Configure the Routing and Remote Access Service and Demand-Dial Interfaces
Updated: April 30, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
Use the following procedures to enable the Routing and Remote Access service and to establish a site-to-site connection:
- Enable Routing and Remote Access.
- Configure the demand-dial interface for the remote site connection.
- Configure an additional demand-dial interface for a temporary ISP link.
Enable Routing and Remote Access
When you run the Routing and Remote Access Wizard to enable the Routing and Remote Access service, the choices you make are the same for dial-up routing and for VPN routing.
To enable the Routing and Remote Access service
Note
You can skip step 1 if either of the following is true:
- This server uses local authentication or authenticates against a RADIUS server.
- You have administrative rights to add the computer account of the Routing and Remote Access server to the RAS and IAS Servers security group. The wizard automatically adds the computer to RAS and IAS Servers.
Enable the router as follows:
Ask your domain administrator to add the router’s computer account to the RAS and IAS Servers security group for this domain by using the Active Directory Users and Computers snap-in or the netsh ras add registeredserver command.
If this router must access other domains, ask your domain administrator to add the router’s computer account to the RAS and IAS Servers security group of the other domains.
Restart the router for the change to take effect immediately.
Open Routing and Remote Access, select the computer on which you want to enable the Routing and Remote Access service (probably the computer you are currently working on), and then, on the Action menu, select Configure and Enable Routing and Remote Access to start the Routing and Remote Access Wizard. Complete the wizard pages as shown in the following table:
Wizard Page | Action
---|---
Configuration | Select Secure connection between two private networks.
Demand-Dial Connections | Select Yes (to use demand-dial routing to access remote networks).
IP Address Assignment | Select one of the following:
When the Routing and Remote Access Wizard completes, you might see the message "Windows was unable to add this computer to the list of valid remote access servers in the Active Directory. Before you can use this computer as a remote access server, the domain administrator must complete this task." If you see this message, click OK. Later, after you complete the Demand-Dial Interface Wizard (described next), add the computer account to the RAS and IAS Servers security group.
Configure the demand-dial interface for the remote site connection
The Demand-Dial Interface Wizard appears automatically after the Routing and Remote Access Wizard completes.
To configure the demand-dial interface for a remote site connection
Complete the wizard pages for the Demand-Dial Interface Wizard as shown in the following table.
Wizard Page | Action
---|---
Interface Name | Type a name for the remote router that matches the user account name that you created earlier for the remote router.
Connection Type | Select one of the following: Connect using a modem, ISDN adapter, or other device. Select this option to establish a device-to-device dial-up connection: -or- Connect using virtual private networking (VPN). Select this option to establish a VPN connection over the Internet: Do not select the third option, Connect using PPP over Ethernet (PPPoE), because PPPoE is used to link to the local ISP, not to create a device-to-device dial-up link or a VPN tunnel.
Protocols and Security |
Static Routes for Remote Networks | To add one or more static routes to define the permanent route between this network and the remote network, click Add, and then, in the Static Route dialog box, do the following:
Dial In Credentials (for an answering router) | Type and confirm a password for the local user account.
Dial Out Credentials (for a calling router) | Specify the dial-out credentials to connect to the remote router: Note: If this is an answering router that is not also a calling router, you do not need to provide this information. However, the wizard requires that you fill in this page, so type any name, domain, and password.
If the Routing and Remote Access Wizard (which ran before the Demand-Dial Interface Wizard) was unable to add the computer to the list of valid remote access servers in Active Directory, you saw the error message "Windows was unable to add this computer to the list of valid remote access servers in the Active Directory. Before you can use this computer as a remote access server, the domain administrator must complete this task." To enable the computer to function as a remote access server, add the computer account for the router to the RAS and IAS Servers security group. If you did not see the error message indicating that the computer had not been added to the valid remote access servers in Active Directory, you do not need to perform this step.
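Added example, not part of the original procedure: a PowerShell check that the router's computer account is a member of RAS and IAS Servers in every domain it must access. With -Register it adds the account by using the netsh ras add registeredserver command named earlier. It assumes the ActiveDirectory module is available (Windows Server 2008 R2 or its remote administration tools) and that all domains are in the same forest; the router and domain names are placeholders.

```powershell
# Added example: audit (and optionally register) a router's computer account in
# the "RAS and IAS Servers" group. All names below are placeholders.
param(
    [string]   $RouterName   = 'BRANCH-RTR01',         # hypothetical router name
    [string]   $RouterDomain = 'corp.example.com',     # hypothetical home domain
    [string[]] $Domains      = @('corp.example.com'),  # domains the router must access
    [switch]   $Register                                # add the account where missing
)

Import-Module ActiveDirectory

# Resolve the router's computer account once, in its home domain.
$router = Get-ADComputer -Identity ($RouterName + '$') -Server $RouterDomain

$results = foreach ($domain in $Domains) {
    # The member attribute holds distinguished names (same-forest assumption).
    $group    = Get-ADGroup -Identity 'RAS and IAS Servers' -Server $domain -Properties member
    $isMember = $group.member -contains $router.DistinguishedName

    if (-not $isMember -and $Register) {
        # Requires rights to modify the group in $domain.
        netsh ras add registeredserver "domain=$domain" "server=$RouterName" | Out-Null
        # Re-read the group instead of trusting the command output.
        $group    = Get-ADGroup -Identity 'RAS and IAS Servers' -Server $domain -Properties member
        $isMember = $group.member -contains $router.DistinguishedName
    }

    # OtherMembers shows how many other accounts hold this membership.
    New-Object PSObject -Property @{
        Domain       = $domain
        Router       = $RouterName
        Registered   = $isMember
        OtherMembers = @($group.member | Where-Object { $_ -ne $router.DistinguishedName }).Count
    }
}

$results | Format-Table Domain, Router, Registered, OtherMembers -AutoSize
if ($results | Where-Object { -not $_.Registered }) {
    Write-Warning 'Router is missing from RAS and IAS Servers in at least one domain; a domain administrator must add it.'
}
```

After a registration, restart the router as the procedure describes so that the change takes effect immediately.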
After at least one demand-dial interface exists, you can run the Demand-Dial Interface Wizard at any time to add additional demand-dial interfaces by right-clicking Network Interfaces in the Routing and Remote Access snap-in console tree, and then clicking New Demand-dial Interface. Run the wizard again for the following reasons:
- To add other branch office sites, repeat the steps in this procedure for each additional demand-dial interface you want to create.
- To establish a temporary link to the local ISP at the branch office in order to create a demand-dial interface for that link, perform the steps as described in the next section.
Configure an additional demand-dial interface for a temporary ISP link
If this is a VPN connection, and you connect your branch office to its local ISP through a temporary link, you must run the Demand-Dial Interface Wizard a second time to create a demand-dial interface for this physical link to the ISP. This link to the ISP can be a dial-up link or a PPPoE link.
Note
If you are deploying a non-VPN dial-up link, or a VPN connection between two sites, each of which connects to its local ISP through a dedicated link, do not perform these steps. Instead, perform the steps in "Configure the Demand-Dial Interface for the Remote Site Connection" earlier in this topic.
To configure a demand-dial interface for a temporary link to the ISP
Open Routing and Remote Access, right-click Network Interfaces, click New Demand-dial Interface, and then complete the wizard pages for the Demand-Dial Interface Wizard as shown in the following table.
Wizard Page | Action
---|---
Interface Name | Type an appropriate name, such as Dial_ISP.
Connection Type | Select one of the following: Select Connect using a modem, ISDN adapter, or other device. Select this option to create a dial-up link to your local ISP: -or- Select Connect using PPP over Ethernet (PPPoE). Select this option to create a PPPoE link to your local ISP: Do not select the third option, Connect using virtual private networking (VPN), because this demand-dial interface is for the link to the ISP, not for a VPN tunnel.
Protocols and Security | Select Route IP packets on this interface (do not select Add a user account so a remote router can dial in).
Static Routes for Remote Networks | To add a static route for the IP address allocated to the answering router by the answering router’s ISP (or by ICANN):
Dial-In Credentials | This page does not appear.
Dial-Out Credentials | Specify the dial-out credentials used to connect to the local ISP: