Join a remote PC to 2003 domain

Discussion in 'Server Networking' started by JonathanL, Apr 25, 2009.

  1. JonathanL

    JonathanL Guest

    My son is at college and his XP PC was on my domain I run at home. Even
    though he is no longer on my network while at college (obviously), he's had
    no trouble since he has been logging in with the locally cached profile.
    However, he let a "buddy" try to fix a networking problem and the "buddy"
    removed it from the domain, adding to a workgroup. Of course then he couldn't
    log in with his domain account, though I got him past that by logging in to a
    local account I had previously created on it.
    But now he's running into a bunch of errors and problems and I'm thinking
    the only way to fix most or all of it is to get his PC back on my domain.

    Jonathan
    How do I add his PC back to my domain while his PC is 10 hours away at
    college? Can he VPN into my network and then the necessary communication will
    take place between his PC and my DC?
    If so, what do I need to set up on my end to allow that? Obviously opening
    ports in my firewall is not a good idea. Do I set up RRAS on my DC or what?
    I've never really set up RRAS before so don't know just how that would need
    to be configured.
    And would I need to open any ports in the firewall to allow his PC to VPN
    into the DC/RRAS server?
     
    JonathanL, Apr 25, 2009
    #1


  2. Hi Jonathan,

    If you have VPN capabilities, you should be fine. And VPN is a feature that
    runs under RRAS, so I assume you are using SBS' VPN capabilities, RRAS is
    already set up. Give it a shot and let us know how you make out.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Apr 25, 2009
    #2

  3. JonathanL

    JonathanL Guest

    But I'm not running SBS. I'm running Windows Server 2003 Standard. So I have
    to completely install and setup RRAS.

    Jonathan
     
    JonathanL, Apr 25, 2009
    #3
  4. Bill Grant

    Bill Grant Guest

    Setting up remote access in RRAS is not a big deal. Essentially all you
    need to do is select the right option in the setup wizard.

    That said, doing what you plan is not a walk in the park if neither of
    you has experience with VPN. The VPN experience is very different from being
    on the LAN.
     
    Bill Grant, Apr 25, 2009
    #4
  5. Sorry, I assumed SBS. As for VPN, I mistakenly thought you implied you
    already have RRAS and VPN set up.

    As Bill mentioned, if you are not familiar with RRAS and VPNs, it can get
    complicated. The following articles may be able to help out.

    =======================
    How to setup RRAS as a VPN server

    Routing and Remote Access Blog : VPN server deployment: IP
    http://blogs.technet.com/rrasblog/archive/2006/09/20/457653.aspx

    Microsoft Windows Server 2008: A Beginner's Guide - Google Books Result
    by Marty Matthews - 2008 - Computers - 592 pages
    SET UP A VPN SERVER VPN, like RAS, has both client and server components.
    http://books.google.com/books?id=Rm...6fW9Dw&sa=X&oi=book_result&ct=result&resnum=8

    VPN Setup - multiple links on how to setup RRAS, VPN and a client
    www.chicagotech.net/vpnsetup.htm
    =======================

    --
    Ace

     
    Ace Fekay [Microsoft Certified Trainer], Apr 25, 2009
    #5
  6. Yes, and this would be preferable to running RRAS on a domain controller.
    That said, I've never tried to join a domain via a VPN client connection and
    I'm not certain it actually works. And the user's original domain profile is
    now lost, so I don't know that creating a new one is going to help much. I
    would personally wait until he was home again at the end of the term;
    there's nothing he shouldn't be able to do while logged in as a local user.
    A remote session via LogMeIn or something would probably be in order to
    correct whatever errors he's got now.
     
