Join a remote PC to 2003 domain

My son is at college and his XP PC was on my domain I run at home. Even
though he is no longer on my network while at college (obviously), he's had
no trouble since he has been logging in with the locally cached profile.
However, he let a "buddy" try to fix a networking problem and the "buddy"
removed it from the domain, adding to a workgroup. Of course then he couldn't
log in with his domain account, though I got him past that by logging in to a
local account I had previously created on it.
But now he's running into a bunch of errors and problems and I'm thinking
the only way to fix most or all of it is to get his PC back on my domain.

Jonathan
How do I add his PC back to my domain while his PC is 10 hours away at
college? Can he VPN into my network and then the necessary communication will
take place between his PC and my DC?
If so, what do I need to set up on my end to allow that? Obviously opening
ports in my firewall is not a good idea. Do I set up RRAS on my DC or what?
I've never really set up RRAS before so don't know just how that would need
to be configured.
And would I need to open any ports in the firewall to allow his PC to VPN
into the DC/RRAS server?

"JonathanL" <(E-Mail Removed)> wrote in message
news:AF7FFF9D-76E4-4552-B2CE-(E-Mail Removed)...
> My son is at college and his XP PC was on my domain I run at home. Even
> though he is no longer on my network while at college (obviously), he's
> had
> no trouble since he has been logging in with the locally cached profile.
> However, he let a "buddy" try to fix a networking problem and the "buddy"
> removed it from the domain, adding to a workgroup. Of course then he
> couldn't
> log in with his domain account, though I got him past that by logging in
> to a
> local account I had previously created on it.
> But now he's running into a bunch of errors and problems and I'm thinking
> the only way to fix most or all of it is to get his PC back on my domain.
>
> Jonathan
> How do I add his PC back to my domain while his PC is 10 hours away at
> college? Can he VPN into my network and then the necessary communication
> will
> take place between his PC and my DC?
> If so, what do I need to set up on my end to allow that? Obviously opening
> ports in my firewall is not a good idea. Do I set up RRAS on my DC or
> what?
> I've never really set up RRAS before so don't know just how that would
> need
> to be configured.
> And would I need to open any ports in the firewall to allow his PC to VPN
> into the DC/RRAS server?


Hi Jonathan,

If you have VPN capabilities, you should be fine. And VPN is a feature that
runs under RRAS, so I assume you are using SBS' VPN capabilities, RRAS is
already setup. Give it a shot and let us know how you make out.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(E-Mail Removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

But I'm not running SBS. I'm running Windows Server 2003 Standard. So I have
to completely install and setup RRAS.

Jonathan

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "JonathanL" <(E-Mail Removed)> wrote in message
> news:AF7FFF9D-76E4-4552-B2CE-(E-Mail Removed)...
> > My son is at college and his XP PC was on my domain I run at home. Even
> > though he is no longer on my network while at college (obviously), he's
> > had
> > no trouble since he has been logging in with the locally cached profile.
> > However, he let a "buddy" try to fix a networking problem and the "buddy"
> > removed it from the domain, adding to a workgroup. Of course then he
> > couldn't
> > log in with his domain account, though I got him past that by logging in
> > to a
> > local account I had previously created on it.
> > But now he's running into a bunch of errors and problems and I'm thinking
> > the only way to fix most or all of it is to get his PC back on my domain.
> >
> > Jonathan
> > How do I add his PC back to my domain while his PC is 10 hours away at
> > college? Can he VPN into my network and then the necessary communication
> > will
> > take place between his PC and my DC?
> > If so, what do I need to set up on my end to allow that? Obviously opening
> > ports in my firewall is not a good idea. Do I set up RRAS on my DC or
> > what?
> > I've never really set up RRAS before so don't know just how that would
> > need
> > to be configured.
> > And would I need to open any ports in the firewall to allow his PC to VPN
> > into the DC/RRAS server?
>
>
> Hi Jonathan,
>
> If you have VPN capabilities, you should be fine. And VPN is a feature that
> runs under RRAS, so I assume you are using SBS' VPN capabilities, RRAS is
> already setup. Give it a shot and let us know how you make out.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> (E-Mail Removed)
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
>

Setting up remote access in RRAS is not a big deal. Essentially all you
need to do is select the right option in the setup wizard.

That said, doing what you plan is not a walk in the park if neither of
you has experience with VPN. The VPN experience is very different from being
on the LAN.


