Join a remote PC to 2003 domain

My son is at college and his XP PC was on my domain I run at home. Even
though he is no longer on my network while at college (obviously), he's had
no trouble since he has been logging in with the locally cached profile.
However, he let a "buddy" try to fix a networking problem and the "buddy"
removed it from the domain, adding to a workgroup. Of course then he couldn't
log in with his domain account, though I got him past that by logging in to a
local account I had previously created on it.
But now he's running into a bunch of errors and problems and I'm thinking
the only way to fix most or all of it is to get his PC back on my domain.

Jonathan
How do I add his PC back to my domain while his PC is 10 hours away at
college? Can he VPN into my network and then the necessary communication will
take place between his PC and my DC?
If so, what do I need to set up on my end to allow that? Obviously opening
ports in my firewall is not a good idea. Do I set up RRAS on my DC or what?
I've never really set up RRAS before so don't know just how that would need
to be configured.
And would I need to open any ports in the firewall to allow his PC to VPN
into the DC/RRAS server?

 

Hi Jonathan,

If you have VPN capabilities, you should be fine. And VPN is a feature that
runs under RRAS, so I assume you are using SBS' VPN capabilities, RRAS is
already setup. Give it a shot and let us know how you make out.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

 

But I'm not running SBS. I'm running Windows Server 2003 Standard. So I have
to completely install and setup RRAS.

Jonathan

 

Setting up remote access in RRAS is not a big deal. Essentially all you
need to do is select the right option in the setup wizard.

That said, doing what you plan is not a walk in the park if neither of
you has experience with VPN. The VPN experience is very different from being
on the LAN.

 

Sorry, I assumed SBS. As for VPN, I mistakenly thought you implied you
already have RRAS and VPN setup.

As Bill mentioned, if you are not familiar with RRAS and VPNs, it can get
complicated. The following articles may be able to help out.

=======================
How to setup RRAS as a VPN server

Routing and Remote Access Blog : VPN server deployment: IP
http://blogs.technet.com/rrasblog/archive/2006/09/20/457653.aspx

Microsoft Windows Server 2008: A Beginner's Guide - Google Books Resultby
Marty Matthews - 2008 - Computers - 592 pages
SET UP A VPN SERVER VPN, like RAS, has both client and server components.
http://books.google.com/books?id=Rm...6fW9Dw&sa=X&oi=book_result&ct=result&resnum=8

VPN Setup - multiple links on how to setup RRAS, VPN and a client
www.chicagotech.net/vpnsetup.htm
=======================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

 

Yes, and this would be preferable to running RRAS on a domain controller.
That said, I've never tried to join a domain via a VPN client connection and
I'm not certain it actually works. And the user's original domain profile is
now lost, so I don't know that creating a new one is going to help much. I
would personally wait until he was home again at the end of the term;
there's nothing he shouldn't be able to do while logged in as a local user.
A remote session via LogMeIn or something would probably be in order to
correct whatever errors he's got now.

 

"Lanwench [MVP - Exchange]"

I've actually joined numerous laptops via VPN. It works great. I've always
recommended a Cisco firewall/VPN solution (PIX 501 and now the ASA5505) and
it works great. With the high end units, you can opt for AD for
authentication or local user (on the firewall) authentication. I opt for
local authentication so I can get in if the DC(s) are down.
Of course, a fast line is helpful. Some of my customers would drop off a
handful of laptops to configure so I can get around to them at my leisure,
install the VPN client and join and configure them, copy any local profile
to the new domain user profile, make sure Redirection is working, etc, all
from home.

I use a number of remote tools, besides Microsoft RDP, if using SBS,
Webworkplace, and others such as TeamViewer, Dell's DRAC and HP's ILO.

But of course, as discussed earlier, Microsoft RRAS/VPN or 3rd party VPN
configuration knowledge is essential.

Ace

 

Ace, Bill, and Lanwench:
Thank you all for your help. Let me try to see if I can respond correctly to
all you've written.
1. Setting up the VPN client on the PC is no problem, been there done that.
I'm used to being on the client end of a VPN, not the server end.
2. I have almost 10 years experience running Windows servers but never had
the chance to install/config RRAS or a VPN server so that's why I need the
help here. I do have written material here to consult.
3. I have a D-Link DI-524 router so no chance of a f/w update to get VPN
capability. At one place I help at, we have a Linsys RVS4000 which works
great, but I can't afford to buy anything till I get another job.
4. I really don't want to install RRAS/VPN on my DC. I do have a file server
that I could install it on which I presume would be better. I just wasn't
sure if it made a difference which server RRAS/VPN was installed on to make
it work so that my son could then VPN in and get his PC back on the domain.
5. I'm using TeamViewer which works great. I've used it multiple times on
multiple PCs and I'm very happy with it. Works great when the other PC is
behind a firewall or router.

Jonathan

 

Hi Jonathan,

Sounds like you have most of the basis covered. Installing RRAS on the
fileserver wouldn't be too big of an issue. I've done that before to get
over the hump before I installed and configured an actual
firewall/router/VPN device (Cisco). I would say go ahead and go for it. Some
of the links I provided have some step by step snapshots to follow. For
PPTP, on our router just make sure you allow TCP GRE 1723 and protocol ID 47
(not a port) which many routers have the provision to all a Protocol ID as a
pass through/port remap to an internal IP.

