Re: Connecting a remote workstation to a domain
- From: "Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 18 Jul 2008 14:42:38 -0400
And this may be of interest...
An Alternative Approach to Building an SBS Branch Office
http://windowsitpro.com/articles/print.cfm?articleid=49788
--
Merv Porter [SBS-MVP]
============================
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23cg8uHQ6IHA.1592@xxxxxxxxxxxxxxxxxxxxxxx
MF <MF@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Thanx for your response, I understand that I can configure onsite
then ship to the remote office but the remote office computers were
already in production before me. I was wondering if it is possible to
do this using a profile pre-configured on the server LAN then copied
to the Default User profile which is in turn copied onto the remote
workstations. Will this apply the cached roaming profile/sync @
logon/log off function and auto-apply the Outlook-Exchange settings?
I think I figured how to automatically apply the remote office
printers to remote PCs by simply setting up the remote office
printers (though on a different subnet) on the server for the server
to set that on the profile at first logon (currently, the server
is able to set its own local printers on the remote office PCs).
Keep in mind that the server already applies and installs all the apps
that it installs on its LAN PCs, I just need to take it further with cached
roaming profile, Outlook setup, and printer setup. I guess I can say
that the most important thing here is to have a cached roaming
profile on remote PCs so that users can log onto their PCs with or
without the "Log on using a dial-up connection" checkbox. There are
at least eight people at the remote office with a total of six VPN
enabled PCs on a DSL with good data rate/speed.
Thanx.
No, I don't think your idea would work. Since you have a remote *office* and
these are not remote users all over the place, I'd suggest you implement a
WAN link via IPSEC VPN (two compatible firewalls/routers) and stick a
low-end server in this office as a DC/DNS/DHCP/WINS/print server box. Set
it up in its own AD site & subnet. This will work *much* better than what
you're trying to kluge together right now, seriously. You don't want to push
application installs, etc., over a slow link like VPN - nor should your users
authenticate to a non-local DC if you've got this option.
Re roaming profiles - implement them only if you are very careful with them!
Your remote users should access profiles on their local DC (set the path in
their ADUC properties). My boilerplate below may help. But note that you
probably don't need roaming profiles at all, based on what you've written.
********************
General tips:
1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is *not*
set to allow offline files/caching! (that's on by default - disable it)
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field
4. Have each user log into the domain once - if this is an existing user
with a profile you wish to keep, have them log in at their usual
workstation and log out. The profile is now roaming.
5. If you want the administrators group to automatically have permissions
to the profiles folders, you'll need to make the appropriate change in group
policy. Look in computer configuration/administrative
templates/system/user profiles - there's an option to add administrators
group to the roaming profiles permissions. Do this *before* the users'
roaming profile folders are created - it isn't retroactive.
********************
Notes:
Make sure users understand that they should not log into multiple
computers at the same time when they have roaming profiles (unless you
make the profiles mandatory by renaming ntuser.dat to ntuser.man so they
can't change them, which has major disadvantages). Explain that the 'last
one out wins' when it comes to uploading the final, changed copy of the
profile. If you want to restrict multiple simultaneous network logins,
look at LimitLogon (too much overhead for me), or this:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768
********************
Keep your profiles TINY. Via group policy, you should be redirecting My
Documents (at the very least) - to a subfolder of the user's home
directory or user folder. Also consider redirecting Desktop & Application
Data similarly, so the user will end up with:
\\server\users\%username%\My Documents,
\\server\users\%username%\Desktop,
\\server\users\%username%\Application Data.
[Alternatively, just manually re-target My Documents to
\\server\users\%username% (this is not optimal, however!)]
You should use folder redirection even without roaming profiles, but it's
especially critical if you *are* using them.
If you aren't going to also redirect the desktop using policies, tell
users that they are not to store any files on the desktop or you will beat
them with a stick. Big profile=slow login/logout, and possible profile
corruption.
********************
Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.
*********************
If you also have Terminal Services users, make sure you set up a different
TS profile path for them in their ADUC properties - e.g.,
\\server\tsprofiles$\%username%
********************
Do not let people store any data locally - all data belongs on the server.
********************
The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
********************
Roaming profile & folder redirection article -
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html
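Steps 1 to 3 of the general tips above (hidden share with caching off, NTFS rights on the root, ADUC profile path), as an added PowerShell example that is not from this thread. It assumes a current Windows Server with the SmbShare and ActiveDirectory modules, and the placeholders SRV01, D:\profiles and OU=Branch,DC=example,DC=local; it deliberately gives Users a narrower right on the root folder than the "users=full control" in the post, so that a user can create their own profile folder but cannot list or open other users' folders.

```powershell
# Added example, not the thread's own procedure. SRV01, D:\profiles and the OU
# below are placeholders; adjust to your environment.
$ProfileRoot = 'D:\profiles'
$ShareName   = 'profiles$'     # trailing $ hides the share from browsing
$ServerName  = 'SRV01'
$SearchBase  = 'OU=Branch,DC=example,DC=local'

# Step 1: folder plus hidden share, with client-side caching (offline files)
# switched off. New shares default to manual caching, which the post warns about.
New-Item -Path $ProfileRoot -ItemType Directory -Force | Out-Null
New-SmbShare -Name $ShareName -Path $ProfileRoot -FullAccess 'Everyone' -CachingMode None

# Step 2: NTFS rights on the root. Administrators and SYSTEM get full control,
# inherited by every profile folder. Users get list + create-subfolder on this
# folder only (narrower than the post's "full control"); Windows sets the ACL on
# each new <user> folder itself at first logon.
$acl = Get-Acl -Path $ProfileRoot
$acl.SetAccessRuleProtection($true, $false)   # stop inheritance, drop inherited ACEs
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$both  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none  = [System.Security.AccessControl.InheritanceFlags]::None
$noPro = [System.Security.AccessControl.PropagationFlags]::None
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, $both, $noPro, 'Allow')
    $acl.AddAccessRule($rule)
}
$userRights = [System.Security.AccessControl.FileSystemRights]'ReadData, CreateDirectories, ReadAttributes, Synchronize'
$userRule   = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', $userRights, $none, $noPro, 'Allow')
$acl.AddAccessRule($userRule)
Set-Acl -Path $ProfileRoot -AclObject $acl

# Step 3: the ADUC "Profile path" field, set per user. The username is expanded
# here rather than stored as %username%. If you want Administrators added to each
# profile folder automatically (tip 5), set that GPO before anyone logs on.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase
foreach ($u in $users) {
    Set-ADUser -Identity $u -ProfilePath "\\$ServerName\$ShareName\$($u.SamAccountName)"
}

# Check: caching must read None, and the root ACL must show only the three
# explicit entries above (no inherited Everyone/Users full control left behind).
Get-SmbShare -Name $ShareName | Select-Object Name, Path, CachingMode
(Get-Acl -Path $ProfileRoot).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```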
"Lanwench [MVP - Exchange]" wrote:
MF <MF@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Thanx for your response. Perhaps in the long run we can consider a
Terminal Server to go with the SBS server. But to get around the
current issue at hand, how can I accomplish the following on a
remote XP Pro PC?
I can remotely join XP Pro computers at the remote
office to the SBS 2003 Premium R2 server via the "Log in using a
dial up connection" checkbox so that any user can logon remotely.
However, I need to resolve certain things (the CEO's laptop turned
out fine because I took it to the server's local network to log into
it to acquire its profile which it cached and that lets the CEO log
into the laptop with or without checking the "Log in using a dial up
connection" checkbox, either way it loads her cached roaming profile
then synchronizes with the server over the VPN);
1. I need the Outlook email to be set up automatically at first
logon of each user at the remote office.
2. I need the local printers at the remote office to be set up
automatically at first logon of each user at the remote office.
3. I need the XP Pro PCs in the remote office to retain and load
cached copies of users' profiles at logon and synchronize My
Documents/Offline Files, etc thereafter at logon/log off.
4. I basically need the server to set up remote computers similarly
to how it does on local computers. I basically need all the remote
office computers to work similarly to the CEO's laptop which she
uses from CA.
Thanx.
You're really asking a lot of VPN connectivity here! If you had a
remote network connected via a WAN link (with a local DC, ideally)
you could accomplish what you wish with ease. But I doubt you'll
have much luck if you expect your remote/VPN client-connected
computers to behave at all as your LAN-connected ones do.
Another option is for you to pre-configure the computers while on
your LAN and then ship them out to the remote users.
I agree with Merv - it sounds like you really need a terminal server
in the main office.
"Merv Porter [SBS-MVP]" wrote:
If you have more than a couple of remote workstations connecting to
the SBS server via VPN, you really need to consider a Terminal
Server in the main office.
--
Merv Porter [SBS-MVP]
============================
"MF" <MF@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A395203A-B798-4F32-A5EC-3B2B539B1FE4@xxxxxxxxxxxxxxxx
Hello All,
Thanx for your help. I can remotely join XP Pro computers at the
remote office to the SBS 2003 Premium R2 server via the "Log in
using a dial up connection" checkbox so that any user can logon
remotely. However, I need to resolve certain things (the CEO's laptop
turned out fine because I took it to the server's local network to log
into it to acquire its profile which it cached and that lets the CEO
log into the laptop with or without checking the "Log in using a dial
up connection" checkbox, either way it loads her cached roaming
profile then synchronizes with the server over the VPN);
1. I need the Outlook email to be set up automatically at first
logon of each user at the remote office.
2. I need the local printers at the remote office to be set up
automatically at first logon of each user at the remote office.
3. I need the XP Pro PCs in the remote office to retain and load
cached copies of users' profiles at logon and synchronize My
Documents/Offline Files, etc thereafter at logon/log off.
4. I basically need the server to set up remote computers
similarly to how it does on local computers. I basically need all
the remote office computers to work similarly to the CEO's laptop
which she uses from CA.
Thanx.
"MF" wrote:
Thanx Merv, you are the best. Windows wireless zero configuration
tool did the job. And for the record, all Pre-logon features need to
already have the wireless settings entered, I was in the middle of
configuring the Intel application (just kinda addressing Philip on the
Google groups link). Now the CEO is good to go; VPN logon works fine;
wireless pre-logon is awesomely good, and I keep my job and
perhaps get a raise ;^D
"Merv Porter [SBS-MVP]" wrote:
Maybe...
Pre-logon wireless connectivity
http://groups.google.com/group/microsoft.public.windows.networking.wireless/browse_thread/thread/6ce0f70db40b6238/29a3bfc8f7b07157?hl=en&lnk=st&q=Pre-logon+wireless+connectivity#29a3bfc8f7b07157
--
Merv Porter [SBS-MVP]
============================
"MF" <MF@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:95516A04-53E4-44E2-B2D0-4942DB30B4C8@xxxxxxxxxxxxxxxx
Yes, everyone on the server has a roaming profile. But after the
dialogue box mentioned the roaming profile issue, I logged out and
logged back in as local admin, then went to > right-clicked My
Computer > Properties, Advanced tab > Settings (under User Profiles),
then I highlighted her roaming profile and clicked the "Change Type"
button to change it to local profile so that whenever she logs in it
loads a cached copy of her roaming profile instead of a temporary
profile each time. So far this seems to do it. I will keep testing
until otherwise (hopefully never otherwise). Now I am dealing with
the Pre-Logon connect feature so that she does not have to connect
to an ethernet cable to get to the internet before she can log onto
the server. Any ideas in that area will help as well, the WiFi card
is an Intel 3945ABG.
Thanx.
"Merv Porter [SBS-MVP]" wrote:
Is the CEO using a roaming profile?
--
Merv Porter [SBS-MVP]
============================
"MF" <MF@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:710329A1-DC6E-49BB-8B34-B7E179052E68@xxxxxxxxxxxxxxxx
I figured it out. Something told me that the dial up modem settings
page that kept popping up when I try to log on with her credential
was just prompting me to configure it. So I logged on as local admin,
opened Control Panel, then Phone and Modem. Then I configured the
local area code (being the minimum entry) and Ok-ed out of there. My
next dial-up log on with the CEO's credential went through. While it
logged in as expected now, it popped up a dialogue box that said it
could not find the CEO's local profile and would load a temporary
profile and no changes will be saved. That sucks because it will keep
doing this each time she uses the dial-up logon process. Any ideas?
"Merv Porter [SBS-MVP]" wrote:
Can you log onto the laptop using her domain credentials, then create
a new VPN for "All Users" to the SBS server (and using her domain
credentials). Then log off and log back on again with her domain
credentials and the "Log on using"...?
--
Merv Porter [SBS-MVP]
============================
"MF" <MF@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CF7F3E76-D806-4706-B236-39954BB28FAD@xxxxxxxxxxxxxxxx
I have done this all day. I actually went to the office to log onto
the server with her credentials to cache her profile. Before and
after, I have created the VPN connection and tested with the same
results from a remote location. Still no dice.
(I'm pulling my hair now).
"Merv Porter [SBS-MVP]" wrote:
Log onto the laptop with her domain credentials without using the
VPN at login, then log out and try the "log on using dialup
connection".
--
Merv Porter [SBS-MVP]
============================
"MF" <MF@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E3AC9D0D-DC86-4B68-AE81-3AF33D4EBAB1@xxxxxxxxxxxxxxxx
Yes, she is logging on with her domain credentials and she has the
mobile user template applied to her profile. She has been using VPN
for over a year now but not in this manner. Her laptop had been
corrupt so it had to be re-installed. Now I am facing this issue as
she needs to leave tomorrow morning. I am not sure what else I am
missing or leaving out. This is a desperate situation now as every
second counts.
Thanx.
"Merv Porter [SBS-MVP]" wrote:
Is she logging in with credentials that are the same as her domain
user account and does her domain user account have "Mobile user"
permissions (so she is granted VPN rights to the SBS server)?
I really think her "end user experience" is going to be poor with
just a VPN connection directly to the SBS network, especially for
file access or printing. That's a lot of data to be sending over the
wires. As Frank said, RWW would be far better. Even setting up a low
end workstation in the office for her for RDP access via RWW should
be better than a VPN and worth the extra $$ (wouldn't even need a
dedicated monitor for it).
--
Merv Porter [SBS-MVP]
============================
"MF" <MF@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:35C59DB6-9492-47ED-8D0C-EDF0EEE5F786@xxxxxxxxxxxxxxxx
I selected the "All Users" option and I have added her to the local
admin on the laptop. I have also selected not to dial an initial
connection.