Microsoft KB Archive/246478
Unable to Configure PPTP for a Two-Way Trust Between PDCs with Single NIC
The information in this article applies to:
- Microsoft Windows NT Server version 4.0
When you try to configure Point to Point Tunneling Protocol (PPTP) between two servers running Microsoft Windows NT Server 4.0, each functioning as a primary domain controller (PDC) and each having only a single network adapter installed, you are not successful, although a two-way trust relationship is already established between the servers.
In addition, you may receive one or more error messages when you attempt to resolve this issue by any of the following means:
- Adding the Microsoft IPX/SPX (Internetwork Packet Exchange/Sequenced Packet Exchange) protocol.
- Changing the addresses configured for the Remote Access Service (RAS) assigned static address pool.
- Trying to use Transmission Control Protocol/Internet Protocol (TCP/IP) and the net use command to a share on the opposite computer.
- Configuring a single virtual private network (VPN) to dial only one-way, associating the server network basic input/output system (NetBIOS) name with the IP address that the PPTP server assigns to the client VPN connection, and then trying to use the net use command from the PPTP client to a share on the PPTP server.
- Adding the Windows Internet Name Service (WINS) to each of the servers, to assist in NetBIOS name resolution.
This behavior can occur when the servers each have only one network adapter installed with no additional dial-up connection to a wide area network (WAN), and therefore do not have either of the two configurations Microsoft recommends for a PPTP tunneling server.
To resolve this issue, use one of the two configurations Microsoft recommends:
- A server with only a single network adapter, which is connected to the local area network (LAN), but with a dial-up connection to a WAN.
- A server with two network adapters, one configured for PPTP to dial out to a WAN node and the other connected to the LAN.
To work around the limitation of both servers' having only one network adapter and no additional RAS dial-up device, give each network adapter a second, arbitrary IP address. Because of the complexity of this workaround, the instructions for it are organized as five procedures to be performed on both servers:
- Setting up the required configuration
- Providing two or more VPN interfaces correctly configured for RAS
- Verifying basic TCP/IP connectivity
- Adding a second IP address to the network adapter
- Setting up the two-way trust relationship
IMPORTANT: Attempting to use only one network adapter on a PPTP server without an additional dial-up device presents special configuration problems that you may or may not be able to overcome. Please fully explore using the options Microsoft recommends before attempting this procedure, and be aware that Microsoft cannot guarantee the results of following this procedure.
Setting up the required configuration
Install the necessary networking software on each server, and then make sure both servers have the necessary configurations:
- Make sure that Windows NT Server 4.0 and the latest service pack are installed.
- Configure the server as the PDC of its domain.
- Install NetBIOS Enhanced User Interface (NetBEUI) and TCP/IP, and then configure the servers to use these protocols. You do not need to use NetBEUI on your local LAN, but you do need to configure RAS to use it over your private tunnel connection.
- Install PPTP.
- Download and apply the latest PPTP hotfix. You can obtain it at:
Providing two or more VPN interfaces correctly configured for RAS
Make sure that each server has at least two correctly configured VPN interfaces. VPNs for use with PPTP are configured in the RAS setup when you install PPTP; the following procedure explains how to add a VPN to RAS after you install PPTP:
1. Specify the number of VPNs you want to make available to PPTP:
- In Control Panel, double-click Network, and then click the Protocols tab.
- Click Point To Point Tunneling Protocol, and then click Properties.
- In the Number Of Virtual Private Networks box, type or click the number of VPNs you want to use, and then click OK.
- When you are prompted to install the RAS Setup program, click OK.
2. For each VPN you want to configure in RAS Setup:
- In the RAS Capable Devices box, click the VPN, and then click OK.
- In the Remote Access Setup dialog box, click the VPN, and then click Configure.
- Click to select the Dial out and Receive calls check box, and then click OK.
- In the Remote Access Setup dialog box, click the appropriate VPN, and then click Network.
- Under Dial Out Protocols, click NetBEUI and TCP/IP.
- Configure the NetBEUI protocol:
  - Click Configure, next to NetBEUI.
  - Click Entire Network, and then click OK.
- Configure the TCP/IP protocol:
  - Click Configure, next to TCP/IP.
  - Click Entire Network.
  - Configure a static address pool, using a unique range of arbitrary IP addresses that are not in use on your network: click Use Static Address Pool, then, in the appropriate boxes, type the beginning and ending IP addresses of the static pool, and then click OK.
- Click to select the Require Microsoft Encrypted Authentication check box, and then click OK.
IMPORTANT: Remember to repeat the procedure in step 2 for each VPN that you need to configure.
3. Click Continue, click Close, and then click Yes to restart the server.
Verifying basic TCP/IP connectivity
Verify that there is basic TCP/IP connectivity between the two servers before you attempt to configure a connection that uses PPTP:
- Make sure that the router is able to pass GRE (IP protocol 47) packets and also that TCP port 1723 (the PPTP control connection) is open on the router.
- Test the connectivity between the two servers by using the ping command.
Adding a second IP address to the network adapter
Add a second, arbitrary IP address to the network adapter on each server, freeing the original IP address to be the dialing number for the VPN connection. You can either:
- add the address to your existing network adapter
- add the Microsoft Loopback Adapter (a virtual adapter), and then add the address to that.
The following two sets of steps give instructions for these alternative methods. However, these methods are not supported PPTP configurations, and Microsoft cannot guarantee the results from following either procedure.
On each server, replace the IP address your network adapter uses with a second, arbitrary IP address, and use the original valid IP address to create a VPN connection:
1. Add a unique, arbitrary IP address to your network adapter, one that is not in use on your network:
- In Control Panel, double-click Network, and then click the Protocols tab.
- Click TCP/IP Protocol, and then click Properties.
- Click the IP Address tab, and then click Advanced.
- In the IP Addresses group, click Add, and then type the arbitrary IP address in the IP Address box.
- In the Subnet Mask box, type the default subnet mask for the IP address class.
- Click Add.
2. Under IP Addresses, click the original IP address, and then click Remove.
3. Restart the computer to bind TCP/IP to the arbitrary network adapter IP address.
4. Add the original valid IP address to the network adapter as a secondary IP address.
NOTE: Once NetBIOS is no longer bound to the original IP address that is valid on the local LAN, clients on the local LAN cannot make NetBIOS connections to that interface.
On each server, add the Microsoft Loopback Adapter, and then configure it with an arbitrary IP address:
1. Install the Microsoft Loopback Adapter:
- In Control Panel, double-click Network.
- On the Adapters tab, click Add.
- Click MS Loopback Adapter, and then click OK.
- Type the path to the setup files, click Continue, and then click Close.
2. Configure the Loopback Adapter:
- In the Adapter list, click MS Loopback Adapter.
- In the IP Address box, type an arbitrary IP address that is not in use on your network.
- In the Subnet Mask box, type the default subnet mask for the IP address class, and then click OK. You do not have to type the default gateway address.
3. When you are prompted to restart the computer, click Yes.
Setting up the two-way trust relationship
Add an entry to the Lmhosts file on each server, and then configure the two-way trust:
1. Create an Lmhosts file entry to associate the new, arbitrary network adapter IP address with the opposite server's NetBIOS name, using the #PRE and #DOM:<opposite domain name> options, along with a second entry for the <opposite domain name> 0x1c name.
For example, the server you connect to has the NetBIOS name Batman and is the PDC of the domain Gotham, and Batman is using an arbitrary IP address of 184.108.40.206. Add the following lines to the Lmhosts file on your server:
184.108.40.206 Batman #PRE #DOM:Gotham
184.108.40.206 "Gotham         \0x1c" #PRE
- Replace 184.108.40.206 with the IP address of the opposite PDC.
- Replace Batman with the NetBIOS name of the opposite PDC.
- Replace Gotham with the name of the opposite Windows NT domain.
IMPORTANT: Correct spacing of these entries is imperative. There must be a total of 20 characters between the quotation marks: the domain name, padded with spaces to 15 characters, followed by the backslash (\) and the NetBIOS hex representation of the service type (0x1c). To help you find the sixteenth character, copy this pattern line to your Lmhosts file:
# IP Address   "123456789012345*7890"
Line up the quotation marks in the domain entry with those in this pattern line by adding or removing spaces from the entry, and place the backslash in the sixteenth column (the one marked with the asterisk in the pattern line). You must use spaces between the name and the backslash; do not use the TAB key.
2. To preload the Lmhosts file, type the following at the command prompt and press ENTER:
nbtstat -R
The -R must be uppercase. After carrying out the command, you should receive the following message:
Successful purge and preload of the NBT Remote Cache Name Table.
3. To verify the NetBIOS name cache, type the following at the command prompt, and then press ENTER:
nbtstat -c
The -c must be lowercase.
4. On each server, use the opposite server's original valid IP address as the dialing number to create a VPN connection. That is, Server A now dials in to Server B, and Server B now dials in to Server A.
5. Follow the standard procedures for setting up a two-way trust in User Manager for Domains. After a delay for completing the trust each way (it may take as long as five minutes), you should receive the following message:
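The Lmhosts spacing rule above is easy to get wrong by hand, so here is an added example (not part of the KB article) that generates the two entries for the opposite PDC and checks a quoted entry the way the rule demands: 20 characters between the quotes, the backslash in the sixteenth position, spaces rather than tabs, and #PRE present. The address and names are the article's own placeholders.

```python
r"""Build and check Lmhosts domain-controller entries (added example).

A NetBIOS name is 16 bytes: a 15-character, space-padded name plus a one-byte
suffix. 0x1C is the domain-controller group name, so Lmhosts writes it as a
quoted 20-character field: 15 padded characters followed by the literal \0x1c.
"""
import re

SUFFIX_DC = 0x1C   # <domain>[1C]: the domain controllers group name
NAME_LEN = 15      # NetBIOS name body, padded with spaces
FIELD_LEN = 20     # 15 characters + len("\0x1c")


def pdc_entries(ip, netbios_name, domain, suffix=SUFFIX_DC):
    """Return the two Lmhosts lines for an opposite PDC: the #PRE #DOM host
    entry and the quoted, padded domain group-name entry."""
    for n in (netbios_name, domain):
        if not 1 <= len(n) <= NAME_LEN or " " in n:
            raise ValueError(f"bad NetBIOS name {n!r}")
    padded = domain.ljust(NAME_LEN)        # spaces, never tabs
    field = f"{padded}\\0x{suffix:02x}"    # exactly 20 characters
    return [f"{ip} {netbios_name} #PRE #DOM:{domain}",
            f'{ip} "{field}" #PRE']


_QUOTED = re.compile(r'^(\S+)\s+"([^"]*)"(.*)$')


def check_quoted_entry(line):
    """Validate one quoted Lmhosts line against the article's spacing rule.
    Returns (ok, reason) so a caller can report what to fix."""
    m = _QUOTED.match(line)
    if not m:
        return False, "no quoted field"
    field, rest = m.group(2), m.group(3)
    if "\t" in field:
        return False, "TAB inside quotes; use spaces"
    if len(field) != FIELD_LEN:
        return False, f"{len(field)} characters between quotes, need {FIELD_LEN}"
    if field[NAME_LEN] != "\\":
        return False, "backslash must be the 16th character"
    if not re.fullmatch(r"0x[0-9a-fA-F]{2}", field[NAME_LEN + 1:]):
        return False, "suffix must be \\0xNN"
    if "#PRE" not in rest:
        return False, "#PRE missing; entry would not be preloaded"
    return True, "ok"


if __name__ == "__main__":
    # The article's example: opposite PDC Batman, domain Gotham, arbitrary IP.
    for entry in pdc_entries("184.108.40.206", "Batman", "Gotham"):
        print(entry, check_quoted_entry(entry) if '"' in entry else "")
```

Running `check_quoted_entry` over each quoted line of an existing Lmhosts file before `nbtstat -R` catches the padding and tab mistakes that otherwise only show up as a trust that never completes.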
For additional information about using the Lmhosts file, please see the following articles in the Microsoft Knowledge Base:
Q180094 How to Write an LMHOSTS File for Domain Validation
Q163409 NetBIOS Suffixes (16th Character of the NetBIOS Name)
Additional query words: nt 4.0 point tunneling protocol primary domain
Keywords : nt 4.0
Version : winnt:4.0
Platform : winnt
Issue type : kbprb
Last Reviewed: January 26, 2000