Windows Remote VPN no DNS

VPN no DNS KB ID 0001402

Problem

I’ve been setting up a VPN solution on the test bench as I’m looking at Always On VPN. When I noticed that I had a problem with my remote VPN connections on Windows. They would connect fine but I could not resolve any FQDNs for my domain?

VPN no DNS Solution

By default, all (Windows) VPN connections are ‘Force Tunnel’ (this means they have the option ‘Use default gateway on remote network’ selected). This also means that, (unless your RAS server is the default Gateway for your network,) you usually don’t have internet access when connected to the VPN. 

Now I connected fine, and I could ping IP addresses on my corporate network, but I could not ping my servers by their domain name, in fact Windows was trying to resolve my domain name to a public IP?

Google this problem and you’re simply told to ‘Disable IPv6 on your network card, and this works, (if you want to keep your remote users Force-Tunnelled). But disabling IPv6 is hardly a fix is it?

Also If you want internet access for your remote clients, (Commonly referred to as ‘Split Tunnel’), then even with IPv6 disabled, the problem comes back!

Why is this happening? Well even with Force Tunnel enabled, you can still use your local LAN (Connect to your VPN, and ping your home gateway, or printer or wireless access point if you don’t believe me!) This connection takes precedence over your remote VPN connection, to prove it run a netstat -rn command. 

From the above you can see my Ethernet Adaptor has a metric of 6, and my VPN connector, (in this case called Connection Template) has metric of 23. AND THE LOWEST ONE WINS, so your DNS queries are going out of your local internet connection NOT down the VPN tunnel!

How Do I Fix this VPN no DNS?

Well until Microsoft fixes this in Windows 10, (it’s fine on Windows 8 and earlier), you have to manipulate the metrics yourself, like so;

VPN no DNS On Your Physical Adapter;

Start > ncpa.cpl {enter}  > Right click your NIC > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 20 > OK > OK >OK.

On Your VPN Connector;

Start > ncpa.cpl {enter}  > Right click your VPN Connector > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 10 > OK > OK >OK. 

Now your DNS look-ups should behave!

Related Articles, References, Credits, or External Links

NA

Windows: Cisco ASDM ‘This app can’t run on your PC’

‘This app can’t run on your PC’ KB ID 0001574

Problem

Whys isn’t Java dead yet? 🙁 Anyway, I tried to connect to a clients ASDM today, and from my Windows 10 machine, I got the following error;

Windows 11

Windows 10

This app can’t run on your PC
To find a version for your PC, check with the software publisher.

‘This app can’t run on your PC’ Solution

Make sure you have installed Java (www.java.com) and also make sure you are using an Intel (Not ARM based processor)

If you are launching straight for the desktop open the properties of the ASDM shortcut, and look at the ‘Target‘ value.

Change it to;

[box]

C:\Windows\system32\wscript.exe invisible.vbs run.bat

[/box]

Apply > OK.

Try again.

If you are launching from the ‘Start Menu’ Open the file location of the shortcut;

Windows 11

Windows 10

 

And change the target to “C:\Windows\system32\wscript.exe invisible.vbs run.bat“. > Apply > OK.

Related Articles, References, Credits, or External Links

NA

Windows: Join Azure AD (AAD)

KB ID 0001596

Problem

With more people looking at Microsoft 365 (as opposed to Office 365), then the amount of people who want to Join Azure AD with their Windows machines is only going to go up. This is how to join your Windows and BYOD client devices to Azure AD.

There are essentially 3 WAYS to Join Azure AD.

  • Azure AD Join: Used for corporate assets. Windows Only! (Can be managed by Intune) Users log in with their Azure AD account only.
  • Azure AD Registration: Used for BYOD devices Windows/macOS/Android etc. (Can be managed by Intune). Users log in with their local credentials.
  • Hybrid Azure AD Join: Used for corporate assets you want to manage with GPO (or SCCM). Windows Only. These assets will be in a local (traditional on-premises domain).-WARNING: These devices require periodic sight of your on-premises AD, (or they become unusable). The Local domain needs to be connected to Azure AD with an Azure AD Connector.

Solution

 

Join Azure AD: Azure AD Join

Start > Settings > Accounts..

Access Work or School > Connect.

STOP! If you put your credentials in here you will Not join the machine to Azure AD you will perform an Azure Workplace Join (or be Azure Registered) that’s NOT WAHT WE WANT > Select “Join This Device to Azure Active Directory‘.

