Windows Server 2008 R2 Thread, Active Directory Setup in Technical
  1. #1


    Active Directory Setup

    I have created a Windows Server R2 Domain with Windows 7 Clients Authenticating over Hamachi. This is fine and everything is working well apart from the fact that if I deploy machine policies such as software installation they won't run as the machines cannot access the main network until Hamachi has loaded.

    Is there a better way to implement this? I am currently just testing functionality, I will mostly use just WSUS and Group Policy and occasionally a software policy.

    The most important thing here is that accounts used are local. The only domain account I am using is the Admin account for updating settings etc on the clients, this is because the machines must remain accessible to users if the domain controller is not switched on. Each computer has one main user.

  2. #2

    SYNACK
    Hamachi VPN??, are all your computers always away from the network in separate unconnected buildings or something? Why not just use native connections, offline file sync and cached logons with local profiles. That way they are all locally stored profiles but the users are still domain managed. For software deploys you will need the connection to be active at the very beginning when the machine is booting so a software VPN is not going to work.

    The one real option that you have for a software VPN solution is using DirectAccess through something like Microsoft Forefront UAG or setting it up manually with a 2k8r2 server and two external IP addresses. This means the computer will just always be connected to the corp/school network over https VPN if it has an internet connection enabled. This will allow all auth, GPO and deployment through from an external site with no need for the user to mess about with any other software.

    Other than that you could look at using hardware VPN clients for each computer to keep the VPN open before the computer is up.

    It does sound like a strange setup and you may need to elaborate a bunch more so we understand what you have and are trying to achieve. Also, why would you ever turn off a DC???
    Last edited by SYNACK; 6th April 2012 at 02:43 PM.
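A client-side diagnostic for the situation described in this thread, added here as an example and not supplied by any poster: run on a domain-joined Windows 7 client after boot, it reports the cached-logon setting, whether a DC can be located now, the VPN service's start mode (the reason machine policy runs before the tunnel is up) and any recent Group Policy failures caused by missing DC connectivity. The Hamachi service name `Hamachi2Svc` is an assumption; check `Get-Service` and adjust.

```powershell
# Added example, not from the thread. Requires PowerShell 2.0+ on a domain-joined client.
param(
    [string]$VpnServiceName = 'Hamachi2Svc',   # assumption: adjust to the real service name
    [int]$LookbackHours = 24
)

# 1. Cached domain logons: REG_SZ under Winlogon; absent value means the Windows default of 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($cached -eq $null) { $cached = '10' }
Write-Host ("CachedLogonsCount = {0} (Windows honours at most 50)" -f $cached)

# 2. Can the DC locator find a domain controller right now? (nltest ships with Windows 7)
$null = & nltest /dsgetdc: 2>&1
$dcReachable = ($LASTEXITCODE -eq 0)
Write-Host ("DC locator: {0}" -f $(if ($dcReachable) { 'OK' } else { 'FAILED' }))

# 3. The VPN service: anything other than a boot/system driver starts after the network
#    stack and after machine Group Policy has already tried to reach the DC.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$VpnServiceName'"
if ($svc) {
    Write-Host ("VPN service {0}: state={1} startmode={2}" -f $svc.Name, $svc.State, $svc.StartMode)
} else {
    Write-Host "VPN service '$VpnServiceName' not found"
}

# 4. Group Policy errors logged when no DC was reachable at processing time:
#    1129 = processing failed because of lack of network connectivity to a DC
#    1054 = could not obtain the name of a domain controller
$since = (Get-Date).AddHours(-$LookbackHours)
$gpoFailures = @(Get-EventLog -LogName System -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.Source -eq 'Microsoft-Windows-GroupPolicy' -and
                   ($_.EventID -eq 1129 -or $_.EventID -eq 1054) })
Write-Host ("Group Policy connectivity failures in last {0}h: {1}" -f $LookbackHours, $gpoFailures.Count)
$gpoFailures | Select-Object TimeGenerated, EventID | Format-Table -AutoSize

# Summary object so the result can be collected from several machines (e.g. via Export-Csv).
New-Object PSObject -Property @{
    Computer          = $env:COMPUTERNAME
    CachedLogonsCount = $cached
    DcReachableNow    = $dcReachable
    VpnStartMode      = $(if ($svc) { $svc.StartMode } else { 'n/a' })
    GpoFailures24h    = $gpoFailures.Count
}
```

A machine that shows a non-boot VPN start mode together with 1129/1054 events at each startup is exhibiting exactly the failure the original post describes: machine policy ran before any route to the DC existed.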

  3. #3

    Hi SYNACK, basically the answer to your first question is yes all the machines are spread around the place and not in the same building. I like the idea of cached logins but I don't like the limit of 50 although I can understand why this upper limit is in place. I am trying to create a rather ad-hoc network, that is machines are updated between 10:00-22:00 and the domain controller would generally be switched off after these hours, the reason for this (it might sound crazy) is to save electricity as it's only a small network with about 10-20 devices connected. Initially the Domain Controller was just to update some software/provide group policies.

  4. #4

    SYNACK
    Get a low power modern server, the power use is about the same as leaving on a low power light bulb which I am sure staff do. Turning it off at those times is more likely to cause problems by preventing the maintenance of the AD database and adding more wear to the server.

    There are ways to be green and there are ways to be silly, this is the latter.

    Is there no internal network? It seems strange that everyone would have internet but not network, are these all geographically separate buildings all with their own net connections (sounds inefficient if they are all on the same campus)?

    If you leave it on you can use DirectAccess and have no cached logon limit etc. The current solution sounds like it may cause many more hassles than it is worth TBH.

  5. #5

    All the machines are in different buildings with separate internet connections. Is DirectAccess hard to set up? Also what would happen if the machine was to fail?

  6. #6

    SYNACK
    Is DA hard to set up? Kind of, much easier with UAG.

    If it breaks then your machines can't connect to it and you need to fix it.

    I'm struggling to see how the domain is going to work without a decent connection method back like DA or hardware VPN client boxes for every separate internet connection in use. Group Policy and AD were just not designed to work that way.

    For logons you could use the built in VPN server software on the 2008 server and the client stuff on the W7 machines to logon via VPN to start with, which would be a lot more efficient than the Hamachi stuff for this kind of thing. That is still not going to help with policy and software deployment though, so for that you'll need one of the above solutions of DA or hardware VPN.

  7. #7

    SYNACK
    Option three is to scrap the domain and just use something like WPKG ( WPKG | Open Source Software Deployment and Distribution ) for software deployment and use a package in that to try and export/import local GPOs to each machine.

    Microsoft Security Compliance Manager localGPO.msi
