Posts tagged ‘connect at logon’

How to join a Windows Domain using a VPN

There may be occasions where you need to join an off-site computer to an existing domain at a remote office.  Most often this would be in a situation such as a satellite office which is part of a larger corporate network and there is a site-to-site VPN in place.  Though a site-to-site VPN is by far the easiest way to join, it can be done using a Windows VPN client, which will be discussed further on in this article.  The primary problem encountered when joining the domain is DNS, but this is easily dealt with.

Joining the domain using a site-to-site VPN

  • Only 1 network adapter can be enabled on the PC joining the domain, and preferably a wired connection.  If any others exist such as a wireless card, disable until domain joined.  On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
  • Configure the connecting PC’s network adapter either statically or through DHCP to point ONLY to the domain controller at the corporate office for DNS.  Do not add an alternate external DNS server such as an ISP or router as these will often respond first and name resolution will fail.
  • In the NIC configuration, under Internet Protocol Version 4 (TCP/IPv4) properties, click advanced, and under the DNS tab insert the corporate internal DNS suffix, such as CompanyDomain.local in the box entitled “DNS suffix for this connection”
  • image
  • Then join the domain using the traditional method of Computer (formerly My Computer) | Properties | Change Settings |  Change | enter the internal domain name | click OK | and you should be prompted for credentials for an account authorized to do so, a Domain Admin account.  If the Domain Controller is a version of Small Business Server the SBS option to use  http://SBSname/connectcomputer  or http://connect most often will not work.  (more detail and screen shots for the joining the domain process can be found below in the using a VPN client section).
  • If you wish to simultaneously import an existing local user profile, you can use ProfWiz as outlined in the following link which will both join the domain and move the profile. Though the article references SBS, it can be used with any Windows Server Version.  https://blog.lan-tech.ca/2011/05/19/sbs-and-profwiz/

Joining the domain using a Windows VPN client

Joining a domain using a VPN client is a little more involved, but not complicated. This method may work with other VPN clients, so long as they have the option to connect to the VPN before logon, but this explanation uses only the Windows built-in VPN client.  Without the ability to connect before logon, there is very little advantage even if you can join the domain, as you would not actually be authenticating to the domain.  I will assume the server end, RRAS, is configured and working for VPN client connections.

  • Log on to the PC you wish to join the domain with a local administrator account
  • Only 1 network adapter can be enabled on the PC joining the domain, and preferably a wired connection.  If any others exist such as a wireless card, disable until domain joined.  On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
  • Establish a VPN connection.  If not familiar with doing so:
    • From the network and sharing center choose “Set up a new connection or Network”
    • Select “Connect to a workplace”
    • Choose “Use my Internet connection (VPN)”
    • Enter the public facing FQDN of the corporate VPN server such as VPNserver.MyDomain.com and enter a friendly name for the connection, anything you like.  It is also very important to check the box “Allow other people to use this connection” as you will soon have a domain account which will require access to this VPN connection.
    • image
    • Enter a User name, which ideally is the user that will be using the connection once joined to the domain, but can be any user name that is authorized to connect to the corporate network via VPN.  If you use a name other than the ultimate user of the PC they will simply have to change the user name during in the connection wizard, the first time they try to connect.  Enter the password and choose connect.  For security reasons I don’t recommend checking “Remember this password”.
    • image
    • If prompted for a network type after connecting, choose “Work Network”.

