VPN + AD + [Non Domain Members]

Archived from groups: microsoft.public.win2000.active_directory

All:

We recently migrated our old NT4 domain to Server 2003 AD. We use a
SonicWALL VPN and have many home users running Windows XP that were
never configured as domain members. Most are configured under various
workgroup names. All are configured with appropriate AD DNS and WINS
entries.

We are currently running AD at the "Windows Server 2003 Interim" level,
and have lowered security by adding "Everyone" and "Anonymous Login" to
the "Pre-Windows 2000 Compatible Access" group. So far we have had no
problems with these non-domain VPN systems.

But we are not sure what the impact will be when we raise security and
the domain functional level. The security change we can easily
reverse. But the domain functional level cannot be tested.

Our concern is that these non-domain VPN systems may all need to be
converted into AD domain members.

Has anyone dealt with this yet?

Thanks.
  1.

    Unfortunately, I don't know how this was done because I don't work for
    central IT -

    The University where I work has a non-MS VPN solution. Some changes were
    made so that if you include the Domain field in the client's VPN login box
    (and of course if they enter their domain name into it), they will be
    authenticated.

    Somehow they got it to not refer to the DCs but to somehow "fake out" (their
    words) the resource servers. In other words if I leave the Domain field
    blank, I am prompted for credentials when I try to access Windows resources.
    If I include my domain, I am not prompted.

    Unless I'm missing something, I guess you are using credentials on the VPN
    server that are the same as the user's AD credentials, which is the case with
    us.

    I hope this is at least somewhat helpful.

    "EdwardLHall@hotmail.com" wrote:

    > All:
    >
    > We recently migrated our old NT4 domain to Server 2003 AD. We use a
    > SonicWALL VPN and have many home users running Windows XP that were
    > never configured as domain members. Most are configured under various
    > workgroup names. All are configured with appropriate AD DNS and WINS
    > entries.
    >
    > We are currently running AD at the "Windows Server 2003 Interim" level,
    > and have lowered security by adding "Everyone" and "Anonymous Login" to
    > the "Pre-Windows 2000 Compatible Access" group. So far we have had no
    > problems with these non-domain VPN systems.
    >
    > But we are not sure what the impact will be when we raise security and
    > the domain functional level. The security change we can easily
    > reverse. But the domain functional level cannot be tested.
    >
    > Our concern is that these non-domain VPN systems may all need to be
    > converted into AD domain members.
    >
    > Has anyone dealt with this yet?
    >
    > Thanks.
    >
    >
  2.

    You will be fine. The Pre-Windows 2000 Compatible Access is used to allow
    NT4.0 ras servers to read user accounts in Active Directory for dial in
    permissions. If you are not using a NT4.0 ras server you should not need to
    leave everyone in that group anymore if the migration is complete and you
    can always add it back easily. When you raise the domain functional level
    you will no longer be able to have any more NT4.0 BDC's on the domain. As
    far as VPN users, they already are accessing the domain as AD users if the
    ras server is a domain member by providing credentials to a user account in
    Active Directory. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;325363

    <EdwardLHall@hotmail.com> wrote in message
    news:1107525968.886704.295460@f14g2000cwb.googlegroups.com...
    > All:
    >
    > We recently migrated our old NT4 domain to Server 2003 AD. We use a
    > SonicWALL VPN and have many home users running Windows XP that were
    > never configured as domain members. Most are configured under various
    > workgroup names. All are configured with appropriate AD DNS and WINS
    > entries.
    >
    > We are currently running AD at the "Windows Server 2003 Interim" level,
    > and have lowered security by adding "Everyone" and "Anonymous Login" to
    > the "Pre-Windows 2000 Compatible Access" group. So far we have had no
    > problems with these non-domain VPN systems.
    >
    > But we are not sure what the impact will be when we raise security and
    > the domain functional level. The security change we can easily
    > reverse. But the domain functional level cannot be tested.
    >
    > Our concern is that these non-domain VPN systems may all need to be
    > converted into AD domain members.
    >
    > Has anyone dealt with this yet?
    >
    > Thanks.
    >
  3.

    I believe Ed implied that the VPN server isn't a domain member.

    "Steven L Umbach" wrote:

    > You will be fine. The Pre-Windows 2000 Compatible Access is used to allow
    > NT4.0 ras servers to read user accounts in Active Directory for dial in
    > permissions. If you are not using a NT4.0 ras server you should not need to
    > leave everyone in that group anymore if the migration is complete and you
    > can always add it back easily. When you raise the domain functional level
    > you will no longer be able to have any more NT4.0 BDC's on the domain. As
    > far as VPN users, they already are accessing the domain as AD users if the
    > ras server is a domain member by providing credentials to a user account in
    > Active Directory. --- Steve
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;325363
    >
    > <EdwardLHall@hotmail.com> wrote in message
    > news:1107525968.886704.295460@f14g2000cwb.googlegroups.com...
    > > All:
    > >
    > > We recently migrated our old NT4 domain to Server 2003 AD. We use a
    > > SonicWALL VPN and have many home users running Windows XP that were
    > > never configured as domain members. Most are configured under various
    > > workgroup names. All are configured with appropriate AD DNS and WINS
    > > entries.
    > >
    > > We are currently running AD at the "Windows Server 2003 Interim" level,
    > > and have lowered security by adding "Everyone" and "Anonymous Login" to
    > > the "Pre-Windows 2000 Compatible Access" group. So far we have had no
    > > problems with these non-domain VPN systems.
    > >
    > > But we are not sure what the impact will be when we raise security and
    > > the domain functional level. The security change we can easily
    > > reverse. But the domain functional level cannot be tested.
    > >
    > > Our concern is that these non-domain VPN systems may all need to be
    > > converted into AD domain members.
    > >
    > > Has anyone dealt with this yet?
    > >
    > > Thanks.
    > >
    >
    >
    >
  4.

    Yes,

    There is no "VPN Server". The SonicWALL is a gateway VPN device. The
    VPN client software simply reroutes any traffic destined for our
    internal subnet to the SonicWALL gateway so that the client system
    thinks it is connected to our internal network.

    The client systems use the same logon credentials as their AD user
    accounts even though they are not configured as domain members.

    I think they must be getting in right now via pass through
    authentication as they are working, but I'm not sure.
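
As an added example (not written by any poster in this thread), here is a read-only PowerShell check of the group membership discussed above, useful before and after removing "Everyone" and "Anonymous Logon". It assumes the ActiveDirectory module from RSAT, which postdates this thread, and the function name Get-PreW2kAccessMember is hypothetical.

```powershell
# Added example: list members of "Pre-Windows 2000 Compatible Access" and flag
# the two principals the original poster added. Read-only; changes nothing.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

$GroupSid = 'S-1-5-32-554'   # well-known SID of BUILTIN\Pre-Windows 2000 Compatible Access
$Flagged  = @{               # well-known SIDs, identical in every domain
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

function Get-PreW2kAccessMember {
    param([string]$Server)   # optional: a specific DC to query

    $query = @{ Identity = $GroupSid; Properties = 'member' }
    if ($Server) { $query['Server'] = $Server }
    $group = Get-ADGroup @query

    foreach ($dn in $group.member) {
        # Well-known principals appear as foreign security principals whose CN is the SID.
        $sid = $null
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
        }
        $hit = [bool]($sid -and $Flagged.ContainsKey($sid))
        [pscustomobject]@{
            Member  = $dn
            Sid     = $sid
            Name    = if ($hit) { $Flagged[$sid] } else { $null }
            Flagged = $hit
        }
    }
}

$members = @(Get-PreW2kAccessMember)
$members | Format-Table Name, Sid, Flagged, Member -AutoSize
if ($members | Where-Object Flagged) {
    Write-Warning 'Everyone and/or Anonymous Logon is still a member of Pre-Windows 2000 Compatible Access.'
}
```

Running it again after the membership change confirms the removal took effect, and keeping the earlier output records what to add back if a rollback is needed.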