Security Forums

Need advice for domain setup

poorprince
Posted: Fri Dec 10, 2010 9:10 pm

I have set up a domain environment and created a VPN setup. Most of our office users work remotely and now connect to the office network using VPN and use domain resources like file and print sharing, etc.
My question is:
Is it possible for the remote users to join the domain and use domain resources like normal users on the LAN, so they don't need to enter the domain/account password every time they use domain resources like servers, etc.?
If I connect a remote system to the domain, then how do I overcome their login issues when they are at remote locations?
Bannerd
Posted: Thu Dec 23, 2010 1:55 pm

Yes, a better way to do it is to have them log in to the domain right on login. If you're new to VPN and need a quick fix, look into the SonicWall VPN-2000 server box. If you want something more secure, look into Fortinet; they have some really nice devices that can do exactly what you're wanting.

We use OpenVPN here but it's a bit complicated to set up. If you have the time I would suggest you go this route as it really helps explain the process. There is no reason that a user cannot log in to the domain on login and use the DNS resources on your network.
Weaver
Posted: Sat Jan 22, 2011 2:45 am

Windows will first try to authenticate to a resource using the *current* logged-in user's credentials, unless other credentials are specified in "Windows Vault." This goes for SMB/CIFS file shares, printing, and even Internet Explorer if presented with an NTLM challenge on a website.

This behavior is part of the Windows Single Sign-On (SSO) paradigm.

An Active Directory Domain is many things, one of which is a central yet distributed database of credentials, both user and machine.

If the remote workstation is a member of the domain and the user signs in to the computer with domain credentials, then whenever that user attempts to access resources the domain credentials will be attempted first.

If both user and resource (shares, printers, etc.) are members of the same domain, they can authenticate each other (Kerberos, NTLM), and then check whether access is permitted or denied based on permissions that have been assigned to the resource.

To make a remote access paradigm smooth:


  • All workstations (including laptops) and servers should be members of the same Active Directory domain. There are exceptions but you want "smooth and easy."
  • Secure, Reliable VPN Solution - PPTP is easy but the least secure. SSTP is a great replacement but new (requires 2008 R2 and 7). There are many vendor implementations of L2TP and IPSec, all with varying degrees of interop. DirectAccess from Microsoft is very interesting but requires a solid *internal* IPv6 infrastructure. SSL/TLS based VPNs (SSTP from MS, AnyConnect from Cisco, OpenVPN, etc.) are becoming the norm but are not compatible with each other. If you have the option of starting fresh, look to an SSL/TLS based solution. This will save you the headache of dealing with GRE and ESP protocol issues when your users are at coffee shops and hotels.
  • Name Resolution is often the trickiest part of remote access paradigms. Ensuring the remote users can resolve AD DS domain name resources and Internet domain resources is a common problem and can be mitigated in a variety of ways.


-Weaver
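
The conditions in the list above (domain membership, a working tunnel, AD name resolution) can be checked from a remote laptop once the VPN is connected. The PowerShell below is an added example, not part of the original thread; the function name `Test-RemoteDomainAccess` is hypothetical, and it assumes Windows PowerShell 5.1 on Windows 8 or later.

```powershell
function Test-RemoteDomainAccess {            # hypothetical name, added example
    $r = [ordered]@{ DomainMember = $false; Domain = $null; DcSrvRecords = 0
                     DcReachable = $false; SecureChannel = $null; KerberosTgt = $false }

    # 1. Domain membership: SSO with domain credentials needs a joined machine.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r.DomainMember = [bool]$cs.PartOfDomain
    if (-not $r.DomainMember) { return [pscustomobject]$r }
    $r.Domain = $cs.Domain                    # read from the machine, not hard-coded

    # 2. Name resolution: AD clients locate domain controllers through SRV
    #    records, so the DNS servers used over the tunnel must answer this query.
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($r.Domain)" -Type SRV `
                 -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' })
    $r.DcSrvRecords = $srv.Count

    # 3. Reachability: Kerberos (TCP 88) and LDAP (TCP 389) must pass the VPN.
    foreach ($dc in @($srv | Select-Object -ExpandProperty NameTarget -Unique)) {
        $ok = foreach ($port in 88, 389) {
            (Test-NetConnection -ComputerName $dc -Port $port `
                 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        if ($ok -notcontains $false) { $r.DcReachable = $true; break }
    }

    # 4. Machine trust: the computer account's secure channel to the domain.
    #    Stays $null on any error (for example insufficient rights or no DC).
    try { $r.SecureChannel = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { Write-Warning "Secure channel not verified: $($_.Exception.Message)" }

    # 5. User SSO: a krbtgt ticket in this logon session means the domain
    #    credentials were accepted by a KDC. klist only sees the session it runs
    #    in, so run this from the user's normal (non-elevated) session.
    $r.KerberosTgt = [bool](klist | Select-String -Pattern 'krbtgt' -Quiet)

    [pscustomobject]$r
}

Test-RemoteDomainAccess | Format-List
```

A result with `DomainMember` true but `DcSrvRecords` at 0 points at the name-resolution item in the list: the VPN adapter is not handing out DNS servers that can answer for the AD DS domain.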
All times are GMT + 2 Hours