize Virtualization and Microsoft Private Cloud solutions.   Two products which are a part of these great changes are the newly released System Center 2012 and the soon to be released Windows Server 2012.  Both of these solutions were designed to make virtualization and extending to the private cloud simpler and much more efficient.

With these new changes to Infrastructure and the IT world, it’s a great time to learn about these new solutions and keep yourself and your organization ahead of the curve in terms of where technology is headed.  In fact, Microsoft has even added an incentive to learn about their Private Cloud solutions through the Skyrocket Sweepstakes!

Entering is easy!  All you have to do is register, and then download a free TechNet evaluation like Windows Server 2012 RC or System Center 2012 to get started.  Every applicable evaluation you download gives you an entry into the sweepstakes! And the best part is the more evaluations you download, the better your chances.  And what’s the prize you may ask? Oh, just a 7 day, 8 night trip for two to Cozumel, Mexico!

The contest ends September 6th so don’t wait!  Register now!

How to join a Windows Domain using a VPN

There may be occasions where you need to join an off-site computer to an existing domain at a remote office.  Most often this would be in a situation such as a satellite office which is part of a larger corporate network and there is a site-to-site VPN in place.  Though a site-to-site VPN is by far the easiest way to join, it can be done using a Windows VPN client, which will be discussed further on in this article.  The primary problem encountered when joining the domain is DNS, but this is easily dealt with.

Joining the domain using a site-to-site VPN

  • Only 1 network adapter can be enabled on the PC joining the domain, and preferably a wired connection.  If any others exist such as a wireless card, disable until domain joined.  On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
  • Configure the connecting PC’s network adapter either statically or through DHCP to point ONLY to the domain controller at the corporate office for DNS.  Do not add an alternate external DNS server such as an ISP or router as these will often respond first and name resolution will fail.
  • In the NIC configuration, under Internet Protocol Version 4 (TCP/IPv4) properties, click advanced, and under the DNS tab insert the corporate internal DNS suffix, such as CompanyDomain.local in the box entitled “DNS suffix for this connection”
  • Then join the domain using the traditional method of Computer (formerly My Computer) | Properties | Change Settings |  Change | enter the internal domain name | click OK | and you should be prompted for credentials for an account authorized to do so, a Domain Admin account.  If the Domain Controller is a version of Small Business Server the SBS option to use  http://SBSname/connectcomputer  or http://connect most often will not work.  (more detail and screen shots for the joining the domain process can be found below in the using a VPN client section).
  • If you wish to simultaneously import an existing local user profile, you can use ProfWiz as outlined in the following link which will both join the domain and move the profile. Though the article references SBS, it can be used with any Windows Server Version.  https://blog.lan-tech.ca/2011/05/19/sbs-and-profwiz/

Joining the domain using a Windows VPN client

Joining a domain using a VPN client is a little more involved, but not complicated. This method may work with other VPN clients, so long as they have the option to connect to the VPN before logon, but this explanation uses only the Windows built-in VPN client.  Without the ability to connect before logon, there is very little advantage even if you can join the domain, as you would not actually be authenticating to the domain.  I will assume the server end, RRAS, is configured and working for VPN client connections.

  • Log on to the PC you wish to join the domain with a local administrator account
  • Only 1 network adapter can be enabled on the PC joining the domain, and preferably a wired connection.  If any others exist such as a wireless card, disable until domain joined.  On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
  • Establish a VPN connection.  If not familiar with doing so:
    • From the network and sharing center choose “Set up a new connection or Network”
    • Select “Connect to a workplace”
    • Choose “Use my Internet connection (VPN)”
    • Enter the public facing FQDN of the corporate VPN server such as VPNserver.MyDomain.com and enter a friendly name for the connection, anything you like.  It is also very important to check the box “Allow other people to use this connection” as you will soon have a domain account which will require access to this VPN connection.
    • Enter a user name, which ideally is the user that will be using the connection once joined to the domain, but can be any user name that is authorized to connect to the corporate network via VPN.  If you use a name other than the ultimate user of the PC they will simply have to change the user name in the connection wizard the first time they try to connect.  Enter the password and choose Connect.  For security reasons I don’t recommend checking “Remember this password”.
    • image
    • If prompted for a network type after connecting, choose “Work Network”.


  • Presumably you were able to establish a connection.  However, while connected, if you do an nslookup from a command line for the server’s short name, you will see it fails.  Try an nslookup for the FQDN of the server, and it will succeed.  Thus, we need to configure DNS for the VPN client before proceeding.
    • Disconnect the VPN client
    • In the network connections window right click on the VPN/PPP connection and choose Properties | Networking tab | highlight Internet Protocol Version 4 (TCP/IPv4) and choose Properties | Advanced | DNS tab | and enter the IP of the corporate DNS server under “DNS server addresses” and the internal domain suffix, such as MyDomain.local, in the “DNS suffix for this connection” box.  If admins need to connect to the remote client PC by name for administration, check the box “Register this connection’s addresses in DNS”, but I would discourage this as the IP can change frequently and cause issues.  Also, on the “IP Settings” tab leave the option “Use default gateway on remote network” checked, at least for now, so that all traffic is forced to the corporate network while the VPN is connected.
  • Now you can try joining the domain
    • Connect the VPN client
    • Right click on “Computer” (formerly My Computer) and choose properties.
    • In the resulting window select “Change Settings”
    • Select “Change” again
    • Enter the corporate internal Domain name, such as MyDomain.local in the Domain box and click OK
    • You will be prompted for a domain account with privileges to join a PC to the domain, a Domain Admin.  Enter it and the password, and you should receive a message advising you have been joined to the domain.  Be patient; it takes a little longer, as this is a slow link compared to the LAN.
    • You now need to reboot the connecting PC.
  • In order to authenticate to the corporate network at logon and work as if on the corporate LAN, you need to connect the VPN before logging on to the PC.  When the PC reboots press Ctrl+Alt+Delete as you normally would, and then choose  “Switch User”
    • You will then be presented with a new option, a little blue icon in the lower right corner.
    • Clicking this allows you to choose to connect to the corporate network by using the VPN.  After entering your credentials you will see the familiar VPN connection automatically start, it will connect, and you will be authenticated to the domain.
    • Logon is a little slower of course due to the slow link, and the first time you connect it will have to set up the local domain profile.  If you make use of redirected My Documents, offline files, or have a lot of group policies, logon can take a very long time while they apply and sync.  If logon is too slow, you may want to review the options available to the remote user.  You will note that nslookup <servername> now works as it should.
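A way to check the result of the steps above from the client PC, as an added example that is not part of the original article: it confirms the VPN is up, that an adapter carries the corporate DNS server and suffix configured on the DNS tab, repeats the short-name versus FQDN nslookup test, and reports domain membership.  The connection name “Acme VPN”, DNS server 10.0.0.10, suffix MyDomain.local and server name DC1 are assumed placeholders; it uses WMI and .NET only so it also runs on Windows 7.

```powershell
function Test-NameResolution([string]$Name) {
    # Same test as the article's nslookup, done through the resolver
    try { [void][System.Net.Dns]::GetHostAddresses($Name); $true } catch { $false }
}

function Test-VpnDomainReadiness {
    param(
        [string]$VpnName   = 'Acme VPN',        # assumed VPN connection name
        [string]$DnsServer = '10.0.0.10',       # assumed corporate DNS server
        [string]$Suffix    = 'MyDomain.local',  # assumed internal domain suffix
        [string]$HostName  = 'DC1'              # assumed server to resolve
    )
    $result = @{}

    # 1. Is the VPN connected? rasdial with no arguments lists active connections.
    $result.VpnConnected = [bool](rasdial | Select-String -SimpleMatch $VpnName)

    # 2. The article wants a single NIC plus the VPN link; list what is IP-enabled.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    $result.IpEnabledAdapters = @($nics | ForEach-Object { $_.Description })

    # 3. One adapter (the PPP link while connected) must carry the corporate DNS
    #    server and the connection-specific suffix set on the DNS tab.
    $vpnNic = $nics | Where-Object { $_.DNSServerSearchOrder -contains $DnsServer } |
              Select-Object -First 1
    $result.CorporateDnsPresent = ($vpnNic -ne $null)
    $result.SuffixPresent       = ($vpnNic -ne $null) -and ($vpnNic.DNSDomain -eq $Suffix)

    # 4. The short name only resolves once the suffix is in place; the FQDN
    #    resolves as soon as the corporate DNS server is reachable.
    $result.ShortNameResolves = Test-NameResolution $HostName
    $result.FqdnResolves      = Test-NameResolution "$HostName.$Suffix"

    # 5. After the reboot: is the PC actually a domain member, and of which domain?
    $cs = Get-WmiObject Win32_ComputerSystem
    $result.PartOfDomain = $cs.PartOfDomain
    $result.Domain       = $cs.Domain

    New-Object PSObject -Property $result
}

Test-VpnDomainReadiness | Format-List
```

If ShortNameResolves is false while FqdnResolves is true, the suffix on the VPN connection's DNS tab is the setting to revisit.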

Note:  If connecting from Windows 8, please see the following updated article:  https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/

 

Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection. The following policies can assist with this:

Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:
  • Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed
Server 2003 / SBS 2003 / SBS 2003 R2:
  • Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
  • Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed

 


Remotely change DNS server IP’s

I was recently asked how to change the DNS server IPs in the NIC configurations of numerous servers, which of course have static IPs.  Sounds simple, right?  Maybe not.

  • You can use Group Policy to do so, but apparently it will not work with all operating systems, and it will only work if DNS is working.
  • You can deploy a script, but that requires a logon or reboot to apply.
  • You can use psexec and a text file list of servers with something similar to: psexec @textfilename netsh interface ip set dns name="Local Area Connection" source=static addr=1.1.1.1 ; however, it requires that the NIC name be accurate, and it is not always named “Local Area Connection”.

One good proposed solution is to use a VBS script by Alexxxandre K8L0 on TechNet.  This uses a text file list of server names or IPs and updates each server in the list.  The article can be found at the following link, but since occasionally links change or articles ‘disappear’ I have posted the content here; I take no credit for its design: http://gallery.technet.microsoft.com/scriptcenter/Change-fixed-DNS-IP-of-422415c1

Syntax: cscript SetDNSv2.vbs inputfile outputfile dns_ips
Input file: put the IP or hostname of each server on its own line in a text file.
Output file: a log of return status, one line per adapter: “Inputed,Host,Adapter,Return Status”
dns_ips: IPs of the DNS servers, separated by commas.
Example: cscript SetDNSv2.vbs inputfile.txt outputfile.txt 10.1.0.10,10.1.0.11,10.1.0.10

' Set DNS by k8l0
' Reads a list of hosts and, on each one, replaces the DNS server search order of
' every IP-enabled adapter that currently has a DNS list, using WMI.
If WScript.Arguments.Count = 3 Then
    strInputFile = WScript.Arguments.Item(0)
    strOutputFile = WScript.Arguments.Item(1)
    strNewDNS = WScript.Arguments.Item(2)
Else
    WScript.Echo "Syntax: cscript SetDNSv2.vbs inputfile.txt outputfile.txt 10.1.98.64,10.1.98.36,10.1.18.24"
    WScript.Quit
End If

On Error Resume Next

Const ForReading = 1
Const ForAppending = 8

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFileIn = objFSO.OpenTextFile(strInputFile, ForReading)
Set objTextFileOut = objFSO.OpenTextFile(strOutputFile, ForAppending, True)

' The new search order is the same for every host, so split it once
arrNewDNSServerSearchOrder = Split(strNewDNS, ",")

WScript.Echo "Host        Adapter        Return Status"
WScript.Echo "----        -------        -------------"
objTextFileOut.WriteLine("Inputed,Host,Adapter,Return Status")

Do Until objTextFileIn.AtEndOfStream
    strComputer = Trim(objTextFileIn.ReadLine)
    If strComputer <> "" Then
        ' Connect to the remote WMI namespace. Under On Error Resume Next a failed
        ' GetObject would silently leave the previous host's object in place, so
        ' reset it, check Err, and skip the host rather than updating the wrong machine.
        Err.Clear
        Set objWMIService = Nothing
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
        If Err.Number <> 0 Then
            strReturn = "Unable to connect to WMI: " & Err.Description
            Err.Clear
            WScript.Echo strComputer & VBTab & "-" & VBTab & strReturn
            objTextFileOut.WriteLine(strComputer & ",,-," & strReturn)
        Else
            Set colNicConfigs = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
            For Each objNicConfig In colNicConfigs
                If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
                    ' SetDNSServerSearchOrder returns 0 on success, otherwise a WMI error code
                    intSetDNSServers = objNicConfig.SetDNSServerSearchOrder(arrNewDNSServerSearchOrder)
                    If intSetDNSServers = 0 Then
                        strReturn = """" & "Replaced DNS server search order list to " & strNewDNS & "." & """"
                    Else
                        strReturn = "Unable to replace DNS server search order list (return code " & intSetDNSServers & ")."
                    End If
                Else
                    strReturn = "DNS server search order is null. Nothing changed!"
                End If

                strAdapter = "Network Adapter " & objNicConfig.Index & " - " & objNicConfig.Description
                WScript.Echo objNicConfig.DNSHostName & VBTab & strAdapter & VBTab & strReturn
                objTextFileOut.WriteLine(strComputer & "," & objNicConfig.DNSHostName & "," & strAdapter & "," & strReturn)
            Next
        End If
    End If
Loop

objTextFileIn.Close
objTextFileOut.Close

WScript.Echo "Finished!!!"
