Posted: Fri Dec 10, 2010 9:10 pm Post subject: need an advise for domain setup
I have setup a domain envoirment and create vpn setup. most of our office users are worked remotley and now connect with office network using vpn and use domain resoures like file and print sharings etc.
my ques is
is that possible the remote users join domain and use domain resources like normal users in lan, they dont need to enter domain/account passowrd every time when they use domain resources like servers etc.
if i connect a remote system on domain then how overcome there login issues when they are on remote locations.
Yes, a better way to do it is to have them login to the domain right on login. If you're new to VPN and need a quick fix, look into sonicwall VPN-2000 server box. If you want something more secure look into fortinet, they have some really nice devices that can do exactly what you're wanting.
We use openVPN here but it's a bit complicated to setup. If you have the time I would suggest you go this route as it really helps explain the process. There is no reason that a user cannot login to the domain on login and use the DNS resources on your network.
Windows will first try to authenticate to a resource using the *current* logged in user credentials, unless other credentials are specified in "Windows Vault." This goes for SMB/CIFS file shares, printing, and even Internet Explorer if presented with an NTLM challenge on a website.
This behavior is part of the Windows Single Sign-On (SSO) paradigm.
An Active Directory Domain is many things, one of which is central yet distributed database of credentials, both user and machine.
If the remote workstation is a member of the domain and the user signs in the computer with domain credentials then whenever that user attempts to access resources the domain credentials will be attempted first.
If both user and resource (shares, printers, etc.) are members of the same domain, they can authenticate each other (Kerberos, NTLM), and then check whether access is permitted or denied based on permissions that have been assigned to the resource.
To make a remote access paradigm smooth:
All workstations (including laptops) and servers should be members of the same Active Directory domain. There are exceptions but you want "smooth and easy."
Secure, Reliable VPN Solution - PPTP is easy but the least secure. SSTP is a great replacement but new (requires 2008 R2 and 7). There are many vendor implementations of L2TP and IPSec; all with varying degrees of interop. DirectAccess from Microsoft is very interesting but requires a solid *internal* IPv6 infrastructure. SSL/TLS based VPN's (SSTP from MS, AnyConnect from Cisco, OpenVPN, etc.) are becoming the norm but are not compatible with eachother. If you have the option of starting fresh look to a SSL/TLS based solution. This will save you the headache of dealing with GRE and ESP protocol issues when your users are at coffee shops and hotels.
Name Resolution is often the trickiest part of remote access paradigms. Ensuring the remote users can resolve AD DS domain name resources and Internet domain resources is a common problem and can be mitigated in a variety of ways.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum