There may be occasions where you need to join an off-site computer to an existing domain at a remote office.  Most often this would be in a situation such as a satellite office which is part of a larger corporate network and there is a site-to-site VPN in place.  Though a site-to-site VPN is by far the easiest way to join, it can be done using a Windows VPN client, which will be discussed further on in this article.  The primary problem encountered when joining the domain is DNS, but this is easily dealt with.

Joining the domain using a site-to-site VPN

  • Only 1 network adapter can be enabled on the PC joining the domain, and preferably a wired connection.  If any others exist such as a wireless card, disable until domain joined.  On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
  • Configure the connecting PC’s network adapter either statically or through DHCP to point ONLY to the domain controller at the corporate office for DNS.  Do not add an alternate external DNS server such as an ISP or router as these will often respond first and name resolution will fail.
  • In the NIC configuration, under Internet Protocol Version 4 (TCP/IPv4) properties, click Advanced, and under the DNS tab insert the corporate internal DNS suffix, such as CompanyDomain.local, in the box entitled “DNS suffix for this connection”.
  • Then join the domain using the traditional method of Computer (formerly My Computer) | Properties | Change Settings | Change | enter the internal domain name | click OK | and you should be prompted for credentials for an account authorized to do so, a Domain Admin account.  If the Domain Controller is a version of Small Business Server, the SBS option to use http://SBSname/connectcomputer or http://connect most often will not work.  (More detail and screenshots of the domain-join process can be found below in the VPN client section.)
  • If you wish to simultaneously import an existing local user profile, you can use ProfWiz as outlined in the following link which will both join the domain and move the profile. Though the article references SBS, it can be used with any Windows Server Version.  https://blog.lan-tech.ca/2011/05/19/sbs-and-profwiz/
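The checks in the list above (one enabled adapter, the DC as the only DNS server, the internal suffix set, and a DC reachable across the site-to-site link) can be scripted before attempting the join. This is an added example, not code from the original article; it assumes the NetTCPIP and DnsClient PowerShell modules (Windows 8 / Server 2012 or later), and the DC address, suffix and domain name are placeholders.

```powershell
# Added example, not from the original article. Assumes the NetTCPIP and
# DnsClient modules (Windows 8 / Server 2012 or later; Windows 7 users apply
# the GUI steps above). The three values below are placeholders.
$DcIp       = '10.0.0.10'            # the corporate DC, the ONLY DNS server allowed
$DnsSuffix  = 'CompanyDomain.local'  # "DNS suffix for this connection"
$DomainName = 'CompanyDomain.local'

function Test-DomainJoinPrereqs {
    param([string]$DcIp, [string]$DnsSuffix, [string]$DomainName)
    $ok = $true

    # 1. Exactly one adapter may be enabled. The article's advice is to
    #    disable, not merely disconnect, the others (Wi-Fi, Bluetooth), so
    #    anything whose Status is not 'Disabled' counts as enabled here.
    $live = @(Get-NetAdapter | Where-Object { $_.Status -ne 'Disabled' })
    if ($live.Count -ne 1) {
        Write-Warning ("Expected 1 enabled adapter, found {0}: {1}" -f $live.Count, ($live.Name -join ', '))
        return $false
    }
    $nic = $live[0]

    # 2. That adapter must list ONLY the internal DNS server. An ISP or router
    #    entry as alternate often answers first and the join fails.
    $servers = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses)
    if (-not ($servers.Count -eq 1 -and $servers[0] -eq $DcIp)) {
        Write-Warning "DNS servers on '$($nic.Name)' are [$($servers -join ', ')]; expected only $DcIp"
        $ok = $false
    }

    # 3. Connection-specific suffix so short names are qualified internally.
    $suffix = (Get-DnsClient -InterfaceIndex $nic.ifIndex).ConnectionSpecificSuffix
    if ($suffix -ne $DnsSuffix) {
        Write-Warning "Suffix on '$($nic.Name)' is '$suffix'; expected $DnsSuffix"
        $ok = $false
    }

    # 4. The domain's locator (SRV) record must be answered by the DC across
    #    the site-to-site link; without it the join dialog cannot find a DC.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $DcIp -DnsOnly -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "No _ldap._tcp.dc._msdcs.$DomainName SRV record from $DcIp; check the VPN and DNS"
        $ok = $false
    }
    return $ok
}

# Usage: fix anything reported, then join with a Domain Admin credential.
if (Test-DomainJoinPrereqs -DcIp $DcIp -DnsSuffix $DnsSuffix -DomainName $DomainName) {
    Add-Computer -DomainName $DomainName -Credential (Get-Credential -Message 'Domain Admin') -Restart
}
```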

Joining the domain using a Windows VPN client

Joining a domain using a VPN client is a little more involved, but not complicated. This method may work with other VPN clients, so long as they have the option to connect to the VPN before logon, but this explanation uses only the Windows built-in VPN client.  Without the ability to connect before logon, there is very little advantage even if you can join the domain, as you would not actually be authenticating to the domain.  I will assume the server end, RRAS, is configured and working for VPN client connections.

  • Log on to the PC you wish to join the domain with a local administrator account
  • Only 1 network adapter can be enabled on the PC joining the domain, and preferably a wired connection.  If any others exist such as a wireless card, disable until domain joined.  On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
  • Establish a VPN connection.  If not familiar with doing so:
    • From the network and sharing center choose “Set up a new connection or Network”
    • Select “Connect to a workplace”
    • Choose “Use my Internet connection (VPN)”
    • Enter the public facing FQDN of the corporate VPN server such as VPNserver.MyDomain.com and enter a friendly name for the connection, anything you like.  It is also very important to check the box “Allow other people to use this connection” as you will soon have a domain account which will require access to this VPN connection.
    • Enter a user name, which ideally is the user that will be using the connection once joined to the domain, but can be any user name that is authorized to connect to the corporate network via VPN.  If you use a name other than the ultimate user of the PC, they will simply have to change the user name in the connection wizard the first time they try to connect.  Enter the password and choose Connect.  For security reasons I don’t recommend checking “Remember this password”.
    • If prompted for a network type after connecting, choose “Work Network”.

  • Presumably you were able to establish a connection.  However, while connected, if you do an nslookup from a command line for the server’s short name, you will see it fails.  Try an nslookup for the FQDN of the server, and it will succeed.  Thus, we need to configure DNS for the VPN client before proceeding.
    • Disconnect the VPN client
    • In the network connections window right click on the VPN/PPP connection and choose Properties | Networking tab | highlight Internet Protocol Version 4 (TCP/IPv4) and choose Properties | Advanced | DNS tab | and enter the IP of the corporate DNS server under DNS server addresses and the internal domain suffix, such as MyDomain.local, in the “DNS suffix for this connection” box.  If admins need to connect to the remote client PC for administration by name, check the box “Register this connection’s address in DNS”, but I would discourage this as the IP can change frequently and cause issues.  Also, on the “IP Settings” tab leave the option “Use default gateway on remote network” checked, at least for now, so that all traffic is forced to the corporate network while the VPN is connected.
  • Now you can try joining the domain
    • Connect the VPN client
    • Right click on “Computer” (formerly My Computer) and choose properties.
    • In the resulting window select “Change Settings”
    • Select “Change” again
    • Enter the corporate internal Domain name, such as MyDomain.local in the Domain box and click OK
    • You will be prompted for a domain account with privileges to join a PC to the domain, a Domain Admin.  Enter it and the password and you should receive a message advising you have been joined to the domain.  Be patient it takes a little longer as this is a slow link compared to the LAN.
    • You now need to reboot the connecting PC.
  • In order to authenticate to the corporate network at logon and work as if on the corporate LAN, you need to connect the VPN before logging on to the PC.  When the PC reboots press Ctrl+Alt+Delete as you normally would, and then choose  “Switch User”
    • You will then be presented with a new option, a little blue icon in the lower right corner.
    • Clicking this allows you to choose to connect to the corporate network, by using the VPN.  After entering your credentials you will see the familiar VPN connection automatically start, it will connect, and you will be authenticated to the domain.
    • Logon is a little slower, of course, due to the slow link, and the first time you connect it will have to set up the local domain profile.  If you make use of redirected My Documents, offline files, or have a lot of group policies, logon can take a very long time while they apply and sync.  If logon is too slow, you may want to review the options available to the remote user (see the Group Policy settings at the end of this article).  You will note that if you now try nslookup <servername>, it works as it should.

Note:  If connecting from Windows 8, please see the following updated article:  https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/

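The VPN client procedure above can also be driven from PowerShell on Windows 8 / Server 2012 or later, where the same two settings the article stresses (“Allow other people to use this connection” and the connection’s DNS suffix) are cmdlet parameters. This is an added example, not code from the original article; the connection name, server FQDN, suffix, DC address and test host name are placeholders, PPTP is assumed as in the article’s RRAS setup, and Test-VpnNameResolution is a helper written here to repeat the article’s nslookup experiment.

```powershell
# Added example, not from the original article. Assumes the RemoteAccess
# client cmdlets and DnsClient module (Windows 8 / Server 2012 or later);
# on Windows 7 use the wizard steps above. All values are placeholders.
$VpnName   = 'Corporate VPN'
$VpnServer = 'VPNserver.MyDomain.com'   # public FQDN of the RRAS server
$VpnUser   = 'MyDomain\jsmith'          # a user authorised to dial in
$DnsSuffix = 'MyDomain.local'           # internal suffix for the connection
$DcIp      = '10.0.0.10'                # internal DNS server (the DC)
$ShortName = 'server'                   # a host to test, as in the nslookup step

function New-CorpVpnConnection {
    # -AllUserConnection is the cmdlet form of "Allow other people to use this
    # connection": the entry goes in the all-users phonebook, which is what
    # makes the VPN selectable from the logon screen before a domain logon.
    # -RememberCredential is deliberately omitted (don't cache the password).
    # -SplitTunneling is omitted too, so "Use default gateway on remote
    # network" stays on and all traffic goes to head office while connected.
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -TunnelType Pptp `
        -AllUserConnection -DnsSuffix $DnsSuffix -PassThru
}

function Test-VpnNameResolution {
    param([string]$ShortName, [string]$DnsSuffix, [string]$DcIp)
    $fqdn = "$ShortName.$DnsSuffix"
    # Same experiment as the article's nslookup step: the FQDN asked of the
    # internal server directly works as soon as the tunnel is up; the bare
    # short name only works once the connection's DNS server and suffix are
    # set (the Networking tab steps above). Both must pass before joining.
    $fqdnOk  = [bool](Resolve-DnsName -Name $fqdn -Server $DcIp -DnsOnly -ErrorAction SilentlyContinue)
    $shortOk = [bool](Resolve-DnsName -Name $ShortName -DnsOnly -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Fqdn = $fqdn; FqdnResolves = $fqdnOk
                       ShortNameResolves = $shortOk; ReadyToJoin = ($fqdnOk -and $shortOk) }
}

# Usage: create the connection, dial it ('*' makes rasdial prompt for the
# password instead of taking it on the command line), verify resolution,
# then join with a Domain Admin credential and reboot. After the reboot,
# use the VPN icon on the logon screen so the first logon is a domain logon.
New-CorpVpnConnection
rasdial $VpnName $VpnUser '*'
$result = Test-VpnNameResolution -ShortName $ShortName -DnsSuffix $DnsSuffix -DcIp $DcIp
$result
if ($result.ReadyToJoin) {
    Add-Computer -DomainName $DnsSuffix -Credential (Get-Credential -Message 'Domain Admin') -Restart
}
```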
Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection. The following policies can assist with this:

Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:
  • Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed
Server 2003 / SBS 2003 / SBS 2003 R2:
  • Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
  • Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed

Comments on: "How to join a Windows Domain using a VPN" (37)

  1. Thanks!

  2. about2flip said:

    Thank You!

  3. thanks very much

  4. Benjamin said:

    Only works with Windows 7 Premium or Ultimate.

  5. I was able to find good information from your
    articles.

  6. cheap watches online new designs for the $5 $10 $20 and $50 bills said:

    We’re a group of volunteers and opening a new scheme in our community.

    Your site provided us with valuable info to work on.
    You have done a formidable job and our whole community will be thankful to you.

  7. Safe.Mn/OrmO said:

    Wow, awesome blog layout!
    The overall look of your website is great, let alone the content!

  8. loans no credit check said:

    Hurrah! Finally I got a webpage from where I can actually get helpful information concerning my study and knowledge.

  9. sugar stores Coupon Code said:

    You really make it seem so easy with your presentation. I am looking forward for your next post.

  10. Thailand resort said:

    I wish to say that this article is awesome, nicely written
    and includes important info. I would like to look for more posts like this.

  11. superman stamina said:

    excellent points !

  12. Great article.

  13. Hi colleagues, nice article and comments here, I am genuinely
    enjoying these.

  14. First off I would like to say superb blog! Thank you!

  15. thank you gifts said:

    Hello There. That is a really neatly written article.Thanks for the post.

  16. marching bands Music said:

    I found this truly useful. You helped me.

  17. Dui Lawyer Tyler, TX said:

    You have some really great posts!

  18. foundation contractor Toronto Ontario said:

    Your site is very useful.
    Thanks for sharing!

  19. You ought to take part in a contest for one of the greatest websites online.

  20. Thank you.

  21. great article, but can you tell me what are the minimum list of ports that I would need to open on the main office router? Also, would the remote office router also need ports to be open and if so which? If so, how would that work? Many thanks and your patience if this is a really dumb question.

    • Assuming the VPN has already been configured, no additional ports at the host or client end need to be opened in either router configuration.
      The ports that need to be opened to establish a VPN are dependent on the type of VPN you are creating. At the host/server end for example, if a server based PPTP VPN, you need to enable GRE and forward port 1723 to the VPN server. If L2TP w/ IPsec you need to forward ports 500, 1701, and 4500, as well as address ESP or AH. At the client end only “allow VPN pass-through”, for the required protocol, needs to be enabled. No port forwarding. However, if a site to site VPN between two routers, the better configuration, no port forwarding is required at all. Configuring of the VPN is beyond the scope of this particular article.

  22. refurbished desktop said:

    Good web site you’ve got here. Thanks.

  23. Hi,
    I followed your procedure which is great; however I hit a problem at the stage where you reboot after making the initial VPN connection and join the PC to the domain as it didn’t show the small blue icon that allows you to connect to the VPN whilst logging on.

    I figured out that the fix was to log back in as the local PC user and edit the VPN settings and add a tick to the option on the VPN login that says “Save this user name and password for the following users:”

    And then of the two options that become available select “Anyone who uses this computer”. If you then log in to test that setting and then disconnect the VPN, then re-boot and the on the domain user name screen you now do get the blue icon.

    Siv

    • Hi Graham. Thanks for pointing that out. The article does say, in bold type; “very important to check the box “Allow other people to use this connection””. Perhaps the phrasing has changed. Without doing so the VPN option is not present at logon.

  24. Thanks for this – I have used this to connect to my work network and it works brilliantly. I can log into the work network and do all my work from home. I thought that if I could see the work server it should be able to see me and I could set up a remote backup on my local PC. However whilst the work servers show me as part of the network they cannot “see” me. Pinging from server to me does not work. Is there any way for the work server to see a local shared folder?

    • Chris, a client VPN connection is not all that stable, thus it is generally not the best connection for a backup as they often disconnect while transferring large amounts of data. A site to site VPN using 2 VPN routers is the better option. That being said, it should work. Two possible problems. When you enable features like file and print sharing on a PC, Windows automatically creates firewall exceptions. However, those exceptions are usually only for access by devices on the local network. You may have to add the remote subnet, or at least for testing, disable the firewall on the client PC. That goes for any other 3rd party security software on the client PC as well. The other issue is routing. The device to which you are connecting, the server, knows the return route due to the RRAS configuration; however when you ping the client PC it may not. Is the IP pool used for the VPN a subset of the same subnet as the server’s local network? If so you should be fine, but if not you may have to add a route on the PC. I can provide routing details if necessary.

      • I managed to work out the IP address that the server had allocated my PC. Using that IP I was able to see my local share drive from the server. The obvious problem though is every time I log in I get a new IP address. I tried using a fixed IP address for the VPN connection but that only resulted in a connection error (720)

      • I am very sorry Chris I somehow missed this. I did a blog article a long time ago on assigning a static IP, assuming you are connecting to a RRAS server. It can be found at the following link, however the pictures are now missing I see; http://blogs.msmvps.com/robwill/2009/11/15/static-ip-for-windows-vpn-client/ Having said that I am told, but have not tested that with newer server versions the setting in Active Directory under User profile properties | Dial-In | Assign a static IP works, and makes it much simpler.

  25. It didn’t work for me. We have a site to site VPN in the place I work; the main office has the Active Directory domain server with the address 192.168.2.2 and the domain name is eatbi, and we also have a remote office with address 192.168.1.6, and the domain name for this is eabi.local. I can ping each server from either of the offices, and I can also log on to either using Remote Desktop using those addresses; also PCs already joined to the domain work at the remote office, but I can’t seem to join new computers from the remote office. Is there anything I am missing?

    • If you have a site to site VPN you should only have set DNS on the client to point ONLY to your internal DNS server/s. If you have a router or ISP’s DNS server added as an alternative, it will fail. You should also add your internal DNS suffix, for the domain you wish to join, presumably the remote eatbi.local, to the DNS tab of the network adapter under “DNS suffix for this connection”. In addition, if the connecting machine has more than one network adapter, wired or wireless, disable all but one wired adapter until after you have joined the domain. Disable, don’t just disconnect. I assume these are different domains and not a spelling error? eatbi and eabi? You might also verify there are no incorrect static entries in the Hosts and LMhosts files.

  26. Great delivery. Sound arguments. Keep up the amazing effort.

  27. I followed all of these steps. I use Windows Server 2012 and the client laptop is using Windows 7. I use a Wi-Fi NIC and a 4G internet router. I successfully connect to the server, but when I use nslookup it gives me “unknown server”, and I cannot join the domain controller.

    • Sorry Mody, I missed your comment. I assume you are connected by VPN. NSlookup will only work if there is a reverse DNS entry in your internal DNS server. Also the Windows 7 machine must point ONLY to the internal DNS server for DNS. Can you ping the server by FQDN, such as ping server.domain.local? Do not have an alternate or secondary present. In addition, if using WiFi make sure the wired NIC port is disabled, not just disconnected, until domain joined. All that being said, it is very possible it will not work with the dual encryption of the VPN and WiFi as well as the slower connection of a 4G connection.