Enter your Azure AD/Office 365 Credentials > Next.

Join.

Done.

The machine will now show that it’s connected to.Azure AD

Note: The login screen now changes to ‘Sign in to: Your Work or School account‘.

Join Azure AD: Azure AD Register

Start > Settings > Accounts..

Access Work or School > Connect.

Enter your O365/M365/Azure credentials

Then after authenticating you ‘should’ see this.

How To Leave / Disconnect From Azure AD

Same place as above, select the connection and simply click ‘Disconnect‘.

Join Azure AD: How To Hybrid Join Azure AD

To Hybrid Azure AD join your machines to Azure AD, (this means they will already be in you local (traditional on-premises) domain, and then ‘additionally’ joined to Azure AD also. So your local domain needs to be syncing to Azure AD with Azure AD Connect. And you machines need to be Windows 10 (or Windows 8 with some additional requirements!)

You configure Hybrid Azure AD Join on the Azure AD Connector, like so;

Locate Your Azure AD Connect Server

Launching Azure AD from the Azure AD connect icon, will pause replication and allow you to make changes, locate ‘Configure Device Options’

 

Next >authenticate to Azure > Next.

Device Options > Configure Hybrid Azure AD Join > Next.

Next > Select Windows 10 (unless you have Windows 8 then theres some other hoops you have to jump though for that though) > Next

Tick you local domain > Edit  >Authenticate to AD (with an Enterprise Admin account) > Next.

Exit.

Now, be patient and wait it can take a while for your devices to start appearing in Azure, when they do that will look like this;

Related Articles, References, Credits, or External Links

Find The Azure AD Join Type

VMware Fusion: Not Enough Physical Memory

KB ID 0001715

Problem

I upgraded to macOS Big Sur this week, and was surprised everything still worked! That was until I tried to start up my Windows 1o Virtual machine.

“Not enough physical memory is available to power on this virtual machine with its configured settings.”

Solution

Though it took me a while to ‘fix’, the fix is quite straight forward, I was running version 11 (see Below).

As soon as I upgraded to version 12.

Everything worked correctly. Only version 12 is fully supported on macOS Big Sur.

Related Articles, References, Credits, or External Links

NA

Windows In VMware Fusion ‘Cannot Access Shared Folders’

KB ID 0001627

Problem

Every so often I have a problem with the Windows 10 VM that I run on my mac in VMware Fusion, last time I needed to upgrade to Fusion 11.5, before that it was a registry fix. This time I could not access any files or folders on the parent mac.

Network Error
Windows cannot access \\vmware-host\Shared Folders\{Folder-Name}
You do not have permissions to access \\vmware-host\Shared Folders\{Folder-Name}. Contact your network administrator to request access.

Solution

Removing and re-adding the share in VMware Fusion didn’t fix the problem, in the end I had to grant VMware Fusion, ‘Full Disk’ access before the problem ceased.

System Preferences > Security & Privacy > Privacy > ‘Unlock’ > Full Disk Access > Tick ‘VMware Fusion.app”.

Related Articles, References, Credits, or External Links

NA

Error: 0x8007232B DNS Name Does Not Exist

KB ID 0001622

Problem

Seen when attempting to ‘Activate’ a Window machine;

Error: 0x8007232B DNS name does not exist

Solution

The reason for this error is the Windows machine has looked for a KMS (Key Management Server) in its local DNS, and not found one. This is because (out of the box) it has a Windows KMS licence code installed. Now if you have a KMS server you need to work out why you cant see it, I’ve covered troubleshooting KMS in link below;

Using a KMS Server

So if you don’t have a KMS server and dont wish you deploy one, you need to change, the Windows activation code on this machine to a MAK (Multiple Activation Key) instead,  Note: you will get these keys from the Microsoft Volume Licence Service Center. Then from an administrative command window;

[box]

slmgr -ipk 12345-ABCDE-12345-ABCDE-12345
slmgr -ato

[/box]

Related Articles, References, Credits, or External Links

NA

Sysprep Was Unable to Validate

KB ID 0001535

Problem

While building a new Windows 10 machine to be used as a template, I ran Sysprep to generalise the installation, and got this;

Sysprep was not able to validate your Windows Installation.
Review the log file at
%WINDIR%\System32\Sysprep\Panther\setupact.log for
details. After resolving the issue, use Sysprep to validate yout
Installation again.

