I’m in the process of migrating from Windows Server 2012 R2 Essentials to Windows Server 2016 Standard with the Essentials role. It is astonishing and somewhat concerning how poorly documented the 2016 version is and how difficult it can be to find solutions.
Part of my normal procedure for setting up 2012 R2 Essentials was to add a static IP address pool to Routing and Remote Access so the VPN could hand out IP addresses even though DHCP is hosted on my router. For 2012 R2, this is well documented under error 720 at https://blogs.technet.microsoft.com/sbs/2014/06/11/troubleshooting-common-vpn-issues-on-windows-server-2012-r2-essentials/.
What Failed
In PowerShell, I ran this command
Add-WindowsFeature -Name RSAT-RemoteAccess-MGMT
then opened the RRAS management UI:
Huh? “Legacy mode is disabled”? I guess I can’t access the RRAS options that way. (I never found a way to enable Legacy Mode.)
The message says to “use RemoteAccess PowerShell cmdlets”, so I started poking around in the RemoteAccess Module reference:
https://technet.microsoft.com/en-us/itpro/powershell/windows/remoteaccess/remoteaccess
Get-RemoteAccessHealth
tells me I have a Services error:
I couldn’t figure out how to get details on that error in PowerShell, but I found that there is a separate console for RemoteAccess administration, which tells me that Rasman is not running:
Under the Services console, sure enough, the Remote Access Connection Manager is not only stopped, it’s Disabled:
I enabled the service and tried to start it. Got this error:
Log Name: System
Source: Service Control Manager
Date: 8/3/2017 3:35:19 PM
Event ID: 7024
Description:
The Remote Access Connection Manager service terminated with the following service-specific error:
{TDI Event Pending} The TDI indication has entered the pending state.
Good grief. This is going nowhere fast. I’m backing out of this rabbit hole while I still can—and ignoring the RemoteAccess Services error.
Later I realized I might as well uninstall the useless RRAS console:
Remove-WindowsFeature -Name RSAT-RemoteAccess-MGMT
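The triage above (health check, Services console, System event log) can be done entirely from PowerShell, which is what the “Legacy mode is disabled” message points you at. The script below is an added example and not part of the original post; it assumes the RemoteAccess module is installed, that Get-RemoteAccessHealth exposes Component and HealthState properties (the column names shown in its table output), and that RasMan is the short name of the Remote Access Connection Manager service.

```powershell
# Added example (not from the original post): reproduce the post's manual
# troubleshooting steps in PowerShell. Run in an elevated session on the server.
Import-Module RemoteAccess

# 1. Which Remote Access components are not healthy? The post saw a "Services"
#    component in the Error state here. (Component/HealthState property names
#    are assumed from the cmdlet's table output.)
Write-Host '--- Unhealthy Remote Access components ---'
Get-RemoteAccessHealth |
    Where-Object { $_.HealthState -ne 'OK' } |
    Format-Table Component, HealthState -AutoSize

# 2. State and startup type of the two services involved. In the post, RasMan
#    (Remote Access Connection Manager) was Stopped and Disabled.
Write-Host '--- Service state ---'
Get-Service -Name RasMan, RemoteAccess |
    Format-Table Name, Status, StartType -AutoSize

# 3. The Service Control Manager logs service-specific failures as event 7024
#    (the "{TDI Event Pending}" error in the post). Show the most recent ones.
Write-Host '--- Recent 7024 events ---'
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7024
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message

# 4. If RasMan is Disabled, set it back to Manual and try to start it, reporting
#    the failure instead of silently giving up.
$rasman = Get-Service -Name RasMan
if ($rasman.StartType -eq 'Disabled') {
    Write-Host 'RasMan is Disabled; setting startup type to Manual'
    Set-Service -Name RasMan -StartupType Manual
}
try {
    Start-Service -Name RasMan -ErrorAction Stop
    Write-Host "RasMan is now $((Get-Service -Name RasMan).Status)"
}
catch {
    Write-Warning "RasMan failed to start: $($_.Exception.Message)"
    Write-Warning 'Check the 7024 events above for the service-specific error.'
}
```

If RasMan will not start and the 7024 event shows the same service-specific error as in the post, that is a clear stopping point: the VPN itself is managed by the RemoteAccess service, and the static pool change described in the next section does not depend on RasMan running.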
What Worked
Finally I was able to track down the PowerShell command to change from DHCP to static IP addressing and assign an IP range: Set-VpnIPAddressAssignment. To add an IP range (make sure it’s excluded from DHCP on your router):
Set-VpnIPAddressAssignment -IPAssignmentMethod "StaticPool" -IPAddressRange "30.1.1.10", "30.1.1.30" -PassThru
The 30.1.1.x addresses are only a placeholder. In the usual single-subnet Essentials setup, use a range on your own LAN subnet that the router’s DHCP scope does not hand out, so VPN clients get an address that can reach LAN resources without colliding with DHCP leases.
That command also supports setting an IPv6Prefix, but I left that off and it shows up as empty.
Once I’d done that, a laptop with the Essentials connector installed, running outside my LAN, was able to establish a VPN connection.
For reference, if you ever take DHCP off the router and put it on the server, you’ll probably want to remove the static IP pool and change the assignment method back to DHCP:
Set-VpnIPAddressAssignment -IPAssignmentMethod "Dhcp" -PassThru
To check the IP Assignment Method without changing it:
(Get-RemoteAccess).IPAssignmentMethod
To check the IP range without changing it:
(Get-RemoteAccess).IPAddressRangeList
To see additional info about your Remote Access setup, including the installed certificate:
Get-RemoteAccess
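The following script is an added example, not code from the original post. It wraps the steps above into one procedure: validate that the chosen pool sits on the LAN subnet and outside the router’s DHCP scope, switch to StaticPool with Set-VpnIPAddressAssignment when the server is still in Dhcp mode, and, for the case raised in the comments below where the server is already in StaticPool mode (Set-VpnIPAddressAssignment does not replace an existing pool, ranges may not overlap, and the pool may never be empty), swap the range using a temporary range. All addresses, the DHCP scope, and the start address of the old range are assumptions to edit for your own network; the cmdlets used (Get-RemoteAccess, Set-VpnIPAddressAssignment, Add-VpnIPAddressRange, Remove-VpnIPAddressRange) are the real RemoteAccess module cmdlets.

```powershell
# Added example (not from the original post). Run elevated on the Essentials server.
#
# Assumed network values; edit them for your environment.
$LanNetwork     = '192.168.1.0'
$LanMask        = '255.255.255.0'
$DhcpStart      = '192.168.1.20'      # the router's DHCP scope
$DhcpEnd        = '192.168.1.199'
$VpnStart       = '192.168.1.200'     # pool for VPN clients, outside that scope
$VpnEnd         = '192.168.1.219'
$TempStart      = '192.168.1.250'     # throwaway range used only while swapping pools
$TempEnd        = '192.168.1.251'
$OldRangeStarts = @('192.168.1.104')  # start address of each existing range to remove;
                                      # look them up with (Get-RemoteAccess).IPAddressRangeList

Import-Module RemoteAccess

# IPv4 dotted quad -> integer, so ranges can be compared arithmetically.
function ConvertTo-IPv4Int ([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

# Both ends of the range must be on the LAN subnet; otherwise VPN clients get an
# address they cannot use to reach LAN resources in a single-subnet setup.
function Test-RangeOnLan ([string]$start, [string]$end) {
    $net  = ConvertTo-IPv4Int $LanNetwork
    $mask = ConvertTo-IPv4Int $LanMask
    (((ConvertTo-IPv4Int $start) -band $mask) -eq $net) -and
    (((ConvertTo-IPv4Int $end)   -band $mask) -eq $net)
}

# True when the two inclusive ranges share at least one address.
function Test-RangeOverlap ([string]$aStart, [string]$aEnd, [string]$bStart, [string]$bEnd) {
    ((ConvertTo-IPv4Int $aStart) -le (ConvertTo-IPv4Int $bEnd)) -and
    ((ConvertTo-IPv4Int $bStart) -le (ConvertTo-IPv4Int $aEnd))
}

function Set-EssentialsVpnPool {
    if ((ConvertTo-IPv4Int $VpnStart) -gt (ConvertTo-IPv4Int $VpnEnd)) {
        throw "VPN pool start $VpnStart must not be above its end $VpnEnd"
    }
    if (-not (Test-RangeOnLan $VpnStart $VpnEnd)) {
        throw "VPN pool $VpnStart-$VpnEnd is not on the LAN subnet $LanNetwork"
    }
    if (Test-RangeOverlap $VpnStart $VpnEnd $DhcpStart $DhcpEnd) {
        throw "VPN pool $VpnStart-$VpnEnd overlaps the router's DHCP scope $DhcpStart-$DhcpEnd"
    }

    $method = (Get-RemoteAccess).IPAssignmentMethod
    if ($method -ne 'StaticPool') {
        # Still in Dhcp mode: one call changes the method and creates the pool.
        Set-VpnIPAddressAssignment -IPAssignmentMethod 'StaticPool' -IPAddressRange $VpnStart, $VpnEnd
    }
    else {
        # Already static: add a temporary range so the pool is never empty, drop
        # the old range(s), add the real range, then drop the temporary one.
        Add-VpnIPAddressRange -IPAddressRange $TempStart, $TempEnd
        foreach ($start in $OldRangeStarts) {
            Remove-VpnIPAddressRange -IPAddress $start
        }
        Add-VpnIPAddressRange -IPAddressRange $VpnStart, $VpnEnd
        Remove-VpnIPAddressRange -IPAddress $TempStart
    }

    # Make the change effective for new connections, then show the result.
    Restart-Service -Name RemoteAccess
    Get-RemoteAccess | Select-Object IPAssignmentMethod, IPAddressRangeList
}

Set-EssentialsVpnPool
```

The validation up front is the part worth keeping even if you type the cmdlets by hand: an overlapping pool is exactly the misconfiguration described in the comments, and RRAS will not warn you about it. The temporary-range dance only matters when IPAssignmentMethod is already StaticPool; when it is Dhcp, the single Set-VpnIPAddressAssignment call is enough. As one commenter found, if clients still cannot reach LAN resources after the RemoteAccess service restart, reboot the server before digging further.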
Update November 14, 2017
Glenn at Glennopedia has posted a couple of great articles on this topic:
- This one covers setting up Remote Access using PowerShell, including updating the certificate.
- This one describes how to re-deploy the VPN in legacy mode so you can manage it through a GUI.
Update December 26, 2020
RRAS on a DNS server (as is any Essentials server) may register a second IP address in DNS. See this article on how to tell DNS to ignore the second IP.
You are a genius. Hours of searching and hair pulling. Works perfectly. I needed to share resources on a port of the server only with specific IP addresses and this was a requirement.
Thanks a million
If you already have static IPs, the set command won’t work. You have to add the range. If your new range overlaps with the old range, you have to remove the old range before adding the new range. However, you have to keep at least one range, so you have to add a temporary range before and then remove it later when your actual new range is added :-D
Example:
In my case our router DHCP assigns IPs from 192.168.178.20 – 192.168.178.200
The VPN server was configured with a static pool 192.168.178.104 – 192.168.178.247
Because the VPN range overlapped with the DHCP range we had to change VPN static pool to 192.168.178.201 – 192.168.178.247:
Add-VpnIPAddressRange -IPAddressRange "192.168.178.101","192.168.178.103"
Remove-VpnIPAddressRange -IPAddress "192.168.178.104"
Add-VpnIPAddressRange -IPAddressRange "192.168.178.201","192.168.178.247"
Remove-VpnIPAddressRange -IPAddress "192.168.178.101"
Restart-Service RemoteAccess
I set the static IP pool because I wasn’t able to access remote resources when connected via VPN. However, these steps didn’t solve the problem. I researched for hours without success. Now it turned out that a simple server reboot was the solution :-D I didn’t reboot, because I had already restarted the “RemoteAccess” service.
Uli, I don’t quite follow your example. Does the Remove-VpnIPAddressRange command only require that you specify the first IP in the range?
Since you wanted to change the range, I wonder if it would have been simpler to temporarily revert to DHCP mode with
Set-VpnIPAddressAssignment -IPAssignmentMethod "Dhcp" -PassThru
then set the new range.
Yes, you’re right. You have to keep at least a single range. You cannot change a range, but just add and remove it. You cannot add a range which overlaps with another range. Thus my workaround with multiple add and remove commands.
However, without validating, I think your approach of temporarily switching to “dhcp” will work and will be simpler. It just didn’t come to my mind ;-)
I had to set the manual range, because even though the DHCP Server service is installed and running on the 2016 WSE, it does not assign an IP within the LAN-range in Remoteaccess.
When setting the manual range, I can connect, and I get an address within that range, but I cannot see any other devices on the network. Nor can I ping the server name; only its IP address replies.
Is there a powershell command to set what DNS address(es) the remoteaccess clients should be assigned?
@JO, I’ve never looked before, but I don’t see a DNS setting in the list of properties when I run Get-RemoteAccess, so I’m guessing there is no way to set that. What you are describing sounds like a kind of device isolation, to keep devices from seeing each other. I don’t have a VPN running right now to test if that’s normal. After connecting, when you run ipconfig /all, what DNS server(s) are shown?
Thanks a million Mark Berry! Took me hours to diagnose my problem and finally land on your page. The PowerShell cmdlet worked perfectly and allowed me to continue using DHCP from my Untangle UTM. An old thread, but still very helpful.