Join a computer to a domain remotely

collysamin Posted messages 23 Status Member -  
Hello,

here is something I’ve been dealing with for a few days while trying a test at home. Let me explain:

I created a VM with Windows Server 2008 R2 and the following roles (DNS, DHCP, AD …); for the moment everything is fine, I can add machines to my domain locally without any problem.

But I want to join a friend's computer to my domain. Of course it needs to reach my server from outside. No problem, I managed to do it with No-IP (www.noip.com) to get a static address. My friend can ping my server from his place, but when he enters the domain name or the IP address of my server, he can’t reach it!

What I want to set up, in short:
Client machine — (internet) → my domain (server)

Question: do I need to give the public address (my server) to the server’s network interface card, and if so how?

I’m available for any questions or explanations.

Best regards.

3 answers

kelux Posted messages 3065 Status Contributor
 
Hello,

First, I do not advise your friend to connect his machine to your test domain.
At best/worst a virtual machine hosted at his place, but not his personal workstation.
You are doing the testing, he is not.
(not to mention that with an admin account, you have access to all his personal data...)

"but when he enters the name of the domain or the IP address of my server he can't get his computer to join!!!"
That's normal, and not surprising.

"Question: do you need to give the public address (my server) to the network card of my server, if so how?"
Answer: No.

We do not publish an Active Directory on the Internet, nor do we use a domain name with an Internet TLD for an AD domain.

-

Technically speaking two possibilities:

- Set up a VPN "site-to-site" between the two Internet boxes/routers. (good solution)

- Do port forwarding to the DC (I do not recommend this at all): and there you have an open door to anything.
AD uses a lot of ports, notably RPC, RPC is dynamic over a wide range of ports.
That makes a big open door... not to mention that it might not work due to AD DNS name resolution by the client.

List of ports: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

-

In the everyday world, what you are trying to do, even if it's for testing, is not state-of-the-art.

On the other hand, Active Directory behind NAT is not supported by Microsoft. The vendor does not support it, it's "by design", it's not meant to...

You are missing a few concepts about VPN and port forwarding/routing aspects before you embark on this properly.

Set up a proper VPN, and then the AD pillar can come with fewer difficulties.

--
Using a registry "compactor" on top of a registry "cleaner" would be equivalent to rinsing your throat with a swig of Jack Daniels after swallowing a pint of snake oil....
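A readiness check that follows kelux's advice, as an added example that is not part of the thread: run on the client once the site-to-site VPN is up, it confirms that the client resolves the domain's SRV records through the AD DNS server and that the standard AD ports (the fixed ones from the Microsoft list linked above; RPC then moves to a dynamic range) are reachable through the tunnel. `$Domain` and `$DcAddress` are placeholder values.

```powershell
# Added example (not from the thread): pre-join readiness check run on the CLIENT
# after the VPN is established. $Domain and $DcAddress are assumed placeholders.
param(
    [string]$Domain    = 'lab.local',   # assumed: internal-only AD name, not an Internet TLD
    [string]$DcAddress = '10.0.0.10'    # assumed: the DC's private, VPN-reachable address
)

# 1. The join wizard locates a DC through the _msdcs SRV records; if the client
#    cannot resolve them via the AD DNS server, the join fails before any port matters.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
        -Server $DcAddress -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV record for $Domain via $DcAddress - point the client's DNS at the DC first."
} else {
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { "DC advertised by DNS: $($_.NameTarget):$($_.Port)" }
}

# 2. Fixed TCP ports a member must reach. RPC (135) only hands out a dynamic port
#    (49152-65535 on Server 2008 R2) for the real call, which is why forwarding a
#    handful of ports through the Internet box cannot work reliably.
$ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP';
            445='SMB'; 464='Kerberos kpasswd'; 636='LDAPS'; 3268='Global Catalog' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $DcAddress -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'reachable via tunnel' } else { 'BLOCKED' }
    "{0,5} {1,-20} {2}" -f $p, $ports[$p], $state
}
```

A port reported as BLOCKED points at the VPN or the DC firewall, not at the join wizard; fix that before retrying the join.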
collysamin Posted messages 23 Status Member 1
 
Hello,

Thank you very much for your very thorough reply.
So you're suggesting I set up a VPN between me and my friend before putting in the AD brick?

By any chance, do you have a tutorial for setting up a VPN between me and my friend?
Thanks for your help.
collysamin Posted messages 23 Status Member 1
 
Thank you for your response (a bit late but better late than never).