Re: VPN domain membership. Perhaps a dumb question.



Phil,

Thanks for the clarification. Sorry I wasn't more specific on the remote
office "hard-link". I'm adding new information here that would have been
relevant to the initial request. We're running Cisco PIX site-to-site VPN
between both offices on a TW business-class cable connection. The VPN server
sits outside the PIX firewall since the PIX eats up any outside VPN
connections from within the network.

To be clearer our traveler is in some strange city connecting to the VPN
server for myserver domain. Thus, my remote user can't authenticate to my VPN
server because it doesn't have a path to the traveler's remote office domain
to authenticate. So it seems to me a zone transfer wouldn't work here.

That should make it more interesting or more frustrating.

Thanks.



"Phillip Windell" wrote:

"wharfish" <wharfish@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E462A2EE-54A9-4E31-9567-013FD0C4ADD3@xxxxxxxxxxxxxxxx

Just want to clarify the environment. The remote user will be accessing the
MS VPN server on my network to get access to myserver.

No, they will not. You said the two Locations were already joined by a
Site-to-Site Link of some kind. The Laptop doesn't do anything other than
connect to the local LAN it is at.

the remote office - only the direct hard Cisco link between sites.

Well, what exactly is a "hard cisco link"? We have to use correct industry
terminology for what is being discussed or we won't know what we are talking
about.

But anyway,...it really does not matter if it is a Cisco Site-to-Site VPN or
if it is a non-VPN Private Frame Relay between two Cisco routers. It is
still a Private Link between the Sites, that is all that matters,..the line
technology is irrelevant.
It is like a red Chevrolet -vs- a blue Ford,...it doesn't matter, they are
both vehicles driving down the road,...you'll still get where you are going.
The Chevrolet will just do it faster and cheaper than the Ford :-)

So it actually has to log into my domain to get access. Does solution #2
still apply?

Yes.

-----------------------If you use Option #1-----------------

1. After a long plane ride, the Laptop powers up on the remote office LAN
and gets an IP Config but retains the static DNS entries from the "Home"
LAN. The private Site-to-Site link (however it happened) between the sites
provides a path to the "target" DNS/Domain Controller over the Private
Site-to-Site Link.

2. User hits Ctrl-Alt-Del to login and provides credentials.

3. Laptop queries the DNS which is also the Domain Controller that it
normally uses anyway. It discovers that this is also the same machine that
is the correct Domain Controller. The laptop sends the login attempt over
the slow WAN link to the correct Domain Controller.

4. After a slightly longer than normal wait,...the Laptop is authenticated
with the Domain it is a Member of.

5. A blue Ford was found abandoned on the side of the road in the middle of
nowhere.

-----------------------If you use Option #2--------------------

1. After a long plane ride, the Laptop powers up on the remote office LAN
and gets an IP Config that includes the DNS of that particular LAN.

2. User hits Ctrl-Alt-Del to login and provides credentials.

3. Laptop queries the DNS of that LAN for the identity of the Domain
Controller for the Domain the Laptop is a Member of.

4. Good news. Because of the Zone Transfers done earlier this DNS *knows*
the identity of the correct Domain Controller and provides that information
to the Laptop. More good news,..the private Site-to-Site link (however it
happened) between the sites provides a path to the "target" Domain
Controller over the Link.

5. The laptop sends its login attempt over the slow WAN link to the correct
Domain Controller.

6. After a slightly longer than normal wait,...the Laptop is authenticated
with the Domain it is a Member of.

7. A Ford salesman resigned and got a new job at a Chevrolet dealership.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
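A worked version of Option #2 (the remote-office DNS holding a secondary copy of the home zone so step 3 and step 4 work) as an added example, not code from anyone in this thread. It uses the Windows DnsServer PowerShell cmdlets, which assume Windows Server 2012 or later; the domain name and IP addresses are constructed placeholders.

```powershell
# Added example (not from the thread): Option #2 with the DnsServer module.
# Constructed values: AD domain corp.example.com, home-office DNS/DC 10.0.0.10,
# remote-office DNS server 10.1.0.10 (the one remote DHCP hands out).
$Domain    = 'corp.example.com'
$HomeDns   = '10.0.0.10'
$RemoteDns = '10.1.0.10'

# --- On the home-office DNS server: allow zone transfers only to the remote secondary ---
# An explicit secondary list keeps the zone (every DC SRV record included) from being
# pulled by arbitrary hosts; NotifyServers makes the secondary refresh promptly.
Set-DnsServerPrimaryZone -ComputerName $HomeDns -Name $Domain `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $RemoteDns `
    -Notify NotifyServers -NotifyServers $RemoteDns

# --- On the remote-office DNS server: pull a secondary copy of the zone ---
Add-DnsServerSecondaryZone -ComputerName $RemoteDns -Name $Domain `
    -ZoneFile "$Domain.dns" -MasterServers $HomeDns
# The DC locator records live under _msdcs; when that is a separate zone at the
# home office (the default on newer forests) it needs its own secondary too.
Add-DnsServerSecondaryZone -ComputerName $RemoteDns -Name "_msdcs.$Domain" `
    -ZoneFile "_msdcs.$Domain.dns" -MasterServers $HomeDns

# --- Verification: what the laptop asks for in step 3 of Option #2 ---
# The remote DNS must answer the DC locator SRV query from its own copy of the zone,
# returning a DC that is reachable over the site-to-site link.
Resolve-DnsName -Server $RemoteDns -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# From the laptop on the remote LAN: force DC discovery and confirm a home-office DC is chosen.
nltest "/dsgetdc:$Domain" /force
```

On the Windows Server 2003-era servers discussed in the thread the same two settings are made with dnscmd (/ZoneAdd ... /Secondary on the remote server, /ZoneResetSecondaries ... /SecureList on the home server) and the SRV check with nslookup -type=SRV.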