    Lanwench [MVP - Exchange], Apr 25, 2009
    #6
  7. "Lanwench [MVP - Exchange]"
    I've actually joined numerous laptops via VPN. It works great. I've always
    recommended a Cisco firewall/VPN solution (PIX 501 and now the ASA5505) and
    it works great. With the high end units, you can opt for AD for
    authentication or local user (on the firewall) authentication. I opt for
    local authentication so I can get in if the DC(s) are down.
    Of course, a fast line is helpful. Some of my customers would drop off a
    handful of laptops to configure so I can get around to them at my leisure,
    install the VPN client and join and configure them, copy any local profile
    to the new domain user profile, make sure Redirection is working, etc, all
    from home.

    I use a number of remote tools, besides Microsoft RDP, if using SBS,
    Webworkplace, and others such as TeamViewer, Dell's DRAC and HP's ILO.

    But of course, as discussed earlier, Microsoft RRAS/VPN or 3rd party VPN
    configuration knowledge is essential.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 25, 2009
    #7
  8. JonathanL

    JonathanL Guest

    Ace, Bill, and Lanwench:
    Thank you all for your help. Let me try to see if I can respond correctly to
    all you've written.
    1. Setting up the VPN client on the PC is no problem, been there done that.
    I'm used to being on the client end of a VPN, not the server end.
    2. I have almost 10 years experience running Windows servers but never had
    the chance to install/config RRAS or a VPN server so that's why I need the
    help here. I do have written material here to consult.
    3. I have a D-Link DI-524 router so no chance of a f/w update to get VPN
    capability. At one place I help at, we have a Linksys RVS4000 which works
    great, but I can't afford to buy anything till I get another job.
    4. I really don't want to install RRAS/VPN on my DC. I do have a file server
    that I could install it on which I presume would be better. I just wasn't
    sure if it made a difference which server RRAS/VPN was installed on to make
    it work so that my son could then VPN in and get his PC back on the domain.
    5. I'm using TeamViewer which works great. I've used it multiple times on
    multiple PCs and I'm very happy with it. Works great when the other PC is
    behind a firewall or router.

    Jonathan

     
    JonathanL, Apr 26, 2009
    #8

  9. Hi Jonathan,

    Sounds like you have most of the bases covered. Installing RRAS on the
    fileserver wouldn't be too big of an issue. I've done that before to get
    over the hump before I installed and configured an actual
    firewall/router/VPN device (Cisco). I would say go ahead and go for it. Some
    of the links I provided have some step by step snapshots to follow. For
    PPTP, on our router just make sure you allow TCP GRE 1723 and protocol ID 47
    (not a port) which many routers have the provision to allow a Protocol ID as a
    pass through/port remap to an internal IP.

    Let us know how you make out.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 26, 2009
    #9
  10. JonathanL

    JonathanL Guest

    Well I've had partial success. I got the VPN server set up (that was easy)
    and got the router/firewall configured (also easy). I then tested it from a
    couple of PCs at a remote location near me and the VPN server showed them
    connected.
    But...when my son tried it, after setting up the VPN connection on his PC,
    all he could get was the 721 error that the remote system (my end) wasn't
    responding. I've researched it and don't come up with anything helpful. All
    they say is to make sure the PPTP port and GRE are open and forwarding to the
    VPN server. They are. I've looked at the settings a dozen times. It worked
    fine for the other PCs but not his. I don't know if it has something to do
    with the router he's behind at school or what. I wouldn't think so, but I
    can't think of anything else.

    Jonathan
     
    JonathanL, Apr 28, 2009
    #10
  11. It could be the school's firewall, but then again, if it were, it may not
    have allowed the connection. Once it showed he was connected, can he UNC
    into a share using the single computer name of the domain, and using the
    FQDN of the internal server name?

