
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 987

How to log on to a domain over VPN

Before I purchase a static public IP address for my VPN connection, I want to know whether the following setup will work.

The VPN client workstation and the VPN server are separated by the Internet.

Both the VPN client site and the VPN server site are using residential DSL modem routers (normal ADSL modem routers).

On the VPN server site, the ADSL modem router is connected to the VPN server, and behind the VPN server is the domain controller.

See the following "layout":

VPN Client == DSL Modem/Router == ( INTERNET ) == DSL Modem/Router == VPN Server == DC

The VPN server site is using a Dynamic Public Static IP Address. (I understand a dynamic public IP address is not the right way to configure a VPN, but I just want to try out first whether it works before I purchase a static public IP address.)

The VPN client workstation is using XP Pro, and the VPN server and DC both use Windows Server 2003. No Cisco product is involved in this case.

Assuming I have already set up/configured the VPN client, and on the VPN client Properties' Options tab checked the box for "Include Windows logon domain".

Assuming I will set port forwarding for PPTP on the VPN server site on the ADSL modem/router.

Assuming the VPN client is a registered domain computer/domain user for the remote DC.

What else should I do to successfully use the VPN to log on to the domain?

I saw an article that mentioned:

1) Open the VPN Client. Choose Options
2) Choose Windows Logon Properties
3) Uncheck Disconnect VPN connection when logging off
4) Choose OK. Note: this change to the VPN client only needs to be done once for your initial logon with CLO.
5) Choose Connect

Choose Log Off

But I cannot find "Windows Logon Properties" and "Disconnect VPN connection when logging off" on the VPN client. I thought this is a Cisco VPN Client option?

Anyhow, please advise: what else should I do in order to log on to the domain over VPN?
Just click/open the VPN client, key in the VPN server credentials (username/password), plus key in the domain name on the domain drop-down menu? Would it work?

I have yet to try it out, I just want to confirm...

I am confused by "Windows Logon Properties" and "Disconnect VPN connection when logging off" on the VPN client, which I learned about from another article...

I am not going to use any Cisco product in this setup. I only want to use Microsoft VPN to set this up, without involving any 3rd-party software/technology.

Please advise. If possible step by step, starting from OPEN THE VPN CLIENT...

1 Solution
Jian An Lim Commented:
Okay, I am reading too many things here.
I am not sure what you are trying to do.

Let me get it right:
you can't log on to the domain over VPN using Microsoft solutions.

You, however, can log on to the domain, then dial the VPN.
This will definitely work.

So what are you trying to do, in brief terms?

In a pure Microsoft solution, do you know RRAS? IAS? This is the VPN server.

kcn Author Commented:
Dear limjinan,
Yes, I know RRAS and IAS. Any suggestions on them?

What I want is: sitting in front of the VPN client workstation, log on as a domain user, but the domain controller is not in the same building as the VPN client; the domain controller is 200 km from the VPN client workstation.

The VPN client and VPN server are at 2 different locations; the domain controller is at the same location as the VPN server. How to make the VPN client log on to the domain (log on to the DC) WITHOUT first dialing the VPN?
How To Configure and Use Dial-Up Connections in Windows XP

In the above you can use the PPTP client as your dial-up connection; then once the PPTP connection is established you can log in to the domain.

Any questions, please ask.

Good luck
I mean to say, after creating the connection settings in Windows XP,

restart the computer and at the logon screen select the dial-up option.
kcn Author Commented:
Dear HarendraG,

Please correct me if I am wrong.

On the XP Pro workstation (VPN client):
Start > Control Panel > Network Connection > click "add new networkplace connection" > Wizard starts >
select VPN Client >

After finishing the Wizard, go to the VPN Connection, right-click on the VPN Connection > Properties > Options tab > check the box for "Include Windows logon domain"

On the XP Pro workstation (VPN client):
Start > Control Panel > Network Connection > click (open) the VPN Connection > the dialog box pops up to request USERNAME + PASSWORD + DOMAIN > key in the VPN server authenticated username + password and enter the domain name > click the "Connect" button

That's all, I can dial the VPN plus log on to the domain? Am I right?
YES, this should work.
Rob Williams Commented:
>>"check the box for "include Window logon domain" "
No, that will not log you on to the domain, it will just add your domain name to the user name for authentication, which is not necessary, often doesn't even work, and has nothing to do with logging the client on to the domain.

The only way to have a remote user log on to the domain at the time the VPN connection is made is to join that PC to the domain. Once done, when the user logs on to their PC there will then be a check box in the logon screen, "log-in using dial up connection". Selecting this will then allow the user to choose the VPN connection (assuming you have created it). This then allows the user to connect to the VPN before logon, and then authenticate to the domain and apply group policy and logon scripts. On occasion you have to use the following group policies to "tweak" the connection because VPNs are considered slow links.

Computer Configuration | Administrative Templates | System | Logon  | Always wait for the network at computer startup and login
Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously

Though a static IP simplifies things, you can subscribe to a free DDNS service, such as www.no-ip.com or www.dyndns.com, which will allow you to consistently use a dynamic IP.

As for the VPN, the following instructions may be of some help:
The basic server and client configurations can be found at the following sites with good detail:
-Server 2003 configuration:
-Windows XP client configuration:
-You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling VPN or PPTP pass-through on your router, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
-The users that are connecting to the VPN need to have allow access enabled under the dial-in tab of their profile in Active Directory.
-The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example, if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x

-Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name, though this can usually be configured. Using the IP address is less problematic, such as \\\ShareName.
-Name resolution can be dealt with in many ways. See:
However, the best method is to add the DNS suffix to the remote user's VPN client configuration as described in the link above.
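
The subnet and port-forwarding points in the answer above, turned into a pre-flight check. This is an added example, not part of the original thread; the host name, DC address and LAN ranges are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import socket

PPTP_PORT = 1723  # PPTP control channel; the port the answer says to forward


def lan_conflict(client_lan, server_lan):
    """Return the address range both LANs claim, or None if they are distinct."""
    c = ipaddress.ip_network(client_lan, strict=False)
    s = ipaddress.ip_network(server_lan, strict=False)
    if not c.overlaps(s):
        return None
    # Overlapping CIDR blocks are always nested: the longer prefix is the overlap.
    return c if c.prefixlen >= s.prefixlen else s


def routed_through_tunnel(target_ip, client_lan, server_lan):
    """True if target_ip is on the server LAN and not on-link for the client."""
    t = ipaddress.ip_address(target_ip)
    c = ipaddress.ip_network(client_lan, strict=False)
    s = ipaddress.ip_network(server_lan, strict=False)
    return t in s and t not in c  # on-link addresses go to the client's own LAN


def control_port_open(host, port=PPTP_PORT, timeout=3.0):
    """TCP connect test only; it cannot prove GRE (PPTP pass-through) works."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or the DDNS name did not resolve
        return False


def preflight(host, dc_ip, client_lan, server_lan, port=PPTP_PORT):
    """Collect the problems that would stop the pre-logon VPN dial from working."""
    problems = []
    clash = lan_conflict(client_lan, server_lan)
    if clash is not None:
        problems.append(f"both sites use {clash}; renumber one side")
    if not routed_through_tunnel(dc_ip, client_lan, server_lan):
        problems.append(f"DC {dc_ip} would not be reached via the tunnel")
    if not control_port_open(host, port):
        problems.append(f"TCP {port} on {host} is not reachable")
    return problems


if __name__ == "__main__":
    # Constructed values: placeholder DDNS name and example LAN ranges.
    for p in preflight("vpn.example.invalid", "192.168.1.10",
                       "192.168.2.0/24", "192.168.1.0/24"):
        print("PROBLEM:", p)
```

A passing TCP test still leaves the router's PPTP pass-through setting unverified, so a dial that stalls after the port check succeeds points at that setting.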
