Install ADDS with RRAS

Situation

• 1 router IPv4 192.168.100.1 no DHCP and IPv6 with DHCP
• 1 dual-core CPU, 16 GB memory, 500 GB SSD and 2 network cards

IP Plan

• 192.168.100.1 - Router
• 192.168.100.100 - HYPER-V ADDS DNS NPAS
• 192.168.100.2 - VM1 ADDS DNS
• 192.168.100.200 - VM2 RRAS

Step-by-Step Plan

1. Install Server 2019 Datacenter
2. Install HYPER-V
3. Create a vSwitch from both network cards
   • vSwitchEXT
   • vSwitchLAN

Network Configuration

vSwitchEXT

• IPv4: 192.168.100.100
• Subnet: 255.255.255.0
• Gateway: 192.168.100.1
• DNS1: 192.168.100.2
• DNS2: 192.168.100.100
• IPv6: disabled !!

vSwitchLAN

• No IPv4 and no IPv6 !!

VM Setup

Create 2 VMs with 2048 MB dynamic startup memory and give them 2 virtual processors.

VM 1 (Domain Controller)

• Needs 60 GB
• Install AD DS
• Install NPAS
• Configure the VPN connection in NPAS
• Use EAP with MS-CHAP secured password
• Give users remote access rights
• Set Allow dial-in access in user properties
• Install a second domain controller on VM1
• VM1 IP: 192.168.100.2

VM 2 (Remote Access Server)

• Needs 60 GB
• Install a standard server on VM2
• VM2 LAN = IPv4 192.168.100.200 and IPv6 off!
• In HYPER-V, give VM2 an additional network card (remote) connected to vSwitchEXT
• VM2 remote = IPv4 off and IPv6 on with DHCP
• Install Remote Access and then VPN only!
• Install an SSL certificate with LetsEncrypt
• Import the .pfx into the personal certificate store
• Select the certificate for SSTP

Routing and Remote Access Configuration

Properties - General

• IPv4 Router: on
• IPv4 Remote access server: on

Properties - Security

• Extensible authentication protocol (EAP): on
• Microsoft encrypted authentication version 2 (MS-CHAP-v2): on
• SSL Binding: LetsEncrypt certificate (import in personal store)

Properties - IPv4

• Enable IPv4 forwarding: on
• Static pool: 192.168.100.30 - 192.168.100.34
• Enable broadcast name resolution: on
• Select LAN adapter

Properties - IPv6

• Unchecked

Properties - PPP

• Checked except BAP or BACP

Properties - Logging

• Log all events

Network Interfaces

• Remote
• Loopback
• LAN
• Internal

Ports Properties

• SSTP: 5 ports RAS/Routing
• Nothing else. This is enough for 5 VPN connections.

Status Overview

IPv4

• Loopback: 127.0.0.1
• Remote: not available
• LAN: 192.168.100.200
• Internal: not available ! (if you don't have RRAS connection)
• DHCP Relay agent: 192.168.100.200 (Internal)

IPv6

• Loopback: ::1
• LAN: not available !
• Remote: internet IPv6 address !
• Internal: not available !

Routes

• No static routes