Solution

What I did was Google the error, instead of looking at the log file, and read a post that said this can happen if the reference machine has not been activated, and went down a blind alley because THATS NOT TRUE of course you can generalise a newly deployed ‘non-activated’ reference machine.

When I finally read the error log, I found the following;

[box]

Package Microsoft.LanguageExperiencePacken-GB_17763.6.14.0_neutral__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
Failed to remove apps for the current user: 0x80073cf2
Exit code of RemoveAllApps thread was 0x3cf2.

[/box]

This problem is being caused by an app, (Windows has suffered with this since Windows 8!) I’ve highlighted the app name above, yours may have a different name, but the fix is the same. We need to remove that app, and stop Windows connecting to the internet to install more app shenanigans!

Disconnect the reference machine from the internet by disconnecting its NIC, (below I’m using a VMware VM).

Run a PowerShell window, (as Administrator) and execute the following command, (obviously use the name of your offending app rather than mine if it’s different!).

[box]

Get-AppxPackage –Name *LanguageExperience* | Remove-AppxPackage

[/box]

Then you should be able to run Sysprep successfully. 

DON’T FORGET to reconnect the NIC if you are creating a template, once the machine has shut down.

Related Articles, References, Credits, or External Links

NA

ASDM on Windows 10: ‘Cannot find Javaw.exe?’

KB ID 0001478

Problem

Windows 10 machine, (with Latest Java installed), while attempting to launch the ASDM you see;

Windows cannot find ‘javaw.exe’. Make sure you typed the name correctly, and then try again.

Solution

I should have fixed this a lot quicker than I did, because the error message was a lot more descriptive in older versions of Windows and the ASDM! This is the same problem seen on Windows 8.

You still need to install the x32 bit versions of Java! once you do it will work fine.

Related Articles, References, Credits, or External Links

NA

SMB1 Is Dead? (Unfortunately Not Yet)

KB ID 0001461

Problem

I recently did a migration for an engineering company, about a week later I got an email from them to say, “We have a new Windows 10 PC, and it can’t connect to the ‘N’ Drive?” I asked them to send me a screenshot, the error was;

You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747

Some Googling told me that windows 10 (build 1803) had removed SMB1, and like most people who see this for the first time, I got thePowerShell to turn it on, client was happy end of problem right?

Well yes and no, ‘SMB1 is Bad‘, very bad in fact, enabling SMB1 is a bit like removing the windows from your house because your too hot, yes it solves the problem, but now anyone who wants to jump into your house can do so, at any time of the day!

OK What’s Changed?

With Windows 10 (Build 1803) SMB1 has been completely disabled. If you try and connect to a device/share that’s using it you will see the same error my client did.

However if you have an earlier build of Windows 10, and you simply let it update, (Including the 1803 July Security update), that will continue to work.

I tried to replicate this on my test network, like the client I had a 2008 R2 file server, and connected to it from a new Windows 10 and an old(er) updated Windows 10 machine. Everything worked? In fact to replicate the clients error, I had to manually disable SMB2 and force SMB1? That’s strange I thought, so I checked the clients server;

As you will discover (below) the DWORD highlighted disables SMB2 and forces the server to use SMB1. Now the server does not ship like this, and I doubt very much anyone did this manually, so where did it come from? Well as an educated guess, the software that runs on this server needs SMB1. (They have some older Linux machines and machinery that logs are collected from).

Solution

As Microsoft says;

Warning: We do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

So the steps I outline below, are so you can actually do some troubleshooting, to see what’s wrong. The third law of engineering states ‘Just because you can do something, does not necessarily mean you should‘ That being said, I appreciate we operate in the real world. If your line of business software needs SMB1 you cant shut down production while the vendor fixes their ‘poorly written, and relying on 30 year old protocol‘ code. Or, what you are connecting to might not be a Windows machine at all! It might be an appliance tha’ts old, with no firmware to update it to SMB2/3, and there’s no budget to replace it.

Windows 10 Enable SMB1

Use the following PowerShell;

[box]

Get-WindowsOptionalFeature -Online –FeatureName smb1protocol
Enable-WindowsOptionalFeature -Online –FeatureName smb1protocol

[/box]

Again this is a temporary fix! As soon as possible disable it again.

[box]

Disable-WindowsOptionalFeature -Online –FeatureName smb1protocol

[/box]

Windows Server (Enabling/Disabling SMB1 & SMB2)

As with most things, SMB status is set in the registry (see above).

Enable or disable SMBv1 on the SMB server;

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Enable or disable SMBv2 on the SMB server;

Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Note:  You must restart the computer after you make these changes.

But things are much easier done with PowerShell, to see the settings;

[box]Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}[/box]

Note: Above SMB1 is enabled SMB2 is Disabled.

WARNING: To test this properly, I’d suggest converting this server to a VM and testing on a copy, or cloning the server, (if it’s already virtualised), then you can try out some non-destructive testing, to make sure your applications still work. Ideally start by enabling SMB2 and disabling SMB1 to test.

[box]Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB2 -Type DWORD -Value 1 –Force
Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 –Force[/box]

Remember to reboot!

 

If your application still works great, ‘you didn’t need SMB1 anyway‘, sit back, light your pipe, and admire your handiwork!

If not, try with both Protocols enabled. (To be fair, security-wise this is just as bad as having SMB1 only, as all the ‘good bits’ in SMB2 can still be bypassed by using SMB1!) But at least (from a user perspective) your new Windows machines will connect via SMB2.

Remember to reboot!

 

Related Articles, References, Credits, or External Links

NA

Windows ‘Always On’ VPN Part 1 (Domain and PKI)

KB ID 0001399

Problem

Always On VPN was a bit of a misnomer when it was released, as it was only really ‘on’ when a user logged on. So when comparing it with ‘Direct Access‘ it didn’t have the capacity to ‘Manage Out’. With the release of Windows 10 (1709) this has been rectified with ‘Device Tunnels’, (more on that later).

The solution uses RAS, NAP (NPS), and PKI (Certificate Services). Obviously Active Directory is a requirement, and in addition I’ve also got a file server setup just for ‘testing’ access to domain resources.

Note: The VPN setup, (on everything, apart from the Windows 10 clients), is just the same as it ever was. This technology is for copying VPN settings from a Windows 10 client, and then being able to put those settings on other Windows 10 clients, so that when a user logs on, the VPN connects (User Tunnels), or when a machine gets a network connection it connects (Device tunnels).

Step 1: Active Directory Work

You will need to setup some security groups in AD, I’m going to use;

  • VPN-NPS-Servers
  • VPN-RAS-Servers
  • VPN-Users

Note: You can of course use ‘domain users’ if you are rolling this out domain wide.

Add your NAP/NPS server(s) to the VPN-NPS-Servers group, (remember you need to add computers to the search criteria, or you wont find them).

Add your RAS server(s) to the VPN-RAS-Servers group.

Add your domain users(s) to the VPN-Users group.

Step 2: PKI (Certificate Services)

PLEASE: Don’t just race forward and install Certificate Services. Every domain certificate problem I’ve ever had to worked on has been the result of someone ‘just lashing it in’. Take the time to do it properly, and think about your domain PKI design, consider things like, Offline Root CA’s, Multi-Tier Sub CA’s, CRL, and OCSP.

Luckily, I’ve spent a ton of time already on Certificate services, look though the following article;

Microsoft PKI Planning and Deploying Certificate Services

If you are simply setting this up on the test bench, or for a POC, (in a non-production domain). Then add the role from Server Manager.

These are the roles I deploy, but for this solution you only really need the Certification Authority, role.

Note: If you are interested what the other roles do, then search for them above, (I’ve blogged about NDES, and the Enrollment Web Services before).

Step 3: Certificate Templates

You will need to create and publish three certificate templates;

  • VPN-User (Based on the User Template)
  • NPS-Servers (Based on the RAS and IAS Template)
  • VPN-Servers (Based on the RAS and IAS Template)

VPN-User Certificate: Open the certificate services management console > Certificate Teplates > Manage > User > Duplicate Template.

General Tab

  • Template Display Name: VPN-User
  • Publish certificate in Active Directory UNTICK.

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work)
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work)

Request Handling Tab:

Allow private key to be exported: UNTICK

Cryptography Tab:

  • Provider Category: Key Storage Provider
  • Providers: First: Microsoft Platform Crypto Provider, Second: Microsoft Software Key Storage Provider.

Note: Theres two because the first one requires a TPM chip, if the client machine does not have one the procedure fails. By allowing ‘Microsoft Software Key Storage Provider’ if will ‘fall-back’ to that option, if there is not TPM chip.