    DNS resolution is paramount. Make sure that the IP address he gets with his
    connection (ipconfig /all) is your internal DNS server only (just for the
    PPP connection). This would be dictated by your own DHCP server DNS options.
    If you have your ISP's address as a DHCP option, then forget it, it will
    cause numerous issues with AD. I assume you are using Microsoft DHCP on your
    DC and not your router's DHCP service, which more than likely does not
    support Dynamic DNS registration. Make sure your DHCP Option 006 is only
    your internal DNS address. Also if not using it, I would suggest to install
    and use WINS to allow network share and resource browsing.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 28, 2009
    #11
  12. JonathanL

    JonathanL Guest

    He never could get connected, that's the thing. That's why he was getting the
    721 error which states "the remote host did not respond". I googled it and
    all I came up with was to make sure that the firewall was set to open port
    1723 and the GRE and forward PPTP requests to the VPN server. Those were
    already done and proven by my ability to VPN in from another location. So
    something with his end is preventing him from connecting. I can't imagine why
    his school would prevent it or even if they could. But if they are, then he'd
    have to take the drastic step of taking his PC (a desktop) to somewhere else
    with internet access and do it from there.

    As for DNS, yah I'm aware of its importance. In his connection setup I made
    sure he had the box checked to use the remote DNS. But that would only come
    into play once he got connected, and since he can't even get connected, DNS
    is not an issue.

    So I'm still stumped. argh

    Jonathan
     
    JonathanL, Apr 28, 2009
    #12

  13. Nothing to be stumped about. The school is blocking it. Have him go to
    Starbucks or a friend's house, and try again.

    He wouldn't have to select to use the remote DNS because by default, the VPN
    (PPP connection) will be the default connection.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 28, 2009
    #13
  14. Glad I was able to help in part of it!

    FYI, I had a similar problem with one of my clients with remote users. They have a group at a local university here in Philly. Their Windows based PPTP VPN works EVERYWHERE else except when at the school. I spoke to the administrators, the Director of IT and one of his top guys, and they said they weren't blocking anything. I said the issue appears to be with your ISA and/or firewall because their VPNs work everywhere else. Then his top guy proceeded to bash the fact we were using Windows PPTP VPN and how their Cisco PIX doesn't support it. I emailed him back saying I have a Cisco PIX 506 in my own office and when I tested the PPTP VPN, it works fine. I also told him this VPN type was an interim solution until I get the newly ordered Cisco ASAs installed in our environment. I finally received one, and installed it, pushing the schedule install up just to see if it will work, set the clients up with the Cisco client, tested it from my location without a problem. When I tested it once again at their location, no go. I still couldn't get it to work at their location. I just gave up. The users are setup for Folder Redirection, so I just said do whatever you need to do at that location, make sure you connect at night from home to allow Offline files to sync up. That was a losing battle that I decided to just work around. I was surprised at the lack of help the university gave me with an obvious problem that was easy to fix to allow our machines pass through.

    Consider your son lucky to have internet access!!!

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 28, 2009
    #14
  15. JonathanL

    JonathanL Guest

    It's amazing how unhelpful people can be, especially when IT Professionals
    should all be working together.
    My son had other issues but he knows enough that I was able to walk him
    through the fixes over the phone. This was the only thing that had me stumped.

    I just hope this situation has convinced him not to let his "buddies"
    Jonathan
     
    JonathanL, Apr 28, 2009
    #15
  16. I agree, no "buddies" touch anything! My guess is they know enough to be dangerous, or are Mac users. This is no disrespect to Mac users. This is to illustrate that many folks that may have basic network, Mac or PC experience, do not have AD experience, and do not realize/understand the implications of actions performed on a joined machine, such as disjoining it, or even *fully* understand what a joined machine is!

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 28, 2009
    #16
  17. JonathanL

    JonathanL Guest

    Exactly what I told my son!

    Jonathan

     
    JonathanL, Apr 29, 2009
    #17
  18. Good!

    Cheers!!

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 29, 2009
    #18
  19. Beowolf,

    This is a long thread. In summary:
    Son is in college with a PC joined to a domain at home
    Friend of son did him a *favor* and disjoined the machine from the domain
    Dad was not happy. Must be rejoined for policies, files, etc.
    We suggested to use a VPN from son to home
    VPNs not allowed at college network
    Must wait to take it elsewhere where a VPN will work

    Cheers!

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 29, 2009
    #19