Cincinnerdi Tech Stuff

A mind-numbing read if ever there was one


First 10 Steps: A new Win Server ON the net


Installing a new server using one of the old IBM PC 300GL machines and two NICs. I want to try putting this thing right ON the net.

1. Install – This being an R2 install of WinSrv2003 (though the build is still 3790, Service Pack 1), it asks for a 2nd disk to be inserted after you’ve logged in as administrator for the first time. I permitted this.

2. Update – A window then prompts you to download updates and to turn on automatic updates. Done. It then reported that any ports would be opened. Hmm.

Let’s go check Windows Firewall. Interestingly, it is OFF BY DEFAULT and states “Windows Firewall can’t run because … ICS is not running.” It then suggests you turn it on. I did.

Now I’ll go down and plug it directly onto the internet. First I’ll set up the NIC for DHCP. I did this and received an IP of 65.26.xx.xx/24.
Looks good so far. Now let’s kill the extra control over IE.

Now let’s go online to GRC.com and check for file sharing over the net and open ports. It reported 100% STEALTH. Great!
Now to set up DHCP on the other NIC. I plugged it into a switch with no other computers plugged in. I set up that other NIC with a static 172.16.1.1/24.
I did not set up a gateway or DNS. I renamed the NICs RED and GREEN to make it clear.
And went into the Advanced tab of Windows Firewall to turn the firewall off on the internal NIC.
3. Optimize page file – I went and set up the swap file on drive C:, which is another disk (an XP install is on it).
5. Update – changed the CD-ROM drive to drive letter Z:
4. i386 on disk – Tried to copy the i386 folder to drive E: but it failed at about 90% because that drive is only 512MB, so I ended up putting it on D:.

5. Config server – Whoa, I then went to set up DHCP and it wants to do the whole thing for me. Hmmmm? I could / should have skipped most of step 2 above.
I’d like to do it all on my own, but I guess I should see what happens when I let it.
This means I didn’t need to do that firewall setup. Here goes. I chose the first option.
I decided to give this the name risky.local:
Let her rip. But hold on, I get a message from RRAS saying I’ve got to turn off the Firewall. Yikes, it turns out almost ALL of the above would have been done automatically. Not sure why they would have you plug your computer into the ISP in the meantime without ANY firewall. I tried to keep the NIC unplugged, but of course it wanted it to be “up.” Hmm. Hope this goes fast. I guess I could have kept it plugged into the router that would have provided the DHCP for a time. Oh well.

After much time and access to the CD for i386 stuff:
It reports that there is a configuration log, “Configure Your Server.log”, in Windows\Debug. Salient details there were:

(1/27/2007 6:42:56 AM)
Configurations for Your First Server
The Routing and Remote Access Setup wizard completed successfully.
Preferred DNS server: 172.16.1.1
DHCP installed successfully.
This server has been successfully set up as a domain controller.
Install Active Directory and DNS
Full domain name: risky.local
NetBIOS domain name: RISKY
DNS installed successfully.
DHCP Server successfully authorized.
TAPI directory successfully set up.
An Application Naming Context was successfully set up in Active Directory on this domain controller for use by TAPI client applications. If you later need to demote this machine from being a domain controller, this Application Naming Context should be removed with the TAPICFG utility. The Application Naming Context has the following DNS name: redboot68.risky.local.

So what did this automatic install do? Here are some of the things I found:
I tried to get to Windows Firewall and could not.
I think this is due to RRAS being installed. YES, I found it as the last column:
Ran grc.com’s Shields Up again and all looks okay.

It also set up the default DNS server on GREEN and RED to be 127.0.0.1. Good.

Began setup of an XP client PC to be connected only to this server.

6. File server – Set up a RiskyShare folder on drive E: and shared it with Full Control share (SMB) permissions and Modify NTFS permissions.

7. Centralized logs – Set up a RiskyLogs folder on drive E: for future use, should I decide to isolate all logs into one spot.

8. Raise level – A bit later, raised the Domain Functional Level to native 2003.

9. Set Default Domain Security Settings – Password Policy – This is stringent by default, and I changed the minimum password age to 0 so I could change a password immediately.

10. Add OUs and users – I set up the OUs RiskyIT, RITUsers and RITCptrs; all passwords will be xxxxxxxx

Written by scottledyard

2007, January 27th at 11:19 am

Posted in RRAS, Win Srv 2003

Configuring a VPN on Win Server 3


This has been a confusing topic for me. My work on Cisco routers, VPN concentrators and clients seems to be unrelated to the Windows approach. Plus, setting up RRAS is very black-boxy and my textbook gives the advice, “Better use the Wizard so it don’t get screwed up.” Thanks.
I wanted to set this up on the slower Win Server and hook it through the ZoomTown ISP via the Linksys router. It has settings to pass through PPTP, L2TP and IPsec. Okay, no configuration there. Just turn it on (it is on by default).
So let’s install another NIC in the second server, redboot69, and, oh yeah, it needs an IP. Wait, it needs another network. Okay, the Linux LTSP is using 192.168.0.x/24 and the main net is 192.168.1.x/24, so let’s make this 192.168.2.x/24. Changed the Windows DHCP server. No, that’s not right; it won’t work on a separate net without DHCP Relay. Let’s change the Linksys DHCP to use .2.x. Okay, that hands the new NIC a whole set of new parameters. But wait, let’s put that in statically, and Windows gives the error:

It does NOT want there to be two default gateways.
When it has automatically set this up using DHCP from the router, the route print command gives a goofy setup:
Note there are two default routes (0.0.0.0). So, then I set up the 2nd NIC without a default gateway and without a DNS, and we get:
and a route print of:
Looks better, though I’m still not sure what it does with the redundant multicast and broadcast lines. Does it send to both? I guess that’d make sense.
So now it’s on to setting this up. It occurs to me that the ZoomTown IP changes regularly but the RoadRunner IP never does. So, let’s set the main net to use the ZoomTown (ZT) router. The to-do list is:
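To make the two-default-gateway problem visible without staring at the table, here is an added example (not from the original post) that parses a captured `route print` table and flags it. The sample table is constructed for the example: the addresses 192.168.1.69 and 192.168.2.69 are assumed to be the two NICs of a host that got a gateway from DHCP on both subnets, and the column layout follows the Windows Server 2003 `route print` format. The per-interface 224.0.0.0/4 and 255.255.255.255/32 entries are reported as expected, since Windows adds one of each per interface.

```python
"""Audit a captured `route print` table for a default route on more than one NIC."""
import re
from collections import defaultdict

# Constructed sample in Windows Server 2003 `route print` format: a host whose two
# NICs were both handed a default gateway by DHCP. Addresses are made up.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 aa bb cc ...... Intel(R) PRO/1000 - main net
0x3 ...00 0c 29 dd ee ff ...... 3Com EtherLink XL - second NIC
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.69     20
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.69     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.69    192.168.1.69     20
      192.168.2.0    255.255.255.0     192.168.2.69    192.168.2.69     20
        224.0.0.0        240.0.0.0     192.168.1.69    192.168.1.69     20
        224.0.0.0        240.0.0.0     192.168.2.69    192.168.2.69     20
  255.255.255.255  255.255.255.255     192.168.1.69    192.168.1.69      1
  255.255.255.255  255.255.255.255     192.168.2.69    192.168.2.69      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One "Active Routes" row: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(
    rf"^\s*(?P<dest>{IPV4})\s+(?P<mask>{IPV4})\s+(?P<gateway>{IPV4})\s+"
    rf"(?P<iface>{IPV4})\s+(?P<metric>\d+)\s*$"
)


def parse_route_print(text):
    """Return the Active Routes rows as dicts; header and footer lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            row = m.groupdict()
            row["metric"] = int(row["metric"])
            routes.append(row)
    return routes


def default_routes(routes):
    """The 0.0.0.0/0 entries; one per interface that has a default gateway."""
    return [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


def audit_routes(routes):
    """Return (findings, notes): findings are real problems, notes are entries
    that look redundant but are normal."""
    findings, notes = [], []
    ifaces = sorted({r["iface"] for r in default_routes(routes)})
    if len(ifaces) > 1:
        findings.append(
            "default route present on %d interfaces (%s): only one NIC should "
            "carry a default gateway; leave it off the internal NIC"
            % (len(ifaces), ", ".join(ifaces))
        )
    # Windows installs one link-scope multicast (224.0.0.0/4) and one limited
    # broadcast (255.255.255.255/32) route per interface, so duplicates here are expected.
    per_dest = defaultdict(set)
    for r in routes:
        if r["dest"] in ("224.0.0.0", "255.255.255.255"):
            per_dest[r["dest"]].add(r["iface"])
    for dest, ifs in sorted(per_dest.items()):
        if len(ifs) > 1:
            notes.append("%s appears once per interface (%d entries): expected" % (dest, len(ifs)))
    return findings, notes


def remove_gateway_from_interface(routes, iface):
    """Model the fix from the post: a static address with no gateway on the 2nd NIC."""
    return [r for r in routes if not (r["dest"] == "0.0.0.0" and r["iface"] == iface)]


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    findings, notes = audit_routes(table)
    for f in findings:
        print("FINDING:", f)
    for n in notes:
        print("note:", n)
    fixed = remove_gateway_from_interface(table, "192.168.2.69")
    print("after fix:", audit_routes(fixed)[0] or "no findings")
```

Run it against the output of `route print` saved to a file and the finding line tells you which interfaces are competing for the default route; after the second NIC is given a static address with no gateway, the audit comes back clean while the per-interface multicast and broadcast entries remain.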

  • Change the DHCP leases from 2 days to 2 hours so I can make this change effective quickly.
  • Change the DHCP option for DNS to have a backup of the ZT DNS servers.
  • Update the WinSrv2003 DHCP.
  • Turn off DHCP on the ZT router.
  • Change the ZT router IP to 192.168.1.1 and turn it off.
  • Change the WinSrv2003 DNS server to forward to the ZT DNS servers (216.68.4.10 & 216.68.5.10). Actually, I just added these and pushed them to the top of the list.
  • Change the RR router IP to 192.168.2.1.
  • Removed the cable from the basement RR router. Turned on the ZT router and cabled it over to the regular hub.
  • Visited workstations with wireless connections and switched the default Access Point to “TheLab” instead of “wescott”.
  • Unplugged the basement PC, plugged in a long cord and plugged the other end of the long cord into the common hub upstairs. I will need to move this computer to wireless so I can get it onto the .1 network.

Tried to connect to 192.168.2.1 from redboot69 and Firefox couldn’t get to it, nor could I ping it. I could ping 192.168.2.69 (itself). Hmm. Downloaded Angry IP and only got:


Written by scottledyard

2007, January 1st at 11:02 am

Posted in RRAS, VPN, Win Srv 2003
