November 06, 2000 05:06 PM

RRAS and DHCP Leasing

Windows IT Pro
InstantDoc ID #15909
Are your DHCP scopes doomed to be drained?
At a recent conference at which I spoke, a session attendee asked me about the following RRAS and DHCP scenario: When you select the Windows 2000 Routing and Remote Access Server Setup Wizard's Virtual private network (VPN) server configuration option (which Figure 1 shows), RRAS configures a large number of available VPN connections (i.e., 128 PPTP connections and 128 Lay...


Since RRAS will allow you to assign addresses from a pool of addresses that you define, this will allow you to exclude that range of addresses from your DHCP server. Then use DHCP relay to get the DHCP options to the client. Then, since Windows 2000 creates 256 devices, reconfigure the number of devices to something more realistic, like 8 or 16 devices.

Anonymous User 1/21/2005 10:15:07 AM




Good article but I have a few additional comments which I think people will find useful.

Firstly, I think quoting "the RRAS server leases IP addresses in blocks of 10" is potentially confusing because it implies 10 addresses will always be leased from your DHCP server with the default setting. In actual fact, if you have less than 10 RAS ports configured, 10 addresses are *not* leased - the Win2K leasing behaviour then defaults back to the NT4 behaviour which is <number of ports +1>. So for example if you're using only 5 PPTP ports, your DHCP server will lease only 6 addresses when your RRAS loads.

I know this has confused people before, who only have a few ports configured and their DHCP server is not behaving as they thought it should after reading documentation such as this - so I thought I would point it out.

Also your article implies the registry subkey InitialAddressPoolSize already exists with a default value of 10 and you simply have to edit it - whereas in fact you must first create it and then set the value you want.

And lastly, an important difference between NT4 RAS and Win2K RRAS when it comes to DHCP leases is that Win2K supports APIPA by default. This means that if it cannot contact a DHCP server on loading it will resort to allocating addresses from the APIPA range (169.254.x.x) - which means that RAS users will be allocated an IP address successfully, but they will not be able to communicate beyond your RRAS server. Your only clue to this remote access failure will be in the RRAS server's event log. This is "intelligent" only if remote clients do not need access to the rest of your network. If, however, your remote clients need access beyond your RRAS server, then I recommend disabling APIPA on the RRAS server.

Carol Bailey 3/6/2001 10:24:16 AM
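
The following is an added example, not part of the original article or its comments: a small audit that applies the startup-lease rule described in the comment above and flags remote clients that were handed an APIPA (169.254.0.0/16) address or an address outside the pool you expect. The function names, the pool `10.20.30.32/27`, and the user/address pairs are constructed for illustration.

```python
import ipaddress

# APIPA (link-local) range that RRAS falls back to when no DHCP server answers.
APIPA = ipaddress.ip_network("169.254.0.0/16")
DEFAULT_BLOCK = 10  # default lease block size quoted in the comment above

# Constructed sample: (user, address handed to the remote client).
SAMPLE_ASSIGNMENTS = [
    ("alice", "10.20.30.41"),
    ("bob", "169.254.17.203"),
    ("carol", "10.20.30.42"),
    ("dave", "192.168.5.9"),
    ("erin", "not-an-ip"),
]


def startup_leases(ras_ports):
    """Addresses RRAS takes from DHCP at startup, per the comment above:
    a block of 10, or <ports + 1> when fewer than 10 ports are configured."""
    if ras_ports < 0:
        raise ValueError("port count cannot be negative")
    return DEFAULT_BLOCK if ras_ports >= DEFAULT_BLOCK else ras_ports + 1


def audit_assignments(assignments, expected_pool):
    """Return (user, address, reason) for every assignment worth a look."""
    pool = ipaddress.ip_network(expected_pool)
    findings = []
    for user, raw in assignments:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append((user, raw, "unparseable"))
            continue
        if addr in APIPA:
            # Client got an address but cannot route beyond the RRAS server.
            findings.append((user, raw, "apipa"))
        elif addr not in pool:
            findings.append((user, raw, "outside-pool"))
    return findings


if __name__ == "__main__":
    print("leases at startup with 5 ports:", startup_leases(5))
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS, "10.20.30.32/27"):
        print(finding)
```
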




I regularly read Sean Daily's Remote Possibilities column in Windows 2000 Magazine. I have a question about our RRAS server setup. Our remote users dial in to our server through an 800 number. We just looked at one of our bills: Several users stayed online for more than 500 minutes at a time, surfing the Web. Is there any way we can let our users connect to our servers, read their email, and access their files but limit any other use?

Jubel Easaw 12/1/2000 3:30:45 PM




Yes, you can, but you'll need to implement some mechanism for controlling access to Internet resources on your network. For example, you might assign RAS users IP addresses from a fixed (i.e., static) pool, then filter those IP addresses so that they can't access the Internet on the router or firewall on your network. Another solution is to utilize a gateway device that can restrict access based on policies (e.g., the user account, how the user is accessing the network), such as Microsoft's new Internet Security and Acceleration Server 2000. Many other firewall products on the market also provide these types of features.

--Sean Daily

Sean Daily 12/1/2000 3:08:53 PM



Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.