"JonathanL" <(E-Mail Removed)> wrote in message
news:ABA9FC59-6940-4C62-83B5-(E-Mail Removed)...
> But I'm not running SBS. I'm running Windows Server 2003 Standard. So I
> have
> to completely install and setup RRAS.
>
> Jonathan
>
> "Ace Fekay [Microsoft Certified Trainer]" wrote:
>
>> "JonathanL" <(E-Mail Removed)> wrote in message
>> news:AF7FFF9D-76E4-4552-B2CE-(E-Mail Removed)...
>> > My son is at college and his XP PC was on my domain I run at home. Even
>> > though he is no longer on my network while at college (obviously), he's
>> > had
>> > no trouble since he has been logging in with the locally cached
>> > profile.
>> > However, he let a "buddy" try to fix a networking problem and the
>> > "buddy"
>> > removed it from the domain, adding to a workgroup. Of course then he
>> > couldn't
>> > log in with his domain account, though I got him past that by logging
>> > in
>> > to a
>> > local account I had previously created on it.
>> > But now he's running into a bunch of errors and problems and I'm
>> > thinking
>> > the only way to fix most or all of it is to get his PC back on my
>> > domain.
>> >
>> > Jonathan
>> > How do I add his PC back to my domain while his PC is 10 hours away at
>> > college? Can he VPN into my network and then the necessary
>> > communication
>> > will
>> > take place between his PC and my DC?
>> > If so, what do I need to set up on my end to allow that? Obviously
>> > opening
>> > ports in my firewall is not a good idea. Do I set up RRAS on my DC or
>> > what?
>> > I've never really set up RRAS before so don't know just how that would
>> > need
>> > to be configured.
>> > And would I need to open any ports in the firewall to allow his PC to
>> > VPN
>> > into the DC/RRAS server?
>>
>>
>> Hi Jonathan,
>>
>> If you have VPN capabilities, you should be fine. And VPN is a feature
>> that
>> runs under RRAS, so I assume you are using SBS' VPN capabilities, RRAS is
>> already setup. Give it a shot and let us know how you make out.
>>
>> --
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
>> Microsoft Certified Trainer
>> (E-Mail Removed)
>>
>> For urgent issues, you may want to contact Microsoft PSS directly. Please
>> check http://support.microsoft.com for regional support phone numbers.
>>
>>

"JonathanL" <(E-Mail Removed)> wrote in message
news:ABA9FC59-6940-4C62-83B5-(E-Mail Removed)...
> But I'm not running SBS. I'm running Windows Server 2003 Standard. So I
> have
> to completely install and setup RRAS.

Sorry, I assumed SBS. As for VPN, I mistakenly thought you implied you
already have RRAS and VPN setup.

As Bill mentioned, if you are not familiar with RRAS and VPNs, it can get
complicated. The following articles may be able to help out.

=======================
How to setup RRAS as a VPN server

Routing and Remote Access Blog : VPN server deployment: IP
http://blogs.technet.com/rrasblog/ar...20/457653.aspx

Microsoft Windows Server 2008: A Beginner's Guide - Google Books Resultby
Marty Matthews - 2008 - Computers - 592 pages
SET UP A VPN SERVER VPN, like RAS, has both client and server components.
http://books.google.com/books?id=Rm0...esult&resnum=8

VPN Setup - multiple links on how to setup RRAS, VPN and a client
www.chicagotech.net/vpnsetup.htm
=======================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(E-Mail Removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Bill Kearney <(E-Mail Removed)> wrote:
>> How do I add his PC back to my domain while his PC is 10 hours away
>> at college? Can he VPN into my network and then the necessary
>> communication will
>> take place between his PC and my DC?
>
> Yes, that would work. What router do you have running at home? Some
> routers have the ability to run a VPN server on them. Or support
> changing their firmware to support one. I've had great success doing
> just that using a Linksys WRT54G with the DDWRT firmware loaded onto
> it. The stock firmware has no VPN server support. The free DDWRT
> firmware replaces it and has, among other features, a VPN server. You VPN
> 'dial' into the router itself. No need to setup anything on
> an internal server.
> WRT54G routers are cheap too. Cheap enough that if you don't have a
> VPN capable router now it might be simplest to just get one that'll
> run DDWRT. This would likely be a lot less trouble than learning how
> and setting up a RRAS server internally.
>
> -Bill Kearney

Yes, and this would be preferable to running RRAS on a domain controller.
That said, I've never tried to join a domain via a VPN client connection and
I'm not certain it actually works. And the user's original domain profile is
now lost, so I don't know that creating a new one is going to help much. I
would personally wait until he was home again at the end of the term;
there's nothing he shouldn't be able to do while logged in as a local user.
A remote session via LogMeIn or something would probably be in order to
correct whatever errors he's got now.

