Setting up Routing and Remote Access Server (MS Server 2012 R2)

duncan-idaho

Junior Member
Jul 31, 2013
19
0
0
Hi AT

I am trying to set up a file server/router box to replace my wireless router. Ignore the wireless part for now, I'll deal with adding an AP later. Essentially, I have a little always-on file server:

FD Node 304 m-ITX case w/ CoolerMaster Silent Pro 450w (41 dollars for an 80plus gold PSU, hoorah!)
Gigabyte H77n-WIFI for the mobo (mITX with dual gigabit lan? Chea)
i5-2500k (not an ideal choice but I already had it laying around)
This is running Server 2012 R2 DC (because why not?) preview

The idea is that it will sit between my modem (Thomson DCM 475) and my switch (which is in fact a Cisco RV220w, only I'm not using the WAN port. I also disabled its DHCP server and DNS proxy functions). It will be configured as an Active Directory Primary DC, so running DHCP + DNS + AD-DS + RRAS (DirectAccess, VPN, routing).

The problem I have been encountering is really basic. When I plug the modem directly into one of the NICs on the file server's motherboard, I can't get a connection to the internet. Modem works fine when plugged into my router, has worked fine in the past directly plugged into my laptop or desktop.
It has an IP address of 192.168.100.1
It assigns an IP address to my server of 169.254.xx.xx
When I manually assign my server's NIC an IP of 192.168.100.x + Subnet 255.255.0.0 + Def Gateway 192.168.100.1, and since it requires DNS I use Google's public DNS (8.8.8.8, 8.8.4.4).

Everything seems to work correctly with those settings, except it won't resolve DNS!
Have tried factory resetting the modem to clear its DHCP tables etc, nothing seems to work. I can even connect to the modem's diagnostic page, still no DNS resolution

Anybody see what I am doing wrong?
 

tomt4535

Golden Member
Jan 4, 2004
1,758
0
76
Did you power cycle the cable modem when you moved it from the router to the PC? If the cable modem really is just a cable modem (and not some sort of router/modem combo), it should assign you a public IP, not a 192.168.x.x address. Most cable modems can only recognize one MAC address at a time, and when switching between different devices, you need to power cycle the modem.

If you are going to install DNS on the Windows server, you need to put the actual server's IP address as the DNS server IP in the adapter properties. Then inside of DNS, you need to configure your ISP's DNS servers (or Google's or whatever) as forwarders. Configure your DHCP server to hand out the IP address of your server for DNS and you should be good to go.

Also, it is a bad practice to put RRAS on the same server as the domain controller and all the other functions. It will totally work, but to be the most secure, it is best to only have RRAS as the only role on that server.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Well the first issue with DNS is that for AD you cannot have an AD server or AD managed server / computer pointing to anything other than AD managed DNS. So putting Google in your DNS setting of the NIC will not work [correctly.] You need to configure AD DNS and then either use the root servers or use Google IPs as forwarder addresses.

I also don't see anything that seems to indicate that the Thomson DCM 475 is a router. Are you sure it was giving you DHCP etc?
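
The DNS arrangement tomt4535 and imagoon describe above (the server's adapter pointing at its own DNS service, public resolvers used only as forwarders, DHCP handing out the server's address), as an added PowerShell example that is not part of the thread. The adapter names, LAN address and DHCP scope ID are assumed values; the forwarder addresses are the ones named in the thread.

```powershell
# Added example, not from the thread. Run elevated on the server that hosts
# the DNS Server and DHCP Server roles.
# Assumed values: adapter aliases, the server's LAN address, the DHCP scope ID.
$LanAlias   = 'LAN'
$WanAlias   = 'WAN'
$ServerIp   = '192.168.1.10'
$ScopeId    = '192.168.1.0'
$Forwarders = '8.8.8.8', '8.8.4.4'   # Google public DNS, as named in the thread

# 1. The server resolves through its own AD-integrated DNS service.
Set-DnsClientServerAddress -InterfaceAlias $LanAlias -ServerAddresses $ServerIp

# 2. Public resolvers are configured only as forwarders inside the DNS role.
$existing = @(Get-DnsServerForwarder |
    Select-Object -ExpandProperty IPAddress | ForEach-Object { "$_" })
foreach ($f in $Forwarders) {
    if ($existing -notcontains $f) { Add-DnsServerForwarder -IPAddress $f }
}

# 3. DHCP clients are handed the server's address as their DNS server.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $ServerIp

# Check A: no adapter should still list a public resolver directly.
$direct = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses | Where-Object { $Forwarders -contains $_ } }
foreach ($a in $direct) {
    Write-Warning "$($a.InterfaceAlias) points straight at a public resolver."
}

# Check B: a 169.254.x.x address on the modem-facing adapter is APIPA,
# meaning no DHCP lease was received from upstream.
$wan = Get-NetIPAddress -InterfaceAlias $WanAlias -AddressFamily IPv4 `
    -ErrorAction SilentlyContinue
if ($wan.IPAddress -like '169.254.*') {
    Write-Warning "$WanAlias has an APIPA address; no DHCP lease from the modem."
}

# Check C: an external name resolves through the local DNS service,
# which exercises the forwarders end to end.
try {
    Resolve-DnsName -Name 'example.com' -Server $ServerIp -DnsOnly -ErrorAction Stop |
        Select-Object Name, Type, IPAddress
} catch {
    Write-Warning "Resolution via $ServerIp failed: $($_.Exception.Message)"
}
```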
 

duncan-idaho

imagoon said:
> Well the first issue with DNS is that for AD you cannot have an AD server or AD managed server / computer pointing to anything other than AD managed DNS. So putting Google in your DNS setting of the NIC will not work [correctly.] You need to configure AD DNS and then either use the root servers or use Google IPs as forwarder addresses.
>
> I also don't see anything that seems to indicate that the Thomson DCM 475 is a router. Are you sure it was giving you DHCP etc?

I found out about the AD DNS thing after posting but thanks for bringing it up.

The 475 is not a router...but correct me if I am wrong, doesn't a cable modem usually have the ability to assign an IP to your router (in this case a NIC on an RRAS server)? How else would plugging a PC into the modem directly normally work if not?
 

duncan-idaho

tomt4535 said:
> Did you power cycle the cable modem when you moved it from the router to the PC? If the cable modem really is just a cable modem (and not some sort of router/modem combo), it should assign you a public IP, not a 192.168.x.x address. Most cable modems can only recognize one MAC address at a time, and when switching between different devices, you need to power cycle the modem.
>
> If you are going to install DNS on the Windows server, you need to put the actual server's IP address as the DNS server IP in the adapter properties. Then inside of DNS, you need to configure your ISP's DNS servers (or Google's or whatever) as forwarders. Configure your DHCP server to hand out the IP address of your server for DNS and you should be good to go.
>
> Also, it is a bad practice to put RRAS on the same server as the domain controller and all the other functions. It will totally work, but to be the most secure, it is best to only have RRAS as the only role on that server.

I know it is bad practice to mix anything with a PDC...but it seemed simpler than installing Hyper-V and three to four VMs for a deployment I am only using for myself.

I did not power cycle it per se, skipped right to factory reset. Will try just a plain power cycle tomorrow, might treat it differently somehow..

thanks
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
RRAS makes a pretty terrible router, frankly.

Also, the reason that you aren't getting an IP on your server is likely because your ISP caches the MAC address of whatever's connected to your modem. Typically it's a 4 hour timeout. You can usually call them and they'll reset it.
 

duncan-idaho

drebo said:
> RRAS makes a pretty terrible router, frankly.
>
> Also, the reason that you aren't getting an IP on your server is likely because your ISP caches the MAC address of whatever's connected to your modem. Typically it's a 4 hour timeout. You can usually call them and they'll reset it.

See, that makes a ton of sense. Will call them now!

I know RRAS is a super inefficient way to set up routing for such a small network, it is really DirectAccess that I am interested in and since it comes as part of the same server role...might as well. I am trying to learn how to do all of this in the Microsoft ecosystem, then I'll figure out the Linux way (I have an up to date ClearOS iso that I'd use if I wanted routing done right...or just use my really really good Cisco VPN router. This is for learning, not because I think it is the best way).
 

duncan-idaho

Got off the phone with ISP, totally unhelpful.
Did a 30/30/30 reset of the modem to make sure it had to bind to a new MAC, still no dice. Wtf?

I have no activity of any kind over the modem by default. If I assign a static IP in the same range I can ping and tracert to the modem but no further. Any bright ideas?
 

Jamsan

Senior member
Sep 21, 2003
795
0
71
Is there a duplex mismatch? I know when setting PCs (or servers) directly into modems, it typically requires hard setting of speed (100Mbps) and duplex (full) or it can exhibit odd behavior. This isn't too typical in home equipment, but worth a shot.
 

imagoon

duncan-idaho said:
> See, that makes a ton of sense. Will call them now!
>
> I know RRAS is a super inefficient way to set up routing for such a small network, it is really DirectAccess that I am interested in and since it comes as part of the same server role...might as well. I am trying to learn how to do all of this in the Microsoft ecosystem, then I'll figure out the Linux way (I have an up to date ClearOS iso that I'd use if I wanted routing done right...or just use my really really good Cisco VPN router. This is for learning, not because I think it is the best way).

DA will work behind NAT. There is no reason to remove the router from the mix. DA is also by far not a "beginner" tech. You need a solid understanding of certificates and proper DNS for your home (not on the AD controller but for the internet) and a static IP. Also to self sign you will need to set up and understand a certificate authority.
 

duncan-idaho

imagoon said:
> DA will work behind NAT. There is no reason to remove the router from the mix. DA is also by far not a "beginner" tech. You need a solid understanding of certificates and proper DNS for your home (not on the AD controller but for the internet) and a static IP. Also to self sign you will need to set up and understand a certificate authority.

That is essentially why I am setting one up, I need a reason to learn about certificates!

The DA configuration screen I thought was pretty explicit about needing to be on the edge of the network. When it asks me for a public IP, how do I adjust for the fact that I am behind a router?
 

imagoon

duncan-idaho said:
> That is essentially why I am setting one up, I need a reason to learn about certificates!
>
> The DA configuration screen I thought was pretty explicit about needing to be on the edge of the network. When it asks me for a public IP, how do I adjust for the fact that I am behind a router?

You need a static public IP and there is some forwarding you do. Technet had a pretty good article about it.
 

duncan-idaho

imagoon said:
> You need a static public IP and there is some forwarding you do. Technet had a pretty good article about it.

I am cursed with residential cable, I have already asked for and cannot get a static IP. Dynamic DNS isn't an option?
 