Adding computers to domain across a VPN connection?

Mike

Hi folks,

I was finally able to get the necessary funds to purchase VPN client
licenses for our SonicWall devices so I can get remote users authenticated to
my domain.
When I set up my remote users originally I didn't have this option, so I
used remote desktop, and just set up the users' computers as stand-alone
machines - no domain authentication.
Now, if I travel to a remote site, I would like to set up the VPN client and
make the computers part of the domain. Has anyone done this, and is this
even possible? Some users have notebooks, and I could wait until they are at
our main office and make them domain members then, and that way the setup is
on the corporate network proper, but they don't travel here that often, and I
would like to make a trip to these sites and set them up. Any advice or
suggestions?

Mike

Bill Sanderson

I've added machines to SBS domains, both under SBS-2003, and SBS 2008, via a
VPN connection without issue.

In my case they've been using the built-in Windows VPN connectivity with the
tunnel terminating at the SBS server, but I don't think your situation
should be different.

If in doubt, try it out with a laptop at some point when you can easily take
it into the office and do it right if it fails.


"Mike" <[email protected]> wrote in message
news:[email protected]

> Hi folks,
>
> I was finally able to get the necessary funds to purchase VPN client
> licenses for our SonicWall devices so I can get remote users authenticated
> to my domain.
> When I set up my remote users originally I didn't have this option, so I
> used remote desktop, and just set up the users' computers as stand-alone
> machines - no domain authentication.
> Now, if I travel to a remote site, I would like to set up the VPN client
> and
> make the computers part of the domain. Has anyone done this, and is this
> even possible? Some users have notebooks, and I could wait until they are
> at
> our main office and make them domain members then, and that way the setup
> is
> on the corporate network proper, but they don't travel here that often,
> and I
> would like to make a trip to these sites and set them up. Any advice or
> suggestions?
>
> Mike
>

Ace Fekay [MVP-DS, MCT]

"Mike" <[email protected]> wrote in message
news:[email protected]

> Hi folks,
>
> I was finally able to get the necessary funds to purchase VPN client
> licenses for our SonicWall devices so I can get remote users authenticated
> to my domain.
> When I set up my remote users originally I didn't have this option, so I
> used remote desktop, and just set up the users' computers as stand-alone
> machines - no domain authentication.
> Now, if I travel to a remote site, I would like to set up the VPN client
> and
> make the computers part of the domain. Has anyone done this, and is this
> even possible? Some users have notebooks, and I could wait until they are
> at
> our main office and make them domain members then, and that way the setup
> is
> on the corporate network proper, but they don't travel here that often,
> and I
> would like to make a trip to these sites and set them up. Any advice or
> suggestions?
>
> Mike
>


I do this all the time with my clients. Matter of fact they will drop their
laptops off to me at home, and I will configure them, then either they pick
them up or I drop them off. I even have to configure their air cards, too.

Make sure the VPN IP config it provides to the VPN clients has your WINS and
DNS addresses only (no ISP DNS, or it won't work). If your SBS is using an
ISP's DNS (this is a very common misconfiguration due to an admin not
understanding AD and its reliance on its own DNS server), it MUST be removed
from the SBS ipconfig, as well as from the DHCP Scope or Server Options
(option 006). Otherwise, expect numerous issues.

Keep in mind, (obviously) the VPN has to be established first prior to adding
it to the domain. To do this, the VPN client must be configured to come up
and be available to connect to the VPN PRIOR to logging into the laptop or
desktop at the remote location, or the initial restart then logging into the
domain with the domain admin account won't work. Many VPN clients work hand
in hand with Windows to offer the connection capability when the logon GINA
window appears. Connect first, then log on.

Once you've joined the machine to the domain and restarted, connect to the
VPN, then log on with the domain admin account. Make sure you can connect to
resources, etc. Then log off. If the VPN cuts off during logoff, either
reconnect to the VPN or configure the VPN client to stay active when logging
off. Whether this is possible depends on the client. Then log on as the
domain user account, making sure they can access all resources as if they
were in the office. If name resolution does not work, then you have to look
at your DNS and/or WINS settings depending on how you want to connect
(single name or FQDN).

Also, you want to configure the VPN connection to use the local gateway and
not the remote gateway. This way any non-company connections (say you are on
IE) do not all go through the tunnel. In the Windows client, you can simply
uncheck the box that says use remote gateway. For Cisco, it's a setting on
the PIX or ASA side to use split-tunneling. I don't know what it is in
SonicWall.

I hope that helps as a starter.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
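As an added example (not code from any post in this thread), the following PowerShell script runs Ace's pre-join checks on a remote machine whose tunnel is already up: split tunneling enabled, corporate-only DNS on the VPN adapter, the domain-controller SRV record resolvable through the internal DNS, and the ports the join needs reachable. It assumes the built-in Windows VPN client (as Bill uses) rather than the SonicWall client, and the connection name, domain and DNS address are placeholders; the cmdlets need Windows 8.1 / Server 2012 R2 or later, so they postdate the thread.

```powershell
# Added example: pre-join checks for a remote client already connected to the VPN.
# Assumed placeholders: VPN connection "Corp VPN", domain corp.example.com, DNS 10.0.0.10.
# Run in an elevated PowerShell session.
param(
    [string]$VpnName   = 'Corp VPN',          # assumed name of the Windows VPN connection
    [string]$Domain    = 'corp.example.com',  # assumed AD DNS name
    [string[]]$CorpDns = @('10.0.0.10')       # assumed internal DNS server(s) only
)

$problems = @()

# 1. Split tunneling: same effect as unchecking "Use default gateway on remote network".
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
if (-not $vpn) {
    $problems += "VPN connection '$VpnName' not found; create it first."
} elseif (-not $vpn.SplitTunneling) {
    $problems += "Split tunneling is off; fix: Set-VpnConnection -Name '$VpnName' -SplitTunneling `$true"
}

# 2. DNS handed to the VPN adapter must be the internal DNS only (no ISP DNS).
$vpnDns = (Get-DnsClientServerAddress -InterfaceAlias $VpnName -AddressFamily IPv4 `
           -ErrorAction SilentlyContinue).ServerAddresses
if (-not $vpnDns) {
    $problems += "No IPv4 DNS servers on the VPN adapter (is the tunnel up?)."
} else {
    $foreign = $vpnDns | Where-Object { $_ -notin $CorpDns }
    if ($foreign) { $problems += "VPN adapter uses non-corporate DNS: $($foreign -join ', ')" }
}

# 3. DC locator record, asked of the internal DNS directly so an ISP resolver cannot mask it.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $CorpDns[0] `
       -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    $problems += "No _ldap._tcp.dc._msdcs.$Domain SRV record from $($CorpDns[0]); the join will fail."
} else {
    # 4. Ports the join and first domain logon need, tested against the first DC returned.
    $dc = $srv[0].NameTarget
    foreach ($port in 53, 88, 135, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        if (-not $ok) { $problems += "TCP $port to $dc blocked; check the VPN/firewall policy." }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Fix the items above before joining.'
} else {
    Write-Host "Checks passed. To join now (prompts for the domain admin account), run:"
    Write-Host "  Add-Computer -DomainName $Domain -Credential (Get-Credential) -Restart"
}
```

After the restart, bring the VPN up before logging on, as Ace describes, or the first domain logon has no DC to talk to.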

Mike

Thanks gentlemen. I will try this from home this weekend and make sure I
don't have any hiccups. Then try it on a "real" user.

Mike


"Mike" wrote:

> Hi folks,
>
> I was finally able to get the necessary funds to purchase VPN client
> licenses for our SonicWall devices so I can get remote users authenticated to
> my domain.
> When I set up my remote users originally I didn't have this option, so I
> used remote desktop, and just set up the users' computers as stand-alone
> machines - no domain authentication.
> Now, if I travel to a remote site, I would like to set up the VPN client and
> make the computers part of the domain. Has anyone done this, and is this
> even possible? Some users have notebooks, and I could wait until they are at
> our main office and make them domain members then, and that way the setup is
> on the corporate network proper, but they don't travel here that often, and I
> would like to make a trip to these sites and set them up. Any advice or
> suggestions?
>
> Mike
>

James Hurrell

On 06/01/2010 18:38, Ace Fekay [MVP-DS, MCT] wrote:
> depending on how you want to connect
> (single name or FQDN).
>
> Also, you want to configure the VPN connection to use the local gateway and
> not the remote gateway. This way any non-company connections (say you are on
> IE) do not all go through the tunnel. In the Windows client, you can simply
> uncheck the box that says use remote gateway. For Cisco, it's a setting on
> the PIX or ASA side to use split-tunneling. I don't know what it is in
> SonicWall.
>
> I hope that helps as a starter.
>
Out of curiosity how do you manage Windows Updates for domain attached
clients?

Ace Fekay [MVP-DS, MCT]

"James Hurrell" <"j_a_hurrell at hotmail com"> wrote in message
news:[email protected]

> On 06/01/2010 18:38, Ace Fekay [MVP-DS, MCT] wrote:
>> depending on how you want to connect
>> (single name or FQDN).
>>
>> Also, you want to configure the VPN connection to use the local gateway
>> and not the remote gateway. This way any non-company connections (say you are
>> on IE) do not all go through the tunnel. In the Windows client, you can simply
>> uncheck the box that says use remote gateway. For Cisco, it's a setting
>> on the PIX or ASA side to use split-tunneling. I don't know what it is in
>> SonicWall.
>>
>> I hope that helps as a starter.
>>
> Out of curiosity how do you manage Windows Updates for domain attached
> clients?


How do I (myself) manage them? For internal client machines, I use WSUS 3.0.
Same for VPN clients that frequently come in. However, if the clients are
always remote users and they are joined to the domain, then I would create a
separate WSUS GPO to have the remote users get their updates directly from
Microsoft's servers instead of saturating the company WAN link. If they are
not joined, then they can't be managed.

Ace

kj [SBS MVP]

Ace Fekay [MVP-DS, MCT] wrote:

> "James Hurrell" <"j_a_hurrell at hotmail com"> wrote in message
> news:[email protected]
>> On 06/01/2010 18:38, Ace Fekay [MVP-DS, MCT] wrote:
>>> depending on how you want to connect
>>> (single name or FQDN).
>>>
>>> Also, you want to configure the VPN connection to use the local
>>> gateway and not the remote gateway. This way any non-company connections (say
>>> you are on IE) do not all go through the tunnel. In the Windows client, you can
>>> simply uncheck the box that says use remote gateway. For Cisco,
>>> it's a setting on the PIX or ASA side to use split-tunneling. I don't know what it is
>>> in SonicWall.
>>>
>>> I hope that helps as a starter.
>>>
>> Out of curiosity how do you manage Windows Updates for domain
>> attached clients?
>
>
> How do I (myself) manage them? For internal client machines, I use
> WSUS 3.0. Same for VPN clients that frequently come in. However, if
> the clients are always remote users and they are joined to the
> domain, then I would create a separate WSUS GPO to have the remote
> users get their updates directly from Microsoft's servers instead of
> saturating the company WAN link. If they are not joined, then they
> can't be managed.
> Ace

Picking a nit with the last Ace. Workgroup and other domain-joined clients
still can be WSUS managed, just not have their WSUS settings handled by a
single domain GPO. Workgroup machines can get the WU settings from a variety
of means and other domain members can use the WSUS server from another
domain. There's no trust or domain boundary restriction on WSUS clients.


--
/kj

Ace Fekay [MVP-DS, MCT]

"kj [SBS MVP]" <[email protected]> wrote in message
news:[email protected]

> Ace Fekay [MVP-DS, MCT] wrote:
>> "James Hurrell" <"j_a_hurrell at hotmail com"> wrote in message
>> news:[email protected]
>>> On 06/01/2010 18:38, Ace Fekay [MVP-DS, MCT] wrote:
>>>> depending on how you want to connect
>>>> (single name or FQDN).
>>>>
>>>> Also, you want to configure the VPN connection to use the local
>>>> gateway and not the remote gateway. This way any non-company connections (say
>>>> you are on IE) do not all go through the tunnel. In the Windows client, you can
>>>> simply uncheck the box that says use remote gateway. For Cisco,
>>>> it's a setting on the PIX or ASA side to use split-tunneling. I don't know what it is
>>>> in SonicWall.
>>>>
>>>> I hope that helps as a starter.
>>>>
>>> Out of curiosity how do you manage Windows Updates for domain
>>> attached clients?
>>
>>
>> How do I (myself) manage them? For internal client machines, I use
>> WSUS 3.0. Same for VPN clients that frequently come in. However, if
>> the clients are always remote users and they are joined to the
>> domain, then I would create a separate WSUS GPO to have the remote
>> users get their updates directly from Microsoft's servers instead of
>> saturating the company WAN link. If they are not joined, then they
>> can't be managed.
>> Ace
>
> Picking a nit with the last Ace. Workgroup and other domain-joined clients
> still can be WSUS managed, just not have their WSUS settings handled by a
> single domain GPO. Workgroup machines can get the WU settings from a
> variety of means and other domain members can use the WSUS server from
> another domain. There's no trust or domain boundary restriction on WSUS
> clients.
>
>
> --
> /kj
>


Good nit pick. :-) You're right. But as far as GPOs and non-joined machines,
they won't be able to be administered with a GPO, but directly, you're
right. I was thinking on the lines of "GPO."

:-)

Ace

kj [SBS MVP]

Ace Fekay [MVP-DS, MCT] wrote:

> "kj [SBS MVP]" <[email protected]> wrote in message
> news:[email protected]
>> Ace Fekay [MVP-DS, MCT] wrote:
>>> "James Hurrell" <"j_a_hurrell at hotmail com"> wrote in message
>>> news:[email protected]
>>>> On 06/01/2010 18:38, Ace Fekay [MVP-DS, MCT] wrote:
>>>>> depending on how you want to connect
>>>>> (single name or FQDN).
>>>>>
>>>>> Also, you want to configure the VPN connection to use the local
>>>>> gateway and not the remote gateway. This way any non-company connections (say
>>>>> you are on IE) do not all go through the tunnel. In the Windows client, you can
>>>>> simply uncheck the box that says use remote gateway. For Cisco,
>>>>> it's a setting on the PIX or ASA side to use split-tunneling. I don't know what it
>>>>> is in SonicWall.
>>>>>
>>>>> I hope that helps as a starter.
>>>>>
>>>> Out of curiosity how do you manage Windows Updates for domain
>>>> attached clients?
>>>
>>>
>>> How do I (myself) manage them? For internal client machines, I use
>>> WSUS 3.0. Same for VPN clients that frequently come in. However, if
>>> the clients are always remote users and they are joined to the
>>> domain, then I would create a separate WSUS GPO to have the remote
>>> users get their updates directly from Microsoft's servers instead of
>>> saturating the company WAN link. If they are not joined, then they
>>> can't be managed.
>>> Ace
>>
>> Picking a nit with the last Ace. Workgroup and other domain-joined
>> clients still can be WSUS managed, just not have their WSUS settings
>> handled by a single domain GPO. Workgroup machines can get the WU
>> settings from a variety of means and other domain members can use
>> the WSUS server from another domain. There's no trust or domain
>> boundary restriction on WSUS clients.
>>
>>
>> --
>> /kj
>>
>
>
> Good nit pick. :-) You're right. But as far as GPOs and non-joined
> machines, they won't be able to be administered with a GPO, but
> directly, you're right. I was thinking on the lines of "GPO."

Agreed.


>
> :-)
>
> Ace

--
/kj

Ace Fekay [MVP-DS, MCT]

"kj [SBS MVP]" <[email protected]> wrote in message
news:[email protected]

>>>
>>> Picking a nit with the last Ace. Workgroup and other domain-joined
>>> clients still can be WSUS managed, just not have their WSUS settings
>>> handled by a single domain GPO. Workgroup machines can get the WU
>>> settings from a variety of means and other domain members can use
>>> the WSUS server from another domain. There's no trust or domain
>>> boundary restriction on WSUS clients.
>>>
>>>
>>> --
>>> /kj
>>>
>>
>>
>> Good nit pick. :-) You're right. But as far as GPOs and non-joined
>> machines, they won't be able to be administered with a GPO, but
>> directly, you're right. I was thinking on the lines of "GPO."
>
> Agreed.
>
>

>>
>> :-)
>>
>> Ace
>
> --
> /kj
>


:-)

James Hurrell

On 07/01/2010 17:06, Ace Fekay [MVP-DS, MCT] wrote:

> "James Hurrell" <"j_a_hurrell at hotmail com"> wrote in message
> news:[email protected]
>> On 06/01/2010 18:38, Ace Fekay [MVP-DS, MCT] wrote:
>>> depending on how you want to connect
>>> (single name or FQDN).
>>>
>>> Also, you want to configure the VPN connection to use the local gateway
>>> and not the remote gateway. This way any non-company connections (say you are
>>> on IE) do not all go through the tunnel. In the Windows client, you can simply
>>> uncheck the box that says use remote gateway. For Cisco, it's a setting
>>> on the PIX or ASA side to use split-tunneling. I don't know what it is in
>>> SonicWall.
>>>
>>> I hope that helps as a starter.
>>>
>> Out of curiosity how do you manage Windows Updates for domain attached
>> clients?
>
>
> How do I (myself) manage them? For internal client machines, I use WSUS 3.0.
> Same for VPN clients that frequently come in. However, if the clients are
> always remote users and they are joined to the domain, then I would create a
> separate WSUS GPO to have the remote users get their updates directly from
> Microsoft's servers instead of saturating the company WAN link. If they are
> not joined, then they can't be managed.
>
> Ace
>
>
Thanks, I was interested in how you managed Windows Updates for remote
domain clients across a VPN link... specifically how to avoid
saturating the VPN link with Windows updates (service packs for
example!!)... Thanks for the insight.

Ace Fekay [MVP-DS, MCT]

"James Hurrell" <"j_a_hurrell at hotmail com"> wrote in message
news:[email protected]

> On 07/01/2010 17:06, Ace Fekay [MVP-DS, MCT] wrote:
>> "James Hurrell" <"j_a_hurrell at hotmail com"> wrote in message
>> news:[email protected]
>>> On 06/01/2010 18:38, Ace Fekay [MVP-DS, MCT] wrote:
>>>> depending on how you want to connect
>>>> (single name or FQDN).
>>>>
>>>> Also, you want to configure the VPN connection to use the local gateway
>>>> and not the remote gateway. This way any non-company connections (say you
>>>> are on IE) do not all go through the tunnel. In the Windows client, you can
>>>> simply uncheck the box that says use remote gateway. For Cisco, it's a setting
>>>> on the PIX or ASA side to use split-tunneling. I don't know what it is in
>>>> SonicWall.
>>>>
>>>> I hope that helps as a starter.
>>>>
>>> Out of curiosity how do you manage Windows Updates for domain attached
>>> clients?
>>
>>
>> How do I (myself) manage them? For internal client machines, I use WSUS
>> 3.0.
>> Same for VPN clients that frequently come in. However, if the clients are
>> always remote users and they are joined to the domain, then I would
>> create a
>> separate WSUS GPO to have the remote users get their updates directly
>> from
>> Microsoft's servers instead of saturating the company WAN link. If they
>> are
>> not joined, then they can't be managed.
>>
>> Ace
>>
>>
> Thanks, I was interested in how you managed Windows Updates for remote
> domain clients across a VPN link... specifically how to avoid saturating
> the VPN link with Windows updates (service packs for example!!)... Thanks
> for the insight.


Well, the biggest thing is the WAN link speed. Even if I had created a
separate GPO for remote clients and created a separate group for them in
WSUS to minimize what updates I was permitting to hit them, if the line is
lower than 500 KB, they won't get it anyway. In cases like that, I would
configure the GPO for those machines to use Microsoft's site for updates
instead of the WSUS server at the office, so they can directly download to
their machines.

I hope that helps.

Ace
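As an added example (not code from any post in this thread), this PowerShell script reads and sets the registry values a WSUS Group Policy writes, so the split Ace describes (office clients via the internal WSUS server, always-remote clients straight from Microsoft Update on a slow link) can be audited, and applied on the workgroup or other-domain machines kj mentions that no domain GPO reaches. The WSUS URL and target group name are assumed placeholders.

```powershell
# Added example: audit/set Windows Update policy keys (the same values a WSUS GPO writes).
# Assumed placeholders: WSUS URL https://wsus.corp.example.com:8531, group "Remote Laptops".
# Run in an elevated PowerShell session.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Get-WsusPolicy {
    # Report where this machine is configured to fetch updates from.
    $p  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    $useWsus = ($au.UseWUServer -eq 1) -and [bool]($p.WUServer)
    $source  = 'Microsoft Update'
    if ($useWsus) { $source = "WSUS ($($p.WUServer))" }
    $group = $null
    if ($p.TargetGroupEnabled -eq 1) { $group = $p.TargetGroup }
    [pscustomobject]@{
        Source         = $source
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
        TargetGroup    = $group
        UseWUServer    = $au.UseWUServer
    }
}

function Set-WsusPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Internal', 'Direct')][string]$Mode,
        [string]$WsusUrl     = 'https://wsus.corp.example.com:8531',  # assumed WSUS URL
        [string]$TargetGroup = 'Remote Laptops'                        # assumed WSUS group
    )
    New-Item -Path $AuKey -Force | Out-Null   # creates WindowsUpdate and AU keys if missing
    if ($Mode -eq 'Internal') {
        # Office and frequently-connected clients: approvals and reporting through WSUS,
        # with client-side targeting so they land in their own WSUS group.
        Set-ItemProperty -Path $PolicyKey -Name WUServer           -Value $WsusUrl
        Set-ItemProperty -Path $PolicyKey -Name WUStatusServer     -Value $WsusUrl
        Set-ItemProperty -Path $PolicyKey -Name TargetGroupEnabled -Value 1 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name TargetGroup        -Value $TargetGroup
        Set-ItemProperty -Path $AuKey     -Name UseWUServer        -Value 1 -Type DWord
    } else {
        # Always-remote clients on a slow link: download from Microsoft directly instead
        # of dragging service packs through the VPN and the office WAN link.
        Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 0 -Type DWord
        Remove-ItemProperty -Path $PolicyKey -Name WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup `
            -ErrorAction SilentlyContinue
    }
    # Keep automatic updating on either way: AUOptions 4 = auto download and schedule install.
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions    -Value 4 -Type DWord
    Restart-Service -Name wuauserv            # make the Windows Update agent re-read policy
    Get-WsusPolicy
}

# Usage:  Get-WsusPolicy                 (audit)
#         Set-WsusPolicy -Mode Direct    or    Set-WsusPolicy -Mode Internal
```

On a domain member a domain GPO overwrites these keys at the next policy refresh, so for Ace's joined remote clients the same values belong in the separate remote-users GPO; the registry route is for the workgroup or other-domain machines kj describes.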