How to add an additional Domain Controller from a remote office to the SBS domain - Part 3

By Marina Roos

Tags: branch office, rras vpn, firewall gpo

When the branch office server has successfully joined the SBS network and replication has succeeded, there are still a few steps that need to be done on the SBS server as well as on the Branchoffice server to finish the Branch Office setup.

Table of contents

- How to add an additional Domain Controller from a remote office to the SBS domain - Part 3
- Common errors and warnings, ISA alert
- Add remote subnet in SBS Windows Firewall Policy
- Add remote subnet in the Default website in IIS
- Adjust the TCP/IP service settings in the Branchoffice server
- RRAS on SBS with ISA 2004
- Overview domain

TERMS

This document and what comes with it are provided as-is, with a blunt warning: use at your own risk, buyer beware. If you break your system, you own the resolution as well. We have no liability for what you do, can't do, or fail to do with this information. Your entire protection is to start over again from a protected backup, or from a protected system. If you don't want to accept this idea, please don't use this document.

In this third part of the series "How to add an additional Domain Controller from a remote office to the SBS domain" we will review some common events and errors that will always appear whenever a SBS server is rebooted. Those can be safely ignored, as long as no other errors or warnings show up after both servers are fully up and running. The Directory Services event log is very important and it should never show any errors or warnings on the remote Branchoffice server. This part also has the steps to create an email alert when the RRAS VPN connection is down. The next step will be to modify the SBS Windows XP Firewall GPO so it includes the remote subnet in a few settings. We will then modify the Default Website in IIS to include the remote subnet.
Keep in mind though, that each time you need to rerun the CEICW wizard, you will have to correct the IIS settings manually again.

If you have run the SBS BPA tool on a SBS server that has Windows 2003 SP2 installed, you will have been advised to adjust a few registry settings for the TCP/IP service. It is a good idea to make those same changes on the remote Branchoffice server as well, and the complete steps will be described.

RRAS on a SBS server which has ISA 2004 installed behaves a bit differently from a common server without ISA. This is because most settings in RRAS are dictated by ISA 2004, and there are not many settings you can change without them being reset by ISA every time the ISA services are restarted. This also has consequences for WINS and DNS; the behavior is described, as well as some solutions. You have to realize though, that when you browse the Network Neighborhood from the SBS network, you will never see the remote machines appear. In the remote office however, you will see the SBS machines appear in Network Neighborhood. This is entirely due to using this kind of site-to-site VPN connection with RRAS and ISA 2004.

The last page has a graphical overview of the ComputerWorks network with the public and private IP's that have been used in this series of articles.

The contributions from Justin Crosby from Microsoft CSS were very valuable for the last chapter and I want to thank him again.

Common errors and warnings, ISA alert

Every time the SBS server is rebooted, you will get error 2087 in the Directory Services event log, because the VPN connection with the remote DC isn't up yet, so the SBS server can't find that DC. This is perfectly normal though, and as long as there are no other errors or warnings in the Directory Services event log on the SBS server, all is fine.
Every time the VPN connection from the Remote DC has been initiated, you will see event 5050 from IAS in the Application log of the SBS server.

The Directory Service event log is important on both servers. If it has any warnings or errors, review them carefully. Replication takes place every 180 minutes. If the VPN connection is broken, it will take up to another 3 hours before the Directory Service event log starts showing replication warnings and errors. However, with ISA 2004 we can send an alert to warn us that the VPN connection is down, so we can investigate why it is down and fix it. Here is how to create that alert.

1. Open the ISA 2004 MMC, select Monitoring in the left pane and the Connectivity tab in the right pane. Click Create a new Connectivity Verifier.
2. Type a name like RRAS VPN Connection Branch and click Next.
3. In the Monitor connectivity to this server or URL field, type in the server name of the remote DC or use the Browse button to find the Branchoffice server name. In Group type used to categorize this connection verifier, click the drop down box and select Active Directory. In the verification method leave LDAP selected and click Next.
4. A summary appears; click Finish to have the connectivity verifier created.
5. Click the Apply button to apply the changes to ISA. After the changes have been applied successfully, click OK.
6. Select the Alerts tab and click Configure Alert Definitions in the right pane. Scroll down, select the No connectivity alert and click Edit.
7. Select the Actions tab, select Send email and fill in the SMTP details. Use the Test button to see if you have the SMTP details right. Click OK and check that you received the test email.
8. With the Events tab you can define when to send an alert. Leave it unchanged for now (depending on how often you receive this alert you can adjust it later).
9. Click OK twice, click Apply to apply the changes to ISA, and click OK after it has successfully applied the changes.
Close the ISA 2004 MMC.

Add remote subnet in SBS Windows Firewall Policy

To be able to manage the remote computers, and to make sure file and printer sharing is in the Windows XP Firewall exceptions for the remote subnet as well, we need to modify this policy and add the remote subnet in a few settings.

1. Open Group Policy Management, expand Group Policy Objects, right click Small Business Server Windows Firewall and choose Edit.
2. Expand Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, and select Domain Profile.
3. In the right pane right click the Windows Firewall: Allow remote administration exception setting and choose Properties. If this setting is not enabled yet, select the radio button to enable it and add the subnets 192.168.26.0/24,192.168.90.0/24. Then click OK.
4. Select the Windows Firewall: Allow file and printer sharing exception setting and add the same subnets, then click OK.
5. Close the GPO MMC.

Add remote subnet in the Default website in IIS

For the remote office to be able to use servername/connectcomputer to join a new computer, and to use the other options in the Default Web Site, IIS needs to know that the remote subnet is allowed. Keep in mind though, that every time you rerun CEICW, you will need to modify these IIS settings manually again.

1. Open Administrative Tools, Internet Information Services Manager, expand the server name and select Web Sites.
2. In the right pane right click the Default Web Site and choose Properties.
3. Select the Directory Security tab and click the button for IP Address and Domain Name Restrictions. It will only show the SBS internal IP range and the 127.0.0.1 address.
4. Click the Add button, select the Group of computers radio button, add the remote subnet 192.168.90.x and click OK.
5. When the remote subnet has been added, the list should show both subnets and the 127.0.0.1 address, and you can click OK.
6. Click OK to close the Default Web Site properties.
You might get a pop up about the UNCPassword property after adding the remote subnet; select nothing and click OK.

You will then get the Inheritance Overrides pop up listing the child nodes. Click the Select All button, but then deselect the following nodes with Ctrl+click: ClientHelp, Exadmin, Exchange, Exchange-oma, Exchweb, Microsoft-Server-ActiveSync, Monitoring, OMA, Public, Remote, Rpc, and click OK. This makes sure that the underlying web sites get the same IP restrictions as the Default Web Site. The deselected nodes by default have no restrictions on IP addresses, so they don't need the added remote subnet, as it is in fact included already. The only exception is the exchange-oma node: this one only has the SBS internal IP (and not the internal IP subnet) and the 127.0.0.1 address allowed.

Adjust the TCP/IP service settings in the Branchoffice server

Windows 2003 Service Pack 2 has some major changes regarding the TCP/IP service. The SBS BPA tool (which can be downloaded here http://www.microsoft.com/downloads/details.aspx?FamilyId=3874527A-DE19-49BB-800F-352F3B6F2922&displaylang=en and is installed on the SBS server only) will have warned you and pointed you to the KB articles to change those settings. If the remote DC has SP2 installed, it is a very good idea to make those changes there too. The steps on how to do this quickly and easily follow now, as you may need to change some advanced features of the nics as well.

1. Right click each nic on the Branchoffice server in Network Connections in the Control Panel, choose Properties, then choose Configure.
2. Select the Advanced tab and set all options that have Offload and/or Checksum in their name to off or disabled. If you have Receive Side Scaling, set it to off, none or disabled.
3. Click OK and wait until the nic has disabled and re-enabled itself (it will disconnect you and other users for a minute when doing this on the internal nic, and it will disconnect any remote users when doing this on the external nic).
4. From the command line start regedit and browse to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters key.
5. Right click this Parameters key, New, DWORD value. Type DisableTaskOffload, hit Enter twice, change the value from 0 to 1 and click OK.
6. Double click the EnableRSS value and change it from 1 to 0, then click OK.
7. Do the same for the EnableTCPA and the EnableTCPChimney values, so that DisableTaskOffload is 1 and EnableRSS, EnableTCPA and EnableTCPChimney are all 0.
8. Close the registry editor.

RRAS on SBS with ISA 2004

When a site-to-site VPN has been configured in ISA, it overrides several settings in the RRAS node. The following settings however, can be changed in RRAS.

Of course we want full logging enabled in RRAS, so the events show up in the System log. In the Properties of RRAS, tab Logging, check Log all events (for the actual screen shots, have a look at the RRAS configuration of the remote DC in part 2 of this series).

By default it also has too many ports configured. You can disable demand-dial routing on the WAN miniport (PPPOE) and the Direct Parallel port, but the six WAN miniport (L2TP) interfaces will be put back by ISA. By default RRAS configures five VPN PPTP ports and five VPN L2TP ports, but the ISA site-to-site VPN connection will automagically add one port for PPTP and one port for L2TP. So even if you don't use the SBS server as a VPN server for users, ISA puts back the 12 VPN ports every time ISA is restarted. ISA has also added the BranchVPN interface and you can't change its properties. That is, you could try, but ISA will put it back to its defaults whenever the ISA services are restarted.
When the site-to-site VPN connection has been up for a little while, you will see some changes in the WINS and DNS servers on the SBS. The WINS records will change from the internal server IP (192.168.26.2 in our case) to the IP address that the BranchVPN demand-dial interface got from the Branchoffice server (192.168.90.22). If you double click a WINS record, you will see it has both IP addresses (192.168.26.2 and 192.168.90.22) with the same owner (192.168.26.2).

You will see this very same IP address showing up as a new Host A (same as parent folder) record in DNS server, Forward Lookup Zones, local AD domain name (computerworks.lan in our case). It also appears in DomainDnsZones and ForestDnsZones, as well as in the gc node of _msdcs.computerworks.lan.

At the remote DC, WINS has also changed. There, however, the internal server IP (192.168.90.5) has changed to the IP address that the Internal interface got from the RRAS server (192.168.90.22). The remote DC DNS server will not show the additional host A records as the SBS server does.

If we have a closer look in RRAS at the properties of the Remote Router interface on the Branchoffice server and the BranchVPN interface on the SBS server, we can see the following differences in the Networking tab. The Remote Router interface on the Branchoffice server by default doesn't have File and Printer Sharing and Client for Microsoft Networks installed, while the BranchVPN interface on the SBS has both of them installed and checked. If we go into the Properties of the Internet Protocol (TCP/IP), Advanced, tab WINS, we see that the Remote Router interface on the Branchoffice server has NetBIOS over TCP/IP disabled, whereas the BranchVPN interface on the SBS has it enabled. The DNS tab also shows a difference: the Remote Router interface on the Branchoffice server has Register this connection's addresses in DNS unchecked, whereas the BranchVPN interface on the SBS has it checked.
The only option you can change, and which won't be set back by a restart of the ISA services, is this DNS option. To make this modification on the BranchVPN interface on the SBS server, apply the following steps:

1. Open the RRAS node on the SBS server, expand the server name and click Network Interfaces.
2. In the right pane right click the BranchVPN interface and choose Properties. Select the Networking tab.
3. Click Properties of the Internet Protocol (TCP/IP) and click Advanced.
4. Select the DNS tab and uncheck Register this connection's addresses in DNS.
5. Click OK, and OK twice more. Close the RRAS MMC.
6. Open the DNS server MMC on the SBS server and delete all the obsolete 192.168.90.22 host records in the aforementioned locations (the domain zone, DomainDnsZones, ForestDnsZones and the gc node of _msdcs).

In DNS server on the SBS we have now achieved that no extra DNS Host A records will be registered anymore that point to the IP the BranchVPN interface receives from the Branchoffice server.

As the Branchoffice server has two nics, article 292822 (Name resolution and connectivity issues on a Routing and Remote Access Server that also runs DNS or WINS: http://support.microsoft.com/kb/292822) is the one we need to apply to the remote server, as that will solve a few things for us in WINS and DNS. The steps that need to be done on the Branchoffice server are as follows:

1. On the Branchoffice server start regedit from the command line and find the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters key.
2. In the right pane add a new String value with the name PublishAddresses. Fill in the remote DC internal IP 192.168.90.5 as its data and click OK. With this value set, the DNS server only registers the internal nic's address, instead of the address of every interface.
3. Then find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key and add a new DWORD value with the name RegisterDnsARecords. Fill in 0 for the value and click OK.
4. Find the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\IP key and add a new DWORD value with the name DisableNetbiosOverTcpip and give it the value 1.
5. Close regedit and restart the DNS Server service and the Netlogon service with the Services applet.

Because Netlogon no longer registers the domain's A records itself, we will add them as host records in the Forward Lookup Zones in the DNS server console:

1. Open the DNS server MMC, expand the server name, expand Forward Lookup Zones, right click the local domain folder (in our case computerworks.lan) and choose New Host (A).
2. Leave the Name box empty, type the IP of the Branchoffice server 192.168.90.5, check Create associated pointer (PTR) record and click Add Host.
3. When you receive the "(same as parent folder) is not a valid host name. Are you sure you want to add this record?" message, click Yes. You should get a success message; click OK and Done.
4. Because the Branchoffice server is also a Global Catalog server, we need to add another host record. Expand the _msdcs.domain.local folder in Forward Lookup Zones and select the gc folder. Right click the gc folder and choose New Host (A).
5. Leave the Name box empty, type the IP of the Branchoffice server 192.168.90.5, check Create associated pointer (PTR) record and click Add Host. When you receive the "(same as parent folder) is not a valid host name. Are you sure you want to add this record?" message, click Yes. You should get a success message; click OK and Done.
6. Close the DNS server MMC.

We will now clear the WINS database. From Administrative Tools open WINS, expand the server name, right click Active Registrations and click Delete Owner. In the Delete Owner box select the Branchoffice IP 192.168.90.5 and click OK. You will get a warning; click Yes. The WINS database will be rebuilt automatically. Close the WINS MMC.

Let's reboot the Branchoffice server and the SBS server.
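The registry changes from the TCP/IP section and the KB292822 section above, plus the two "(same as parent folder)" host records, can be applied from one batch file on the Branchoffice server instead of through regedit and the MMCs, with the result printed for checking before the reboot. This is an added example, not a script from the article or from Microsoft. It assumes an elevated command prompt on the Branchoffice server, the dnscmd tool from the Windows Server 2003 Support Tools, the article's example values (zone computerworks.lan with _msdcs.computerworks.lan as a separate zone, remote DC internal IP 192.168.90.5), and it does not touch the per-nic Advanced driver settings, which remain a GUI step. Note that dnscmd does not create the associated PTR record the MMC offers; add that in the reverse zone by hand if you have one.

```batch
@echo off
REM Added example (not part of the original article): applies the Branchoffice
REM server registry settings described in the text and re-creates the host
REM records that Netlogon no longer registers, then prints the results.
REM Assumptions: elevated cmd on the Branchoffice server; dnscmd from the
REM Windows Server 2003 Support Tools is installed; names/IPs below are the
REM article's example network and must be adjusted for another domain.
setlocal

set ZONE=computerworks.lan
set MSDCS_ZONE=_msdcs.computerworks.lan
set DC_IP=192.168.90.5

set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
set DNSP=HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
set NETLOGON=HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
set RASIP=HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IP

echo == TCP/IP offload settings for Windows 2003 SP2 (as the SBS BPA advises) ==
reg add "%TCPIP%" /v DisableTaskOffload /t REG_DWORD /d 1 /f
reg add "%TCPIP%" /v EnableRSS         /t REG_DWORD /d 0 /f
reg add "%TCPIP%" /v EnableTCPA        /t REG_DWORD /d 0 /f
reg add "%TCPIP%" /v EnableTCPChimney  /t REG_DWORD /d 0 /f

echo == KB292822: keep DNS, Netlogon and NetBIOS off the RRAS-assigned address ==
REM DNS server publishes only the internal nic address, not every interface
reg add "%DNSP%" /v PublishAddresses /t REG_SZ /d %DC_IP% /f
REM Netlogon stops registering the domain and gc "(same as parent folder)" A records
reg add "%NETLOGON%" /v RegisterDnsARecords /t REG_DWORD /d 0 /f
REM RRAS interfaces no longer register NetBIOS names (and so no WINS entries)
reg add "%RASIP%" /v DisableNetbiosOverTcpip /t REG_DWORD /d 1 /f

REM Restart both services so they read the new values
net stop netlogon
net start netlogon
net stop dns
net start dns

echo == Re-create the records Netlogon no longer registers, with the internal IP ==
REM "@" is the zone root, i.e. the "(same as parent folder)" record in the DNS MMC
dnscmd /RecordAdd %ZONE% @ A %DC_IP%
dnscmd /RecordAdd %MSDCS_ZONE% gc A %DC_IP%

echo == Verify: expect %DC_IP% and no RRAS address (192.168.90.22) in the output ==
reg query "%TCPIP%" /v DisableTaskOffload
reg query "%TCPIP%" /v EnableRSS
reg query "%TCPIP%" /v EnableTCPA
reg query "%TCPIP%" /v EnableTCPChimney
reg query "%DNSP%" /v PublishAddresses
reg query "%NETLOGON%" /v RegisterDnsARecords
reg query "%RASIP%" /v DisableNetbiosOverTcpip
dnscmd /EnumRecords %ZONE% @ /Type A
dnscmd /EnumRecords %MSDCS_ZONE% gc /Type A

endlocal
```

Run it once before the reboot and read the two dnscmd listings at the end: each should contain a single A record with 192.168.90.5. If the 192.168.90.22 address still shows up there, the record is a leftover from before the change and can be deleted in the DNS MMC as described for the SBS server.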
After the reboot, check the event logs for errors on both servers.

Note: it can take some 15 minutes before Network Neighborhood on the remote DC shows all the computers.

Note 2: on the SBS server you will never see the remote server nor the remote computers in Network Neighborhood. This is because ISA prevents it. You will be able to ping those remote computers, and also map a network drive, but you will never see them in Network Neighborhood.

Overview domain

As a picture is worth a thousand words, here is a graphical overview of the ComputerWorks domain. The left side describes the SBS network, and the right side the remote office. The public IP's are only used as an example and do not reflect this network, nor does the owner of the ComputerWorks network own those public IP's.