How to logon domain over VPN

Posted on 2009-12-20
Last Modified: 2013-12-23
Before I purchase a Static Public IP Address for my VPN Connection, I want to know whether the following setup will work.

VPN Client workstation and VPN Server is separated by Internet.

Both VPN client site and VPN server site are using residential DSL Modem Router ( normal ADSL Modem Router ) .

On VPN Server site , ADSL Modem Router is connected to VPN Server and behind VPN server is Domain Controller .

See the following "layout":-

VPN Client ==DSL Modem/Router ==( INTERNET ) ==DSL ModemRouter==VPN Server==DC

VPN Server site is using Dynamic Public Static IP Address. (I understand a dynamic public IP address is not the right way to configure VPN, but I just want to try out first whether it works before I purchase a Static Public IP Address.)

VPN Client workstation is using XP Pro, and VPN Server and DC both use Windows Server 2003. No Cisco product is involved in this case.

Assuming I have already set up/configured the VPN Client and also, on the VPN Client Properties' Option Tab, checked the box for "include Windows logon domain".

Assuming I will set port forwarding for PPTP on the VPN Server site on the ADSL Modem/Router.

Assuming the VPN Client is a registered Domain computer/Domain User for the remote DC.

What else should I do to successfully use VPN to log on to the domain?

I see some articles mention:

1) Open the VPN Client. Choose Options
2) Choose Windows Logon Properties
3) Uncheck Disconnect VPN connection when logging off
4) Choose OK. Note: this change to the VPN client only needs to be done once for your initial logon with CLO.
5) Choose Connect

Choose Log Off

But I cannot find "Windows Logon Properties" and "Disconnect VPN connection when logging off" on the VPN Client. I thought this is a Cisco VPN Client option?

Anyhow, please advise what else I should do in order to log on to the domain over VPN.
Just click/open the VPN Client, key in the VPN Server credentials (username/password), plus key in the domain name on the domain drop-down menu? Would it work?

I have yet to try it out, I just want to confirm...

I am confused by "Windows Logon Properties" and "Disconnect VPN connection when logging off" on the VPN Client, which I learned from another article...

I am not going to use any Cisco product in this setup. I only want to use Microsoft VPN to set this up, without involving any 3rd-party software/technology.

Please advise. If possible step by step, starting from OPEN THE VPN CLIENT...

Question by:kcn
    LVL 35

    Expert Comment

    by:Jian An Lim
    Okay, I am reading too many things here.
    I am not sure what you are trying to do.

    Let me get it right:
    you can't log on to the domain over VPN using Microsoft solutions.

    You can, however, log on to the domain, then dial VPN.
    This will definitely work.

    So what are you trying to do, in brief terms?

    In a pure Microsoft solution, do you know RRAS? IAS? This is the VPN server.


    Author Comment

    Dear limjinan,
    Yes, I know RRAS and IAS. Any suggestions on them?

    What I want is: sitting in front of the VPN Client workstation, log on as a Domain User, but the Domain Controller is not in the same building as the VPN Client; the Domain Controller is 200km from the VPN Client workstation.

    VPN Client and VPN Server are at 2 different locations; the Domain Controller is at the same location as the VPN Server. How to make the VPN Client log on to the domain (log on to the DC) WITHOUT first dialing VPN?
    LVL 13

    Expert Comment

    How To Configure and Use Dial-Up Connections in Windows XP
    LVL 13

    Expert Comment

    In the above you can use the PPTP client as your dial-up connection; then, once the PPTP connection is established, you can log in to the domain.

    Any questions, please ask.

    Good Luck
    LVL 13

    Expert Comment

    I mean to say, after creating the connection settings in Windows XP,

    restart the computer and at the logon screen select the dial-up option.
    LVL 13

    Expert Comment


    Author Comment

    Dear HarendraG ,

    Please correct me if I am wrong.

    On the XP Pro Workstation (VPN Client):
    Start > Control Panel > Network Connection > click "add new networkplace connection" > Wizard starts >
    select VPN Client >

    After finishing the Wizard, go to VPN Connection, right-click on VPN Connection > Properties > Option Tab > check the box for "include Windows logon domain"

    On the XP Pro workstation (VPN Client):
    Start > Control Panel > Network Connection > click (open) VPN Connection > the dialog box pops up to request USERNAME + PASSWORD + DOMAIN > key in the VPN Server authenticated Username + Password and enter the Domain name > click the "connect" button

    That's all, I can dial VPN plus log on to the domain? Am I right?
    LVL 13

    Expert Comment

    YES this should work
    LVL 77

    Accepted Solution

    >>"check the box for "include Window logon domain" "
    No, that will not log you on to the domain, it will just add your domain name to the user name for authentication, which is not necessary, often doesn't even work, and has nothing to do with logging the client on to the domain.

    The only way to have a remote user log on to the domain at the time the VPN connection is made is to join that PC to the domain. Once done, when the user logs on to their PC there will then be a check box in the logon screen "log-in using dial up connection". Selecting this will then allow the user to choose the VPN connection (assuming you have created it). This then allows the user to connect to the VPN before logon, and then authenticate to the domain and apply group policy and logon scripts. On occasion you have to use the following group policies to "tweak" the connection because VPNs are considered slow links.

    Computer Configuration | Administrative Templates | System | Logon  | Always wait for the network at computer startup and login
    Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
    Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously

    Though a static IP simplifies things you can subscribe to a free DDNS service, such as or which will allow you to consistently use a dynamic IP.

    As for the VPN, the following instructions may be of some help:
    The basic server and client configurations can be found at the following sites with good detail:
    -Server 2003 configuration:
    -Windows XP client configuration:
    -You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
    -The users that are connecting to the VPN need to have allow access enabled under the dial-in tab of their profile in Active Directory
    -The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x

    -Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name, though this can usually be configured. Using the IP address is less problematic, such as \\\ShareName.
    -Name resolution can be dealt with in many ways. See:
    However, the best method is to add the DNS suffix to the remote user's VPN client configuration as described in the link above
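
The subnet rule in the accepted answer (the remote site must not use the same subnet as the server end) can be checked before any router is touched. The following is an added example, not part of the original answer: it reads `ipconfig` output from both ends, reports overlapping networks, and proposes a free /24 for the remote site. The sample outputs are constructed, and the function names are this example's own.

```python
import ipaddress
import re

# "IP Address" is the XP / Server 2003 label; later Windows prints "IPv4 Address".
_ADDR = re.compile(r"IP(?:v4)? Address[ .]*:\s*(\d+(?:\.\d+){3})")
_MASK = re.compile(r"Subnet Mask[ .]*:\s*(\d+(?:\.\d+){3})")

# Constructed sample `ipconfig` output, not captured from a real host.
REMOTE_XP = """
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""
OFFICE_2003 = """
Ethernet adapter LAN:
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

def networks_from_ipconfig(text):
    """Return the IPv4 networks (address + mask pairs) found in ipconfig output."""
    nets, addr = [], None
    for line in text.splitlines():
        m = _ADDR.search(line)
        if m:
            addr = m.group(1)
            continue
        m = _MASK.search(line)
        if m and addr:
            # strict=False turns a host address plus mask into its network.
            nets.append(ipaddress.ip_network(f"{addr}/{m.group(1)}", strict=False))
            addr = None
    return nets

def conflicts(remote_nets, office_nets):
    """Pairs of (remote, office) networks whose address ranges overlap."""
    return [(r, o) for r in remote_nets for o in office_nets if r.overlaps(o)]

def suggest_remote_subnet(office_nets, pool="192.168.0.0/16"):
    """First /24 in the private pool that does not collide with the office side."""
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=24):
        if not any(cand.overlaps(o) for o in office_nets):
            return cand
    return None

if __name__ == "__main__":
    remote = networks_from_ipconfig(REMOTE_XP)
    office = networks_from_ipconfig(OFFICE_2003)
    for r, o in conflicts(remote, office):
        print(f"conflict: remote {r} overlaps office {o}")
    print("suggested remote subnet:", suggest_remote_subnet(office))
```

Run it with the real `ipconfig` text from the client and the server pasted in place of the two samples; an empty conflict list means the VPN client can route to the office LAN without its own LAN shadowing it.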
