L2TP VPN over the internet
Posted on 2011-02-17
Ok, I have a client who is dead set on running their domain controller out of a datacenter across the internet (not a very good idea, I'm aware). I have set up the datacenter server (Server 2008) with all the services required - DHCP, AD Domain Services, AD Cert Services, Routing and Remote Access (via the Network Policy and Access role), and File Services.
However, I need some guidance for the rest of things -
I want to use L2TP for the VPN. Their clients are XP so SSTP is out, but they move medical data so PPTP is not an option due to insecurity. However, I can't create a L2TP connection without installing a certificate from the client (by joining the datacenter server's domain), but I can't join the domain without creating the VPN so it's a catch 22. My idea was to try to log in using PPTP, join the domain, and then switch to L2TP, but the datacenter server won't verify my credentials. When I try to log in it just says 'Verifying username and password...' for a minute then times out with 'Error 721: The remote computer did not respond'. I tried temporarily (VERY temporarily) disabling the remote server's firewall but still couldn't connect.
Client setup - Should I just point the client machine's DNS settings to the public IP of the datacenter server, pull it off their current domain, and join it to the new one? This seems too easy, honestly.
Any thoughts on migrating their active directory data? Can I just dump it out as .csv from their local DC (Server 2003) and import it to their new remote DC? I'm not sure exactly how to do this, any tools y'all are aware of would help.
Any help would be appreciated. I realize trying to run a DC over the internet is probably a bad idea, but the client had already signed a 3 year contract on the remote servers before I even got here.