Guest Todd H.
Posted July 6, 2007

Greetings,

I'm new to Windows Server 2003, but been around computing for quite a while. I'm contemplating a centralized profile solution for two mobile users (we hope to grow eventually to 5-10).

For our mobile, dispersed workforce, I'm a dedicated Windows 2003 server externally hosted, and (hopefully) accessible behind a managed non-Microsoft VPN appliance. This vpn appliance uses its own client software to connect.

My question is whether/how an XP Pro client would initially login to the domain... because they'll need to login to their workstation first to launch the vpn client to be able to see the win2003 server at all.

Is this a situation where the initial connection to the domain must be on the LAN so the profile can be pulled down from the domain controller?

Thanks in advance for any help or pointers to documentation -- my searching at microsoft.com for info on this setup has not been fruitful (lots of talk about ISA server and Microsoft VPNs). If what I'm trying to accomplish is irretrievably screwed, I'd also welcome alternative setup suggestions!

Best Regards,
--
Todd H.
http://toddh.net/

Guest Danny Sanders
Posted July 6, 2007

Re: client login to domain controller behind VPN appliance - possible?

> Is this a situation where the initial connection to the domain must be
> on the LAN so the profile can be pulled down from the domain
> controller?

Yes.

After that they can log into the domain with cached credentials.

hth
DDS

"Todd H." <comphelp@toddh.net> wrote in message news:84wsxdz5ct.fsf@ripco.com...
>
> Greetings,
>
> I'm new to Windows Server 2003, but been around computing for quite a
> while. I'm contemplating a centralized profile solution for two mobile
> users (we hope to grow eventually to 5-10).
>
> For our mobile, dispersed workforce, I'm a dedicated Windows 2003
> server externally hosted, and (hopefully) accessible behind a managed
> non-Microsoft VPN appliance. This vpn appliance uses its own client
> software to connect.
>
> My question is whether/how an XP Pro client would initially login to
> the domain... because they'll need to login to their workstation first
> to launch the vpn client to be able to see the win2003 server at all.
>
>
> Is this a situation where the initial connection to the domain must be
> on the LAN so the profile can be pulled down from the domain
> controller?
>
> Thanks in advance for any help or pointers to documentation -- my
> searching at microsoft.com for info on this setup has not been
> fruitful (lots of talk about ISA server and Microsoft VPNs). If what
> I'm trying to accomplish is irretrievably screwed, I'd also welcome
> alternative setup suggestions!
>
> Best Regards,
> --
> Todd H.
> http://toddh.net/

Guest Todd H.
Posted July 6, 2007

Re: client login to domain controller behind VPN appliance - possible?

"Danny Sanders" <DSanders@NOSPAMciber.com> writes:

> > Is this a situation where the initial connection to the domain must be
> > on the LAN so the profile can be pulled down from the domain
> > controller?
>
> Yes.
>
> After that they can log into the domain with cached credentials.
>
> hth
> DDS

Unfortunately that's not what I was hoping to hear. Surely there's some way around this?

The (common?) scenario where this is troublesome is when domain controller is in, say New York, new remote employee is in LA, and there's no permanent office network to speak of--just remote vpn access via the third party vpn client.

Creating a site to site VPN would be one possible workaround I suppose. Or, having initial setup of that employee's workstation done on the LAN in New York....

Does the caching of the credentials not occur when an XP Pro box is joined to a domain (while logged into the local user account?)? Or does it happen on the first login of that new domain user to the domain?

Best Regards,
--
Todd H.
http://www.toddh.net/

Guest Lanwench [MVP - Exchange]
Posted July 8, 2007

Re: client login to domain controller behind VPN appliance - possible?

Todd H. <comphelp@toddh.net> wrote:
> "Danny Sanders" <DSanders@NOSPAMciber.com> writes:
>
>>> Is this a situation where the initial connection to the domain must
>>> be on the LAN so the profile can be pulled down from the domain
>>> controller?
>>
>> Yes.
>>
>> After that they can log into the domain with cached credentials.
>>
>> hth
>> DDS
>
> Unfortunately that's not what I was hoping to hear. Surely there's
> some way around this?
>
> The (common?) scenario where this is troublesome is when domain
> controller is in, say New York, new remote employee is in LA, and
> there's no permanent office network to speak of--just remote vpn
> access via the third party vpn client.
>
> Creating a site to site VPN would be one possible workaround I
> suppose. Or, having initial setup of that employee's workstation
> done on the LAN in New York....
>
> Does the caching of the credentials not occur when an XP Pro box is
> joined to a domain (while logged into the local user account?)?

No.

> Or
> does it happen on the first login of that new domain user to the
> domain?

Yes.

>
> Best Regards,

If this is a laptop, configure it in New York and ship it out to LA. The domain user has to have logged in once (with connectivity to a DC) in order for them to be able to log in at all with cached credentials.

What's the point of joining the computer to the domain if they're never (or v rarely) going to be on a network with a DC? I wouldn't.