"Lanwench [MVP - Exchange]"
<(E-Mail Removed) hoo.com> wrote in message
news:(E-Mail Removed)...
>
> Yes, and this would be preferable to running RRAS on a domain controller.
> That said, I've never tried to join a domain via a VPN client connection
> and I'm not certain it actually works. And the user's original domain
> profile is now lost, so I don't know that creating a new one is going to
> help much. I would personally wait until he was home again at the end of
> the term; there's nothing he shouldn't be able to do while logged in as a
> local user. A remote session via LogMeIn or something would probably be in
> order to correct whatever errors he's got now.
>

I've actually joined numerous laptops via VPN. It works great. I've always
recommended a Cisco firewall/VPN solution (PIX 501 and now the ASA5505) and
it works great. With the high end units, you can opt for AD for
authentication or local user (on the firewall) authentication. I opt for
local authentication so I can get in if the DC(s) are down.
Of course, a fast line is helpful. Some of my customers would drop off a
handful of laptops to configure so I can get around to them at my leisure,
install the VPN client and join and configure them, copy any local profile
to the new domain user profile, make sure Redirection is working, etc, all
from home.

I use a number of remote tools, besides Microsoft RDP, if using SBS,
Webworkplace, and others such as TeamViewer, Dell's DRAC and HP's ILO.

But of course, as discussed earlier, Microsoft RRAS/VPN or 3rd party VPN
configuration knowledge is essential.

Ace

Ace, Bill, and Lanwench:
Thank you all for your help. Let me try to see if I can respond correctly to
all you've written.
1. Setting up the VPN client on the PC is no problem, been there done that.
I'm used to being on the client end of a VPN, not the server end.
2. I have almost 10 years experience running Windows servers but never had
the chance to install/config RRAS or a VPN server so that's why I need the
help here. I do have written material here to consult.
3. I have a D-Link DI-524 router so no chance of a f/w update to get VPN
capability. At one place I help at, we have a Linsys RVS4000 which works
great, but I can't afford to buy anything till I get another job.
4. I really don't want to install RRAS/VPN on my DC. I do have a file server
that I could install it on which I presume would be better. I just wasn't
sure if it made a difference which server RRAS/VPN was installed on to make
it work so that my son could then VPN in and get his PC back on the domain.
5. I'm using TeamViewer which works great. I've used it multiple times on
multiple PCs and I'm very happy with it. Works great when the other PC is
behind a firewall or router.

Jonathan

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Lanwench [MVP - Exchange]"
> <(E-Mail Removed) hoo.com> wrote in message
> news:(E-Mail Removed)...
> >
> > Yes, and this would be preferable to running RRAS on a domain controller.
> > That said, I've never tried to join a domain via a VPN client connection
> > and I'm not certain it actually works. And the user's original domain
> > profile is now lost, so I don't know that creating a new one is going to
> > help much. I would personally wait until he was home again at the end of
> > the term; there's nothing he shouldn't be able to do while logged in as a
> > local user. A remote session via LogMeIn or something would probably be in
> > order to correct whatever errors he's got now.
> >
>
> I've actually joined numerous laptops via VPN. It works great. I've always
> recommended a Cisco firewall/VPN solution (PIX 501 and now the ASA5505) and
> it works great. With the high end units, you can opt for AD for
> authentication or local user (on the firewall) authentication. I opt for
> local authentication so I can get in if the DC(s) are down.
> Of course, a fast line is helpful. Some of my customers would drop off a
> handful of laptops to configure so I can get around to them at my leisure,
> install the VPN client and join and configure them, copy any local profile
> to the new domain user profile, make sure Redirection is working, etc, all
> from home.
>
> I use a number of remote tools, besides Microsoft RDP, if using SBS,
> Webworkplace, and others such as TeamViewer, Dell's DRAC and HP's ILO.
>
> But of course, as discussed earlier, Microsoft RRAS/VPN or 3rd party VPN
> configuration knowledge is essential.
>
> Ace
>
>
>
>
>

