Active Directory/VPN madness

-tk Detroit, MI USA Icrontian
edited May 2004 in Science & Tech
OK, I did some searching and couldn't find the answer, so maybe you guys can help. Here's the rundown:

The client has an Active Directory domain, all Win2k/XP clients. The network worked perfectly until I set up one of the servers to be a VPN server using Win2k Routing and Remote Access. The VPN is PPTP since all the remote clients are Win2k, and the VPN server is behind a NAT server. All they needed was "dial in" access for two home users. So I go in and configure RRAS to allow remote access, and enabled dial-in access for the two accounts that need to get in. I'm having two problems:

1. The only user I can get logged into the VPN is the one that's a member of the Administrators and Domain Admins groups, and the administrator account. When the other (non-admin) account tries to log in, I get an authentication error (username/password is invalid on the domain).

2. The morning after I set up the server, no one on the network could get to any of the file/print servers.
I got it working by changing (in the domain security policy) "Allow users to access this computer from the network" to the "Everyone" group. It seems as though the remote access policy was dictating the group policy for the whole domain, totally bypassing the Active Directory group policy, but after I changed it everything worked.

I checked the Microsoft KB, my little Win2k VPN book, and everywhere else on the internet, and none of the answers I found helped, so I'm at a loss.
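A defender-side check for the policy change described in the post above, added here as an example and not part of the original thread: it parses a security template exported with `secedit /export /cfg` (the `[Privilege Rights]` layout is assumed to match the constructed sample) and flags the "Access this computer from the network" right (SeNetworkLogonRight) when it is granted to Everyone or Anonymous Logon rather than to Authenticated Users or specific groups.

```python
"""Flag an over-broad 'Access this computer from the network' grant in a secedit export."""

# Well-known SIDs that make SeNetworkLogonRight broader than it should be.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
}
RIGHT = "SeNetworkLogonRight"


def parse_privilege_rights(inf_text):
    """Return {right_name: [SIDs]} from the [Privilege Rights] section of an INF template."""
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs as *S-1-..., comma separated; strip the leading '*'
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def broad_network_logon_grants(inf_text):
    """Return the names of over-broad principals holding SeNetworkLogonRight."""
    rights = parse_privilege_rights(inf_text)
    return [BROAD_SIDS[sid] for sid in rights.get(RIGHT, []) if sid in BROAD_SIDS]


# Constructed sample mimicking a 'secedit /export /cfg policy.inf' result after
# the change in the post (Everyone added alongside Administrators and Users).
# A real export is UTF-16; read it with open(path, encoding="utf-16").
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for who in broad_network_logon_grants(SAMPLE_INF):
        print(f"{RIGHT} is granted to {who}; prefer Authenticated Users or specific groups")
```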



  • Shorty Manchester, UK Icrontian
    edited May 2004
    NAT server or firewall?

    Are you using ISA for proxy/NAT?
  • -tk Detroit, MI USA Icrontian
    edited May 2004
    It's like this:

    internet---->firewall/NAT box (OpenBSD)---->switch---->VPN server/the rest of the network

    BTW: the VPN server does have 2 NICs, one with a real static IP and one on the internal net with a private IP.
    I also forgot to mention that the inbound home users are NATed too.
  • Shorty Manchester, UK Icrontian
    edited May 2004
    You could theoretically drop the public static and allow port 1723 to the VPN box via a pigeon port-forward on the BSD box, just assign the static as a secondary IP to the BSD rig.

    The windows VPN client isn't the most robust client ever. Also check that the NAT clients are behind routers that allow VPN passthrough.

    That's some thoughts there..

    Any way you can put a serial dial-up modem on the box and test that the RAS server is actually behaving as it should?