I’ve been setting up a VPN solution on the test bench as I’m looking at Always On VPN, when I noticed that I had a problem with my remote VPN connections on Windows. They would connect fine, but I could not resolve any FQDNs for my domain.
VPN no DNS Solution
By default, all (Windows) VPN connections are ‘Force Tunnel’ (that is, they have the option ‘Use default gateway on remote network’ selected). This also means that, unless your RAS server (or the network behind it) provides a route out to the internet, you usually don’t have internet access while connected to the VPN.
Now I connected fine, and I could ping IP addresses on my corporate network, but I could not ping my servers by their domain names; in fact Windows was trying to resolve my domain name to a public IP.
Google this problem and you’re simply told to ‘Disable IPv6 on your network card’, and this works (if you want to keep your remote users Force-Tunnelled). But disabling IPv6 is hardly a fix, is it?
Also, if you want internet access for your remote clients (commonly referred to as ‘Split Tunnel’), then even with IPv6 disabled the problem comes back!
Why is this happening? Well, even with Force Tunnel enabled you can still use your local LAN (connect to your VPN, then ping your home gateway, printer or wireless access point if you don’t believe me). That local connection takes precedence over your remote VPN connection; to prove it, run a netstat -rn command.
From the above you can see my Ethernet adapter has a metric of 6, and my VPN connector (in this case called Connection Template) has a metric of 23, AND THE LOWEST ONE WINS. Windows prefers the DNS servers on the interface with the lowest metric, so your DNS queries are going out of your local internet connection, NOT down the VPN tunnel! That also means the names of your internal servers are being handed to whatever resolver your home ISP gives you, which is a leak you would rather not have.
How Do I Fix this VPN no DNS?
Well, until Microsoft fixes this in Windows 10 (it’s fine on Windows 8 and earlier), you have to manipulate the metrics yourself, like so;
VPN no DNS On Your Physical Adapter;
Start > ncpa.cpl {enter} > Right click your NIC > Properties > Internet Protocol Version 4 > Properties.
Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 20 > OK > OK > OK.
On Your VPN Connector;
Start > ncpa.cpl {enter} > Right click your VPN Connector > Properties > Internet Protocol Version 4 > Properties.
Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 10 > OK > OK > OK.
Now your DNS look-ups should behave!
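The same diagnosis and fix from an elevated PowerShell prompt, as an added example that is not part of the original article. It assumes the wired NIC is called ‘Ethernet’ and the VPN connector is called ‘Connection Template’ (as in the screenshot above); the host name dc01.domaina.local is a placeholder for a server in your own domain.

```powershell
# Added example (not from the original article): show which adapter wins for DNS,
# then pin the VPN connector below the physical NIC with the same values (10 / 20)
# that the GUI steps above use.
# Assumptions (not in the article): NIC alias 'Ethernet', VPN alias 'Connection Template',
# and an internal host dc01.domaina.local to test against.

# 1. Interface metrics: the lowest number wins, so if the NIC is below the VPN here,
#    DNS queries leave via the LAN.
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric, AutomaticMetric, ConnectionState -AutoSize

# 2. Which DNS servers each adapter has, and what an internal name currently resolves to
#    (a public address here is the symptom described above).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
Resolve-DnsName -Name dc01.domaina.local -Type A -ErrorAction SilentlyContinue |
    Format-Table Name, IPAddress -AutoSize

# 3. Disable automatic metrics and put the VPN (10) ahead of the NIC (20).
#    Run this while the VPN is connected: the VPN interface only exists while it is up.
Set-NetIPInterface -InterfaceAlias 'Ethernet'            -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 20
Set-NetIPInterface -InterfaceAlias 'Connection Template' -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 10

# 4. For a rasphone / Always On VPN profile the metric can instead be fixed in the
#    phonebook so it survives reconnects. IpInterfaceMetric=0 means "automatic".
#    Note: this rewrites the key for EVERY connection in that phonebook; all-users
#    connections live under $env:ProgramData\Microsoft\Network\Connections\Pbk instead.
$pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
if (Test-Path $pbk) {
    (Get-Content $pbk) -replace '^IpInterfaceMetric=.*', 'IpInterfaceMetric=10' | Set-Content $pbk
}

# 5. Confirm: the VPN should now sort above the NIC and the internal name should
#    resolve to its internal address.
Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric -AutoSize
Resolve-DnsName -Name dc01.domaina.local -Type A
```

Set-NetIPInterface changes the live interface, which is what the GUI does too; the phonebook edit in step 4 is the way to make it stick for profiles that are dialled on demand.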
Related Articles, References, Credits, or External Links
I had to deploy a Remote Desktop Gateway Server into an existing RDS farm for a client this week, the RDS farm was presenting Windows Desktops (VDI) from Hyper-V. All went well until I tested the Gateway Server Externally, this is the error I got.
Remote Desktop can’t connect to the remote computer ‘server/farm-name’ for one of these reasons.
1) Your user account is not listed in the RD Gateway’s permission list.
2) You might have specified the remote computer in NetBIOS format (for example Computer1), but the RD Gateway is expecting an FQDN or IP address format (for example, computer1.fabrikam.com or 157.60.0.1).
Contact your network administrator for assistance.
Solution
This was perplexing because, on the Gateway Server’s RAP (Resource Authorization Policy) it was set to allow access to “Domain Computers” and allow access for “Domain Users”. Also I was feeding the gateway server the correct FQDN of the internal server farm (farm-name.domain-name.local).
I did TWO things and the problem went away;
Firstly, you might not realise this, but your RD Gateway policies are actually controlled by NPS (Network Policy Server). From Administrative Tools open the Network Policy Server management snap-in. Right click the NPS (Local) entry > ‘Register server in Active Directory‘ > OK > OK.
(I agree the following makes no sense, but it worked!) Open the RD Gateway Manager console > Policies > Resource Authorization Policies > Right click the RDG policy > Properties > Network Resource > I changed the option to ‘Allow users to connect to any network resource‘ > OK.
Note: It makes more sense than it looks. A RAP that points at the ‘Domain Computers’ group is matched against computer accounts, and an RDS farm name (farm-name.domain-name.local) is not a computer account, so the gateway denies it. ‘Allow users to connect to any network resource’ removes that check altogether; the tighter fix is to create an RD Gateway-managed computer group that contains the farm name (and the session hosts behind it) and point the RAP at that group instead.
I then rebooted the server and all worked correctly.
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of <domain>. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of <domain> should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task
Cause: One of the certificates installed on the server with the “S” (SMTP) service attribute has expired. If it’s the main certificate for the server then you will need to replace it. However, this is common on servers that still hold a copy of the self-signed certificate created when Exchange was first installed, which you are no longer using anyway.
Solution
I’m assuming that the certificates that have expired are not the ones you are using in anger; let’s make sure.
1. To see which certificates are being used for what, launch the “Exchange Management Shell” and issue the following command;
[box] Get-ExchangeCertificate [/box]
2. Above you can see I’ve got three certificates and they are all being used for SMTP; let’s make sure they are all in date.
3. Click Start > mmc {enter} > File > Add/Remove Snap-in > Certificates > Add > Select “Computer account” > Next > Accept the default of “Local computer” > Finish > OK > Expand Certificates > Personal > Certificates.
4. Look down the expiration date column and you can see which ones are out of date; compare this list with the original one and you can see which certificates need removing.
5. You can remove the expired certificates from here by right clicking > Delete.
6. OR, you can delete the certificates from within PowerShell with the following cmdlet, using the thumbprint shown by Get-ExchangeCertificate;
[box] Remove-ExchangeCertificate -Thumbprint {thumbprint-of-certificate} [/box]
7. Then press Y and {Enter} to confirm.
8. Either way, when you are finished you should be looking more like this.
Note: Without an SMTP certificate with the FQDN of the server you may see Event ID 12014.
Error:
Microsoft Exchange couldn’t find a certificate that contains the domain name <name> in the personal store on the local computer. Therefore it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of <name>. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.
You can simply create a self-signed certificate with the FQDN of the server and import it, then enable it for SMTP. Note: when Exchange asks whether to overwrite the existing default SMTP certificate, answer No, so the certificate you are actually using for mail flow is kept.
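The whole clean-up in one pass from the Exchange Management Shell, as an added example that is not part of the original article: list what is bound to SMTP with its expiry, remove only the expired ones, and create a self-signed server-FQDN certificate only if nothing valid covers that name. The server name ex01.domaina.local is a placeholder.

```powershell
# Added example (not from the original article): tidy expired SMTP certificates
# without touching the one in use, and replace a missing server-FQDN certificate
# (the condition behind Event ID 12014). Run in the Exchange Management Shell.
# Assumption (not in the article): the server's FQDN is ex01.domaina.local.

$fqdn = 'ex01.domaina.local'
$now  = Get-Date

# 1. What is bound to SMTP and is it in date? The thumbprint is the handle every
#    other certificate cmdlet wants, so keep it in the output.
$smtp = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }
$smtp | Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, NotAfter,
                 @{ n = 'Expired'; e = { $_.NotAfter -lt $now } } -AutoSize

# 2. Remove only certificates that have already expired. A valid certificate is
#    never removed here, so the one you use in anger is safe.
$expired = $smtp | Where-Object { $_.NotAfter -lt $now }
foreach ($cert in $expired) {
    Write-Host "Removing expired SMTP certificate $($cert.Thumbprint) ($($cert.Subject))"
    Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Confirm:$false
}

# 3. If no valid certificate names the server FQDN, create a self-signed one and
#    enable it for SMTP. Enable-ExchangeCertificate will ask whether to overwrite
#    the default SMTP certificate: answer No to keep your purchased certificate.
$covers = Get-ExchangeCertificate | Where-Object {
    $_.NotAfter -gt $now -and $_.CertificateDomains -contains $fqdn
}
if (-not $covers) {
    $new = New-ExchangeCertificate -SubjectName "CN=$fqdn" -DomainName $fqdn -PrivateKeyExportable $false
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP
}

# 4. Final state: everything still bound to SMTP should now be in date.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize
```

The script deliberately leaves the overwrite prompt interactive rather than forcing it, because forcing it is exactly how the purchased certificate gets knocked off the default SMTP binding.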
You have a Linux client machine, and you want to authenticate to, and log into a Windows domain. I don’t have too much history with Linux, but from what I’ve read this used to be a nightmare. Using Ubuntu (10.10) I did have a couple of hiccups, but I did get there in the end.
Note: The domain controller is a Windows 2008 R2 Server.
Solution
Notes
1. The commands needed to install the “likewise-open5” package and join the domain (assuming the FQDN of the domain is domaina.com and the user you are joining with is administrator).
2. Then to allow users to logon from the Ubuntu welcome screen,
[box]sudo nano /etc/samba/lwiauthd.conf[/box]
3. Add the following line (the file will probably be empty). To save, press CTRL+X, then Y, then {enter}.
[box]winbind use default domain = yes[/box]
4. Then reboot.
[box]sudo reboot[/box]
5. To allow sudo for the domain user(s),
[box]sudo nano /etc/sudoers[/box]
Locate the line that reads “#Members of the Admin group may gain root privileges and do the following:”. Below that, type the following (assuming the domain name is domaina and the user is a member of the Domain Admins group; domain^users also works, but that gives sudo to every user in the domain).
[box]%domaina\\domain^admins ALL=(ALL) ALL[/box]
Note: Likewise presents domain groups as DOMAIN\group, the backslash has to be escaped in sudoers (hence the double backslash), and the space in ‘Domain Admins’ is replaced by ^.
Problem 1
Error: Lsass Error [code 0x00080047]
9502 (0x251E) DNS_ERROR_BAD_PACKET – A bad packet was received from a DNS server. Potentially the requested address does not exist.
This plagued me for a while. I tried everything I read online: making sure that my time was correct (it wasn’t, see below), making sure firewalls were off (they were), making sure my DNS had a reverse lookup zone (it did), and finally making sure there were no existing DNS records for the IP address I was connecting with (there were, so I deleted them). None of these fixed the problem; the fix is annoyingly simple.
FIX
Firstly, make sure that the Ubuntu client is using your domain DNS server for its DNS; the following command will tell you;
[box]cat /etc/resolv.conf[/box]
Then get the domain syntax right; in my case, the domain name.
Update 04/01/12
Attention: PeteNetLive – Suggestion
Message: Hi,
Thanks very much for your YouTube video and description of joining Ubuntu to a domain. There was however one extra step that I needed to do to enable the logon screen to show users other than the local user and the guest account. To do this I had to add the following line to /etc/lightdm/lightdm.conf
[box]greeter-show-manual-login=true[/box]
I was joining Ubuntu 12.10 to the domain so maybe it is specific to 12.10 since you didn’t experience it but it would be good to add it to your article along with the other fixes to issues.
Thanks again.
From: Roland Elferink
After my recent DNS troubles, I was checking my mail server’s (MX) records and got a warning about not having any reverse lookup (PTR) records configured properly. I telnetted to the mail server on port 25 and saw it was responding with the server’s host-name.
I know my records are correct for the FQDN of the server; I just needed to change its welcome banner.
Solution
Change the Postfix Welcome Banner by Editing The Postfix main.cf File
1. Connect to the server via SSH (or open a terminal session). Log on as, or su to, root.
2. Execute the following command;
[box]
nano /etc/postfix/main.cf
[/box]
3. Locate and edit the myhostname value to match your server’s public FQDN (the name the PTR record for its public IP resolves to; remote mail servers compare the two).
4. Once you have saved and exited nano, restart the Postfix service with the following command;
[box]postfix stop && postfix start[/box]
Change the Postfix Welcome Banner Using Webmin
1. Connect to the Webmin console > Postfix Mail Server > General Options.
2. Scroll down to ‘Internet hostname of this mail system’ > Edit to match your server’s public FQDN > Save and Apply.
3. Stop then Start Postfix.
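A check you can run from an admin workstation after the change, as an added example that is not part of the original article: read the 220 greeting exactly as a remote MTA sees it, look up the PTR for the server’s public IP, and confirm the PTR name resolves back to that IP (forward-confirmed reverse DNS), which is what the MX checker was complaining about. The IP 203.0.113.25 is a placeholder for your own server.

```powershell
# Added example (not from the original article): compare a mail server's SMTP banner
# against its PTR record, and confirm the PTR name resolves back to the same IP.
# Assumption (not in the article): the server's public IP is 203.0.113.25.

function Test-SmtpBannerMatchesPtr {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )

    # 1. Read the 220 greeting; the first word after the code is the name Postfix
    #    took from myhostname.
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.Connect($IPAddress, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $banner = $reader.ReadLine()
    $writer.WriteLine('QUIT'); $writer.Flush()
    $client.Close()

    if ($banner -match '^220[ -](\S+)') {
        $bannerName = $Matches[1]
    } else {
        throw "Unexpected SMTP greeting: $banner"
    }

    # 2. Reverse lookup of the IP, then forward lookup of the PTR name.
    $ptrName = (Resolve-DnsName -Name $IPAddress -Type PTR -ErrorAction Stop).NameHost
    $forward = (Resolve-DnsName -Name $ptrName -Type A -ErrorAction Stop).IPAddress

    # 3. Both of these should be True for a clean reverse-DNS check.
    [pscustomobject]@{
        IPAddress       = $IPAddress
        BannerName      = $bannerName
        PtrName         = $ptrName
        BannerEqualsPtr = ($bannerName -ieq $ptrName.TrimEnd('.'))
        PtrResolvesBack = ($forward -contains $IPAddress)
    }
}

Test-SmtpBannerMatchesPtr -IPAddress '203.0.113.25' | Format-List
```

If BannerEqualsPtr is False you have the problem described above (fix myhostname); if PtrResolvesBack is False the PTR record itself is wrong and no banner change will help.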
While attempting to launch a web app from a Windows Server 2012 Remote Desktop Services (Terminal) server, clients were greeted with the following;
RemoteApp Disconnected The remote computer could not be found. Please contact your helpdesk about this error.
Solution
1. On the server, Start > RD Gateway Manager > Locate your server > right click > Properties > Server Farm > Type in the FQDN of the RD Gateway server* (your remote clients must be able to resolve this name!) > Add > Make sure it gets listed as ‘OK’ > Apply > OK.
*Note: This assumes you have one server holding all the RDS roles. If you have many, enter the FQDN of the one fulfilling the RD Gateway role (the Server Farm tab lists RD Gateway farm members, not session hosts).
2. Start > Internet Information Services (IIS) Manager > Expand the server > Sites > Default Web Site > RDWeb > Pages > Application Settings.
3. Open DefaultTSGateway > Set its value to the FQDN of the RD Gateway server (as above) > OK.
One of the often overlooked tasks of a PKI deployment is setting up your Certificate Services CRL. For smaller deployments with only one server you don’t have to worry about how this will be designed (though a CRL does not have to be hosted on a Certificate Services server). In my test environment I only have one PKI server, so everything will be going on that one box. In more complex environments you may have multiple root and subordinate PKI servers writing to your CRL location (you may even have multiple CRLs).
Solution
I would consider this a ‘post’ certificate services install task, so I’m assuming you already have that installed and configured.
1. Launch the Certification Authority management console > Right click the server-name > Properties > Extensions tab.
2. With ‘CRL Distribution Point (CDP)’ selected in the ‘Select extension’ drop down > Add > Type into the location http://crl.{your-domain-name}.{your-domain-extension}/crld/
Note: Microsoft’s guidance is not to use https:// for a CDP. A client would have to check the revocation status of the web server’s certificate before it could fetch the CRL, which is circular, and the CRL is already signed by the CA, so plain http:// loses nothing.
3. In the variable section, select then ‘Insert’ the following onto the end of the URL: <CaName>, <CRLNameSuffix>, <DeltaCRLAllowed>, then type .crl on the end;
Note: It should look like http://crl.{your-domain-name}.{your-domain-extension}/crld/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
4. With the CRL entry you have just created selected > Enable the following two options;
Include in CRLs. Clients use this to find Delta CRL locations.
Include in the CDP extension of issued certificates.
Apply > OK > Yes.
5. With ‘CRL Distribution Point (CDP)’ still selected in the ‘Select extension’ drop down > Add > Type in a UNC path as follows \\{Server-name}\crldist$\ > Then select and insert the variables onto the end of the path (like you did above);
<CaName>
<CRLNameSuffix>
<DeltaCRLAllowed>
And then (as above) add .crl onto the end of the path > OK.
6. With the CDP selected > Select the following options;
Publish CRLs to this location
Publish Delta CRLs to this location
Apply > OK > Yes.
Windows DNS Requirements for CRL
7. Your clients need to be able to resolve the crl host-name you just put in the URL. On your DNS server open the DNS management console > Expand server-name > Forward Lookup Zones > {your-domain-name} > Right click > New Host (A or AAAA) > name crl > IP address = the IP address of the IIS server that will host the CRL > Add Host > Close DNS Manager. If certificates from this CA will be checked from outside your network, the same name must also exist in your public DNS.
Windows IIS Requirements for CRL
8. On the web server, open the Internet Information Services (IIS) Manager console > Expand your server-name > Sites > Right click ‘Default Web Site’ > Add Virtual Directory > Set the alias to CRLD.
9. Under ‘Physical path’ select the browse button > Select the C: Drive, (or another drive if you wish) > Make New Folder > Call the folder CRLDist > OK > OK.
10. Select server-name > Directory Browsing.
Note: If you are serving other services from this web server, you might wish to only set directory browsing on the CRLD virtual directory.
11. Enable.
12. Select the CRLD directory (Click refresh if you cant see it) > Configuration Editor.
13. Navigate to System.webServer > security > RequestFiltering.
Note: On older versions of IIS, it’s under ‘System.webServer > security > authentication > RequestFiltering.’
14. Change allowDoubleEscaping to ‘True’ > Apply.
Windows Folder Permission Requirements for CRL
15. Navigate to the folder you just created (i.e. C:\CRLDist) > Right Click > Properties > Sharing > Advanced Sharing > Select ‘Share this folder’ > Add a dollar symbol to the end of its name, i.e. CRLDist$.
Note: This simply creates a ‘hidden’ share that is not listed when browsing the server’s shares. It is not a security control; the permissions below are.
Note: In addition, set the Windows NTFS permissions for the CA server(s) to Full Control as well (the CA service runs as SYSTEM, so it writes to the share as the server’s computer account).
16. Permissions > Add > Object Types > Tick Computers > OK > Enter the name of the CA server(s) that need to write the CRL > OK.
17. Grant the Full Control permission to the server(s) you just added > Apply > OK.
18. Back at the Certificate Services server > Launch the Certification Authority management console > Revoked Certificates > Right click > All Tasks > Publish > New CRL > OK.
19. If you check the folder you created earlier, you will see it now contains the CRL files.
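The same CDP and publishing setup done from an elevated PowerShell prompt on the CA, plus a check that the CRL clients will actually download is the one the CA just signed. This is an added example, not part of the original article; it assumes the CA and IIS are on one server called PKI01 in the domain DOMAINA (domaina.local), the CRL URL is http://crl.domaina.local/crld/, and the share folder is C:\CRLDist.

```powershell
# Added example (not from the original article): steps 2 to 19 above from PowerShell.
# Assumptions (not in the article): CA + IIS on PKI01, domain DOMAINA / domaina.local,
# CRL host crl.domaina.local, share folder C:\CRLDist, IIS server IP 192.168.1.10.
$crlHost  = 'crl.domaina.local'
$crlPath  = 'C:\CRLDist'
$caServer = 'PKI01'
$domain   = 'DOMAINA'

# 0. DNS (run on the DNS server, Windows 2012 or later): the A record for the CRL name.
# Add-DnsServerResourceRecordA -Name 'crl' -ZoneName 'domaina.local' -IPv4Address '192.168.1.10'

# 1. IIS: virtual directory, directory browsing, and double escaping. Delta CRL file
#    names contain '+', which request filtering rejects unless allowDoubleEscaping is on.
Import-Module WebAdministration
New-Item -Path $crlPath -ItemType Directory -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD' -PhysicalPath $crlPath | Out-Null
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CRLD' `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CRLD' `
    -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value $true

# 2. Hidden share and NTFS rights for the CA's computer account only (the CA service
#    runs as SYSTEM and therefore authenticates to the share as DOMAINA\PKI01$).
$caAccount = "$domain\$caServer$"
New-SmbShare -Name 'CRLDist$' -Path $crlPath -FullAccess $caAccount | Out-Null
$acl  = Get-Acl $crlPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($caAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $crlPath -AclObject $acl

# 3. CA: CRL publication URLs. The number before each URL is a flag bitmask:
#      1 = publish CRLs to this location        64 = publish Delta CRLs to this location
#      2 = include in the CDP extension          4 = include in CRLs (Delta CRL pointer)
#    so 6 = the two tick boxes in step 4 and 65 = the two tick boxes in step 6.
#    %3 = <CaName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed>. certutil treats a
#    literal \n as the separator between entries. The first entry keeps the default
#    local CertEnroll location.
$urls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',
    "6:http://$crlHost/crld/%3%8%9.crl",
    "65:\\$caServer\CRLDist$\%3%8%9.crl"
) -join '\n'
certutil -setreg CA\CRLPublicationURLs $urls
Restart-Service CertSvc

# 4. Publish (the same as Revoked Certificates > All Tasks > Publish) and verify that
#    the HTTP copy parses as a CRL from this CA with a sensible NextUpdate.
certutil -CRL
Get-ChildItem $crlPath -Filter *.crl
$base = Get-ChildItem $crlPath -Filter *.crl | Where-Object Name -notmatch '\+' | Select-Object -First 1
$tmp  = Join-Path $env:TEMP 'fetched.crl'
Invoke-WebRequest -Uri "http://$crlHost/crld/$($base.Name)" -OutFile $tmp -UseBasicParsing
certutil -dump $tmp | Select-String 'Issuer', 'NextUpdate'
```

The flags are what the tick boxes in the GUI write; the difference is that the bitmask makes it obvious that the HTTP URL is the one that ends up in issued certificates (2) while the UNC path is only where the CA writes (1 and 64), which is why the share never needs to be reachable by clients.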
Seen when trying to connect the Windows 8 Mail client to Exchange 2010 (which is using a self-signed certificate).
Error
Unable to connect. Ensure that the information you’ve entered is correct.
Solution
This is a right pain! My Exchange 2010 server is using a self-signed certificate, and even though the Windows 8 client trusts my domain CA, and has imported the cert that Exchange is using, it still would not work.
I know the cert is OK; Outlook Web Access and Outlook work fine without reporting any certificate errors. I even put the CA’s FQDN in the Windows 8 hosts file in case it needed to see that (because I read that the problem is related to the client not being able to reach the CA’s certificate revocation list).
The only way I found to cure this problem, and let me successfully connect to Exchange, was to remove the self-signed certificate and use a purchased certificate.
I had to work out how to do this for a client, and as is my modus operandi, I’ll try and save you some of the pain I endured.
Products Used
System Center Configuration Manager 2007 SP2, Windows Server 2008 R2, SQL 2008 R2 (at the time of writing neither officially supported nor unsupported on SCCM).
Note: I was originally going to use SQL 2005 – hence the reason the SQL servers name is SCCM-SQL2005, however I bit the bullet and used SQL 2008 R2 instead.
Solution
Step 1: SCCM Domain pre install work.
1. Create two groups in Active Directory.
a. SCCM administrator group: SCCM-ADMIN
b. SQL administrator group: SQL-ADMIN
2. Add both groups to the Domain Admins group. Note: this is far more than either product needs; in production make these groups local administrators on the SCCM and SQL servers instead and keep them out of Domain Admins.
3. Create two new users: sccmadmin and sqladmin.
4. Add sccmadmin to SCCM-ADMIN group and add sqladmin to SQL-ADMIN group.
c. Windows Authentication.
d. IIS6 Metabase compatibility.
e. IIS6 WMI compatibility.
3. Add the following “Server Features”:
a. Background Intelligent Transfer Service.
b. Remote Differential Compression.
4. If you are NOT running Windows Server 2008 R2 Download and install WebDav (already included in Windows Server 2008 R2). If you are running R2 skip to the next step.
5. Server Manager > Roles > Web Server (IIS) > Add Role Services > WebDAV Publishing > Next > Close.
6. To enable WebDav > Start > Administrative Tools > Internet Information Services (IIS) Manager > Expand {server name} > Sites > Default Web Site > WebDav Authoring Rules.
7. Select Enable WebDav (On the right hand side).
8. Select add authoring Rule > All Content > All Users > Permissions > Read > OK.
9. Select the rule you have just created > WebDav Settings.
10. Change “Allow Anonymous Properties Queries” to True > Change “Allow Custom Properties” to False > Change “Allow Property Query with Infinite Depth” to True > Change “Allow hidden files to be listed” to True > Apply.
12. From the WSUS installation choose “Full server installation” > DO NOT accept the default “Use the existing IIS Default Web site” > Use “Create a Windows Server Update Services 3.0 SP2 Web site” (Note: this will use port TCP 8530 by default).
Step 3: SCCM Install SQL Server.
1. From the SQL install media run setup.exe > Installation > “New Installation or add features to an existing Installation” > OK.
2. Enter product Key if applicable > Next > “I accept…” > Next > Install > Next > Next.
5. On the Server Configuration page > Select “Use the same account for all SQL Server services” > Select the user you created originally (sqladmin) > Set the SQL Server Agent and SQL Server Database Engine startup type to “Automatic” > Next.
6. Accept “Windows Authentication” > Add in your SCCM-ADMIN group and SQL-ADMIN group > Next > Next > Next > Install.
7. When it’s completed click close.
Step 4: Prepare Active Directory for SCCM
1. Extend the schema > From the install media > SMSSETUP > BIN > I386 > extadsch.exe (run this as a member of Schema Admins).
2. Check the above was successful by opening the C:\ExtADSch.txt file; it should say “Successfully extended the Active Directory schema”.
3. We now need to create some active directory objects go to a domain controller > Start > Administrative tools > ADSI Edit > Action > connect to > leave everything on its defaults > OK.
4. Expand the Default naming context > Expand your domain name > Right click “system” > New > Object > Container > Next.
5. Call it “System Management” > Next > Finish > Close ADSI Edit.
6. Still on the domain controller > Start > dsa.msc {enter} > View > Advanced.
7. Expand “system” > Locate the container you created “System Management” > right click it and select properties > Security Tab > Add > Object Types > Tick Computers > OK.
8. Click Advanced > Find Now > Locate and add the SCCM-ADMIN group you created earlier > Also add the SCCM Server itself > OK.
9. Grant Allow “Full Control” to both the SCCM-ADMIN group and the SCCM server.
10. Now click advanced > Select the SCCM-ADMIN group > Edit.
11. Change the “Apply to” section from “This object only” to “This object and all descendant objects” > OK > Apply > OK.
12. Repeat the above for the SCCM-Server object.
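Steps 3 to 12 of this section done with the ActiveDirectory module instead of ADSI Edit and the GUI ACL editor, as an added example that is not part of the original article. It assumes the site server is called SCCM01 and the admin group is SCCM-ADMIN (the group created in Step 1), and that you run it on a domain controller, or a machine with RSAT, as a Domain Admin.

```powershell
# Added example (not from the original article): create the System Management
# container and delegate Full Control on it, and everything beneath it, to the
# SCCM site server's computer account and the SCCM admin group.
# Assumptions (not in the article): site server SCCM01, admin group SCCM-ADMIN.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$systemDN    = "CN=System,$domainDN"
$containerDN = "CN=System Management,$systemDN"

# 1. Create the container only if it is missing, so the script is safe to re-run.
$existing = Get-ADObject -Filter { Name -eq 'System Management' } -SearchBase $systemDN -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# 2. Full Control for the site server and the admin group, applied to
#    "this object and all descendant objects" (SecurityInheritance = All), because
#    the site publishes its own objects underneath this container.
$principals = @((Get-ADComputer 'SCCM01'), (Get-ADGroup 'SCCM-ADMIN'))
$acl = Get-Acl -Path "AD:\$containerDN"
foreach ($p in $principals) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $p.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 3. Check what was actually written; both entries should show GenericAll with
#    InheritanceType All and IsInherited False.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference -match 'SCCM' } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited -AutoSize
```

Delegating on the container (rather than adding the site server to Domain Admins) is all the site needs to publish to Active Directory, which is the least-privilege alternative to the group membership shortcut in Step 1.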
Step 5: Install SCCM
1. Log on as the sccmadmin user.
2. From within the SCCM setup media run splash.hta > Run the Pre requisite checker > Enter the SQL Server name > SCCM server name and the FQDN of the SCCM server > OK.
3. Note: If you cannot talk to the SQL server, check that the Windows Firewall on the SQL server is not blocking you (Start > Run > firewall.cpl). Turning it off proves the point, but the proper fix is an inbound rule allowing TCP 1433 from the SCCM server.
4. All being well it should say “All required pre requisite tests have completed successfully” > OK.
5. Re-run Splash.hta > This time choose > Install configuration Manager 2007 SP2 > Next > “Install Configuration Manager site Server > Next.
6. Tick “I accept these License terms” > Next > Custom Install > Next > Primary Site > Next > Next > enter unlock code if applicable > Next > Accept/change the install directory > Next > Enter a Site code and friendly name > Next.
DO NOT ever try and change this code and don’t forget it!!
7. Change the Site mode to “Configuration Manager Mixed Mode” (Native mode requires certificate services and considerably more work). > Next.
8. Accept the defaults (everything except NAP) > Next.
9. Enter your SQL server name > Next > Next > Next > Next > Next.
10. Select a location to install the updates to > Next.
11. Updates will download this may take some time > when finished it should say it was successful > OK > Next.
12. It will run the pre requisite check again > when finished click begin install.
13. When finished click Next > Finish.
14.Now you need to send out the clients and configure SCCM, I’ll cover that in a later article.
You will see this error in one of two scenarios: either it’s a new Exchange installation and you have yet to create a send connector, or your send connector(s) do not cover the DNS domain of the recipient the failing message was destined for.
Identity: DC2012Unreachable412316860424
Subject: inter domain
Internet Message ID: <afea4f1a2aa14c2788d872070ae6a5dd@DC2012.PNL.com>
From Address: Administrator@pnl.com
Status: Ready
Size (KB): 4
Message Source Name: SMTP:Default DC2012
Source IP: 192.168.1.0
SCL: -1
Date Received: 11/26/2012 2:04:33 PM
Expiration Time: 11/28/2012 2:04:33 PM
Last Error: A matching connector cannot be found to route the external recipient
Queue ID: DC2012Unreachable
Recipients: name@domain-name.com;2;2;A matching connector cannot be found to route the external recipient;16;<No Matching Connector>
Usually you will have a send connector that covers “*” (that’s everything), so you either need to create that, or a connector specifically for the problem domain name.
Solution
1. Launch the Exchange Admin Center https://localhost/ecp > Mail Flow > Send Connectors > Click the Add icon.
2. Give it a sensible name and set its type to Internet.
3. By default it will select where to send the email based on the DNS name of the recipient, however some people route all their mail via a smart host, (this can be a server or IP address at your ISP or a mail filtering provider). If you use a smart host you will probably already know, in most cases you will want the default option of ‘MX record associated with recipient domain’ > Next.
4. Select the Add icon > To create a ‘Default Send Connector’ that covers ALL external domains, set the FQDN to an asterisk (for a domain-specific connector simply enter the FQDN of that domain) > Save > Next.
5. Add > Now select the server(s) that will use the connector > OK > Finish.
Note: This is a great feature. If you have multiple sites and multiple Exchange servers you can make the Exchange server at your main site the only source server for the connector. That’s great for solving mail flow problems caused by reverse DNS lookup failures, because only that server’s public IP then needs a PTR record that matches the FQDN it presents in HELO/EHLO.
6. At this point I’d either restart the Exchange services, or simply reboot the server.
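The same connector created from the Exchange Management Shell, followed by resubmitting what is already sitting in the Unreachable queue, as an added example that is not part of the original article. It uses the server name DC2012 from the queue output above; the public name mail.pnl.com, used for the connector’s HELO/EHLO FQDN, is a placeholder that you would replace with the name your PTR record points to.

```powershell
# Added example (not from the original article): create the catch-all internet send
# connector and push the Unreachable queue back through routing, so the stuck mail
# leaves without a service restart. Run in the Exchange Management Shell.
# Assumptions (not in the article): server DC2012 (from the queue output above),
# public name mail.pnl.com with a matching PTR record.
$server = 'DC2012'
$fqdn   = 'mail.pnl.com'

# 1. What is stuck and why: messages with no matching connector sit in Unreachable.
Get-Message -Queue "$server\Unreachable" |
    Format-Table FromAddress, Recipients, LastError -AutoSize

# 2. Create the '*' connector only if none exists. 'SMTP:*;1' is address space SMTP,
#    domain *, cost 1. DNS routing delivers via the recipient domain's MX record;
#    -Fqdn is the name offered in HELO/EHLO and should match this server's PTR.
$catchAll = Get-SendConnector | Where-Object { $_.AddressSpaces -match '^SMTP:\*;' }
if (-not $catchAll) {
    New-SendConnector -Name 'Default Internet' -Usage Internet `
        -AddressSpaces 'SMTP:*;1' -DNSRoutingEnabled $true `
        -SourceTransportServers $server -Fqdn $fqdn
}

# 3. Alternatively (or additionally) a connector for one problem domain. A more
#    specific address space is always preferred over '*' regardless of cost.
# New-SendConnector -Name 'To domain-name.com' -Usage Internet `
#     -AddressSpaces 'SMTP:domain-name.com;1' -DNSRoutingEnabled $true `
#     -SourceTransportServers $server -Fqdn $fqdn

# 4. Resubmit the Unreachable queue so categorization re-evaluates routing against
#    the new connector, then confirm the queue is draining.
Retry-Queue -Identity "$server\Unreachable" -Resubmit $true
Get-Queue -Server $server | Format-Table Identity, Status, MessageCount -AutoSize
```

Retry-Queue with -Resubmit is what makes step 6 above unnecessary in most cases: the messages are re-categorized against the current connectors rather than waiting for the transport service to restart.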