
VPN + AD + [Non Domain Members]

Anonymous
February 4, 2005 9:06:08 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

All:

We recently migrated our old NT4 domain to Server 2003 AD. We use a
SonicWALL VPN and have many home users running Windows XP that were
never configured as domain members. Most are configured under various
workgroup names. All are configured with appropriate AD DNS and WINS
entries.

We are currently running AD at the "Windows Server 2003 Interim" level,
and have lowered security by adding "Everyone" and "Anonymous Login" to
the "Pre-Windows 2000 Compatible Access" group. So far we have had no
problems with these non-domain VPN systems.

But we are not sure what the impact will be when we raise security and
the domain functional level. The security change we can easily
reverse. But the domain functional level cannot be tested.

Our concern is that these non-domain VPN systems may all need to be
converted into AD domain members.

Has anyone dealt with this yet?

Thanks.


February 5, 2005 7:39:02 PM


Unfortunately, I don't know how this was done because I don't work for
central IT -

The University where I work has a non-MS VPN solution. Some changes were
made so that if you include the Domain field in the client's VPN login box
(and of course if they enter their domain name into it), they will be
authenticated.

Somehow they got it to not refer to the DCs but to somehow "fake out" (their
words) the resource servers. In other words if I leave the Domain field
blank, I am prompted for credentials when I try to access Windows resources.
If I include my domain, I am not prompted.

Unless I'm missing something, I guess you are using credentials on the VPN
server that are the same as the user's AD credentials, which is the case with
us.

I hope this is at least somewhat helpful.

"EdwardLHall@hotmail.com" wrote:

> All:
>
> We recently migrated our old NT4 domain to Server 2003 AD. We use a
> SonicWALL VPN and have many home users running Windows XP that were
> never configured as domain members. Most are configured under various
> workgroup names. All are configured with appropriate AD DNS and WINS
> entries.
>
> We are currently running AD at the "Windows Server 2003 Interim" level,
> and have lowered security by adding "Everyone" and "Anonymous Login" to
> the "Pre-Windows 2000 Compatible Access" group. So far we have had no
> problems with these non-domain VPN systems.
>
> But we are not sure what the impact will be when we raise security and
> the domain functional level. The security change we can easily
> reverse. But the domain functional level cannot be tested.
>
> Our concern is that these non-domain VPN systems may all need to be
> converted into AD domain members.
>
> Has anyone dealt with this yet?
>
> Thanks.
>
>
Anonymous
February 5, 2005 10:27:49 PM


You will be fine. The Pre-Windows 2000 Compatible Access is used to allow
NT4.0 ras servers to read user accounts in Active Directory for dial in
permissions. If you are not using a NT4.0 ras server you should not need to
leave everyone in that group anymore if the migration is complete and you
can always add it back easily. When you raise the domain functional level
you will no longer be able to have any more NT4.0 BDC's on the domain. As
far as VPN users, they already are accessing the domain as AD users if the
ras server is a domain member by providing credentials to a user account in
Active Directory. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;325363

<EdwardLHall@hotmail.com> wrote in message
news:1107525968.886704.295460@f14g2000cwb.googlegroups.com...
> All:
>
> We recently migrated our old NT4 domain to Server 2003 AD. We use a
> SonicWALL VPN and have many home users running Windows XP that were
> never configured as domain members. Most are configured under various
> workgroup names. All are configured with appropriate AD DNS and WINS
> entries.
>
> We are currently running AD at the "Windows Server 2003 Interim" level,
> and have lowered security by adding "Everyone" and "Anonymous Login" to
> the "Pre-Windows 2000 Compatible Access" group. So far we have had no
> problems with these non-domain VPN systems.
>
> But we are not sure what the impact will be when we raise security and
> the domain functional level. The security change we can easily
> reverse. But the domain functional level cannot be tested.
>
> Our concern is that these non-domain VPN systems may all need to be
> converted into AD domain members.
>
> Has anyone dealt with this yet?
>
> Thanks.
>
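
An added example, not part of any post in this thread: one way to audit whether the broad principals discussed above are still members of "Pre-Windows 2000 Compatible Access" before and after tightening it. It assumes the RSAT ActiveDirectory PowerShell module and read access to the domain; the well-known SIDs are standard Windows values, and the thread's "Anonymous Login" corresponds to the principal Windows names Anonymous Logon.

```powershell
# Added example: report members of "Pre-Windows 2000 Compatible Access"
# and flag the broad principals mentioned in the thread.
# Assumption: RSAT ActiveDirectory module is installed and the caller can read AD.
Import-Module ActiveDirectory

# Well-known SID of BUILTIN\Pre-Windows 2000 Compatible Access.
$groupSid = 'S-1-5-32-554'

# Well-known SIDs of the principals the original poster added.
$broadPrincipals = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

# Read the raw member attribute; well-known principals are stored as
# foreign security principal objects, so resolve each DN to its SID.
$group = Get-ADGroup -Identity $groupSid -Properties member

$report = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid
    $sid = $obj.objectSid.Value
    $isBroad = $broadPrincipals.ContainsKey($sid)
    [pscustomobject]@{
        Member = if ($isBroad) { $broadPrincipals[$sid] } else { $obj.Name }
        Sid    = $sid
        Broad  = $isBroad
    }
}

$report | Sort-Object Broad -Descending | Format-Table -AutoSize

if ($report.Broad -contains $true) {
    Write-Warning 'Everyone and/or Anonymous Logon is still a member of this group.'
} else {
    Write-Output 'Neither Everyone nor Anonymous Logon is a member of this group.'
}
```

Running it once before the change and once after gives a record to compare if non-domain VPN clients start failing and membership has to be restored.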
February 5, 2005 10:27:50 PM


I believe Ed implied that the VPN server isn't a domain member.

"Steven L Umbach" wrote:

> You will be fine. The Pre-Windows 2000 Compatible Access is used to allow
> NT4.0 ras servers to read user accounts in Active Directory for dial in
> permissions. If you are not using a NT4.0 ras server you should not need to
> leave everyone in that group anymore if the migration is complete and you
> can always add it back easily. When you raise the domain functional level
> you will no longer be able to have any more NT4.0 BDC's on the domain. As
> far as VPN users, they already are accessing the domain as AD users if the
> ras server is a domain member by providing credentials to a user account in
> Active Directory. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;325363
>
> <EdwardLHall@hotmail.com> wrote in message
> news:1107525968.886704.295460@f14g2000cwb.googlegroups.com...
> > All:
> >
> > We recently migrated our old NT4 domain to Server 2003 AD. We use a
> > SonicWALL VPN and have many home users running Windows XP that were
> > never configured as domain members. Most are configured under various
> > workgroup names. All are configured with appropriate AD DNS and WINS
> > entries.
> >
> > We are currently running AD at the "Windows Server 2003 Interim" level,
> > and have lowered security by adding "Everyone" and "Anonymous Login" to
> > the "Pre-Windows 2000 Compatible Access" group. So far we have had no
> > problems with these non-domain VPN systems.
> >
> > But we are not sure what the impact will be when we raise security and
> > the domain functional level. The security change we can easily
> > reverse. But the domain functional level cannot be tested.
> >
> > Our concern is that these non-domain VPN systems may all need to be
> > converted into AD domain members.
> >
> > Has anyone dealt with this yet?
> >
> > Thanks.
> >
>
>
>
Anonymous
February 17, 2005 10:39:37 AM


Yes,

There is no "VPN Server". The SonicWALL is a gateway VPN device. The
VPN client software simply reroutes any traffic destined for our
internal subnet to the SonicWALL gateway so that the client system
thinks it is connected to our internal network.

The client systems use the same logon credentials as their AD user
accounts even though they are not configured as domain members.

I think they must be getting in right now via pass through
authentication as they are working, but I'm not sure.