Windows Server 2012 Essentials PPP RAS Adapter Registration in DNS

Today, I was looking at an issue where one of my clients at home was reporting that the server was unavailable, yet other clients were working perfectly fine. The client in question was a Surface Pro tablet running Windows 8.1. This issue turned out to be the Routing and Remote Access PPP RAS Adapter registering in my Windows Server 2012 Essentials domain’s DNS in addition to my local network adapter. Here’s how to spot the issue and to resolve it.

My server is named BGWSE1 and lives on a static IP Address of 10.10.10.201 in a 255.255.255.0 /24 subnet.

On the client I pinged the server by IP address to verify that it was indeed online and reachable from the client, which it was. I then tried to ping the server by name, which also returned a response, but it wasn’t on the first pass that I noticed that the IP Address was different. The IP Address returned was 10.10.10.30. Strange, I thought to myself, as this is an IP Address inside my DHCP scope which I run on the server using the start address of 10.10.10.10 and an end address of 10.10.10.50.

I logged on to the server and looked in the DNS Management Console and, sure enough, there was a second DNS A record registered for the server with the IP Address of 10.10.10.30. But where had this come from? The timestamp on the record was static and not a date and time stamp as seen on most records. I deleted the record as I knew I didn’t want it there, and no sooner had I refreshed the console than the record re-appeared.

Running ipconfig from the server, I saw a second network adapter for the PPP RAS connection with, you guessed it, 10.10.10.30 as its IP Address.

One Bing search later and the problem now appears to be resolved thanks to a Microsoft Support KB Article dating back to Windows Server 2003 entitled Name resolution and connectivity issues on a Routing and Remote Access Server that also runs DNS or WINS (http://support.microsoft.com/kb/292822). I have only actually followed step one, which is to add the record to the DNS service parameters to instruct the DNS service to only publish a given IP Address for the server. I’ve restarted the DNS and Routing and Remote Access services multiple times since making the change and the secondary DNS A record for my server BGWSE1 has not re-appeared.
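The check and the step-one fix as a script, added here as an example and not part of the original post or the KB article. It assumes the DnsServer PowerShell module that ships with Windows Server 2012, the PublishAddresses value from KB 292822, and a placeholder zone name, since the post does not give the domain's DNS name.

```powershell
# Added example, not from the original post. Run elevated on the DNS/RRAS server.
Import-Module DnsServer

$ServerName = 'BGWSE1'          # server name from the post
$StaticIp   = '10.10.10.201'    # static address from the post
$ZoneName   = 'example.local'   # placeholder: the post does not name the AD DNS zone

function Get-UnexpectedHostRecord {
    param([string]$Zone, [string]$Name, [string[]]$AllowedIp)
    # Return every A record for the host whose address is not on the allow list.
    Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -ErrorAction Stop |
        ForEach-Object {
            $ip = $_.RecordData.IPv4Address.IPAddressToString
            if ($AllowedIp -notcontains $ip) {
                [pscustomobject]@{
                    Address   = $ip
                    # Records without a timestamp show as "static" in the DNS console
                    Timestamp = if ($_.Timestamp) { $_.Timestamp } else { 'static' }
                }
            }
        }
}

$rogue = @(Get-UnexpectedHostRecord -Zone $ZoneName -Name $ServerName -AllowedIp $StaticIp)
if ($rogue.Count -eq 0) {
    Write-Output "Only $StaticIp is registered for $ServerName."
} else {
    $rogue | Format-Table -AutoSize

    # Step one of the KB: restrict which address the DNS service publishes for itself.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    New-ItemProperty -Path $key -Name PublishAddresses -PropertyType String `
        -Value $StaticIp -Force | Out-Null

    # Remove the stray records, then restart DNS so the setting takes effect.
    foreach ($r in $rogue) {
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $ServerName `
            -RRType A -RecordData $r.Address -Force
    }
    Restart-Service -Name DNS

    # Re-check: the record re-appeared immediately before the fix was in place.
    Start-Sleep -Seconds 10
    $left = @(Get-UnexpectedHostRecord -Zone $ZoneName -Name $ServerName -AllowedIp $StaticIp)
    if ($left.Count -gt 0) { Write-Warning "Stray A record(s) came back: $($left.Address -join ', ')" }
    else                   { Write-Output  "No stray A records for $ServerName after restart." }
}
```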

 

Windows Server 2012 Essentials Initial Admin Thoughts

I spend my days working with Windows Servers and more increasingly Windows Server 2012. Whilst I may not know everything there is to know (and who does after all), I like to think I know quite a bit on the subject and therefore my understanding of what’s good and proper is generally sound. Once the installation of Windows Server 2012 Essentials completed I was drilling through some of the back-end interfaces to dig up parts of how it worked and was strung together and these are my opinions based on those views as an administrator.

Active Directory Domain Services (ADDS)

As we know, Windows Server 2012 Essentials, unlike Windows Home Server 2011, creates a domain. It does this with the greatest of ease for the end-user driving the install, but with ease, you lack control, evident here.

The domain is created with a Windows Server 2012 Domain and Forest Functional Level, which is good; however, the Active Directory Recycle Bin feature, added in Windows Server 2008 R2 ADDS, is disabled. I think it should be enabled to help out people who accidentally delete user or computer accounts.

The domain is created with a .local domain suffix which for me is not nice as they can end up causing you problems depending on what you are trying to do with the domain environment. If you read some of the literature for Office 365 they don’t support federation using ADFS with .local domains.

The case sensitivity of the installer has big implications on the domain name created. I personally like to see a lowercase domain name (FQDN) with an uppercase Pre-Windows 2000 domain name (NetBIOS) but the installer uses the same name for both. From my previous post on installing Windows Server 2012 Essentials, whatever you type in the Internal Domain Name text field will be used for both, so be careful with that. You can change the Pre-Windows 2000 domain name using Active Directory Users and Computers (ADUC) or the PowerShell Cmdlets, but whether this will have implications for the Dashboard and other Essentials functionality is not clear without testing.

When new users and computers are added/connected to the domain using the dashboard and the client computer connector software, the new objects are placed in the Users and Computers containers respectively. I tried using redirusr and redircmp to move the new object creation to an OU, but this didn’t work and everything still hits the containers. Manually moving the objects later seems to cause no issues, but I think it’s very bad that the installer doesn’t at least create initial OUs for these objects as objects in containers can’t be linked to GPOs.

In Active Directory Sites and Services, no IP Subnets are configured to link to the site and the site is left with the standard name of Default-First-Site-Name. I don’t see any problems in renaming this and adding the subnets.

DNS

The DNS role is installed as a requirement for ADDS. The installation is basic, very basic. One Forward Lookup Zone is created for the DNS domain name specified in the installer, but no Reverse Lookup Zone. No Forwarders are configured so all recursive lookups will be hitting the Root Hints servers unless you are configuring the Essentials server to use the ISP router as its DNS server, which brings the next point, linked to DHCP. Clients will be receiving DHCP leases normally from a self-bought or an ISP router which will be configuring the clients with itself as the sole DNS server.

Unless the connector client does something very nasty like configure a static DNS server on the NIC in use for the Essentials server, how will it be able to resolve DNS records on the server as it will be relying on the records from the router?

Lastly on DNS is that Scavenging is disabled, so if you do use DHCP and have your clients leasing addresses directly from the Essentials server (which I would recommend) then the stale records won’t get cleaned up.
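A read-only audit of the DNS defaults described in this section, added here as an example and not part of the original post. It assumes the DnsServer PowerShell module on the Essentials server; the function name is hypothetical.

```powershell
# Added example, not from the original post. Read-only; run on the Essentials server.
Import-Module DnsServer

function Get-EssentialsDnsFinding {
    $findings = @()

    # No forwarders means every recursive lookup goes to the root hints.
    $forwarders = @((Get-DnsServerForwarder).IPAddress)
    if ($forwarders.Count -eq 0) {
        $findings += 'No forwarders configured: recursion uses the root hints only.'
    }

    # Ignore the auto-created 0/127/255 in-addr.arpa zones; look for a real reverse zone.
    $reverse = @(Get-DnsServerZone |
        Where-Object { $_.IsReverseLookupZone -and -not $_.IsAutoCreated })
    if ($reverse.Count -eq 0) {
        $findings += 'No reverse lookup zone exists for the local subnet.'
    }

    # Server-level scavenging switch.
    if (-not (Get-DnsServerScavenging).ScavengingState) {
        $findings += 'Scavenging is disabled on the server: stale records are never removed.'
    }

    # Scavenging also needs aging enabled on each zone that takes dynamic updates.
    $forward = Get-DnsServerZone | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and
        -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors'
    }
    foreach ($zone in $forward) {
        $aging = Get-DnsServerZoneAging -Name $zone.ZoneName -ErrorAction SilentlyContinue
        if ($aging -and -not $aging.AgingEnabled) {
            $findings += "Aging is disabled on zone $($zone.ZoneName)."
        }
    }

    $findings
}

$result = @(Get-EssentialsDnsFinding)
if ($result.Count -eq 0) { Write-Output 'No DNS findings.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```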

Certificate Authority (CA)

The installer configures an Enterprise Root CA on the server which is an online root and issuing CA in this instance. Anyone who knows PKI knows that an online root CA is bad news. I know it’s the only option as you can’t expect people to drop two servers, one to remain powered off for its life as an offline root CA, but that doesn’t stop it from being horrid.

The most annoying thing here is the name that the CA is given. [DomainName]-[ServerName]-CA. This is totally unfriendly and looks ghastly in any of your certificates. The CA isn’t configured to grant the account you specify as the administrator account during the installer as a KRA or a DRA so hope that nobody in your house or office tries to be clever and EFS encrypt their documents before losing the private key to open them.

Network Access Protection (NAP)

This role is installed to assign policy for the VPN and Remote Web Access. The administrative console for it is not installed to keep you blind to its configuration, but you can easily install this using Server Manager by adding the RSAT Feature for NAP.

Remote Desktop Services (RDS) Gateway

This component is used for the Remote Web Access. As with NAP, the console is not installed to keep you in the dark, but you can again install this using Server Manager by adding that RSAT Feature for RDS Gateway Tools.

Oddbox

Other random bits and pieces I noticed whilst poking around were as follows:

  • Memory Usage for the base install is 1.4GB and CPU Usage while idle was 4% on my Hyper-V 3.0 VM from my Core i3 desktop PC. It will be interesting to see how my physical AMD E-350 Zacate Home Server processor handles it or how the processor in the HP Microserver would fare.
  • No Group Policy Objects are configured aside from the two default domain policies. Do not rename either of the default policies as options in the Dashboard update the configuration of the policies and if the dashboard is looking for them based on name and not GUID, then you will hit problems.
  • The Server Backup feature within the dashboard relies on a dedicated and assigned local disk. There is no option for making use of Windows Azure Cloud Backup which is now supported in the Windows Server 2012 iteration of Windows Server Backup. I think Microsoft are missing a trick here as there are other 3rd parties already cashing in on the cloud backup market a la Windows Home Server 2011, such as Cloudberry.
  • Deleting any of the default server shares such as Recorded TV or Company (if you aren’t a company and you aren’t using Media Center for Live TV Archiving to the Essentials Server) for example causes warnings of missing folders in the Dashboard and causes Critical status alerts in the alert panel. There is a workaround for this courtesy of Philip Churchill at http://www.mswhs.com/2012/09/remove-default-shares-in-ws2012-essentials/.

Redirecting Windows Home Server 2011 Remote Web Access for Internal Clients

Windows Home Server 2011 features an impressive remote access site allowing you access to your digital media as well as remote access to your home computers. One of the components which allows all of this functionality to work is the Client Connector. This software element, installed on the client computers (which can be PCs or Macs for the record) enables the Home Server to backup your systems, along with enabling the features required on your system for the RemoteApp Remote Desktop Services connections to remote onto your PC from anywhere online.

In the Home Server Launchpad, the main user facing element of the Client Connector, there is a link for Remote Web Access which directly launches a browser session to the Windows Home Server 2011 Remote Web Access site, after you have configured your free homeserver.com domain with Microsoft and GoDaddy (this is configured using the Windows Home Server 2011 Dashboard).

In a normal home scenario with a router from your ISP or that you purchased elsewhere, clicking the Remote Web Access link will launch the Home Server Remote Web Access site using the homeserver.com domain you registered as the URL. In my not-so-normal home network, where I use a Cisco PIX firewall as my edge device, I have a problem.

Unlike a router, the PIX cannot route packets back through the same interface where the packet was initially received.

This sentence from the Cisco PIX Frequently Asked Questions explains the problem in one. Clicking the Remote Web Access link launches the browser session to the correct URL; however, because that URL resolves to the Internet IP associated with the outside interface on the PIX, the traffic flow is not permitted back through the firewall.

Being a Windows Systems Administrator, I like things on Windows, which means I prefer to run my infrastructure services like DNS and DHCP on the Home Server instead of allowing the router to do it. The DNS role in Windows Server 2008 R2 (the foundation for Windows Home Server 2011), and the DNS role in any Windows Server operating system for that matter allows you to create multiple zones for multiple domains to which the server will respond with DNS resolutions, and this is where the fix derives from.

The fix, or trick as the case may be, is to use DNS to reroute the client computer by resolving the homeserver.com domain name to the internal IP address of the Home Server, and away from the Internet side of the network, which ultimately will improve the performance of the Remote Web Access interface too.

On the Home Server, launch the DNS Manager console from Administrative Tools.

In the console, right-click on Forward Lookup Zones, and select New Zone.

In the New Zone Wizard on the Zone Type panel, select the Primary Zone option.

On the Zone Name panel, enter the full domain name that you specified in the Domain Name Setup Wizard from the Home Server Dashboard (in this example, I’m using server.homeserver.com).

On the Zone File panel, you can leave the default option to Create a New DNS Zone File.

On the Dynamic Updates panel, leave the option set to Do Not allow Dynamic Updates. This will help to prevent any rogue clients on the network from poisoning the DNS zone and directing your clients to the wrong IP address.

On the Completing the New Zone Wizard panel, verify that you have specified the homeserver.com domain correctly, and then select Finish to complete the wizard.

Back in the DNS Console, your new zone will be visible. In the new zone, right-click and select New Host (A or AAAA).

In the New Host dialog, leave the Name field blank and in the IP Address field, specify the IP Address of your Home Server. This IP Address should either be statically assigned to the Home Server, or it should be configured as a DHCP Reservation on whatever device is running your DHCP Server on the network (although if the Home Server is your DHCP Server, then this should obviously be static).

Congratulations. Your internal clients will now be able to access the Home Server Remote Web Access site, using the Client Connector user interface as Microsoft had intended, without a single packet touching the outside interface of your server.

If in your home network, you are using the router to perform DNS queries on your behalf, but your router prevents connections through the same interface that the connection was initiated as the PIX does, you could also implement this trick using the DNS HOSTS file, however this would need to be performed on a per client basis editing the HOSTS file. Using this example, the HOSTS file line item would be configured as follows:

192.168.1.100   server.homeserver.com   # Windows Home Server

Remember to flush your DNS cache on the clients using ipconfig /flushdns before testing your work regardless of whether you used the DNS or the HOSTS file methods to implement it.
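The DNS Manager steps above as a script, added here as an example and not part of the original post. It assumes dnscmd.exe is present on the Home Server (it is installed with the DNS role on Windows Server 2008 R2) and reuses the zone name and address from the post's example; the helper function name is hypothetical.

```powershell
# Added example, not from the original post. Run elevated on the Home Server.
$Zone     = 'server.homeserver.com'   # example zone name used in the post
$ServerIp = '192.168.1.100'           # example internal address from the HOSTS line

function Invoke-DnsCmd {
    # Run dnscmd.exe with the given arguments and stop on the first failure.
    & dnscmd.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Primary, file-backed zone (Zone Type, Zone Name and Zone File panels).
Invoke-DnsCmd /ZoneAdd $Zone /Primary /file "$Zone.dns"

# Dynamic Updates panel: 0 = do not allow dynamic updates, so clients on the
# network cannot register or overwrite records in this zone.
Invoke-DnsCmd /Config $Zone /AllowUpdate 0

# New Host with the Name field left blank: an A record at the zone apex ('@').
Invoke-DnsCmd /RecordAdd $Zone '@' A $ServerIp

# Verify against the local DNS service rather than the cache or HOSTS file.
ipconfig.exe /flushdns | Out-Null
$answer = nslookup.exe $Zone 127.0.0.1 2>$null | Select-String -SimpleMatch $ServerIp
if ($answer) {
    Write-Output "$Zone resolves to $ServerIp on this DNS server."
} else {
    Write-Warning "$Zone did not resolve to $ServerIp; check the zone and the A record."
}
```

Clients only see the new answer if they use the Home Server as their DNS server; run ipconfig /flushdns on each client before testing.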

DNS Exploit Now Officially Breached

Recently a DNS exploit was discovered by Dan Kaminsky. This exploit was reportedly so big that he decided to keep the details close to hand until everyone had a chance to plug their DNS servers, however this plan failed somewhat and details of it got online.

Whilst most people fixed their DNS some major players like AT&T and Apple are still yet to fix the issue, and the first released reports of the exploit being performed came to light today.

http://www.theregister.co.uk/2008/07/31/dns_cache_poisoning_goes_wild/

Whilst there are incidents prior to this known by Dan Kaminsky, he has signed NDAs to keep the details quiet.

Let’s hope people start to look more seriously at fixing this one, huh.