
Join machine to Windows 2000 domain via VPN??


lengoo

IS-IT--Management
Jan 15, 2002
Hello there
I have some PCs which need to be registered as domain computers. I have sent the Secure Remote software to my users who are offsite and I need to make their machines domain computers so they are properly authenticated.
These users have a dialup connection to an independent ISP and with the Secure Remote software, they are able to connect to our network. However, I cannot get these machines to register on the domain; it is saying that the domain is not found.
I notice that DNS isn't working via the VPN for the internal network so I've added a hosts file with the names of the main servers and domain. I still can't connect to the domain like this.
 
Hey ya dude,

Checking on this one mate. You may want to concentrate on ensuring your DNS resolves internally and externally. When your clients log onto the domain are you able to ping the servers etc?

If your clients are Windows 9x, you may want to install WINS on your server.

Kind regards

Paul Thompson (dangermouse)
==================
Awaiting the clock tick to 5.30pm!
==================
 
Thank you Paul (dangermouse)
I'll concentrate on DNS and let you know
 
I am having a similar problem. I would like remote users to be able to logon to the domain via laptops and home machines. I do not want to open pop access and OWA seems spotty; exchange sp2 improved it but it still doesn't have full functionality and people complain, like usual, that it is too slow. I swear people are never satisfied.
I have contacted my CheckPoint representatives and they said it isn't possible to VPN and log on to a Win2k domain w/ Active Directory. It has something to do with NAT and Kerberos.
I tried the host file on the client machine and configuring dns.info, blah blah other files blah blah. To make a long story short, what did you guys find out?
Also, I was told that Nokia's latest and greatest OS will support NG; due out shortly. Although the problem still hasn't been resolved with Checkpoint. They have released FP-1 and supposedly are trying to address the NAT Kerberos issue in FP-2.
 
Unfortunately I haven't managed yet to get this running. However, like yourself, I tried to include a host file... but no such luck.
I did find something interesting though regarding Secure Remote. There is a feature called SecuRemote Split/Encrypted DNS and Checkpoint have a document regarding this. It allows for a remote PC to be able to utilise DNS of the work servers. I haven't yet implemented this due to time constraints of other projects but if it is a DNS issue then this might be the solution.
Of course, the laptops can connect via the SecuRemote if they were previously joined to the domain. However, I do have a problem with this, I don't know if you have also. When I connect a laptop via modem through the SecuRemote, I get the Offline icon appearing beside the clock on the task bar. Even with the SecuRemote connection in place and authenticated, it doesn't seem possible for the machine to recognise that it is now Online. As a result, though Outlook and our intranet work fine, when trying to open Network drives, files and folders are missing. Have you had this problem?
 
HI.

I suggest NOT to add these machines to the domain,
unless you really really need it.
This can create more problems than it can solve.

On a W2K pro client, you can create a local user account with same credentials as a domain user on the server, and this (in addition to name resolution) should give you enough access to most services needed.

That's what I think.

Bye
Yizhar Hurwitz
 
Have you tried to enter the WINS and DNS parameters on the dial-up connection to the ISP, pointing to the DNS/WINS ip-addresses on your internal LAN?
You should also tell the firewall to encrypt SecuRemote DNS by adding #define ENCDNS above the line
"define USERC_DECRYPT_SRC" in the crypt.def file. These files are located on the management station at:

on NT: \winnt\fw\lib\crypt.def
on UNIX: /etc/fw/lib/crypt.def
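The crypt.def edit described above, as an added example that is not part of the original thread: a small Python helper that inserts #define ENCDNS directly above the USERC_DECRYPT_SRC line, refuses to touch a file whose layout it does not recognise, and does nothing if ENCDNS is already defined. The sample crypt.def excerpt is constructed, not the vendor file, and the exact spelling of the anchor line (with or without a leading #) is an assumption.

```python
import re
from pathlib import Path

# Constructed excerpt standing in for \winnt\fw\lib\crypt.def or
# /etc/fw/lib/crypt.def; the real file is much longer.
SAMPLE_CRYPT_DEF = """// crypt.def (constructed excerpt, not the vendor file)
#define USERC_DECRYPT_SRC
#include "user.def"
"""

# Assumption: the anchor line reads "define USERC_DECRYPT_SRC", with or
# without a leading '#', as quoted in the post.
ANCHOR = re.compile(r"^\s*#?\s*define\s+USERC_DECRYPT_SRC\b")
ALREADY_SET = re.compile(r"^\s*#\s*define\s+ENCDNS\b")
ENCDNS_LINE = "#define ENCDNS\n"


def enable_encrypted_dns(text: str) -> tuple[str, bool]:
    """Return (new_text, changed) with '#define ENCDNS' above the anchor line.

    Idempotent: a second run returns the text unchanged. Raises ValueError
    when the anchor is missing so a differently laid-out file is never
    silently left unmodified and assumed fixed.
    """
    lines = text.splitlines(keepends=True)
    if any(ALREADY_SET.match(line) for line in lines):
        return text, False
    for i, line in enumerate(lines):
        if ANCHOR.match(line):
            lines.insert(i, ENCDNS_LINE)
            return "".join(lines), True
    raise ValueError("USERC_DECRYPT_SRC not found; refusing to guess where to insert")


def patch_file(path: Path) -> bool:
    """Apply enable_encrypted_dns to a file on disk, keeping a .bak copy first."""
    original = path.read_text()
    new_text, changed = enable_encrypted_dns(original)
    if changed:
        path.with_suffix(path.suffix + ".bak").write_text(original)
        path.write_text(new_text)
    return changed


if __name__ == "__main__":
    patched, changed = enable_encrypted_dns(SAMPLE_CRYPT_DEF)
    print("changed" if changed else "already set")
    print(patched, end="")
```

Run patch_file(Path(r"\winnt\fw\lib\crypt.def")) (or the UNIX path) on the management station; the firewall policy still has to be reinstalled for the change to take effect.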
 
If 2000 works like NT then NetBIOS information cannot be routed across subnets since it is 'unroutable'. To resolve the issue you have to set up a WINS server and have your client PCs and your servers point to the WINS server. When the client logs in with the correct WINS entries the WINS server is checked for the domain name, which is then cross-referenced to the correct IP address. This is like DNS except NetBIOS names are used instead of DNS names.
You will, of course, have to make firewall entries to allow the clients to access the WINS machine. This should solve your problem. When you refer to a domain you are using a NetBIOS name. I understand Dynamic DNS used in Windows 2000 is designed to replace WINS but have not had the opportunity to play with this. Thanks

Doug Kersten
dkersten@usa.net
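To make the point above concrete, here is an added example (mine, not from any poster) that goes slightly beyond the post: it shows what the "domain" NetBIOS name the client actually looks up is, namely the name space-padded to 15 bytes plus the 0x1C suffix that domain controllers register, encoded per RFC 1001, and builds the unicast name query a client sends to WINS. The B (broadcast) bit being clear in that query is what lets it cross a routed VPN link where a subnet broadcast would not. The domain name used is constructed; the transaction id is arbitrary.

```python
import struct

NB_SUFFIX_DOMAIN_CONTROLLERS = 0x1C  # <domain>[1C]: group name registered by DCs
NBNS_PORT = 137                      # WINS / NetBIOS Name Service, UDP


def netbios_encode(name: str, suffix: int) -> str:
    """RFC 1001 first-level encoding of a NetBIOS name.

    The name is upper-cased, truncated/space-padded to 15 bytes, the 16th
    byte is the suffix, and each byte's two nibbles are written as 'A'..'P'.
    """
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def netbios_decode(encoded: str) -> tuple[str, int]:
    """Inverse of netbios_encode: (name without padding, suffix)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a 32-character first-level-encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_wins_query(domain: str, txid: int = 0x1234) -> bytes:
    """NBNS NAME QUERY for <domain>[1C] as a client sends it unicast to WINS.

    Header flags 0x0100 = opcode QUERY, RD set, B (broadcast) bit clear; a
    broadcast lookup of the same name uses 0x0110 and stays on the local
    subnet, which is why it never reaches the office over the VPN.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    encoded = netbios_encode(domain, NB_SUFFIX_DOMAIN_CONTROLLERS).encode("ascii")
    qname = b"\x20" + encoded + b"\x00"          # one 32-byte label, then root
    question = qname + struct.pack(">HH", 0x0020, 0x0001)  # QTYPE NB, QCLASS IN
    return header + question


if __name__ == "__main__":
    # "EXAMPLEDOM" is a constructed domain name, not one from the thread.
    enc = netbios_encode("EXAMPLEDOM", NB_SUFFIX_DOMAIN_CONTROLLERS)
    print(enc, netbios_decode(enc))
    print(len(build_wins_query("EXAMPLEDOM")), "byte query to UDP", NBNS_PORT)
```

Sending the returned bytes to the WINS server on UDP 137 and getting an answer back proves the firewall rule and the routed path work before you spend more time on the domain join itself.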

 