"JonathanL" <(E-Mail Removed)> wrote in message
news3072971-D1E9-4380-B3C2-(E-Mail Removed)...
> Ace, Bill, and Lanwench:
> Thank you all for your help. Let me try to see if I can respond correctly
> to
> all you've written.
> 1. Setting up the VPN client on the PC is no problem, been there done
> that.
> I'm used to being on the client end of a VPN, not the server end.
> 2. I have almost 10 years experience running Windows servers but never had
> the chance to install/config RRAS or a VPN server so that's why I need the
> help here. I do have written material here to consult.
> 3. I have a D-Link DI-524 router so no chance of a f/w update to get VPN
> capability. At one place I help at, we have a Linsys RVS4000 which works
> great, but I can't afford to buy anything till I get another job.
> 4. I really don't want to install RRAS/VPN on my DC. I do have a file
> server
> that I could install it on which I presume would be better. I just wasn't
> sure if it made a difference which server RRAS/VPN was installed on to
> make
> it work so that my son could then VPN in and get his PC back on the
> domain.
> 5. I'm using TeamViewer which works great. I've used it multiple times on
> multiple PCs and I'm very happy with it. Works great when the other PC is
> behind a firewall or router.
>
> Jonathan
>


Hi Jonathan,

Sounds like you have most of the basis covered. Installing RRAS on the
fileserver wouldn't be too big of an issue. I've done that before to get
over the hump before I installed and configured an actual
firewall/router/VPN device (Cisco). I would say go ahead and go for it. Some
of the links I provided have some step by step snapshots to follow. For
PPTP, on our router just make sure you allow TCP GRE 1723 and protocol ID 47
(not a port) which many routers have the provision to all a Protocol ID as a
pass through/port remap to an internal IP.

Let us know how you make out.

Ace

Well I've had partial success. I got the VPN server set up (that was easy)
and got the router/firewall configured (also easy). I then tested it from a
couple of PCs at a remote location near me and the VPN server showed them
connected.
But...when my son tried it, after setting up the VPN connection on his PC,
all he could get was the 721 error that the remote system (my end) wasn't
responding. I've researched it and don't come up with anything helpful. All
they say is to make sure the PPTP port and GRE are open and forwarding to the
VPN server. They are. I've looked at the settings a dozen times. It worked
fine for the other PCs but not his. I don't know if it has something to do
with the router he's behind at school or what. I wouldn't think so, but I
can't think of anything else.

Jonathan

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "JonathanL" <(E-Mail Removed)> wrote in message
> news3072971-D1E9-4380-B3C2-(E-Mail Removed)...
> > Ace, Bill, and Lanwench:
> > Thank you all for your help. Let me try to see if I can respond correctly
> > to
> > all you've written.
> > 1. Setting up the VPN client on the PC is no problem, been there done
> > that.
> > I'm used to being on the client end of a VPN, not the server end.
> > 2. I have almost 10 years experience running Windows servers but never had
> > the chance to install/config RRAS or a VPN server so that's why I need the
> > help here. I do have written material here to consult.
> > 3. I have a D-Link DI-524 router so no chance of a f/w update to get VPN
> > capability. At one place I help at, we have a Linsys RVS4000 which works
> > great, but I can't afford to buy anything till I get another job.
> > 4. I really don't want to install RRAS/VPN on my DC. I do have a file
> > server
> > that I could install it on which I presume would be better. I just wasn't
> > sure if it made a difference which server RRAS/VPN was installed on to
> > make
> > it work so that my son could then VPN in and get his PC back on the
> > domain.
> > 5. I'm using TeamViewer which works great. I've used it multiple times on
> > multiple PCs and I'm very happy with it. Works great when the other PC is
> > behind a firewall or router.
> >
> > Jonathan
> >
>
>
> Hi Jonathan,
>
> Sounds like you have most of the basis covered. Installing RRAS on the
> fileserver wouldn't be too big of an issue. I've done that before to get
> over the hump before I installed and configured an actual
> firewall/router/VPN device (Cisco). I would say go ahead and go for it. Some
> of the links I provided have some step by step snapshots to follow. For
> PPTP, on our router just make sure you allow TCP GRE 1723 and protocol ID 47
> (not a port) which many routers have the provision to all a Protocol ID as a
> pass through/port remap to an internal IP.
>
> Let us know how you make out.
>
> Ace
>
>
>