Joining Networks over the Internet with a Gateway to Gateway VPN:
ISA Server to Branch Office ISA Server/Domain Controller – Part 2
by Thomas W Shinder, M.D.
In part one of this two-part article I went over the user account and DNS server configuration on the remote VPN gateway. In this article we’ll finish up by running DCPROMO, changing the domain name on the user account, changing the DNS zone properties, making some important DNS-related Registry changes and, finally, installing ISA Server at the remote office.
Running DCPROMO on the Branch Office VPN Gateway
Now that we have the DNS server working and the internal interface configured to use this DNS server, we can start the DCPROMO promotion to a domain controller. While it’s not required, I recommend you continuously ping a host on the branch office from a client on the main network. This will keep the link up (although it should always stay up anyhow, since it’s configured to be permanent), and will also help your assistant determine if the link has gone down for some reason.
Make sure the gateway to gateway VPN link is up, and then perform the following steps to promote the remote VPN server:
- Click Start and then click the Run command. Type dcpromo in the Open text box and click OK. Click Next on the Welcome to the Active Directory Installation Wizard page.
- On the Domain Controller Type page, select the Additional domain controller for an existing domain option and click Next. Note the warning on this page: Proceeding with this option will delete all local accounts on this server. All cryptographic keys will be deleted and should be exported before continuing. All encrypted data, such as EFS-encrypted files or email, should be decrypted before continuing or it will be permanently inaccessible. This is serious business, so make sure you heed this advice. Click Next.
- Enter a domain administrator’s credentials on the Network Credentials page and click Next.
- Type in the name of the domain in the Domain name text box on the Additional Domain Controller page. Click Next.
- Accept the defaults on the Database and Log locations page (unless you have a reason not to) and click Next.
- Accept the default on the Shared System Volume page (unless you have a reason not to) and click Next.
- Type in the Directory Service Restore Mode password and confirm it on the Directory Service Restore Mode Administrator page. Click Next.
- Click Next on the Summary page. You’ll see the machine being promoted and the objects copied from the domain controller at the main office over to the branch office VPN gateway across the VPN link.
- Click Finish on the Completing the Active Directory Installation Wizard page.
- Click the Restart Now button to restart the server. At this point the VPN gateway link will fail and it won’t come up again until we make changes to the credentials used by the calling VPN gateway.
Change the Domain Name in the Dial-up Credentials on the Calling VPN Gateway
The account we used to allow the calling gateway to connect to the remote gateway is gone. The old account was contained in the local SAM on the remote VPN gateway. Now that the remote VPN gateway is a domain controller, it no longer has a local SAM, so you’ll have to use a domain account. Fortunately, we created a domain account with the same name as the account we used before. All we need to do is change the domain name.
- On the Local VPN gateway, open the Routing and Remote Access console from the Administrative Tools menu.
- Expand your server name and then click on the Routing Interfaces node in the left pane of the console. Right click on the Demand-dial interface you created for the gateway to gateway link and click the Set Credentials command.
- In the Interface Credentials dialog box, change the name of the Domain from the remote VPN gateway computer name to the NetBIOS name for the domain. Type in the password you configured for this account in the Active Directory. Click OK.
- Ping a host on the branch network from a host on the main office network. This will trigger the demand dial interface to dial up.
Change the DNS Zone to Active Directory Integrated Zones
One of the big advantages to using Active Directory is that you can integrate your DNS zones with the Active Directory. The DNS zones we created earlier were secondary zones. We no longer need to use secondary zones since the DNS server is now a domain controller.
- Open the DNS console from the Administrative Tools menu.
- Expand your server name and then expand the Forward Lookup Zones and Reverse Lookup Zones nodes in the left pane of the console. Right click on one of the zones and click the Properties command.
- In the zone Properties dialog box, click on the General tab. On the General tab, click on the Change button.
- In the Change Zone Type dialog box, select the Active Directory-integrated option and click OK.
- On the General tab, change the Allow dynamic updates? setting to Only secure updates. Click Apply and then click OK.
- Repeat the procedure for each of the zones, so that all the zones under your control are Active Directory integrated.
Remove Bogus DNS Entries and Make Registry Changes
The problem with running a DNS server on the RRAS server is that a load of bogus entries get registered in the DNS. These bogus addresses include the virtual interface address used by RRAS and the address used by the external interface. The DNS server does not need to be aware of these addresses because you’re using this server to resolve private addresses only, and you definitely don’t need to have the virtual IP address in the DNS server.
Take a look at the figure below. This is the remote VPN gateway and its internal interface IP address is 192.168.10.1 and the external interface IP address is 172.31.0.2. So what are all these other IP addresses? They’re IP addresses that shouldn’t be there! Right click on each of the entries with a bad IP address and click the Delete command.
You have to make a couple of Registry entries to prevent these addresses from coming back.
- Click Start and click the Run command. In the Run dialog box, type regedt32.
- Add the following Registry Value, this entry will prevent all adapters on the VPN gateway/domain controller from dynamically registering in DNS:
Data Type: REG_DWORD
- While the last entry fixes the dynamic update issue, you also need to prevent the DNS server from registering its own interfaces. Use this entry to stop this bad behavior:
Data type: REG_SZ
Range: IP address on the internal interface of the branch VPN gateway
- The following entries will prevent the Netlogon service from automatically registering entries in the netlogon.dns file.
Data type: REG_DWORD
Data type: REG_DWORD
- Restart the Server after making the changes.
Log on and open the DNS console and examine the records. You should not see the same bogus addresses reinserted into any of the zones. If you notice these records are reinserted, it could be that the records were replicated to the DNS server at the main office. If so, delete the bogus DNS resource records from all DNS servers and restart the remote VPN gateway.
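The Registry changes above and the follow-up check can be scripted. The block below is an added example, not code from the article or from Microsoft: the value names and hives it writes are the standard ones Microsoft documents for stopping DNS self-registration on a Windows domain controller (the article’s own value names did not survive in this copy, so treat them as an assumption and verify them against the Microsoft documentation for your Windows version before applying), and the RRAS virtual address in the constructed sample list is a placeholder. Run it in an elevated PowerShell session on the branch VPN gateway/domain controller.

```powershell
# Added example, not part of the original article. Assumptions: the documented
# Windows value names below (DisableDynamicUpdate, PublishAddresses,
# RegisterDnsARecords), an internal /24 on 192.168.10.0, and the addresses in
# the constructed sample list. Requires an elevated PowerShell session.

$InternalAddress = '192.168.10.1'   # internal interface of the branch VPN gateway (from the article)
$InternalPrefix  = '192.168.10.'    # internal subnet; assumption: a /24

$RegistrySettings = @(
    # Stop every adapter on the box from registering itself in DNS (REG_DWORD = 1).
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'DisableDynamicUpdate'; Type = 'DWord';  Value = 1 },
    # Tell the DNS service which address to publish for itself (REG_SZ).
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
       Name = 'PublishAddresses';     Type = 'String'; Value = $InternalAddress },
    # Keep Netlogon from registering the DC's A records on every interface (REG_DWORD = 0).
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RegisterDnsARecords';  Type = 'DWord';  Value = 0 }
)

function Set-DcDnsRegistration {
    param([hashtable[]]$Settings)
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
        Write-Host ("{0}\{1} = {2}" -f $s.Path, $s.Name, $s.Value)
    }
}

# Return every registered address that lies outside the internal subnet.
function Get-BogusAddresses {
    param([string[]]$Addresses, [string]$Prefix)
    $Addresses | Where-Object { -not $_.StartsWith($Prefix) }
}

Set-DcDnsRegistration -Settings $RegistrySettings

# Constructed sample of what the DNS console showed before the cleanup: the
# internal address, the external address 172.31.0.2 from the article, and a
# placeholder for the RRAS virtual interface address.
$SampleRecords = @('192.168.10.1', '172.31.0.2', '10.255.255.1')
$expectedBogus = Get-BogusAddresses -Addresses $SampleRecords -Prefix $InternalPrefix
Write-Host ("Sample records that should be deleted: " + ($expectedBogus -join ', '))

# After the restart, ask the resolver what this host's name maps to. Anything
# outside 192.168.10.x means a leftover record, possibly replicated back from
# the main office DNS server.
$resolved = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.ToString() }
$bogus = Get-BogusAddresses -Addresses $resolved -Prefix $InternalPrefix
if ($bogus) { Write-Warning ("Bogus addresses still registered: " + ($bogus -join ', ')) }
else        { Write-Host "Only internal addresses are registered for this host." }
```

Run it once, restart the server as the article says, then run it again: the second pass should report only internal addresses. The script deliberately leaves Netlogon’s SRV registration alone and only stops the A-record registration, because the branch clients still need the domain controller’s SRV records to find it.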
Install ISA Server and Run the VPN Server Wizard
The last steps are to install ISA Server and run the ISA Server VPN Server Wizard. The VPN gateway at the main office won’t be able to call the branch office VPN gateway right after ISA Server is installed because there are no packet filters to allow the inbound VPN connections. However, ISA Server’s VPN Server Wizard will automatically create the packet filters required to allow the VPN gateway link to succeed.
Perform the following steps to install ISA Server:
- Run the ISAAutorun.exe file on the ISA Server CD. Click the Install ISA Server link on the splash page.
- Click Continue on the Welcome page.
- Enter your CD Key on the CD Key page. Click OK. Click OK on the Product ID page.
- Click the I Agree button on the EULA page.
- Click the Full Installation button on the installation type page. You can always remove the components you don’t want later.
- In this example we are not working with an array, so we’ll select the Yes button on the array warning dialog box.
- On the mode page, select the Integrated mode option and click Continue.
- Click OK on the dialog box warning you that it must stop the W3SVC. Note that when you restart the computer, the W3SVC will restart.
- On the cache settings page, type in a size for your Web cache and click Set. Click OK.
- On the LAT page, click on the Construct Table button. Remove the checkmark from the Add the following private ranges checkbox. Put a checkmark in the checkbox that matches your internal interface. Click OK. Click OK on the dialog box informing you of how the LAT was configured. Click OK.
- Click OK in the Launch ISA Management Tools dialog box. Click OK on the dialog box that says everything worked out OK.
- Install ISA Server Service Pack 1 immediately. After Service Pack 1 is installed, I recommend that you install Feature Pack 1, although it’s not required. Note that in this lab I have installed the Feature Pack.
Now that the ISA Server is installed, perform the following steps to get the packet filters automatically created:
- In the ISA Management console, expand your server name and then right click on the Network Configuration node in the left pane of the console. Click on the Allow VPN client connection command.
- Click Next on the Welcome to the ISA Virtual Private Network Configuration Wizard page.
- Click Finish on the Completing the ISA VPN Server Configuration Wizard page. Click Yes on the dialog box asking if you want to restart the RRAS service.
The gateway connection should be able to connect almost immediately after the packet filters are created.
You must put all internal networks in the LAT, because the VPN gateway links internal networks. If you forget to put all internal networks into the LAT, then the Firewall client will believe that the remote networks joined by the VPN gateways are external, and the Firewall clients will try to send requests to the remote networks out the external interface of the ISA Server instead of across the VPN link.
Conclusion and Summary
In this two-part article we reviewed the procedures required to create a gateway to gateway connection between an ISA Server at the main office and an ISA Server/domain controller at a remote branch office. This scenario is common when organizations have a single Windows 2000 Server at the remote site and would like to use that server as a remote domain controller and DNS server to improve bandwidth conditions on the link connecting the branch and main offices.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001438 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom