All of my previous posts concerning Server 2012 (including the ones on LifeHacker) have been rather… high level, focusing more on what you can achieve with it than on concrete examples. I’ll admit this can be almost wholly attributed to laziness, as I’ve had Server 2012 running on my home machine for quite some time now and just haven’t bothered installing any additional features on it. However, one of my close friends is in the throes of setting up his own aerial photography business (using UAVs, super cool stuff) and offered up his home server as a guinea pig for a Server 2012 install, provided I give him a working VPN in return.
Challenge accepted.
Initially I thought that I’d install DirectAccess for him, as it’s a pretty awesome piece of technology and implementing it appears to be a hell of a lot easier than it was on 2008¹. However, the requirements were quite high for a VPN setup that would have at most a couple of users, requiring a whole bunch of infrastructure that would serve no other purpose. In a rather strange coincidence one of my favourite Microsoft blogs, 4SysOps, wrote a post detailing the installation method for an SSTP VPN (one that tunnels over HTTPS) mere days before I was slated to go out and do the install for him.
Installing Server 2012 went incredibly smoothly and, apart from a strange graphics card issue (the NVIDIA card he had in there didn’t seem to be able to regulate its fan without drivers, leading it to lock up when it overheated), there were no problems. Following the guide was for the most part successful, with everything going the way you’d expect it to. However, there were a couple of gotchas that we ran into along the way that I thought I’d detail here in case anyone gets snagged on them.
We had several routing issues thanks to DNS entries taking far too long to expire, something we could have avoided with a little bit of forward planning. You can test the VPN internally by just using the local IP address; you probably won’t be able to get in, as the SSL cert won’t match the address, but it is handy for testing whether all the plumbing is set up. The most frustrating issue, however, was that everything would seem to connect but would then immediately drop us out. Thankfully there were some events generated that allowed us to research this problem further, but I’m not a big fan of the solution.
The error we were getting was something like “Error 720: The user <username> connected to port <server> has been disconnected because no network protocols were successfully negotiated”. There are numerous posts detailing this exact error and, after trying many of the solutions, the only one that worked was this one. Essentially it looks like, at least with SSTP VPNs, relaying DHCP requests doesn’t work at all, which is what causes this error. Setting up a static pool of IP addresses, and excluding it on the DHCP server, allowed us to connect without a hitch.
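The fix described above (switch RRAS from relaying DHCP to a static pool, then carve that same range out of the DHCP scope so LAN hosts never collide with VPN clients) can be scripted rather than clicked through in the Routing and Remote Access console. The following is an added example, not code from the original post or from the 4SysOps guide; it assumes the Server 2012 RemoteAccess and DhcpServer PowerShell modules are available on the same host, and every IP address in it is a constructed placeholder for a 192.168.1.0/24 LAN. The event-log filter at the end is an assumption about where RRAS records the disconnect, not something the post states.

```powershell
# Added example: static VPN address pool plus matching DHCP exclusion on Server 2012.
# Assumes the RemoteAccess (VPN) role and the DhcpServer role are installed on this box.
# All addresses below are constructed for illustration; adjust to the real LAN.

Import-Module RemoteAccess
Import-Module DhcpServer

$PoolStart = '192.168.1.200'   # constructed: first address handed out to VPN clients
$PoolEnd   = '192.168.1.220'   # constructed: last address in the VPN pool
$ScopeId   = '192.168.1.0'     # constructed: the LAN's existing DHCP scope

# 1. Stop RRAS from relaying DHCP requests; hand out addresses from a static pool instead.
#    This is the change that cleared Error 720 in the post.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange @($PoolStart, $PoolEnd)

# 2. Exclude the same range from the DHCP scope so no LAN host is ever leased a pool address.
#    Without this, a VPN client and a LAN machine can end up with the same IP.
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $PoolStart -EndRange $PoolEnd

# 3. Verify both halves of the change before testing a client connection.
Get-VpnIPAddressAssignment                         # should report StaticPool and the range
Get-DhcpServerv4ExclusionRange -ScopeId $ScopeId   # should list the excluded range

# 4. If clients still drop, look for the "no network protocols were successfully negotiated"
#    text in the System log. Assumption: RRAS logs these under the RemoteAccess provider.
Get-WinEvent -LogName System -MaxEvents 200 |
    Where-Object { $_.ProviderName -eq 'RemoteAccess' -and $_.Message -match 'no network protocols' } |
    Select-Object TimeCreated, Id, Message
```

Run it in an elevated PowerShell session on the RRAS server. Keeping the pool and the exclusion in one script, with the range defined once, is what stops the two from drifting apart later when someone resizes the scope.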
It appears that this issue is a hangover from previous versions of Windows Server, as the Routing and Remote Access console looks like it’s straight out of 2003 without much modification (apart from the Network Policies section). Now I’m not going to say that it needs a revamp, indeed once we got around that particular issue it worked perfectly, but it could use a little love.
Overall I’m pretty happy with my first real-world Server 2012 install, as I was able to get a technology that I had no previous experience with (VPNs) up and running in a matter of hours with little more than patience and a whole bunch of Googling. I’m now tempted to give DirectAccess a go at home, as I’ve been meaning to set up a lab for a while now and being able to demonstrate some of Server 2012’s capabilities anywhere I have an Internet connection would just be plain awesome. That might be a little while off though, as next week I’ll be in New Orleans, knee deep in TechEd goodness.
¹ I can remember reading about it when it was first released and thinking I’d give it a go, but nearly every install guide had DO NOT USE IN PRODUCTION plastered all over it. This doesn’t seem to be the case anymore, as there are many production-ready guides available and they’re all pretty easy to follow.