Our main site uses Active Directory, but our small remote sites do not; users up to this point had no need to log on to the domain.
Now, we have a remote user that needs to log on to the domain. How do I point him there? What will I need at the AD end? Sites are connected via DSL.
Prior to my tenure, they tried to set up VPNs to the home site, but it messed up the main app that is used (via Terminal Server on NT 4.0). Can this be done w/o VPN?
Thanks Much!
ASKED: January 8, 2007 10:17 AM
UPDATED: January 9, 2007 11:44 AM
What type of DSL connection are you using: SDSL, ADSL, or VDSL? What’s important is the upload and download speeds between your two sites. It probably won’t matter if only one client will ever use the connection, but a thing like this only increases. Today it’s one, tomorrow it’ll be 20…
Obviously, the connection can only go as fast as the slowest speeds (upload speeds, commonly in SDSL). If this becomes a trend, you’ll probably need to upgrade the connection between you to SDSL or VDSL.
Don
Mistake: that “commonly SDSL” should be “commonly ADSL.” ADSL and VDSL have different upload and download speeds; SDSL speeds are the same (1.5Mbps). ADSL usually has very low upload and high download (768Kbps vs 3Mbps)… Sorry for the typo.
Thanks guys. To clarify, the DSL is ADSL, all over the Internet. Speed has never been a problem, even though we stream real-time video (low quality) from multiple sites to the office. That’s to watch trucks loading, security, etc.
The Terminal Server and the App Server are both NT 4.0, and I believe that’s a part of the problem with the VPN. The older technologies don’t work as well w/ the XP desktops. That will soon go away (upgraded to W2k3), but for now we need one remote guy to be authenticated on the Domain. Can I do a NAT forwarding of a few ports to get this done? I won’t put an AD server in a DMZ.
Any ideas?
Thanks!
Dusty:
As I said, you should be doing this through a VPN. This should be your long term goal. I believe this would solve several issues. In particular, a firewall-firewall VPN would hide the NAT from both clients.
For the short term, does the remote user’s site have a fixed IP? If so, I would consider opening access through the firewall to the specific IP of the remote site to reach your domain controllers. I don’t know if NAT will break these protocols (I don’t think so), but you can try it if you limit access as I described.
rt