Malkosha (posted August 21, 2002): We upgraded our DCs from NT4 to Win2K. Everything seems to work ... except for one little problem. Our RRAS is on one of the DCs, and whenever someone RAS's in, they get a DHCP address. This address is then picked up by DNS, and the DC is assigned that address. Of course, all connections to the DC are lost. By deleting the DNS entry and stopping/starting the RAS service, the problem is fixed ... until the next time someone RAS's in. Anyone have a clue how to fix this?
Four and Twenty (posted August 21, 2002): Quote: "We upgraded our DCs from NT4 to Win2K. Everything seems to work ... except for one little problem. Our RRAS is on one of the DCs, and whenever someone RAS's in, they get a DHCP address. This address is then picked up by DNS, and the DC is assigned that address. Of course, all connections to the DC are lost. By deleting the DNS entry and stopping/starting the RAS service, the problem is fixed ... until the next time someone RAS's in. Anyone have a clue how to fix this?" You could make the address of the DC static. You should probably do that anyway.
Malkosha (posted August 21, 2002): Thanks, but it is static. What seems to be happening is that DNS assigns the RAS address to a DNS address. This confuses the NT4 machines. Oh .. I forgot one important point. This only affects machines that are not Win2K or XP. That is, it only affects NT4 clients and Win95/98 clients. **edited for spelling errors worse than usual**
majd (posted September 1, 2002): Hi, I am an MCSE holder and I've found a security hole in ur design. Never ever put the RRAS on a DC, because when the user authenticates it will log locally into the DC, not a very smart thing to do. The RRAS must be a standalone server with its own user scope; the user logs into it with certain credentials (which should have practically no permissions on the network), then they will have to reauthenticate with the DC in order to log into the domain (more secure, and this account should have the desired permissions). Hope that u will fix that. Try to create in the RRAS a scope of IP addresses that will be handed to the RAS users (make sure that there is no overlapping with ur DHCP scope). Hope that I've helped.
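Two checks a defender would want after reading the thread, as an added example that is not part of any post: (a) that the static RAS address pool does not overlap the DHCP scope, and (b) that no DC host name in the DNS zone carries an A record falling inside the RAS pool (the symptom the original poster describes). The pool, scope, host names and zone lines below are constructed sample data, not values from the thread.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed sample data (assumptions, not from the thread).
RAS_POOL = ("192.168.1.200", "192.168.1.220")    # static pool handed to dial-in users
DHCP_SCOPE = ("192.168.1.50", "192.168.1.150")   # scope the LAN DHCP server serves
DC_HOSTS = {"dc1", "dc2"}                        # host names of the domain controllers

# Constructed dump of A records from the zone: "<host> A <address>" per line.
# dc1 has picked up a second A record inside the RAS pool, the failure mode
# from the first post.
ZONE_A_RECORDS = """
dc1         A  192.168.1.10
dc1         A  192.168.1.205
dc2         A  192.168.1.11
fileserver  A  192.168.1.20
"""


def ip_range(first: str, last: str) -> Tuple[int, int]:
    """Inclusive address range as integers, so comparisons are plain arithmetic."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is after range end {last}")
    return lo, hi


def ranges_overlap(a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    """True if the two inclusive address ranges share at least one address."""
    a0, a1 = ip_range(*a)
    b0, b1 = ip_range(*b)
    return a0 <= b1 and b0 <= a1


def parse_a_records(text: str) -> List[Tuple[str, str]]:
    """Extract (host, address) pairs from the three-column zone dump; skip other lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            ipaddress.ip_address(parts[2])  # raise early on a malformed address
            records.append((parts[0].lower(), parts[2]))
    return records


def dc_records_in_pool(records: List[Tuple[str, str]], dc_hosts: Set[str],
                       pool: Tuple[str, str]) -> List[Tuple[str, str]]:
    """DC A records whose address lies inside the RAS pool: these should not exist."""
    lo, hi = ip_range(*pool)
    return [(host, ip) for host, ip in records
            if host in dc_hosts and lo <= int(ipaddress.ip_address(ip)) <= hi]
```

Running `dc_records_in_pool(parse_a_records(ZONE_A_RECORDS), DC_HOSTS, RAS_POOL)` on the sample data flags the stray dc1 record; scheduling such a check catches the problem before clients lose the DC.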
majd (posted September 2, 2002): I am really impressed with ur response; it seems that u can't understand English! It was clear that the scope stuff is not related to the security matter. Reread and try to understand! Bye.
majd (posted September 2, 2002): What trust relation are u talking about? Do u know what a STANDALONE server means? My point was that u shouldn't allow users to log on locally on a DC. I don't know how u understood it, and I don't care about ur CV either. I know what I am talking about and I don't need to put definitions in a 10-line response; I am assuming that I am talking to people that have a basic idea of what they are doing. I know what I do, and believe me, I am not a paper MCSE guy. It seems that u need to refresh ur knowledge, man. And the link is great, especially to describe what kind of user scopes can be found on A STANDALONE server! BRAVO! That's what I've said. Go and show it to ur security buddies; maybe they will give u a NEW SECURITY BOOK as a gift for ur great knowledge. "Never ever put the RRAS on a DC, because when the user authenticates it will log locally into the DC, not a very smart thing to do. The RRAS must be a standalone server with its own user scope; the user logs into it with certain credentials (which should have practically no permissions on the network), then they will have to reauthenticate with the DC in order to log into the domain. USERS NOW HAVE THEIR PERMISSIONS AND THE ACCOUNTS THAT U WANT THEM TO ACCESS THE NETWORK WITH (more secure, and this account should have the desired permissions)."
majd (posted September 2, 2002): We can go on like this forever. I propose that the guy tries both ways and then let him be the judge. I am not going to convince u while u are probably 10000 miles away from me. Keep ur knowledge for urself, and God bless u! That's my knowledge; it might not be as great as urs, but that's life. Thanks for ur time!