Windows Server 2008

crunchcable0

Junior Member
Aug 14, 2008
8
0
0
Hi

I have a setup where there are about a handful of buildings and 5 or so PCs in each connected to a Linksys Router connecting to PPPoE DSL.

Is it possible to have these PCs join a Server 2008 domain? I am but a student, and have been offered an opportunity to implement a Domain Infrastructure (I think this is the term).

My idea is that Server 2008 will have a static IP and the different buildings' PCs will be connected to Linksys Routers that will use PPPoE to share internet across the ports, as most residential networks do. Then I will point the login to credentials something like this:

Username : server.ip.address.here\Domain\Username
Password: password

I am curious whether this setup is even possible, or if I would have to use some sort of VPN software after having them log in locally to the machines.

I am totally new to doing this, and this will be my first implementation, as they are aware, but they are desperate for help.

There is a lot more for me to understand, and I plan on purchasing a training kit to follow as I work on this project. I am just curious if this kind of setup is possible, PCs in the domain being in different geographical locations, but connecting remotely.


Thanks
 

Jamsan

Senior member
Sep 21, 2003
795
0
76
You've got a lot to learn to get something like this configured correctly. If this is any kind of business and will rely on availability, I'd suggest getting some outside help to assist in this.

To get you started, you can get away with having a DC at a single site and have all of the remote sites' PCs VPN into the site with the hardware. You'll need to join the PCs to the domain when physically connected to the main site network or you can VPN in, join the PCs to the domain, but will need to establish a pre-logon VPN when users are logging into the remote site PCs for the first time (until the PC can establish cached credentials).

What you don't want to do is have the ability to join the PCs directly to the domain/access the domain without first establishing a VPN connection. Bad bad bad.

The preferred approach would be establishing site-to-site VPN connections at the router/firewall level at each remote site to the main site. This will allow PCs at all the remote sites to access resources (with the proper ACLs) at the main site without each individual PC establishing its own VPN connection.
 

crunchcable0

Ok, so I can establish a pre-logon VPN before the users enter their credentials, or, the Router can VPN to the server and it's more transparent.

The routers they have would be Linksys Routers, so my first question about this approach is: is it possible to have the router first log in to PPPoE DSL, and then VPN to the server? Or is this not a feature a 54RG includes? (My guess)

The pre-login VPN, what I'm guessing is what I would have to use if not the router method, would be configuring the local machine settings to establish a VPN to the DC at bootup, and then await users to enter their credentials for authentication? Does Windows XP Professional come with the software necessary to do this pre-VPN? I would suppose that Server 2008 does come with some sort of VPN software at least.



 

Jamsan

Originally posted by: crunchcable0
The routers they have would be Linksys Routers, so my first question about this approach is: is it possible to have the router first log in to PPPoE DSL, and then VPN to the server? Or is this not a feature a 54RG includes? (My guess)
Depending on the version of your WRT54Gs, you may be able to flash it with a custom firmware that can support VPNs. I'd definitely use something a bit more business class (low-end ASAs/SSGs or Sonicwall stuff).

Originally posted by: crunchcable0
The pre-login VPN, what I'm guessing is what I would have to use if not the router method, would be configuring the local machine settings to establish a VPN to the DC at bootup, and then await users to enter their credentials for authentication? Does Windows XP Professional come with the software necessary to do this pre-VPN? I would suppose that Server 2008 does come with some sort of VPN software at least.
I'm not sure about Server 2008, as I haven't gone into it in too much detail, but you could use 2003 Server and use Routing and Remote Access to create a VPN server. From there, you can create the VPN connections on the XP machines. Once you have the connections created, you'll have a checkbox called "Log on using a dial-up connection", which will allow you to connect to the VPN first, and then log in to Windows.




 

crunchcable0

Ok, for now I will consider that the pre-login, non-router method is the option to be used.

(XP Pro) I went to Network Connections and it seemed as easy as going to file > new connections, and I was able to find where I could add a VPN connection, add the address of the server, choose the encryption protocol, and such. It seems rather simple to configure the VPN on XP Pro. One thing I didn't find was how I ensure that this is dialed every time at boot-up, and I know for sure it's using this VPN and not using its un-encrypted connection to the internet out the default-gateway router.
 

crunchcable0

After reading that, I wasn't sure if it was clear that I understand it will use its Ethernet connection to the router that will then forward out to the internet to establish a VPN. But I am curious how I know it is using that VPN tunnel afterwards for correspondence with the server, and not continuing to use the un-encrypted channel.
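
Added example (not part of any post in this thread): one way to check which path traffic to the server takes is to read the client's routing table and apply the same choice Windows makes, most specific prefix first and lowest metric on a tie. The sketch assumes rows in the `route print` column order; every address, the table itself and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample rows: destination, netmask, gateway, interface, metric.
# Assumed layout: 192.168.1.0/24 is the remote-site LAN behind the Linksys,
# 203.0.113.10 is the VPN server's public address, 10.10.0.0/24 is the
# main-site LAN, and 10.10.0.201 is the address the VPN adapter received.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50      20
        10.10.0.0    255.255.255.0      10.10.0.201     10.10.0.201       1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each route row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header or blank line
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((net, gateway, str(ipaddress.ip_address(iface)), int(metric)))
        except ValueError:
            continue  # not a route row
    return routes

def select_route(routes, target):
    """Pick the route used for target: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def uses_tunnel(routes, target, vpn_iface):
    """True only if the selected route leaves through the VPN adapter."""
    best = select_route(routes, target)
    return best is not None and best[2] == vpn_iface

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for host in ("10.10.0.5", "203.0.113.10", "198.51.100.7"):
        print(host, "via tunnel:", uses_tunnel(table, host, "10.10.0.201"))
```

The host route to the VPN server's public address is expected to use the Ethernet adapter, since that route carries the tunnel's own packets. If the row for the main-site network is missing, traffic to the server falls back to the default route and leaves untunnelled.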
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
To properly do this, I would recommend using site-to-site IPSec VPN tunnels.

You could do it with Routing and Remote Access and pre-logon VPNs, but site-to-site VPNs would just plain be easier.

Cisco ASA 5505s would fit the bill well. The 10 user license appliances are only about $400 at Newegg. You could probably find some used PIX 501s pretty cheap as well, and they'd work too. PPPoE isn't that difficult to set up on them.

Only caveat is that (to avoid a shitload of unnecessary headaches) you'd need static IP addresses at all locations.