Remote Authentication to AD Server

pts.
Tags:
Active Directory
DataCenter
Desktops
Management
Microsoft Windows
OS
Security
Servers
SQL Server
Our main site uses Active Directory, but our small remote sites do not; users up to this point had no need to log on to the domain. Now, we have a remote user that needs to log on to the domain. How do I point him there? What will I need at the AD end? Sites are connected via DSL. Prior to my tenure, they tried to set up VPNs to the home site, but it messed up the main app that is used (via Terminal Server on NT 4.0). Can this be done w/o VPN? Thanks Much!

Answer Wiki

Thanks. We'll let you know when a new response is added.

Dusty:
You said the sites are connected via DSL. I assume this is through the internet. If the users at the remote sites can see the domain controllers, and have a valid domain account, they can log into the domain. With that said, having your domain controllers visible to the internet is asking for trouble. Also, it is not good practice to allow unencrypted communications between sites unless you “own” the medium, as in a site to site T1.

I use remote desktop through VPNs on a regular basis. What was the nature of the problem?

I strongly recommend you set up VPNs between your sites to protect intersite communications. Lacking this, you should require any remote user to use encryption when connecting to another site with a personal VPN. This option would require a VPN server set up to trust active directory.

Since nearly all modern firewalls support VPNs, I suggest you use your site firewalls to establish VPNs between sites. With this arrangement, you can allow normal access to the internet and protect traffic between sites.
rt

Discuss This Question: 4  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Swiftd
    What type of DSL connection are you using, SDSL, ADSL, VDSL? What's important is what's the upload and download speeds between your two sites. It probably won't matter if only one client will ever use the connection, but a thing like this only increases. Today it's one, tomorrow it'll be 20... Obviously, the connection can only go as fast as the slowest speeds (upload speeds, commonly in SDSL). If this becomes a trend, you'll probably need to upgrade the connection between you to SDSL or VDSL. Don
    0 pointsBadges:
    report
  • Swiftd
    Mistake: that "commonly SDSL" should be "commonly "ADSL." ADSL and VDSL have different upload and download speeds, SDSL are the same (1.5Mbps). ADSL usually has very low upload and high download (768Kbps vs 3Mbps)... Sorry for the typo.
    0 pointsBadges:
    report
  • Dusty1
    Thanks guys. To clarify, the DSL is ADSL, all over the Internet. Speed has never been a problem, even though we stream real-time video (low quality) from multiple sites to the office. That's to watch trucks loading, security, etc. The Terminal Server and the App Server are both NT 4.0, and I believe that's a part of the problem with the VPN. The older technologies don't work as well w/ the XP desktops. That will soon go away, (upgraded to W2k3) but for now we need one remote guy to be authenticated on the Domain. Can I do a NAT forwarding of a few ports to get this done? I won't put an AD server in a DMZ. Any ideas? Thanks!
    0 pointsBadges:
    report
  • Astronomer
    Dusty: As I said, you should be doing this through a VPN. This should be your long term goal. I believe this would solve several issues. In particular, a firewall-firewall VPN would hide the NAT from both clients. For the short term, does the remote user's site have a fixed IP? If so, I would consider opening access through the firewall to the specific IP of the remote site to reach your domain controllers. I don't know if NAT will break these protocols, (I don't think so), but you can try it if you limit access as I described. rt
    15 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following