VPN + AD + [Non Domain Members]


EdwardLHall

All:

We recently migrated our old NT4 domain to Server 2003 AD. We use a
SonicWALL VPN and have many home users running Windows XP that were
never configured as domain members. Most are configured under various
workgroup names. All are configured with appropriate AD DNS and WINS
entries.

We are currently running AD at the "Windows Server 2003 Interim" level,
and have lowered security by adding "Everyone" and "Anonymous Login" to
the "Pre-Windows 2000 Compatible Access" group. So far we have had no
problems with these non-domain VPN systems.

But we are not sure what the impact will be when we raise security and
the domain functional level. The security change we can easily
reverse. But the domain functional level cannot be tested.

Our concern is that these non-domain VPN systems may all need to be
converted into AD domain members.

Has anyone dealt with this yet?

Thanks.
 

Guest

Unfortunately, I don't know how this was done because I don't work for
central IT -

The University where I work has a non-MS VPN solution. Some changes were
made so that if you include the Domain field in the client's VPN login box
(and of course if they enter their domain name into it), they will be
authenticated.

Somehow they got it to not refer to the DCs but to somehow "fake out" (their
words) the resource servers. In other words if I leave the Domain field
blank, I am prompted for credentials when I try to access Windows resources.
If I include my domain, I am not prompted.

Unless I'm missing something, I guess you are using credentials on the VPN
server that are the same as the user's AD credentials, which is the case with
us.

I hope this is at least somewhat helpful.
 

Steven L Umbach

You will be fine. The Pre-Windows 2000 Compatible Access is used to allow
NT4.0 ras servers to read user accounts in Active Directory for dial in
permissions. If you are not using a NT4.0 ras server you should not need to
leave everyone in that group anymore if the migration is complete and you
can always add it back easily. When you raise the domain functional level
you will no longer be able to have any more NT4.0 BDCs on the domain. As
far as VPN users, they already are accessing the domain as AD users if the
ras server is a domain member by providing credentials to a user account in
Active Directory. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;325363
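As an added example (not posted by anyone in this thread), the following PowerShell script performs the pre-flight check Steve's advice implies: it reports the current domain and forest functional modes, lists who is in "Pre-Windows 2000 Compatible Access" and flags the two anonymous-read principals, and lists domain controllers so you can confirm no NT 4.0 BDCs remain before raising the level. It assumes the ActiveDirectory RSAT module (Server 2008 R2 or later) and read rights on the domain; the well-known SID table and the hypothetical domain name in the comments are constructed for illustration.

```powershell
# Added example, not from the original thread.
# Pre-flight check before tightening Pre-Windows 2000 Compatible Access
# or raising the domain functional level.
# Assumes the ActiveDirectory module (RSAT) and read rights on the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
Write-Host "Domain: $($domain.DNSRoot)  mode: $($domain.DomainMode)"
Write-Host "Forest: $($forest.Name)  mode: $($forest.ForestMode)"

# Well-known SIDs (constructed lookup table). Everyone and Anonymous Logon are
# the two principals the original poster added; Authenticated Users is the default.
$wellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}
$anonymousRead = @('S-1-1-0', 'S-1-5-7')

# Members appear as foreign security principals, e.g.
# CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=example,DC=com (hypothetical domain),
# so read the member DNs directly instead of resolving them with Get-ADGroupMember.
$group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
Write-Host "Members of $($group.Name):"
foreach ($dn in $group.member) {
    $rdn   = ($dn -split ',')[0] -replace '^CN=', ''
    $label = if ($wellKnown.ContainsKey($rdn)) { $wellKnown[$rdn] } else { $rdn }
    $flag  = if ($anonymousRead -contains $rdn) { '  <-- grants anonymous read of AD objects' } else { '' }
    Write-Host "  $label$flag"
}

# Any remaining NT 4.0 domain controller blocks the raise; list DC operating
# systems so the absence of NT 4.0 BDCs can be confirmed before proceeding.
Write-Host "Domain controllers:"
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize

# Reverting the group change if a legacy system breaks is a single command per
# principal, run on a domain controller (shown as a comment, not executed here):
#   net localgroup "Pre-Windows 2000 Compatible Access" "Everyone" /add
#   net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /add
# Removing them is the same command with /delete.
```

Run it once before the change and once after removing Everyone and Anonymous Logon, and compare the member list; the functional-level lines confirm whether the raise has already happened, since that step has no rollback.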
 

EdwardLHall

Yes,

There is no "VPN Server". The SonicWALL is a gateway VPN device. The
VPN client software simply reroutes any traffic destined for our
internal subnet to the SonicWALL gateway so that the client system
thinks it is connected to our internal network.

The client systems use the same logon credentials as their AD user
accounts even though they are not configured as domain members.

I think they must be getting in right now via pass-through
authentication as they are working, but I'm not sure.
 
