VPN problems please help

[hccomps]

Hi, i have a win 2k server as a domain controler also running exchange 2000. I also have a seperate server also running win 2000 server set up as VPN server, DHCP server, and router. Everything is working fine and i can VPN in no problem. The only this is that i have to set up user on both the domin and the VPN server. Is there a way to autenticate from the list of domin users through the VPN server?

 

[tangostar]

Yes domain users shold be able to connect through your VPN.
Have you inabled Dial-up access on the Domain User Accounts?

 

[hccomps]

yes i have but i havent joind the VPN server to the domain. I think what u are saying is that is i join the domain with the VPN server then domain users with dial in access will be able to login with me having to set up an account locally on the VPN server?

 

[tangostar]

I believe so.

 

[hccomps]

ok i joined the VPN server to the domain and now when i try to conect it gets to verifiying my user name and password, waits about 1 min and then gives me The computer you're dialing in to cannot establish a Dial-Up Networking connection.
Check your password, and then try again.

 

[tangostar]

In Routing and remote access did you create a VPN policy that inclueds your protocol and a NAS port type Virtual VPN?

 

[hccomps]

sorry for seaming a little dumb but you lost me there, i am new to VPN. I ran through the wizard and like i said everything worked untill i joined the domain. if i take the VPN server of the domain i can conect again

 

[PMuller]

I am a little new to this as well, but I would like to hazard that if you want your users to be authenticated on a different server than the one they are comming in on, you will need to make sure that you have Active directory running on both server. (I assume you have on your 'main' server, but not on your VPN machine)... If you are using WIN2000 or WIN2003 its probaly a good idea to be using AD anyway... what happens is that your users will automatically be replicated out to the AD on your VPN server and will get authenticated when they log in ... thats the first part.. To allow connection you need to identify the user or users that are going to connect and then look at their properties in the management console.. make sure that you set 'allow access' in the 'Dial-In' tab


the second part is making sure you have your VPN set up correctly.. I expect you have used the Routing and Remote access wizard to set it up...Does your server have one or two network cards? MS recommends using two cards... but I have not got it to work with two (yet)... Use the wizard (in 2000 and select no NIC's when you set it up... - it defaults to the one you have your DNS and fixed ip assignments) .. Something not to forget is to check the policy of the RRAS you set up.. it only has one... check to make sure it is set to enable... it is set to deny by default

If the server is on the same subnet.. and has a fixed ip address try pinging it from your workstation. If that works then use the WINXP connection wizard to create a connection with the IP address of the VPN server...

Once you have it working in house... you can try make the whole thing run over your router.. but thats a whole other ball of wax...

Hope it helps

 

[jcurtiss]

you don't have to have AD running on both servers; but you have to set up IAS (windows version of RADIUS), and i believe you have to do it on the domain controller. then the VPN server will take inbound credentials and bounce them off the domain controller.

 

[PMuller]

I would have to agree with you.. I have not used IAS and when I think about it.. the option is there when you set it up, so I guess that obviates the need for AD, sorry about that..

Peter