Joining a computer to a domain over a client VPN connection
Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
From time to time this comes up when a customer needs new laptops configured. Normally I would visit the office to set up a new laptop, but in some cases, such as one customer whose users are 90% on the road in various parts of the country, they will either have the new laptop shipped to me, ship it to me once they have received it, or have someone local drop it off at my office. I configure the laptop, then either ship it back, drop it off at the main office, or someone stops by to pick it up.
Let me know if any of these steps are not clear or if something else needs to be added that I may have missed, and I'll do my best to integrate or clean it up.
1. First, as a rule of thumb, all of your internal domain controllers, member servers, and clients must be set to use only the internal DNS servers, which are more than likely your domain controllers. This means do not use your ISP's DNS servers, and do not use your router/firewall as a DNS address. It simply won't work. You can configure your ISP's DNS as a Forwarder on the internal DNS servers instead.
The reason I state this right off the bat is that configuring your ISP's DNS in any internal machine's NIC DNS settings is inviting trouble. It is a very common misconfiguration, usually due to an admin not understanding AD's reliance on DNS: the AD zone, including the SRV records clients use to locate domain controllers, exists only on the DNS servers that host it, so a client pointed anywhere else cannot find a DC. I always mention this to prevent AD issues. If you are not sure what I am referring to, please read the following:
Active Directory's Reliance on DNS, and why you should never use an ISP's DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
2. Therefore, make sure DHCP Option 006 (DNS Servers), the DNS addresses given out to DHCP clients, is set to the company's internal DNS servers only, and no others. As previously mentioned, this includes NOT using the router as a DNS address. If you are not sure what I'm referring to, please read the link above.
3. For NetBIOS name resolution, consider using WINS to allow seamless NetBIOS name resolution across the tunnel (NetBIOS broadcasts do not cross a routed VPN link). Please read the following for more information on how to configure WINS. Note that you MUST configure a DHCP Relay Agent on the VPN server (the RRAS or NAS server), or the DHCP options will not be provided to the VPN clients.
WINS - What Is It, How To Install It, and how to Configure DHCP Scopes For WINS Client DHCP Distribution
4. Configure a DHCP Relay Agent to ensure DHCP options are provided to VPN clients. Without it, RRAS hands VPN clients its own WINS and DNS addresses and no other options at all, such as Option 015 (DNS Domain Name), which becomes the connection-specific DNS suffix on the client's PPP adapter.
Understanding DHCP IP Address Assignment for RAS Clients
IP Address Assignment
Thread Discussion: DNS DHCP option 006 not being applied to VPN clients via RRAS
This is a good discussion with specifics about how an IP configuration is passed to an RRAS client and how DHCP relay agents fit in.
Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options
RRAS (VPN) DHCP options
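The following is an added example and is not code from the original post. It audits the two things steps 1 through 4 depend on: that every DNS server a client can be handed actually hosts the AD zone (an ISP resolver or a router's DNS proxy cannot answer the DC locator SRV query for a private zone, which is exactly why AD breaks when clients use them), and that the DHCP scope carries options 006, 015, 044 and 046 so the DHCP Relay Agent has something worth relaying. The domain name, DHCP server name and scope ID are placeholder assumptions, as are the DnsClient and DhcpServer modules (Windows Server 2012 / RSAT or later). Run it on a DC or member server with the RSAT DHCP tools installed.

```powershell
# Added example, not from the original post. Placeholders: domain, DHCP server, scope.
param(
    [string]$Domain     = 'corp.example.local',          # placeholder AD DNS name
    [string]$DhcpServer = 'dhcp01.corp.example.local',   # placeholder DHCP server
    [string]$ScopeId    = '10.0.0.0'                     # placeholder scope ID
)

# A DNS server "hosts the AD zone" if it can answer the DC locator SRV query
# itself (-DnsOnly, -Server). ISP and router resolvers return NXDOMAIN for it.
function Test-HostsAdZone {
    param([string]$Server, [string]$Domain)
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                               -Server $Server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        return [bool]$srv
    } catch { return $false }
}

function Get-DnsServerVerdict {
    param([string[]]$Servers, [string]$Domain, [string]$Where)
    if (-not $Servers) { return "[$Where] no DNS servers configured" }
    foreach ($s in $Servers) {
        if (Test-HostsAdZone -Server $s -Domain $Domain) { "[$Where] $s OK (hosts $Domain)" }
        else { "[$Where] $s BAD (does not host $Domain: ISP, router, or non-AD DNS)" }
    }
}

# Step 1: the NICs on the box this runs on (DC, member server or client).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        Get-DnsServerVerdict -Servers $_.ServerAddresses -Domain $Domain -Where "NIC $($_.InterfaceAlias)"
    }

# Step 2: what DHCP hands out. Scope options override server options, so check
# both; a BAD entry here reaches every DHCP client, VPN clients included.
$scopeDns  = (Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 6 -ErrorAction SilentlyContinue).Value
$serverDns = (Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue).Value
Get-DnsServerVerdict -Servers $scopeDns  -Domain $Domain -Where "DHCP scope $ScopeId option 006"
Get-DnsServerVerdict -Servers $serverDns -Domain $Domain -Where "DHCP server-level option 006"

# Steps 3-4: the options the relay agent exists to deliver. 015 becomes the PPP
# adapter's connection-specific suffix; 044/046 give WINS servers and node type
# (0x8 = h-node: WINS first, broadcast second) so \\server\share resolves.
$want = @{ 15 = 'DNS Domain Name (connection-specific suffix)'
           44 = 'WINS/NBNS servers'
           46 = 'WINS/NBT node type (expect 0x8, h-node)' }
foreach ($id in ($want.Keys | Sort-Object)) {
    $v = (Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId $id -ErrorAction SilentlyContinue).Value
    if ($v) { "[scope $ScopeId] option {0:D3} {1} = {2}" -f $id, $want[$id], ($v -join ', ') }
    else    { "[scope $ScopeId] option {0:D3} {1} MISSING" -f $id, $want[$id] }
}
```

A router that merely proxies to an internal DNS server will pass the SRV test; the check proves the address can answer for the zone, not that it is a domain controller, so still list the DCs themselves in option 006.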
5. Keep in mind there is a chicken-and-egg problem with initially joining a machine over a VPN, logging on, and letting the new domain account's profile initialize.
Therefore the one main thing, of course, is that the client VPN connection must be established before you add the machine to the domain. This is a bit tricky at times. On Windows XP and earlier, the VPN client must be configured to come up and be available before you log on at the remote location (or at the initial restart), so that the first domain logon can reach a domain controller; otherwise you will have trouble, because no local profile exists yet for the domain account and there are no cached credentials to fall back on. Many third-party VPN clients work hand in hand with the Windows GINA (the logon box) to offer a dial-up or VPN connection at the logon screen. Connect first, then log on.
With Windows Vista or Windows 7 and the built-in Windows VPN client, you can establish the VPN connection while logged on locally, join the machine to the domain (use an account that has been delegated the right to join computers to the target OU; it does not need to be a Domain Admin), then, without logging off, select "Switch User" while the VPN is still connected and log on with the domain user account that will be using this laptop. A logoff tears the connection down; a user switch leaves it up.
6. Once you've joined the machine to the domain and restarted, connect to the VPN, then log on with the domain admin (or delegated join) account. Make sure you can reach resources, etc. Then log off. If the VPN drops during logoff, either reconnect to the VPN before the next logon or configure the VPN client to stay active across logoff; whether that is possible depends on the client. Then log on as the domain user account, making sure they can access all resources as if they were in the office.
7. If name resolution does not work, troubleshooting depends on how you are connecting. If connecting using \\servername\share, a single-label name, you are expecting NetBIOS name resolution to work, which means WINS (DNS can also answer it if the client received Option 015 and the resolver appends that suffix to the name). Run ipconfig /all on the VPN client and look at the PPP (VPN) connection to make sure it shows the WINS address. If it doesn't, go back to steps 2 through 4 and see what you missed with DHCP. Also check your DHCP scope options and DHCP Relay Agent settings.
If connecting using \\servername.internalDomain.local\share, a fully qualified name, then you are using DNS.
Once again, run ipconfig /all to make sure the client is getting the company's DNS servers on the PPP (VPN) connection. If not, check your DHCP settings and DHCP Relay Agent settings.
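As an added example, not code from the original post, the following script does on the laptop what steps 5 through 7 describe by hand: it brings the Windows VPN entry up, reads the DNS, WINS and suffix the PPP adapter actually received (the same data ipconfig /all prints under "PPP adapter"), asks each of those DNS servers for the DC locator SRV record, tests LDAP and SMB reachability to the DCs through the tunnel, and only then runs Add-Computer. The VPN entry name, domain, OU and join account are placeholder assumptions, as are the VpnClient and DnsClient modules (Windows 8 / Server 2012 or later) and the assumption that the PPP interface's alias and WMI description equal the VPN entry name.

```powershell
# Added example, not from the original post. Run elevated on the laptop, VPN entry already created.
param(
    [string]$VpnName  = 'Corp VPN',                                # placeholder entry name
    [string]$Domain   = 'corp.example.local',                      # placeholder domain
    [string]$OUPath   = 'OU=Laptops,DC=corp,DC=example,DC=local',  # placeholder OU
    [string]$JoinUser = 'corp\svc-domainjoin',                     # delegated join account, not a Domain Admin
    [switch]$Join                                                  # without -Join: report only
)
$problems = New-Object System.Collections.Generic.List[string]

# Step 5: tunnel first. rasdial uses the credentials saved on the entry and
# fails (rather than prompting) if none are saved, so fix the entry, not the script.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
if ($vpn.ConnectionStatus -ne 'Connected') {
    rasdial $VpnName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "rasdial '$VpnName' failed with exit code $LASTEXITCODE" }
}

# Step 7: what the PPP adapter received. DNS via DnsClient; WINS and the
# connection-specific suffix (option 015) via WMI. Assumes alias/description = entry name.
$dns = (Get-DnsClientServerAddress -InterfaceAlias $VpnName -AddressFamily IPv4 -ErrorAction SilentlyContinue).ServerAddresses
$cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
       Where-Object { $_.Description -eq $VpnName }
$wins = @($cfg.WINSPrimaryServer, $cfg.WINSSecondaryServer) | Where-Object { $_ }
"PPP DNS servers : $($dns -join ', ')"
"PPP WINS servers: $($wins -join ', ')"
"PPP DNS suffix  : $($cfg.DNSDomain)"
if (-not $dns)  { $problems.Add('no DNS servers on the PPP adapter: check DHCP relay / option 006 (steps 2-4)') }
if (-not $wins) { $problems.Add('no WINS servers on the PPP adapter: \\server\share names will fail (steps 3-4)') }
if ($cfg.DNSDomain -ne $Domain) { $problems.Add("PPP DNS suffix is '$($cfg.DNSDomain)', expected '$Domain' (option 015)") }

# The DC locator query, asked of each server the tunnel handed out. Add-Computer
# and the first domain logon do exactly this; if it fails here it fails there.
$dcs = @()
foreach ($s in $dns) {
    try {
        $found = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $s -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }
        if ($found) { $dcs += $found }
    } catch { $problems.Add("DNS server $s cannot answer the DC SRV query for $Domain (not an internal DNS server?)") }
}
$dcs = @($dcs | Sort-Object -Unique)
if (-not $dcs) { $problems.Add("no domain controllers located for $Domain") }

# Reachability through the tunnel: LDAP (389) for the join, SMB (445) for SYSVOL and the profile.
function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $c = New-Object System.Net.Sockets.TcpClient
    try { $c.ConnectAsync($TargetHost, $Port).Wait($TimeoutMs) -and $c.Connected }
    catch { $false }
    finally { $c.Dispose() }
}
foreach ($dc in $dcs) {
    foreach ($p in 389, 445) {
        if (-not (Test-TcpPort -TargetHost $dc -Port $p)) { $problems.Add("$dc tcp/$p unreachable through the tunnel") }
    }
}

if ($problems.Count) {
    'PRE-FLIGHT FAILED:'; $problems | ForEach-Object { " - $_" }
    exit 1
}
"Pre-flight OK. DCs reachable: $($dcs -join ', ')"

# Steps 5-6: join with an account delegated "Create Computer objects" on the OU,
# then restart. After the restart, reconnect the VPN before the first domain logon,
# or use Switch User so the tunnel from the local session stays up.
if ($Join) {
    $cred = Get-Credential -UserName $JoinUser -Message 'Domain join account'
    Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred -Force -Restart
}
```

Running it without -Join is the troubleshooting pass from step 7: every line under PRE-FLIGHT FAILED names the DHCP option or relay setting to revisit, so you fix the server side before touching the laptop again.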
8. Also, this is important: configure the VPN connection to use the local gateway (the remote machine's ISP gateway) and not the remote gateway (the company's Internet connection) for non-company traffic.
This way, any non-company connection (say you are in IE reading your Yahoo or MSN email) does not send all that traffic through the tunnel and out the company's Internet connection. In the Windows VPN client this is the "Use default gateway on remote network" checkbox under the connection's Networking tab, IPv4 properties, Advanced; uncheck it. For Cisco, split tunneling is a setting on the PIX or ASA side (the group policy's split-tunnel ACL). I don't know whether other vendors' VPN solutions support this, but I can't imagine they don't have an option for it. Be aware that split tunneling is a policy decision as well as a convenience: while the tunnel is up the laptop is attached to both its local network and the company network, so some organizations deliberately force all traffic through the tunnel and accept the bandwidth cost.
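The following is an added example, not code from the original post. It flips a Windows VPN entry to split tunneling (the same thing as clearing the "Use default gateway on remote network" checkbox) and then checks the routing table to prove which traffic actually leaves through the tunnel, which is the only verification that matters once the connection is up. The entry name is a placeholder. Set-VpnConnection needs Windows 8 / Server 2012 or later; for the older clients the post discusses, the same switch is assumed to be the IpPrioritizeRemote line of that entry in rasphone.pbk (1 = everything through the tunnel, 0 = only the remote network), and the file's encoding is taken from its byte-order mark before it is rewritten.

```powershell
# Added example, not from the original post. Placeholder: the VPN entry name.
param([string]$VpnName = 'Corp VPN')

function Set-SplitTunnel {
    param([string]$Name, [bool]$Enabled)
    if (Get-Command Set-VpnConnection -ErrorAction SilentlyContinue) {
        Set-VpnConnection -Name $Name -SplitTunneling $Enabled -PassThru |
            Select-Object Name, SplitTunneling
        return
    }
    # Legacy path (Windows PowerShell on Vista/7): rewrite IpPrioritizeRemote only
    # inside the [entry] section. Assumed key semantics: 1 = use remote gateway.
    $pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    $bytes = [System.IO.File]::ReadAllBytes($pbk)
    $enc = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { 'Unicode' } else { 'Default' }
    $inEntry = $false
    $value = [int](-not $Enabled)
    $out = foreach ($line in (Get-Content -Path $pbk)) {
        if ($line -match '^\[(.*)\]$') { $inEntry = ($Matches[1] -eq $Name) }
        if ($inEntry -and $line -match '^IpPrioritizeRemote=') { "IpPrioritizeRemote=$value" }
        else { $line }
    }
    Set-Content -Path $pbk -Value $out -Encoding $enc
    "Updated $pbk entry [$Name]: IpPrioritizeRemote=$value"
}

# With split tunneling the only IPv4 default route must sit on the physical NIC;
# the PPP interface should carry just the company prefixes. Run after connecting.
function Test-SplitTunnel {
    param([string]$Name)
    $defaults = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $viaVpn   = $defaults | Where-Object { $_.InterfaceAlias -eq $Name }
    if ($viaVpn) {
        "FULL TUNNEL: default route via '$Name' (metric $($viaVpn.RouteMetric)); all Internet traffic exits the office."
        return $false
    }
    $company = Get-NetRoute -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction SilentlyContinue |
               Where-Object { $_.DestinationPrefix -ne '0.0.0.0/0' } |
               Select-Object -ExpandProperty DestinationPrefix
    "SPLIT TUNNEL: only $($company -join ', ') go through '$Name'; everything else uses the local gateway."
    return $true
}

Set-SplitTunnel -Name $VpnName -Enabled $true
if ((Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue).ConnectionStatus -eq 'Connected') {
    Test-SplitTunnel -Name $VpnName | Out-Null
}
```

The Windows client only adds a classful route for the address it was assigned when split tunneling is on, so if the company has more subnets than that, push the extra routes (CMAK, a logon script, or the VPN server's configuration) or the user will see the same "cannot reach the server" symptom as a DNS failure.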
9. After completion, with the user account logged on, you can easily set up the user's Outlook profile, assuming you are using Outlook Anywhere (RPC over HTTPS).
Don't forget to provide them a copy of their NK2 file, or, if using Outlook 2010 or newer with Exchange 2010, the AutoComplete list is stored in the Exchange 2010 mailbox and comes across automatically.
Oh, and you might want to set up their signature from a previously sent email, and if you have a copy of their Favorites and Links bar, provide that, too.
If not using Folder Redirection, I would highly recommend it. This way their My Documents show up automatically. More info in the following links, if you are interested in learning more about this feature:
Published by Ace Fekay, MCT, MVP DS on Sep 8, 2009 at 12:16 PM
Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization)
Excellent write up on Folder Redirection by Alan Burchill, Microsoft, including screenshots, permissions settings, and much much more.
08/18/2010, 7:00 pm | by Alan Burchill
Comments, suggestions and corrections are welcomed.