How To Configure Remote Access VPN Server In Windows Server 2016

VPN stands for Virtual Private Network, a technology that has been used for many years to provide remote connectivity and support. A VPN is one of the most popular, secure, and inexpensive techniques for connecting remote branch offices and remote users over the Internet. Windows supports several VPN tunneling protocols, such as PPTP, L2TP/IPsec, SSTP, and IKEv2, and each offers a different level of security: PPTP authenticates with MS-CHAPv2 and is considered broken, so it should not be used outside a lab, while SSTP and IKEv2 require a server certificate but provide strong protection for the tunnel. In this post, however, we focus on a step-by-step guide to configuring a Remote Access VPN server using Windows Server 2016.

Understanding Remote Access VPN Lab Setup

First of all, understand the lab topology we are going to use. Ensure that all the systems are configured with the TCP/IP settings shown in the topology. For this lab, Windows Firewall is turned off on all the systems to rule out connectivity issues; treat that as a lab-only shortcut. On a real VPN server, leave the firewall on: installing the Remote Access role adds the inbound rules it needs (the Routing and Remote Access rule group), and a server that faces the Internet with its firewall disabled exposes every listening service, not just the VPN ports.

We will use the following systems to complete this lab exercise:

ROUTER1

  • Hosts the Remote Access Server role.
  • Connected to CLIENT1 using 10.0.0.1/8 IP address.
  • Connected to the SERVER2 using 192.168.1.1/24 IP address.
  • Acts as VPN Server.

SERVER2

  • Acts as an internal (private) client and is connected to ROUTER1 using 192.168.1.2/24 IP address and 192.168.1.1 as the Default gateway.

CLIENT1

  • Acts as a remote (Public) client and is connected to ROUTER1 using 10.0.0.101/8 IP address and 10.0.0.1 as the Default gateway.

It is recommended that all the systems participating in this lab exercise belong either to the same domain or to a workgroup. A mixed setup may cause problems while completing the exercise. Here, all systems are workgroup members.

Installing Remote Access Service on Windows Server 2016

To configure a VPN server on Windows Server 2016, you first need to install the Remote Access server role. To do so, perform the following steps:

  1. On ROUTER1, launch the Add Roles and Features Wizard.
  2. Click Next and accept the default selections until the Select server roles page is displayed.
  3. Select the Remote Access server role and click Next.
  4. Click Next until the Select role services page is displayed.
  5. Select the DirectAccess and VPN (RAS) and Routing role services and then click Next.
  6. On the remaining pages, accept the default selections by clicking Next. Wait until the installation completes.

Configure Remote Access VPN Server

To configure the VPN server on Windows Server 2016, perform the following steps on ROUTER1.

  1. Open the Routing and Remote Access console from Server Manager: click Tools and select Routing and Remote Access.
  2. Right-click the server name (ROUTER1) and select Configure and Enable Routing and Remote Access.
  3. On the Welcome page, click Next. On the Configuration page, ensure that Remote access (dial-up or VPN) is selected and then click Next.
  4. On the Remote Access page, select VPN and then click Next.
  5. On the VPN Connection page, select the network adapter that is connected to the public network (Internet) and click Next. In this lab, the Ethernet0 adapter is connected to the public system CLIENT1.
  6. On the IP Address Assignment page, choose how VPN clients get their addresses. If a DHCP server is reachable from the internal network, select Automatically (RRAS leases addresses from it in blocks of ten). If you want the VPN server itself to hand out addresses, select From a specified range of addresses and then click Next.
  7. On the Address Range Assignment page, click New and set the Start and End IP addresses according to the number of VPN clients you expect. For this lab, use the range 10.0.0.240 to 10.0.0.245 and click Next.
  8. On the Manage Multiple Remote Access Servers page, select No, use Routing and Remote Access to authenticate connection requests; configuring a RADIUS server is covered in a separate article. Click Next and then Finish.
  9. On the message box that offers to start the service, click OK to start the Remote Access service.

Creating VPN User

To connect to and authenticate against the Remote Access VPN server, VPN clients need user credentials. Create a test account as follows.

  1. On the VPN server ROUTER1, create a local test user named VPNUser1 from an elevated command prompt. Remote users will use this account to connect to your VPN server.
  2. Type lusrmgr.msc in the Run dialog box and open the Properties of VPNUser1.
  3. On the Dial-in tab, select Allow access under Network Access Permission.
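The whole server-side setup above (role installation, RRAS configuration, test user and dial-in permission) can be scripted. The following is an added example, not code from the original post. It assumes an elevated PowerShell session on ROUTER1, the static pool from the walkthrough, and that the -Legacy and -IPAddressRange switches of Install-RemoteAccess reproduce what the wizard does; check the result in the Routing and Remote Access console afterwards.

```powershell
# Added example (not from the original post): unattended equivalent of the ROUTER1 steps above.
# Run in an elevated PowerShell session on ROUTER1 (Windows Server 2016, workgroup member).

# 1. Install the Remote Access role with the VPN and Routing role services.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# 2. Configure a remote access VPN managed through the RRAS console (-Legacy) that hands out
#    addresses from the same static pool the wizard walkthrough uses (assumed parameters).
Import-Module RemoteAccess
Install-RemoteAccess -VpnType Vpn -Legacy -IPAddressRange '10.0.0.240', '10.0.0.245' -PassThru

# 3. Create the test user. The password is read from the console so that it does not end up
#    in the command history the way a "net user <name> <password> /add" line would.
$vpnPassword = Read-Host -Prompt 'Password for VPNUser1' -AsSecureString
New-LocalUser -Name 'VPNUser1' -Password $vpnPassword -Description 'VPN test user'

# 4. Grant dial-in permission (the equivalent of Allow access on the Dial-in tab in lusrmgr.msc).
netsh ras set user name=VPNUser1 dialin=permit

# 5. Checks worth doing before clients connect:
#    - the RRAS service is running;
#    - the VPN account is not a local administrator (a VPN test account should be low-privilege);
#    - the inbound RRAS firewall rules exist, so the firewall can stay on instead of being
#      disabled as the lab shortcut does.
Get-Service -Name RemoteAccess | Select-Object Name, Status
if (Get-LocalGroupMember -Group 'Administrators' -Member 'VPNUser1' -ErrorAction SilentlyContinue) {
    Write-Warning 'VPNUser1 is a member of Administrators; use a dedicated low-privilege account.'
}
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Profile
```

The netsh ras set user command is the scriptable form of the Dial-in tab; for domain accounts you would instead set the msNPAllowDialin attribute or, better, let an NPS network policy decide who may connect.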

Connecting VPN Client to VPN Server

You have now configured the Remote Access VPN server. The next step is to test the configuration from the VPN client, CLIENT1.

  1. On CLIENT1, open Network and Sharing Center and select Set up a new connection or network.
  2. Select Connect to a workplace and then click Next.
  3. On the How do you want to connect page, select Use my Internet connection (VPN) and then click Next.
  4. On the next page, select I'll set up an Internet connection later and then click Next.
  5. On the Type the Internet address to connect to page, type the host name of the VPN server (if DNS is already configured) or its public IP address, in this case 10.0.0.1, and then click Create.
  6. Click the network status icon in the notification area and select VPN Connection.
  7. On the NETWORK & INTERNET screen, select VPN Connection and then click Connect.
  8. On the Sign in screen, type the user name and password of the VPN user you created on the server and click OK to connect.
  9. Verify that the client is connected to the VPN server.
  10. To verify further, open \\192.168.1.2\c$ in File Explorer to confirm that you can reach the private client SERVER2 through the tunnel.

Note: c$ is the administrative share of SERVER2, which only members of its local Administrators group can open, so the standard user VPNUser1 is refused. For this test, sign in to the share with an account that is an administrator on SERVER2, or share a dedicated test folder with read permission for VPNUser1; do not make the VPN account an administrator just to pass the test.
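The client-side steps above, done from PowerShell on CLIENT1 (Windows 10), as an added example that is not part of the original post. It assumes the lab addresses from the topology and uses the same connection name, VPN Connection, as the GUI walkthrough.

```powershell
# Added example (not from the original post): create, dial and verify the VPN connection on CLIENT1.
$server = '10.0.0.1'        # public address of ROUTER1 in the lab topology
$name   = 'VPN Connection'  # same entry name the GUI walkthrough uses

# Pin the tunnel type instead of leaving it on Automatic. ROUTER1 has no certificate in this lab,
# so SSTP and IKEv2 cannot be negotiated and an Automatic connection silently falls back to PPTP;
# making that explicit keeps it visible as a lab-only setting. Before exposing the server to the
# Internet, install a certificate and switch to Sstp or Ikev2 here.
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# Dial. The trailing "*" makes rasdial prompt for the password instead of taking it on the
# command line, where it would be visible in the process list and the shell history.
rasdial $name VPNUser1 *
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with error code $LASTEXITCODE" }

# Verify: connection state, the address handed out from the 10.0.0.240-245 pool,
# and reachability of SERVER2's SMB port (445) through the tunnel.
(Get-VpnConnection -Name $name).ConnectionStatus
Get-NetIPAddress -InterfaceAlias $name -AddressFamily IPv4 | Select-Object IPAddress
Test-NetConnection -ComputerName 192.168.1.2 -Port 445 | Select-Object RemoteAddress, TcpTestSucceeded

# Tear down when finished.
rasdial $name /disconnect
```

Get-VpnConnection reports the tunnel type you configured, not the one that was negotiated; to confirm what the server actually accepted, run Get-RemoteAccessConnectionStatistics on ROUTER1 while the client is connected and look at the TunnelType column.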

In this post, we have explained how to configure a Remote Access VPN server on Windows Server 2016. You are always welcome to share your suggestions and feedback in the comment box. Stay connected with us for more step-by-step Windows Server 2016 tutorials.


How To Configure Network Load Balancing In Windows Server 2016

High availability is one of the key requirements for providing continuous service today. It helps increase the productivity and reputation of service providers, since everyone now expects services to be available on demand. Organizations use different technologies and solutions to provide high availability and redundancy. Network Load Balancing (NLB) is one of the most popular high availability and redundancy features used in Windows-based networks. Here, we explain a detailed step-by-step guide to installing and configuring Network Load Balancing in Windows Server 2016.

For this, we will use the following systems. Take a quick look at their configuration and roles. Note that DC1 is also the lab's domain controller; that is convenient for a lab, but in production a domain controller should not host IIS or take part in an NLB cluster, because whoever compromises the web workload then owns the directory.

  1. DC1
    • Role: NLB Node1
    • IP Address: 10.0.0.100
  2. SERVER1
    • Role: NLB Node2
    • IP Address: 10.0.0.101
  3. CLIENT1
    • Role: Web client
    • IP Address: 10.0.0.102

Installing the Network Load Balancing Feature on NLB nodes

Perform the following steps on each node that is going to participate in the NLB cluster.

  1. Using the Server Manager console, launch the Add Roles and Features Wizard.
  2. Click Next until the Select server roles page is displayed and then select the Web Server (IIS) server role.
  3. On the Select features page, select the Network Load Balancing feature and click Next.
  4. On the remaining pages, accept the default selections and complete the installation.
  5. Repeat the same steps to install the Web Server (IIS) role and the Network Load Balancing feature on the second NLB node, SERVER1.

Configuring Network Load Balancing in Windows Server 2016

After installing the Network Load Balancing feature on all participating NLB nodes, the next step is to configure the cluster. Perform the following steps:

  1. In the Server Manager console on the DC1 node, click Tools and select Network Load Balancing Manager.
  2. Right-click Network Load Balancing Clusters and then click New Cluster.
  3. On the New Cluster: Connect dialog box, type DC1.mcsalab.local in the Host field and then click Connect. Verify that the interface is listed and then click Next.
  4. On the New Cluster: Host Parameters dialog box, set the priority (unique host identifier) to 1. The host with the lowest priority value is the default host and handles traffic that no port rule covers. Before clicking Next, also ensure that the default state is set to Started.
  5. On the New Cluster: Cluster IP Addresses dialog box, click Add to add a new cluster IP address.

    Note: The cluster IP address is the new virtual IP address on which the hosted service, in this case IIS, will be reached.

  6. On the Add IP Address dialog box, specify a cluster IP address such as 10.0.0.250 and click OK.
  7. Click Next. On the New Cluster: Cluster Parameters dialog box, select a cluster operation mode, for example Unicast, and then click Next. In unicast mode NLB replaces the adapter's MAC address with the cluster MAC address, so nodes that have only one adapter can no longer talk to each other through it; use multicast or a second adapter if node-to-node traffic is needed.
  8. On the New Cluster: Port Rules dialog box, the default rule balances every TCP and UDP port (0 to 65535). For a web cluster, narrow it to the ports the service uses (80, and 443 if configured) and add a rule with the Disable this port range filtering mode for the rest; ports that no rule covers are not blocked but are sent to the default host, so every other service listening there is reachable through the virtual IP. Click Finish and wait until the DC1 node is added successfully. The icon of the added node should be green.
  9. Right-click the new cluster and select Add Host To Cluster.
  10. On the Add Host to Cluster: Connect dialog box, type SERVER1 and then click Connect to add the second node.

    Important: If you get a Host unreachable error while connecting to SERVER1, open the Network Load Balancing Manager console on SERVER1 itself and repeat the same steps you used to add the DC1 node.

  11. On the Add Host to Cluster: Host Parameters dialog box, set the priority value to 2 and click Next.
  12. Accept the default selections on the remaining pages and complete the wizard.
  13. Finally, verify that the second NLB node, SERVER1, is added successfully.
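The same two-node cluster built from PowerShell, as an added example that is not part of the original post. It assumes an elevated session on DC1, WinRM access to SERVER1, that the adapter is named Ethernet on both nodes, and the cluster name www.mcsalab.local used later for the DNS record; the port rules implement the tightening described in step 8 rather than the wizard's default catch-all rule.

```powershell
# Added example (not from the original post): build the two-node NLB cluster from PowerShell.
# Run in an elevated session on DC1. 'Ethernet' is the assumed adapter name on both nodes.
Import-Module NetworkLoadBalancingClusters

# Install IIS and NLB on both nodes.
foreach ($node in 'DC1', 'SERVER1') {
    Install-WindowsFeature -Name Web-Server, NLB -IncludeManagementTools -ComputerName $node
}

# Create the cluster on DC1 (it becomes host 1) with the virtual IP from the walkthrough.
New-NlbCluster -InterfaceName 'Ethernet' -ClusterName 'www.mcsalab.local' `
    -ClusterPrimaryIP 10.0.0.250 -SubnetMask 255.0.0.0 -OperationMode Unicast | Out-Null

# Replace the catch-all default rule (0-65535, TCP and UDP) with one rule for HTTP and
# disabled rules for everything else, so nothing but port 80 is served on the virtual IP.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 80 -EndPort 80    -Protocol TCP  -Mode Multiple -Affinity None | Out-Null
Add-NlbClusterPortRule -StartPort 0  -EndPort 79    -Protocol Both -Mode Disabled | Out-Null
Add-NlbClusterPortRule -StartPort 81 -EndPort 65535 -Protocol Both -Mode Disabled | Out-Null

# Add SERVER1 as the second node (it becomes host 2).
Add-NlbClusterNode -NewNodeName 'SERVER1' -NewNodeInterface 'Ethernet' | Out-Null

# Verify: both nodes converged, and the port rules are what we intended.
Get-NlbClusterNode     | Select-Object Name, State, HostID
Get-NlbClusterPortRule | Select-Object StartPort, EndPort, Protocol, Mode
```

Both nodes should show State Converged. If SERVER1 stays Unreachable, that is the unicast single-adapter problem from step 7 or a blocked WinRM/RPC path, the same situation the Important note under step 10 covers.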

Configuring Default Website to Test the NLB Configuration

To test the NLB cluster, use an NLB-aware application, such as the IIS Web Server role, on the cluster IP address. We will use the Default Web Site on NLB node 1 (DC1) and NLB node 2 (SERVER1); the site is reached through the cluster IP address 10.0.0.250.

To do so, first, you need to perform the following steps on DC1 (NLB node1).

  1. Open the Internet Information Services (IIS) Manager console.
  2. Expand the Sites node and right-click Default Web Site.
  3. Select Add Virtual Directory. In the Alias box, type a name. In the Physical path box, type \\DC1\C$\Inetpub\wwwroot and then click OK.

    Both NLB nodes are pointed at the same directory so that the same content is served when either node fails. Be aware of two consequences: the content lives only on DC1, so if DC1 itself goes down the share disappears and SERVER1 has nothing to serve; and C$ is the administrative share, which only members of the Administrators group on DC1 can open, so the site needs Connect as credentials with that level of access. For anything beyond a lab, give each node a local copy of the content (or a share on a separate file server) and grant the application pool identity read-only access to it.

  4. Double-click Directory Browsing and click Enable. Directory listing is enabled only so that the test page shows something without creating any content; it discloses the layout of the web root, so disable it again after the test.
  5. Right-click Default Web Site, select Manage Website and then select Restart.
  6. Close the Internet Information Services (IIS) Manager window.
  7. Repeat the same steps to set up the Default Web Site on the SERVER1 node.
  8. Optionally, if you want to reach the website by host name, such as www.mcsalab.local, add a www DNS host (A) record pointing to 10.0.0.250.

Verifying Network Load Balancing Configuration

To verify that your NLB cluster is configured successfully and functioning properly, perform the following steps:

  1. On CLIENT1, type http://10.0.0.250 in Internet Explorer and verify that the Default Web Site is displayed.
  2. Close Internet Explorer.
  3. On the DC1 node, open Network Load Balancing Manager, right-click DC1(Ethernet), select Control Host and then select Stop to stop this node temporarily.
  4. Switch back to CLIENT1 and open the Default Web Site again. It should still be displayed, but this time the SERVER1 node serves it.
  5. Now stop the SERVER1 node as well and try to reopen the Default Web Site on CLIENT1.
  6. It should no longer be displayed, because both NLB nodes are stopped. If you can still open the page, you are probably looking at a cached copy: force a fresh request (Ctrl+F5 in Internet Explorer) or use a new InPrivate window; rebooting CLIENT1 also clears the cache but is not necessary.
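The failover test above, driven from CLIENT1 with PowerShell so that browser caching cannot mask a dead cluster. This is an added example, not code from the original post. It assumes CLIENT1 has WinRM access to both nodes as an administrator and that each node's web root contains a hand-made file node.txt holding that node's host name; with the shared directory from the IIS steps both nodes would return the same file, so a per-node marker is needed to see which node answered.

```powershell
# Added example (not from the original post): drive the NLB failover test from CLIENT1.
# Assumes node.txt exists in each node's own web root and contains that node's host name.
$vip = '10.0.0.250'

function Get-ServingNode {
    param([string]$ClusterIP)
    try {
        # Cache-Control: no-cache asks any intermediary not to answer from cache; the
        # request is a fresh TCP connection each time, so it goes through NLB again.
        $r = Invoke-WebRequest -Uri "http://$ClusterIP/node.txt" -UseBasicParsing `
                 -Headers @{ 'Cache-Control' = 'no-cache' } -TimeoutSec 5
        return $r.Content.Trim()
    } catch {
        return 'unreachable'
    }
}

function Set-NodeState {
    param([string]$Node, [ValidateSet('Start', 'Stop')][string]$Action)
    Invoke-Command -ComputerName $Node -ArgumentList $Node, $Action -ScriptBlock {
        param($n, $a)
        Import-Module NetworkLoadBalancingClusters
        if ($a -eq 'Stop') { Stop-NlbClusterNode -HostName $n -Drain -Timeout 30 | Out-Null }
        else               { Start-NlbClusterNode -HostName $n | Out-Null }
    }
    Start-Sleep -Seconds 10   # give the cluster time to converge
}

"Both nodes up:      {0}" -f (Get-ServingNode -ClusterIP $vip)
Set-NodeState -Node 'DC1' -Action Stop
"DC1 stopped:        {0}" -f (Get-ServingNode -ClusterIP $vip)
Set-NodeState -Node 'SERVER1' -Action Stop
"Both stopped:       {0}" -f (Get-ServingNode -ClusterIP $vip)

# Bring the cluster back.
Set-NodeState -Node 'DC1' -Action Start
Set-NodeState -Node 'SERVER1' -Action Start
"Both restored:      {0}" -f (Get-ServingNode -ClusterIP $vip)
```

With DC1 stopped the second line must name SERVER1, and with both nodes stopped the third line must read unreachable; anything else means the request is being answered from somewhere other than the cluster.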

That’s all you need to install and configure Network Load Balancing (NLB) in Windows Server 2016. Please drop your queries and suggestions in the comment box; we will catch you soon.


How To Secure Accounts If an RODC is Stolen

In the previous post, we discussed the benefits of using a Read-Only Domain Controller (RODC) and explained how to deploy one. The same topology is used for this post, so we recommend taking a quick look at it. Sometimes things do not go the way we expect: what happens if someone steals the entire RODC server? As the server administrator, it is your responsibility to secure all the user and computer accounts whose passwords were cached on the stolen RODC. In this post, we explain how to do that.

Steps To Secure Accounts if the RODC is Stolen

To secure accounts and reset the credentials cached on a stolen RODC, perform the following steps:

  1. Sign in to a writable domain controller (Active Directory has no primary domain controller; any writable DC will do) and open Active Directory Users and Computers.
  2. Expand the Domain Controllers node to list all the available DCs.
  3. In the details pane, right-click the RODC that has been stolen and select Delete. In our example, it is SERVER1, which we deployed in the previous post.
  4. Click Yes to confirm the deletion.
  5. In the Deleting Active Directory Domain Controller dialog box, read all the available options carefully. Select the check boxes that apply to the kinds of accounts (users or computers) whose secrets were cached on the stolen RODC:
  • Reset all passwords for user accounts that were cached on this read-only domain controller.
  • Reset all passwords for computer accounts that were cached on this read-only domain controller.
  • Export the list of accounts that were cached on this read-only domain controller to this file.
  6. For a stolen RODC you normally want all three. The user reset sets each cached user's password to a random value, so those users will have to obtain a new password from the helpdesk; the computer reset breaks the secure channel of each cached computer, so those machines must be rejoined to the domain; the export is what tells you afterwards whom to contact.
  7. Specify a file name where the list of cached accounts will be stored and then click Delete. You can refer to this file later to follow up on the affected user and computer accounts.
  8. Click OK to confirm. Ensure that the RODC is no longer listed under the Domain Controllers node in the Active Directory Users and Computers console.
  9. Close the Active Directory Users and Computers console.
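The same cleanup done with the Active Directory PowerShell module, as an added example that is not part of the original post. It must run on a writable DC before the RODC object is deleted in step 3, because the list of cached (revealed) accounts is read from the RODC's own computer object and is gone once that object is removed. The RODC name SERVER1 comes from the previous post; the export path is assumed.

```powershell
# Added example (not from the original post): list the accounts whose secrets were cached on the
# stolen RODC and reset them, mirroring the options in the Deleting Active Directory Domain
# Controller dialog. Run on a writable DC as a domain admin BEFORE deleting the RODC object.
Import-Module ActiveDirectory

$rodc   = 'SERVER1'                               # the stolen RODC from the previous post
$report = 'C:\Reports\RODC-cached-accounts.csv'   # assumed export path

# Random password from a CSPRNG. The alphabet has exactly 64 symbols, so reducing a byte
# modulo its length introduces no bias.
function New-RandomPassword {
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%&*'
    $rng   = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Accounts whose passwords were actually replicated to (revealed on) the RODC. The RODC's own
# computer account and its krbtgt_<id> account are removed with the RODC object itself.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object { $_.SamAccountName -notlike 'krbtgt_*' -and $_.SamAccountName -ne "$rodc`$" })

# Equivalent of "Export the list of accounts that were cached": keep it for the follow-up.
New-Item -ItemType Directory -Path (Split-Path $report) -Force | Out-Null
$revealed | Select-Object SamAccountName, ObjectClass, DistinguishedName |
    Export-Csv -Path $report -NoTypeInformation

foreach ($acct in $revealed) {
    $new = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    switch ($acct.ObjectClass) {
        'user' {
            # Equivalent of "Reset all passwords for user accounts": random value, forced change.
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $new
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
            Write-Output "Reset user $($acct.SamAccountName); issue a new password out of band"
        }
        'computer' {
            # Equivalent of "Reset all passwords for computer accounts": the machine's secure
            # channel breaks and it must be rejoined to the domain.
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $new
            Write-Output "Reset computer $($acct.SamAccountName); rejoin it to the domain"
        }
    }
}
Write-Output "Exported $($revealed.Count) cached accounts to $report"
```

After this has run, delete the RODC object as described in the steps above; the check boxes in the dialog then have nothing left to reset, and the CSV is your list of users and machines to contact.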

That’s all you need to secure accounts if an RODC is stolen. We hope it helped you; please share the article if it did.
