
Failing to VPN to child tree site as forest enterprise admin

Last post 04-22-2005, 4:17 AM by icelava. 1 replies.
  •  03-18-2005, 9:17 AM 44

    Failing to VPN to child tree site as forest enterprise admin

    I have a rather peculiar setup:
    First site: forest domain VC, with a win2000 DC acting as RRAS with PPTP VPN.
    Second site: child domain ASP, with a win2000 DC acting as RRAS, connecting the two sites with a persistent route.

    The persistent VPN tunnel works fine, and on the ASP DC I can log in as VC\Aaron.seet and authenticate just fine, being a domain admin and enterprise admin. I can also VPN from home direct to the first site.

    However, when it comes to the second site, when I try to authenticate with the account I get hit by:

    Error 930: The authentication server did not respond to authentication requests in a timely fashion.

    Further inspection of the event log on the DC/RRAS shows the same thing:
    ------------------------------------------------------------
    Event Type:    Error
    Event Source:    RemoteAccess
    Event Category:    None
    Event ID:    20073
    Date:        18/03/2005
    Time:        5:48:33 PM
    User:        N/A
    Computer:    SHINOBU
    Description:
    The following error occurred in the Point to Point Protocol module on port: VPN3-3, UserName: VC\Aaron.seet. The authentication server did not respond to authentication requests in a timely fashion.
    Data:
    0000: 000003a2
    ------------------------------------------------------------

    What are the possible causes of this problem? The remote access policy is already in place to allow "ASP\VPN Users" (which includes me). Adding "VC\domain admins" into the policy does not help. If there is some problem trying to go across the persistent VPN tunnel to obtain my credentials, then I guess I oughta expect a similar problem if I log on to the machine physically, but I don't.

    The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral
  •  04-22-2005, 4:17 AM 808 in reply to 44

    New bigger problem: Computer browsing to VPN network failing

    I think we can forget about the minor problem above. Now we have a bigger problem.

    (sorry if the elaboration below appears odd; was pasted from another email composition)

    Last month, site 2 got a new server installed with Windows 2003, with the intention of promoting it and replacing the current win2000 server (_all_ duties). I shall not elaborate on the long story of problematic schema update and FSMO role transfers and server hardware due to the above setup, but I managed to update the schema at the end of a few (not THE) days and succeeded in allowing the win2003 server a DC promotion.

    Now that the win2003 DC was poised for action, its services were configured similarly to the win2000 predecessor, and it took over all services. The old DC was relegated to another IP address for "retirement". However, this setup was not smooth. For a period of time, everything was fine and the users used the trans-network link as per normal. But now, computers cannot always browse computers in the other network, sometimes possible with just IP addresses, and now even IP addresses won't do. I have duplicated a similar setup with a Virtual PC win2003 DC I have at home to connect to network 1, and my home machines can browse the computers just fine.

    Now, at the same time the site 2 DC had another problem: the inability to locate the NETWORK SERVICE account, which was discovered to be due to the win2000-based forest domain. The lack of this common account in the 2000 schema prevents the win2003 server from actually finding it. This was further highlighted when my friend installed SP1 (prior to the problem), which inserted these new DCOM errors about being unable to properly initiate network-related applications due to the lack of NETWORK SERVICE. RTM never showed these errors. So, the server was restored to a pre-SP1 image, but the problems persist. Yesterday, some network 2 computers could randomly access others in site 1, but it was not consistent.

    In our searching we found many articles and discussions discouraging putting RRAS and DNS/Master Browser together because it is multi-homed. The architectural flaws of NetBIOS are revealed in such a setup (which happens to be the case if you use Small Business Server anyway), and no good fix appears to be at hand. Everything seems to point to this being the prime suspect. But, my (our) question is, if that is the case, shouldn't our original win2000-win2000 setup also exhibit such behaviour? Also, my own home DC and network does not exhibit such a problem either.

    That leads me to thinking the NETWORK SERVICE account problem could be the catalyst for all of this (meaning how the Browser service would actually still work under the original conditions is still beyond me). An example of the post-SP1 error:
    ------------------------------------------------------------
    Event Type:    Error
    Event Source:    DCOM
    Event Category:    None
    Event ID:    10016
    Date:        4/21/2005
    Time:        2:24:08 AM
    User:        NT AUTHORITY\NETWORK SERVICE
    Computer:    MOTOKO
    Description:
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    ------------------------------------------------------------

    All these CLSIDs point to network-related apps. (huh huh) Unfortunately now we cannot upgrade the network 1 DC to win2003 to see if that fixes the (browsing) problem. What I need is to ask if any of you with in-depth knowledge about the Computer Browser service have anything to say. I did read Chapter 3, "Windows NT Browsing service", and got a better understanding of what it does, but it does not explain what topology setup to use for the Domain Master Browser and Master Browsers for WAN links.

    There is also a KB article that states AD actually _replaces_ this legacy service but falls short of explaining just _how_ this is done, so I don't know how to go about completely removing NBT, WINS, and Computer Browser.

    Any hints and suggestions appreciated, thanks.

    The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral
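The two posts above each paste an event-log entry in the same "Event Type: / Event Source: / ... / Description:" text layout (RemoteAccess 20073 in the first post, DCOM 10016 in the second). The following is an added example, not code from the thread or from Microsoft: a small Python triage helper that parses entries in that pasted layout and pulls out the fields an admin would want to correlate (port and user name for the RRAS timeout; CLSID, SID and permission name for the DCOM activation failure). The sample log text is constructed from the entries quoted in the thread; the event IDs, field names and message wording are the ones shown there, and nothing else about the environment is assumed.

```python
"""Triage helper for Windows event-log entries pasted as text.

Added example (not from the thread): parses entries in the
"Event Type: / Event Source: / ... / Description:" layout quoted above and
flags the two events discussed there: RemoteAccess 20073 (authentication
server timed out) and DCOM 10016 (Local Activation permission not granted).
"""
import re

# Constructed sample built from the two entries quoted in the thread,
# separated by the dashed line the poster used between entries.
SAMPLE_LOG = """\
------------------------------------------------------------
Event Type:    Error
Event Source:    RemoteAccess
Event Category:    None
Event ID:    20073
Date:        18/03/2005
Time:        5:48:33 PM
User:        N/A
Computer:    SHINOBU
Description:
The following error occurred in the Point to Point Protocol module on port: VPN3-3, UserName: VC\\Aaron.seet. The authentication server did not respond to authentication requests in a timely fashion.
Data:
0000: 000003a2
------------------------------------------------------------
Event Type:    Error
Event Source:    DCOM
Event Category:    None
Event ID:    10016
Date:        4/21/2005
Time:        2:24:08 AM
User:        NT AUTHORITY\\NETWORK SERVICE
Computer:    MOTOKO
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
------------------------------------------------------------
"""

HEADER_FIELDS = ("Event Type", "Event Source", "Event Category", "Event ID",
                 "Date", "Time", "User", "Computer")


def parse_events(text):
    """Split pasted log text on dashed separators; return one dict per entry."""
    events = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        lines = [ln.rstrip() for ln in chunk.strip().splitlines()]
        if not lines:
            continue
        ev = {}
        i = 0
        # Header lines look like "Name:<whitespace>value" up to "Description:".
        while i < len(lines) and not lines[i].startswith("Description:"):
            m = re.match(r"^([A-Za-z ]+):\s*(.*)$", lines[i])
            if m and m.group(1) in HEADER_FIELDS:
                ev[m.group(1)] = m.group(2).strip()
            i += 1
        # The description runs from the line after "Description:" to "Data:" or EOF.
        i += 1
        desc = []
        while i < len(lines) and not lines[i].startswith("Data:"):
            if lines[i]:
                desc.append(lines[i])
            i += 1
        ev["Description"] = " ".join(desc)
        events.append(ev)
    return events


def triage(ev):
    """Extract the correlating details for the two event IDs the thread covers."""
    src, eid, desc = ev.get("Event Source"), ev.get("Event ID"), ev["Description"]
    if src == "RemoteAccess" and eid == "20073":
        # RRAS could not get an answer from its authentication server in time.
        m = re.search(r"on port: (\S+), UserName: (\S+)\.", desc)
        return {"kind": "rras_auth_timeout",
                "port": m.group(1) if m else None,
                "user": m.group(2) if m else None,
                "computer": ev.get("Computer")}
    if src == "DCOM" and eid == "10016":
        # DCOM refused to activate a COM server for the named SID.
        m = re.search(r"CLSID\s+\{([0-9A-Fa-f-]+)\}.*?SID \((S-[0-9-]+)\)", desc)
        perm = re.search(r"do not grant (\w+ \w+) permission", desc)
        return {"kind": "dcom_activation_denied",
                "clsid": m.group(1) if m else None,
                "sid": m.group(2) if m else None,
                "permission": perm.group(1) if perm else None,
                "computer": ev.get("Computer")}
    return {"kind": "other", "source": src, "event_id": eid}


def summarize(text):
    """Parse and triage every entry in a pasted log block."""
    return [triage(ev) for ev in parse_events(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Running it over a longer paste (for example, everything exported from Event Viewer as text for the period of a failing VPN logon) groups the 20073 entries by user name and port and the 10016 entries by CLSID and SID, which is what you want in hand before comparing the RRAS policy membership or the Component Services permissions on the machine named in each entry.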