Security Tab:

  • ADD: VPN-users: GRANT: Read, Enrol, and Autoenroll.
  • DELETE: Domain Users

Note: In a test environment, you may also want to UNTICK the option ‘Include e-mail name in subject name‘ on the Subject Name tab or you may see this problem.

Issue the certificate template.

Repeat the procedure but this time make a duplicate of the RAS and IAS template.

General Tab:

  • Template Display Name: NPS-Servers.

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work).

Security Tab:

  • ADD: VPN-NPS-Servers: GRANT: Read, Enrol, and Autoenroll.
  • DELETE: RAS and IAS Servers.

Apply > OK > Now make a second duplicate of the RAS and IAS certificate template.

General Tab:

  • Template Display Name: VPN-Servers.

Extensions Tab:

  • Edit > Add > IP Security IKE Intermediate > OK > OK.

Security Tab:

  • ADD: VPN-RAS-Servers: GRANT: Read and Enrol ONLY.
  • DELETE: RAS and IAS Servers.

Subject Name Tab:

Supply In the Request: TICK (Accept the warning).

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work).

Issue Both of the server certificate templates.

Step 4: Group Policies Auto-Enrolment

Again, I’ve written about this before, so for some extra reading on the subject, see the following article;

Deploying Certificates via ‘Auto Enrollment’

In the’ Group Policy Management Console’ create a new GPO, I’m simply linking it to the root of the domain, you can of course link it to the OUs that your RAS and NPS servers live in.

Edit the policy.

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.

  1. Configuration Model: Enabled.
  2. Renew expired certificates, update pending certificates, and remove revoked certificates: TICK.
  3. Update certificates that use certificate templates: TICK.

Close and exit the policy editor.

Now Im creating another policy for my USER auto enrolment, (I could have used the same policy above, that’s linked to the root of the domain, but I like to keep them separate, it’s your choice). Anyway just ensure the policy is linked to your USERS.

Edit the policy.

Navigate to: User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.

  1. Configuration Model: Enabled.
  2. Renew expired certificates, update pending certificates, and remove revoked certificates: TICK.
  3. Update certificates that use certificate templates: TICK.

Step 5: Testing CertificateDeployment

Remember we are deploying two computer certificates and one user certificate, and they are all based on group membership, so your servers need to be rebooted before they will get their group membership, and your user(s) need to log off and log on. Also bear in mind you might want to force group policy, see the following article;

Windows – Forcing Domain Group Policy

NPS-Servers Certificate: Windows Key+R > certlm.msc > Personal > Certificates > You should have a certificate based on the NPS-Server template.

VPN-Server Certificate: Windows Key+R > certlm.msc > Personal > Certificates > All Tasks > Request New Certificate > Next.

Note: You are doing this one manually, because this certificate does not auto-enrol, that’s because the certificate will need a different common name on it, (the public DNS name of the RAS server).

Next > Click the ‘More information…’ link > In the Subject Name Section, Set the Common name to the private DNS name of the RAS server. In the Alternative name section set the DNS value to the public name  the server > Apply > OK.

 

Enroll > Finish.

You now have a certificate based on the VPN-Server template.

 

VPN-User Certificate: Just a quick note, on the Windows 10 client, run certlm.msc again but this time ensure you have your domain CA server certificate listed in the ‘Trusted Root Certification Authorities’ folder.

Now this console lists computer certificates, and we need to look at user certificates (I could just run certmgr.msc instead), but old habits die hard, so I’ll launch an mmc console > and add a snap-in.

And add ‘certificates’ (Note: If I were an administrator I would be prompted to choose computer or user certificates, as I’m just a user, then current user is selected by default). > OK.

And there’s my certificate based on the VPN-User template.

If you’re struggling, and the user certificate refuses to appear, read my note (above) about e-mail addresses (that’s a very common error that causes auto-enrollment to fail). For troubleshooting look in the Event logs and in the ‘Failed Requests’ Section on your CA server. For all certificates, if something isn’t working then either somethings in the wrong group, the wrong group has been given permissions on the certificate template, or the GPO is linked to the wrong location.

That’s it for Part One, in Part Two I will look at deploying my RAS/VPN server into my DMZ, and having a rant/sneer at Microsofts continuing policy of trying  to bypass my firewall. 

Related Articles, References, Credits, or External Links

A massive thank you to Joseph Moody, and Kevin Kaminski, fellow MVP’s who took the time to reply to my Always On VPN queries.