Let us know how you make out.

Ace

 

Well I've had partial success. I got the VPN server set up (that was easy)
and got the router/firewall configured (also easy). I then tested it from a
couple of PCs at a remote location near me and the VPN server showed them
connected.
But...when my son tried it, after setting up the VPN connection on his PC,
all he could get was the 721 error that the remote system (my end) wasn't
responding. I've researched it and don't come up with anything helpful. All
they say is to make sure the PPTP port and GRE are open and forwarding to the
VPN server. They are. I've looked at the settings a dozen times. It worked
fine for the other PCs but not his. I don't know if it has something to do
with the router he's behind at school or what. I wouldn't think so, but I
can't think of anything else.

Jonathan

 

It could be the school's firewall, but then again, if it were, it may not
have allowed the connection. Once it showed he was connected, can he UNC
into a share using the single computer name of the domain, and using the
FQDN of the internal server name?

DNS resolution is paramount. Make sure that the IP address he gets with his
connection (ipconfig /all) is your internal DNS server only (just for the
PPP connection). This would be dicated by your own DHCP server DNS options.
If you have your ISP's address as a DHCP option, then forget it, it will
cause numerous issues with AD. I assume you are using Microsoft DHCP on your
DC and not your router's DHCP service, which more than likely does not
support Dynamic DNS registration. Make sure your DHCP Option 006 is only
your internal DNS address. Also if not using it, I would suggest to install
and use WINS to allow network share and resource browsing.

Ace

 

He never could get connected, that's the thing. That's why he was getting the
721 error which states "the remote host did not respond". I googled it and
all I came up with was to make sure that the firewall was set to open port
1723 and the GRE and forward PPTP requests to the VPN server. Those were
already done and proven by my ability to VPN in from another location. So
something with his end is preventing him from connecting. I can't imagine why
his school would prevent it or even if they could. But if they are, then he'd
have to take the drastic step of taking his PC (a desktop) to somwhere else
with internet access and do it from there.

As for DNS, yah I'm aware of its importance In his connection setup I made
sure he had the box checked to use the remote DNS. But that would only come
into play once he got connected, and since he can't even get connected, DNS
is not an issue.

So I'm still stumped. argh

Jonathan

 

Nothing to be stumped about. The school is blocking it. Have him go to
Starbucks or a friend's house, and try again,.

He wouldn't have to select to use the remote DNS because by default, the VPN
(PPP connection) will be the default connection.

Ace

 

Glad I was able to help in part of it!

FYI, I had a similar problem with one of my clients with remote users. They have a group at a local university here in Philly. Their Windows based PPTP VPN works EVERYWHERE else except when at the school. I spoke to the administrators, the Director of IT and one of his top guys, and they said they weren't blocking anything. I said the issue appears to be with your ISA and/or firewall because their VPNs work everywhere else. Then his top guy proceeded to bash the fact we were using WIndows PPTP VPN and how their Cisco PIX doesn't support it. I emailed him back saying I have a Cisco PIX 506 in my own office and when I tested the PPTP VPN, it works fine. I also told him this VPN type was an interim solution until I get the newly ordered Cisco ASAs installed in our environment. I finally received one, and installed it, pushing the schedule install up just to see if it will work, set the clients up with the Cisco client, tested it from my location without a problem. When I tested it once again at their location, no go. I still couldn't get it to work at their location. I just gave up. The users are setup for Folder Redirection, so I just said do whatever you need to do at that location, make sure you connect at night from home to allow Offline files to sync up. That was a losing battle that I decided to just work around. I was surprised at the lack of help the university gave me with an obvious problem that was easy to fix to allow our machines pass through.

Consider your son lucky to have internet access!!!

Ace

 

It's amazing how unhelpful people can be, especially when IT Professionals
should all be working together.
My son had other issues but he knows enough that I was able to walk him
through the fixes over the phone. This was the only thing that had me stumped.

I just hope this situation has convinced him not to let his "buddies"
Jonathan

once again at their location, no go. I still couldn't get it to work at their location. I just gave up. The users are setup for Folder Redirection, so I just said do whatever you need to do at that location, make sure you connect at night from home to allow Offline files to sync up. That was a losing battle that I decided to just work around. I was surprised at the lack of help the university gave me with an obvious problem that was easy to fix to allow our machines pass through.

 

I agree, no "buddies" touch anything! My guess is they know enough to be dangerous, or are Mac users. This is no disrespect to Mac users. This is to illustrate that many folks that may have basic network, Mac or PC experience, do not have AD experience, and do not realize/understand the implications of actions performed on a joined machine, such as disjoining it, or even *fully* understand what a joined machine is!

Ace

 

Exactly what I told my son!

Jonathan

 

Good!

Cheers!!

Ace

 

Beowolf,

This is a long thread. In summary:
Son is in college with a PC joined to a domain at home
Friend of son did him a *favor* and disjoined the machine from the domain
Dad was not happy. Must be rejoined for policies, files, etc.
We suggested to use a VPN from son to home
VPNs not allowed at college network
Must wait to take it elsewhere where a VPN will work

Cheers!

Ace

Ace