I’ve been setting up a VPN solution on the test bench as I’m looking at Always On VPN, when I noticed that I had a problem with my remote VPN connections on Windows. They would connect fine, but I could not resolve any FQDNs for my domain.
VPN no DNS Solution
By default, all (Windows) VPN connections are ‘Force Tunnel’ (this means they have the option ‘Use default gateway on remote network’ selected). This also means that, unless your RAS server is the default gateway for your network, you usually don’t have internet access while connected to the VPN.
Now I connected fine, and I could ping IP addresses on my corporate network, but I could not ping my servers by their domain name; in fact Windows was trying to resolve my domain name to a public IP.
Google this problem and you’re simply told to ‘Disable IPv6 on your network card’, and this works (if you want to keep your remote users force-tunnelled). But disabling IPv6 is hardly a fix, is it?
Also, if you want internet access for your remote clients (commonly referred to as ‘Split Tunnel’), then even with IPv6 disabled the problem comes back!
Why is this happening? Well, even with Force Tunnel enabled you can still use your local LAN (connect to your VPN, then ping your home gateway, printer or wireless access point if you don’t believe me!). That local connection takes precedence over your remote VPN connection; to prove it, run a netstat -rn command and compare the interface metrics.
From the netstat output you can see my Ethernet adapter has a metric of 6, and my VPN connector (in this case called ‘Connection Template’) has a metric of 23. THE LOWEST METRIC WINS, so your DNS queries are going out of your local internet connection, NOT down the VPN tunnel!
How Do I Fix this VPN no DNS?
Well, until Microsoft fixes this in Windows 10 (it’s fine on Windows 8 and earlier), you have to manipulate the metrics yourself, like so;
VPN no DNS: On Your Physical Adapter;
Start > ncpa.cpl {enter} > Right click your NIC > Properties > Internet Protocol Version 4 > Properties.
Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 20 > OK > OK > OK.
On Your VPN Connector;
Start > ncpa.cpl {enter} > Right click your VPN Connector > Properties > Internet Protocol Version 4 > Properties.
Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 10 > OK > OK > OK.
Now your DNS look-ups should behave!
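The same diagnosis and fix in PowerShell, as an added example that is not part of the original post, plus the NRPT alternative that does not depend on metrics at all. It assumes the VPN connection is called ‘Connection Template’ (as in the post), that the physical NIC is called ‘Ethernet’, and a hypothetical internal DNS suffix corp.example served by 10.0.0.10; change those to match your own. Run it elevated, with the VPN connected (the VPN interface only exists while it is up).

```powershell
# Added example (not from the original post): diagnose and fix VPN DNS resolution
# on a Windows 10 client. Names and addresses below are assumptions.
$VpnName = 'Connection Template'   # VPN connector name from the post
$LanName = 'Ethernet'              # assumed physical NIC alias
$CorpSuffix = '.corp.example'      # assumed internal DNS suffix
$CorpDns    = '10.0.0.10'          # assumed internal DNS server

# 1. Diagnose: which connected IPv4 interface has the lowest metric, and which DNS
#    servers each one carries. The lowest metric wins for name resolution.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric, AutomaticMetric -AutoSize
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Fix, using the post's values: VPN = 10, NIC = 20, with the automatic metric off
#    so Windows stops recalculating them. The NIC change persists; the VPN change
#    applies to the current session, so for a lasting setting also do the GUI steps
#    above, which write the metric into the connection's phonebook entry.
Set-NetIPInterface -InterfaceAlias $VpnName -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 10
Set-NetIPInterface -InterfaceAlias $LanName -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 20

# 3. Alternative: an NRPT rule sends queries for the corporate suffix to the internal
#    DNS servers regardless of interface metric (an Always On VPN profile's
#    DomainNameInformation element does the same thing).
if (-not (Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $CorpSuffix })) {
    Add-DnsClientNrptRule -Namespace $CorpSuffix -NameServers $CorpDns -Comment 'Corp names via VPN DNS'
}

# 4. Verify: the answer should now be the internal address, not a public one.
Clear-DnsClientCache
Resolve-DnsName -Name "dc01$CorpSuffix" -Type A -ErrorAction SilentlyContinue |
    Format-Table Name, IPAddress -AutoSize
```

Step 1 is worth running on its own before changing anything: if the VPN interface shows no DNS servers at all, the metric is not your problem, the RAS server is not handing any out.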
Related Articles, References, Credits, or External Links
With more people looking at Microsoft 365 (as opposed to Office 365), the number of people who want to join Azure AD with their Windows machines is only going to go up. This is how to join your Windows and BYOD client devices to Azure AD.
There are essentially 3 WAYS to join Azure AD.
Azure AD Join: Used for corporate assets. Windows only! (Can be managed by Intune.) Users log in with their Azure AD account only.
Azure AD Registration: Used for BYOD devices (Windows/macOS/Android etc.). (Can be managed by Intune.) Users log in with their local credentials.
Hybrid Azure AD Join: Used for corporate assets you want to manage with GPO (or SCCM). Windows only. These assets will be in a local (traditional on-premises) domain. WARNING: These devices require periodic sight of your on-premises AD (or they become unusable). The local domain needs to be synced to Azure AD with Azure AD Connect.
Solution
Join Azure AD: Azure AD Join
Start > Settings > Accounts..
Access Work or School > Connect.
STOP! If you put your credentials in here you will NOT join the machine to Azure AD; you will perform an Azure Workplace Join (the device becomes Azure AD registered), and that’s NOT what we want. Instead select ‘Join this device to Azure Active Directory‘.
Enter your Azure AD/Office 365 Credentials > Next.
Join.
Done.
The machine will now show that it’s connected to Azure AD.
Note: The login screen now changes to ‘Sign in to: Your Work or School account‘.
Join Azure AD: Azure AD Register
Start > Settings > Accounts..
Access Work or School > Connect.
Enter your O365/M365/Azure credentials.
Then after authenticating you ‘should’ see this.
How To Leave / Disconnect From Azure AD
Same place as above: select the connection and simply click ‘Disconnect‘.
Join Azure AD: How To Hybrid Join Azure AD
To Hybrid Azure AD join your machines, they will already be in your local (traditional on-premises) domain and are then ‘additionally’ joined to Azure AD as well. So your local domain needs to be syncing to Azure AD with Azure AD Connect, and your machines need to be Windows 10 (or Windows 8 with some additional requirements!).
You configure Hybrid Azure AD Join in Azure AD Connect, like so;
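To work out which of the three join types a Windows 10 device actually ended up with, here is an added example (not from the original article) that parses the output of dsregcmd /status, which is built into Windows 10. The parsing and the classification table are mine, not Microsoft’s. It is handy after the ‘STOP!’ step above (to confirm you joined rather than registered) and after ‘Disconnect’ (to confirm the device really left). Note that the WorkplaceJoined flag is reported per user, so run it as the user in question.

```powershell
# Added example (not from the original article): classify a device's Azure AD state
# from 'dsregcmd /status'. Flag names are the ones dsregcmd prints.
function Get-AzureAdJoinState {
    param([string[]]$StatusText = (dsregcmd /status))
    # Lines of interest look like "     AzureAdJoined : YES"; collect the YES/NO keys.
    $flags = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$') { $flags[$matches[1]] = ($matches[2] -eq 'YES') }
    }
    $state = switch ($true) {
        { $flags['AzureAdJoined'] -and $flags['DomainJoined'] } { 'Hybrid Azure AD joined'; break }
        { $flags['AzureAdJoined'] }                             { 'Azure AD joined'; break }
        { $flags['WorkplaceJoined'] }                           { 'Azure AD registered (Workplace Join)'; break }
        { $flags['DomainJoined'] }                              { 'On-premises domain joined only'; break }
        default                                                 { 'Not joined to anything' }
    }
    [pscustomobject]@{
        State           = $state
        AzureAdJoined   = [bool]$flags['AzureAdJoined']
        DomainJoined    = [bool]$flags['DomainJoined']
        WorkplaceJoined = [bool]$flags['WorkplaceJoined']
    }
}

# Live check on this machine:
Get-AzureAdJoinState

# Offline check against constructed sample output (not real dsregcmd output) showing
# the 'STOP!' case: a device that got registered instead of joined.
$sample = @('  AzureAdJoined : NO', '  DomainJoined : NO', '  WorkplaceJoined : YES')
Get-AzureAdJoinState -StatusText $sample   # State = Azure AD registered (Workplace Join)
```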
Every so often I have a problem with the Windows 10 VM that I run on my Mac in VMware Fusion; last time I needed to upgrade to Fusion 11.5, before that it was a registry fix. This time I could not access any files or folders on the parent Mac.
Network Error
Windows cannot access \\vmware-host\Shared Folders\{Folder-Name}
You do not have permissions to access \\vmware-host\Shared Folders\{Folder-Name}. Contact your network administrator to request access.
Solution
Removing and re-adding the share in VMware Fusion didn’t fix the problem; in the end I had to grant VMware Fusion ‘Full Disk Access’ before the problem ceased.
System Preferences > Security & Privacy > Privacy > ‘Unlock’ > Full Disk Access > Tick ‘VMware Fusion.app’.
Seen when attempting to ‘Activate’ a Windows machine;
Error: 0x8007232B DNS name does not exist
Solution
The reason for this error is that the Windows machine has looked for a KMS (Key Management Service) server in its local DNS and not found one. This is because (out of the box) it has a Windows KMS client key installed. Now, if you do have a KMS server you need to work out why the client can’t see it; I’ve covered troubleshooting KMS in the link below.
So if you don’t have a KMS server and don’t wish to deploy one, you need to change the Windows activation key on this machine to a MAK (Multiple Activation Key) instead. Note: you will get these keys from the Microsoft Volume Licensing Service Center. Then, from an administrative command window;
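As an added example (not from the original post), the following PowerShell confirms why 0x8007232B fired before you change anything, and then does the MAK swap. slmgr.vbs and the SoftwareLicensingProduct WMI class are standard Windows; the MAK is a placeholder you must replace with your own. Run it elevated.

```powershell
# Added example (not from the original post): diagnose 0x8007232B, then move the
# machine from a KMS client key to a MAK. The key below is a placeholder.

# 1. Is there a KMS SRV record in this client's domain? 0x8007232B means there was not.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$srv = Resolve-DnsName -Name "_vlmcs._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv) { $srv | Select-Object NameTarget, Port } else { "No _vlmcs._tcp SRV record found in $domain" }

# 2. What kind of key is installed? A KMS client key shows VOLUME_KMSCLIENT in its
#    description. The ApplicationID filter limits the query to the Windows OS licence.
$lic = Get-CimInstance SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL AND ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f'"
$lic | Select-Object Name, Description, LicenseStatus, PartialProductKey

# 3. Install the MAK (placeholder: replace it), activate online, and show the result.
$MAK = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # assumed placeholder; get the real key from the VLSC
if ($MAK -match 'XXXXX' -or $MAK -notmatch '^[A-Z0-9]{5}(-[A-Z0-9]{5}){4}$') {
    throw 'Replace the placeholder MAK with a real key first'
}
$slmgr = "$env:SystemRoot\System32\slmgr.vbs"
cscript.exe //nologo $slmgr /ipk $MAK
cscript.exe //nologo $slmgr /ato
cscript.exe //nologo $slmgr /dli
```

If step 1 does find an SRV record but activation still fails, you have a KMS server the client cannot reach (firewall on TCP 1688, or a stale record), which is the troubleshooting case above, not the MAK case.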
While building a new Windows 10 machine to be used as a template, I ran Sysprep to generalise the installation and got this;
Sysprep was not able to validate your Windows Installation.
Review the log file at
%WINDIR%\System32\Sysprep\Panther\setupact.log for
details. After resolving the issue, use Sysprep to validate your
Installation again.
Solution
What I did was Google the error instead of looking at the log file, and read a post that said this can happen if the reference machine has not been activated, and went down a blind alley, because THAT’S NOT TRUE: of course you can generalise a newly deployed ‘non-activated’ reference machine.
When I finally read the error log, I found the following;
[box]
Package Microsoft.LanguageExperiencePacken-GB_17763.6.14.0_neutral__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
Failed to remove apps for the current user: 0x80073cf2
Exit code of RemoveAllApps thread was 0x3cf2.
[/box]
This problem is being caused by an app (Windows has suffered with this since Windows 8!). The app is the package named in the log entry above; yours may have a different name, but the fix is the same. We need to remove that app, and stop Windows connecting to the internet to install more app shenanigans!
Disconnect the reference machine from the internet by disconnecting its NIC (below I’m using a VMware VM).
Run a PowerShell window (as Administrator) and execute the following command (obviously use the name of your offending app rather than mine if it’s different!).
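Here is an added example (not the original post’s command) that reads the package name straight out of setupact.log rather than hard-coding it, removes every copy of it, and then closes the door on the Store re-installing apps into the image. The log path is the one quoted in the error; the registry policy values are Microsoft’s documented Store/CloudContent policies. Remove-AppxPackage -AllUsers needs Windows 10 1709 or later. Run elevated, with the NIC disconnected as above.

```powershell
# Added example (not from the original post): remove the packages Sysprep complains
# about and stop the Store auto-installing more before the next Sysprep run.
$log = "$env:WINDIR\System32\Sysprep\Panther\setupact.log"
$pattern = 'Package (\S+) was installed for a user, but not provisioned for all users'

# 1. Pull every offending package full name out of the log (de-duplicated).
$offending = Select-String -Path $log -Pattern $pattern |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique
if (-not $offending) { 'No per-user-only packages reported in setupact.log'; return }

foreach ($full in $offending) {
    "Removing $full"
    # Remove it from every user profile that has it ...
    Get-AppxPackage -AllUsers | Where-Object { $_.PackageFullName -eq $full } |
        Remove-AppxPackage -AllUsers -ErrorAction Continue
    # ... and any provisioned copy, which is keyed by the name before the first '_'.
    $name = ($full -split '_')[0]
    Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -eq $name } |
        Remove-AppxProvisionedPackage -Online | Out-Null
}

# 2. Stop the Store from auto-downloading apps into the reference image, and turn off
#    the 'consumer features' that seed Store apps on first logon.
$store = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
New-Item -Path $store -Force | Out-Null
Set-ItemProperty -Path $store -Name AutoDownload -Value 2 -Type DWord
$cloud = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
New-Item -Path $cloud -Force | Out-Null
Set-ItemProperty -Path $cloud -Name DisableWindowsConsumerFeatures -Value 1 -Type DWord

# 3. Confirm nothing matching is left before re-running Sysprep.
Get-AppxPackage -AllUsers | Where-Object { $offending -contains $_.PackageFullName }
```

Step 3 should print nothing. If a package refuses to go because it is in use by a logged-on profile, log that user off (or delete the stale profile) and run it again.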
On a Windows 10 machine (with the latest Java installed), while attempting to launch the ASDM you see;
Windows cannot find ‘javaw.exe’. Make sure you typed the name correctly, and then try again.
Solution
I should have fixed this a lot quicker than I did, because the error message was a lot more descriptive in older versions of Windows and the ASDM! This is the same problem seen on Windows 8.
You still need to install the 32-bit (x86) version of Java! Once you do, it will work fine.
I recently did a migration for an engineering company; about a week later I got an email from them to say, “We have a new Windows 10 PC, and it can’t connect to the ‘N’ Drive?” I asked them to send me a screenshot; the error was;
You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
Some Googling told me that Windows 10 (build 1803) had removed SMB1, and like most people who see this for the first time, I got the PowerShell to turn it back on; the client was happy, end of problem, right?
Well, yes and no. ‘SMB1 is bad‘, very bad in fact; enabling SMB1 is a bit like removing the windows from your house because you’re too hot. Yes, it solves the problem, but now anyone who wants to jump into your house can do so, at any time of the day!
OK What’s Changed?
With Windows 10 (build 1803) the SMB1 client is no longer installed by default on a clean installation. If you try and connect to a device/share that only speaks SMB1, you will see the same error my client did.
However, if you have an earlier build of Windows 10 and you simply let it update (including the 1803 July security update), that will continue to work.
I tried to replicate this on my test network: like the client I had a 2008 R2 file server, and connected to it from a new Windows 10 and an old(er) updated Windows 10 machine. Everything worked. In fact, to replicate the client’s error I had to manually disable SMB2 and force SMB1. That’s strange, I thought, so I checked the client’s server;
As you will discover (below), the highlighted DWORD disables SMB2 and forces the server to use SMB1. Now, the server does not ship like this, and I doubt very much anyone did this manually, so where did it come from? Well, as an educated guess, the software that runs on this server needs SMB1 (they have some older Linux machines and machinery that logs are collected from).
Solution
As Microsoft says;
Warning: We do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.
So the steps I outline below are so you can actually do some troubleshooting, to see what’s wrong. The third law of engineering states ‘Just because you can do something, does not necessarily mean you should‘. That being said, I appreciate we operate in the real world. If your line-of-business software needs SMB1 you can’t shut down production while the vendor fixes their ‘poorly written, and relying on a 30-year-old protocol‘ code. Or what you are connecting to might not be a Windows machine at all! It might be an old appliance with no firmware update to take it to SMB2/3, and no budget to replace it.
WARNING: To test this properly, I’d suggest converting this server to a VM and testing on a copy, or cloning the server (if it’s already virtualised); then you can try out some non-destructive testing to make sure your applications still work. Ideally start by enabling SMB2 and disabling SMB1 to test.
If your application still works, great: ‘you didn’t need SMB1 anyway‘. Sit back, light your pipe, and admire your handiwork!
If not, try with both protocols enabled. (To be fair, security-wise this is just as bad as having SMB1 only: anything that can negotiate SMB1 still bypasses all the ‘good bits’ in SMB2/3, so the exposure is unchanged until SMB1 goes.) But at least (from a user perspective) your new Windows machines will connect via SMB2, and in the meantime you can find out exactly which clients are still talking SMB1 and deal with those.
Remember to reboot!
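An added example (not from the original post) of how to audit the server’s SMB dialect settings before touching anything, and how to apply the author’s first test (SMB2 on, SMB1 off) only when you explicitly ask for it. It reads both the registry, which is all a 2008 R2 box has, and the Smb cmdlets where they exist (Server 2012 and later). The SMB1 and SMB2 DWORDs under LanmanServer\Parameters are the values Microsoft documents for this; absent means default (enabled) and 0 means disabled. It avoids PowerShell 3.0 syntax so it runs on a stock 2008 R2 server.

```powershell
# Added example (not from the original post): audit, then optionally change, a file
# server's SMB1/SMB2 state. Run elevated on the server (ideally the clone).
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbDialectState {
    $p = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    $describe = { param($v, $note)
        if ($null -eq $v) { 'default (enabled)' } elseif ($v -eq 0) { "DISABLED $note".Trim() } else { 'enabled' } }
    $state = New-Object PSObject
    $state | Add-Member NoteProperty 'RegistrySMB1' (& $describe $p.SMB1 '')
    $state | Add-Member NoteProperty 'RegistrySMB2' (& $describe $p.SMB2 '(forces SMB1 only!)')
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Server 2012+: the cmdlets expose the effective setting directly.
        $c = Get-SmbServerConfiguration
        $state | Add-Member NoteProperty 'EnableSMB1Protocol' $c.EnableSMB1Protocol
        $state | Add-Member NoteProperty 'EnableSMB2Protocol' $c.EnableSMB2Protocol
        # Who is talking SMB1 to us right now? These are the clients/appliances to chase.
        $smb1Clients = Get-SmbSession | Where-Object { $_.Dialect -like '1.*' } |
            ForEach-Object { $_.ClientComputerName }
        $state | Add-Member NoteProperty 'SMB1Clients' (@($smb1Clients) -join ', ')
    }
    $state
}

function Set-SmbDialectForTest {
    param([switch]$Apply)   # without -Apply it only reports what it would do
    if (-not $Apply) { return 'Dry run: would set SMB2=1, SMB1=0 (reboot required). Re-run with -Apply on the clone.' }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB2Protocol $true -EnableSMB1Protocol $false -Force
    } else {
        # 2008 R2 path: same effect via the registry values.
        Set-ItemProperty -Path $LanmanParams -Name SMB2 -Value 1 -Type DWord
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Value 0 -Type DWord
    }
    'Applied. Reboot, re-run Get-SmbDialectState, then test the application.'
}

Get-SmbDialectState
Set-SmbDialectForTest            # dry run
# Set-SmbDialectForTest -Apply   # on the test copy only
```

On 2008 R2 you do not get the SMB1Clients column; the honest way to find SMB1 talkers there is a packet capture on TCP 445 looking for ‘SMB’ (not ‘SMB2’) Negotiate responses.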
Always On VPN was a bit of a misnomer when it was released, as it was only really ‘on’ when a user logged on. So when comparing it with ‘DirectAccess‘ it didn’t have the capacity to ‘manage out’. With the release of Windows 10 (1709) this has been rectified with ‘Device Tunnels’ (more on that later).
The solution uses RAS, NPS (Network Policy Server), and PKI (Certificate Services). Obviously Active Directory is a requirement, and in addition I’ve also got a file server set up just for ‘testing’ access to domain resources.
Note: The VPN setup (on everything apart from the Windows 10 clients) is just the same as it ever was. This technology is for capturing the VPN settings from one Windows 10 client, and then being able to put those settings on other Windows 10 clients, so that when a user logs on the VPN connects (User Tunnels), or when a machine gets a network connection it connects (Device Tunnels).
Step 1: Active Directory Work
You will need to set up some security groups in AD. I’m going to use;
VPN-NPS-Servers
VPN-RAS-Servers
VPN-Users
Note: You can of course use ‘Domain Users’ if you are rolling this out domain-wide.
Add your NPS server(s) to the VPN-NPS-Servers group (remember you need to add ‘Computers’ to the object types in the picker, or you won’t find them).
Add your RAS server(s) to the VPN-RAS-Servers group.
Add your domain user(s) to the VPN-Users group.
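The same three groups created and populated from PowerShell, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, a hypothetical OU (OU=VPN,DC=corp,DC=example) that already exists, and made-up member names (NPS01, RAS01 and the user ‘pete’); substitute your own. Resolving computer objects explicitly is the scripted equivalent of adding ‘Computers’ to the picker’s object types.

```powershell
# Added example (not from the original article): create the Step 1 groups idempotently
# and add members. OU, server and user names below are assumptions.
Import-Module ActiveDirectory

$OU = 'OU=VPN,DC=corp,DC=example'   # assumed; must already exist
$Groups = @{
    'VPN-NPS-Servers' = @{ Kind = 'Computer'; Members = @('NPS01') }
    'VPN-RAS-Servers' = @{ Kind = 'Computer'; Members = @('RAS01') }
    'VPN-Users'       = @{ Kind = 'User';     Members = @('pete')  }
}

foreach ($Name in $Groups.Keys) {
    # Only create the group if it is missing, so the script can be re-run safely.
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $OU
    }
    foreach ($m in $Groups[$Name].Members) {
        # Computer accounts are 'NAME$' in sAMAccountName, so resolve them as computers,
        # not by string, and skip members that are already present.
        $obj = if ($Groups[$Name].Kind -eq 'Computer') { Get-ADComputer -Identity $m } else { Get-ADUser -Identity $m }
        $already = Get-ADGroupMember -Identity $Name | Where-Object { $_.distinguishedName -eq $obj.DistinguishedName }
        if (-not $already) { Add-ADGroupMember -Identity $Name -Members $obj }
    }
}

# Show the result. Remember membership is only picked up at next logon / reboot,
# which matters for the auto-enrolment tests in Step 5.
foreach ($Name in $Groups.Keys) {
    Get-ADGroupMember -Identity $Name |
        Select-Object @{ n = 'Group'; e = { $Name } }, name, objectClass
}
```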
Step 2: PKI (Certificate Services)
PLEASE: Don’t just race forward and install Certificate Services. Every domain certificate problem I’ve ever had to work on has been the result of someone ‘just lashing it in’. Take the time to do it properly, and think about your domain PKI design; consider things like offline Root CAs, multi-tier Sub CAs, CRLs, and OCSP.
Luckily, I’ve spent a ton of time already on Certificate Services; look through the following article;
If you are simply setting this up on the test bench, or for a POC (in a non-production domain), then add the role from Server Manager.
These are the roles I deploy, but for this solution you only really need the Certification Authority role.
Note: If you are interested in what the other roles do, then search for them above (I’ve blogged about NDES and the Enrollment Web Services before).
Step 3: Certificate Templates
You will need to create and publish three certificate templates;
VPN-User (Based on the User Template)
NPS-Servers (Based on the RAS and IAS Template)
VPN-Servers (Based on the RAS and IAS Template)
VPN-User Certificate: Open the Certification Authority management console > Certificate Templates > Manage > User > Duplicate Template.
General Tab:
Template Display Name: VPN-User
Publish certificate in Active Directory: UNTICK.
Compatibility Tab:
Certification Authority: Windows Server 2016 (Though 2012 R2 will work)
Certificate Recipient: Windows 10 (Though Windows 8.1 will work)
Request Handling Tab:
Allow private key to be exported: UNTICK
Cryptography Tab:
Provider Category: Key Storage Provider
Providers: First: Microsoft Platform Crypto Provider; Second: Microsoft Software Key Storage Provider.
Note: There are two because the first one requires a TPM chip; if the client machine does not have one, enrolment fails. Listing ‘Microsoft Software Key Storage Provider’ as well lets it ‘fall back’ to that provider if there is no TPM. Bear in mind that a software-protected key can be copied off the machine far more easily than a TPM-bound one, so for production decide deliberately whether you want that fallback for machines without a TPM.
Security Tab:
ADD: VPN-Users: GRANT: Read, Enrol, and Autoenrol.
DELETE: Domain Users
Note: In a test environment, you may also want to UNTICK the option ‘Include e-mail name in subject name‘ on the Subject Name tab or you may see this problem.
Issue the certificate template.
Repeat the procedure but this time make a duplicate of the RAS and IAS template.
General Tab:
Template Display Name: NPS-Servers.
Compatibility Tab:
Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
Certificate Recipient: Windows 10 (Though Windows 8.1 will work).
Security Tab:
ADD: VPN-NPS-Servers: GRANT: Read, Enrol, and Autoenroll.
DELETE: RAS and IAS Servers.
Apply > OK > Now make a second duplicate of the RAS and IAS certificate template.
General Tab:
Template Display Name: VPN-Servers.
Extensions Tab:
Edit > Add > IP Security IKE Intermediate > OK > OK.
Security Tab:
ADD: VPN-RAS-Servers: GRANT: Read and Enrol ONLY.
DELETE: RAS and IAS Servers.
Subject Name Tab:
Supply in the request: TICK (accept the warning). The warning is worth heeding: anyone allowed to enrol for this template can ask for any subject name, which is exactly why the Security tab above restricts it to VPN-RAS-Servers with no Autoenrol.
Compatibility Tab:
Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
Certificate Recipient: Windows 10 (Though Windows 8.1 will work).
Issue both of the server certificate templates.
Step 4: Group Policies Auto-Enrolment
Again, I’ve written about this before, so for some extra reading on the subject see the following article;
In the ‘Group Policy Management Console’ create a new GPO; I’m simply linking it to the root of the domain, but you can of course link it to the OUs that your RAS and NPS servers live in.
Edit the policy.
Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.
Update certificates that use certificate templates: TICK.
Close and exit the policy editor.
Now I’m creating another policy for my USER auto-enrolment (I could have used the same policy above, which is linked to the root of the domain, but I like to keep them separate; it’s your choice). Anyway, just ensure the policy is linked to your USERS.
Edit the policy.
Navigate to: User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.
Update certificates that use certificate templates: TICK.
Step 5: Testing Certificate Deployment
Remember we are deploying two computer certificates and one user certificate, and they are all based on group membership, so your servers need to be rebooted before they will pick up their group membership, and your user(s) need to log off and log on. Also bear in mind you might want to force group policy; see the following article;
NPS-Servers Certificate: Windows Key+R > certlm.msc > Personal > Certificates > You should have a certificate based on the NPS-Servers template.
VPN-Servers Certificate: Windows Key+R > certlm.msc > Personal > Certificates > All Tasks > Request New Certificate > Next.
Note: You are doing this one manually because this certificate does not auto-enrol; that’s because the certificate will need a different name on it (the public DNS name of the RAS server).
Next > Click the ‘More information…’ link > In the Subject Name section, set the Common Name to the private DNS name of the RAS server. In the Alternative Name section, set a DNS value to the public name of the server > Apply > OK.
Enroll > Finish.
You now have a certificate based on the VPN-Servers template.
VPN-User Certificate: Just a quick note: on the Windows 10 client, run certlm.msc again, but this time ensure you have your domain CA’s certificate listed in the ‘Trusted Root Certification Authorities’ folder.
Now this console lists computer certificates, and we need to look at user certificates (I could just run certmgr.msc instead), but old habits die hard, so I’ll launch an MMC console and add a snap-in.
Add ‘Certificates’ (Note: if I were an administrator I would be prompted to choose computer or user certificates; as I’m just a user, current user is selected by default) > OK.
And there’s my certificate based on the VPN-User template.
If you’re struggling and the user certificate refuses to appear, read my note (above) about e-mail addresses (that’s a very common error that causes auto-enrolment to fail). For troubleshooting, look in the event logs and in the ‘Failed Requests’ section on your CA server. For all certificates, if something isn’t working then either something is in the wrong group, the wrong group has been given permissions on the certificate template, or the GPO is linked to the wrong location.
That’s it for Part One. In Part Two I will look at deploying my RAS/VPN server into my DMZ, and having a rant/sneer at Microsoft’s continuing policy of trying to bypass my firewall.
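Rather than eyeballing three certificate stores, here is an added example (not from the original article) that checks each of the Step 3 certificates actually landed, with the right template, the EKUs the role needs (including the ‘IP security IKE intermediate’ one the VPN-Servers template adds), a private key, and the public name in the SAN. The template names are the article’s; the public VPN host name (vpn.example.com) is an assumption. The template name is read from the ‘Certificate Template Information’ extension, so it matches the template name, not the display name, if the two differ. Run the machine-store checks elevated on the relevant server and the user-store check as the VPN user on the client.

```powershell
# Added example (not from the original article): verify the enrolled certificates.
# OIDs used: 1.3.6.1.4.1.311.21.7 / .20.2 (template info), 2.5.29.37 (EKU),
# 1.3.6.1.5.5.7.3.1 (Server Auth), 1.3.6.1.5.5.7.3.2 (Client Auth),
# 1.3.6.1.5.5.8.2.2 (IP security IKE intermediate).
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        $text = $ext.Format($false)
        # v2+ templates: "Template=VPN-User(1.3.6...), Major Version Number=..."
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -and $text -match 'Template=([^\(,]+)') { return $matches[1].Trim() }
        # v1 templates carry the name directly.
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2') { return $text.Trim() }
    }
}

function Test-EnrolledCert {
    param([string]$StorePath, [string]$Template, [string[]]$RequiredEku = @(), [string]$ExpectedSan)
    $certs = Get-ChildItem $StorePath | Where-Object { (Get-CertTemplateName $_) -eq $Template }
    if (-not $certs) {
        return [pscustomobject]@{ Template = $Template; Found = $false; Subject = ''; Thumbprint = ''; Problems = "no certificate from this template in $StorePath" }
    }
    foreach ($c in $certs) {
        $problems = @()
        $ekus = ($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
        foreach ($e in $RequiredEku) { if ($ekus -notcontains $e) { $problems += "missing EKU $e" } }
        if ($ExpectedSan -and ($c.DnsNameList.Unicode -notcontains $ExpectedSan)) { $problems += "SAN lacks $ExpectedSan" }
        if (-not $c.HasPrivateKey) { $problems += 'no private key' }
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) { $problems += 'expires within 30 days' }
        [pscustomobject]@{ Template = $Template; Found = $true; Subject = $c.Subject; Thumbprint = $c.Thumbprint; Problems = ($problems -join '; ') }
    }
}

# NPS server: auto-enrolled NPS-Servers certificate, must carry Server Authentication.
Test-EnrolledCert 'Cert:\LocalMachine\My' 'NPS-Servers' -RequiredEku '1.3.6.1.5.5.7.3.1'

# RAS server: manually enrolled VPN-Servers certificate, must carry Server Authentication
# and IP security IKE intermediate, with the public name (assumed) in the SAN.
Test-EnrolledCert 'Cert:\LocalMachine\My' 'VPN-Servers' -RequiredEku '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.8.2.2' -ExpectedSan 'vpn.example.com'

# Client, run as the VPN user: VPN-User certificate with Client Authentication.
Test-EnrolledCert 'Cert:\CurrentUser\My' 'VPN-User' -RequiredEku '1.3.6.1.5.5.7.3.2'
```

An empty Problems column is what you want. ‘Found = False’ on the auto-enrolled templates points at the group, template ACL or GPO link, exactly as the paragraph above says; ‘missing EKU’ on VPN-Servers means the IKE intermediate extension was not added to the template before the certificate was requested.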
Related Articles, References, Credits, or External Links
A massive thank you to Joseph Moody and Kevin Kaminski, fellow MVPs who took the time to reply to my Always On VPN queries.