  image

  • Presumably you were able to establish a connection.  However while connected if you did an NSlookup from a command line for the server name, you will see it fails. Try an NSlookup for the FQDN of the server, and it will succeed.  Thus, we need to configure DNS for the VPN clientbefore proceeding.
    • image
    • Disconnect the VPN client
    • In the network connections window right click on the VPN/PPP connection and choose properties | Networking tab | highlight Internet Protocol Version 4 (TCP/IPv4) and choose properties | Advanced | DNS tab | and enter the IP of the corporate DNS server under DNS server addresses and the internal domain suffix such as MyDomain.local in the “DNS suffix for this connection box.  If admins need to connect to the remote client PC for administration by name check the box “register this connection’s address in DNS” but I would discourage this as the IP can change frequently and cause issues.  Also on the “IP Settings” tab leave the option “Use default gateway on remote network” checked, at least for now, so that all traffic is forced to the corporate network while the VPN is connected.
    • image
  • Now you can try joining the domain
    • Connect the VPN client
    • Right click on “Computer” (formerly My Computer) and choose properties.
    • In the resulting window select “Change Settings”
    • image
    • Slect “Change” again
    • image
    • Enter the corporate internal Domain name, such as MyDomain.local in the Domain box and click OK
    • image
    • You will be prompted for a domain account with privileges to join a PC to the domain, a Domain Admin.  Enter it and the password and you should receive a message advising you have been joined to the domain.  Be patient it takes a little longer as this is a slow link compared to the LAN.
    • image
    • You now need to reboot the connecting PC.
  • In order to authenticate to the corporate network at logon and work as if on the corporate LAN, you need to connect the VPN before logging on to the PC.  When the PC reboots press Ctrl+Alt+Delete as you normally would, and then choose  “Switch User”
    • image
    • You will then be presented with a new option, a little blue icon in the lower right corner.
    • image
    • Clicking this allows you to choose to connect to the corporate network, by using the VPN.  After entering your credentials you will see the familiar VPN connection automatically start, it will connect, and you will be authenticated to the domain.
    • image
    • Logon is a little slower of course due to the slow link, and the first time you connect it will have to set up the local domain profile.  If you make use of redirected my documents, offline files, or have a lot of group policies logon can take a very long time while they apply and sync.  If logon is too slow, you may want to review options available to the remote user.  You will note that if you now try nslookup <servername> works as it should.

Note:  If connecting from Windows 8, please see the following updated article:  https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/

 

Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection. The following policies can assist with this:

Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:
  • Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed
Server 2003 / SBS 2003 / SBS 2003 R2:
  • Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
  • Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed

Connect to Windows VPN at Logon

The internet is littered with questions about VPN connection and authentication issues as a result of using cached credentials.

  • How can I automatically connect my Windows VPN at start up?
  • Why do I have to re-enter my user credentials when connecting my corporate VPN?
  • How do I get Group Policy to apply to VPN connected users?
  • How do I use my work domain user account when I work from home using a VPN?
  • Why won’t my logon script run when connecting by VPN?

You can connect from any PC using a VPN, but in most cases you do so after having logged onto the PC first. If this is a “domain joined” corporate PC, when you logon without the domain controller present, you are not authenticating to the domain but rather using the credentials cached on the local computer from a previous logon.  As a result Group Policy cannot be updated, logon scripts are not applied, and most often you have to re-enter your user credentials when you do choose to connect to the office via VPN.

It is possible to connect to the VPN at logon resulting in an experience similar to that of the office, except of course for the reduced file transfer speed,  However, there are few conditions that must be met to do so:

  1. This applies only to the Windows VPN client. Newer Cisco VPN clients and a few others do offer methods to connect the VPN before logon, but they use different processes.
  2. The computer must be a member of the domain, and therefore Pro, Ultimate, or Enterprise versions of the operating system.  At logon you will be providing domain credentials which are automatically passed to the local logon, thus they must be the same.  Using the same username and password is not enough as logon credentials include domain or computer names.  Domain\JDoe is not the same as LocalPCname\JDoe.  If the computer is not already a member of the domain, it is possible to join a remote domain using the VPN connection.  To do so please see:  https://blog.lan-tech.ca/2012/07/25/how-to-join-a-windows-domain-using-a-vpn/
  3. Should the PC not be domain joined and you wish to automate the VPN connection, after logon, please see: https://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/
  4. When you create the VPN connection you must check the box “allow other people to use this connection”.

image

Having met these conditions, at logon there is now an option to connect using the VPN during logon.

Windows Vista and Windows 7:

At logon select “Switch User” and a new blue icon will appear in the lower right next to the familiar red Shut Down icon.

image

Clicking the icon will allow you to use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC

image

Windows XP:

At logon after pressing ctrl+alt+del, if you click the “Options” button there will new be a check box “Logon using Dial-up connection” which will use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC

image

Windows 8:

Please see the more recent post to enable on a Win 8 PC

Slow Links:

Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection.  The following policies can assist with this:

Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:

  • Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed

Server 2003 / SBS 2003 / SBS 2003 R2:

  • Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
  • Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed

Client Deployment:

Network administrators may also want to considered creating a deployable VPN client for consistency, security, and with a company logo.  An earlier post outlines how to do so in detail:

https://blog.lan-tech.ca/2012/01/30/windows-vpn-client-deployment/

Tag Cloud