Windows Server 2008 R2 Thread, Active Directory Setup in Technical
6th April 2012, 01:24 PM #1
Active Directory Setup
I have created a Windows Server R2 domain with Windows 7 clients authenticating over Hamachi. This is fine and everything is working well, apart from the fact that if I deploy machine policies such as software installation, they won't run, as the machines cannot access the main network until Hamachi has loaded.
Is there a better way to implement this? I am currently just testing functionality; I will mostly use just WSUS and Group Policy, and occasionally a software policy.
The most important thing here is that the accounts used are local. The only domain account I am using is the Admin account, for updating settings etc. on the clients; this is because the machines must remain accessible to users if the domain controller is not switched on. Each computer has one main user.
6th April 2012, 01:42 PM #2
Hamachi VPN?? Are all your computers always away from the network, in separate unconnected buildings or something? Why not just use native connections, offline file sync and cached logons with local profiles? That way they are all locally stored profiles, but the users are still domain managed. For software deploys you will need the connection to be active at the very beginning, when the machine is booting, so a software VPN is not going to work.
The one real option that you have for a software VPN solution is using DirectAccess, through something like Microsoft Forefront UAG or by setting it up manually with a 2k8r2 server and two external IP addresses. This means the computer will just always be connected to the corp/school network over HTTPS VPN if it has an internet connection enabled. This will allow all auth, GPO and deployment through from an external site, with no need for the user to mess about with any other software.
Other than that, you could look at using hardware VPN clients for each computer to keep the VPN open before the computer is up.
It does sound like a strange setup, and you may need to elaborate a bunch more so we understand what you have and are trying to achieve. Also, why would you ever turn off a DC???
6th April 2012, 02:12 PM #3
Hi SYNACK, basically the answer to your first question is yes: all the machines are spread around the place and not in the same building. I like the idea of cached logins, but I don't like the limit of 50, although I can understand why this upper limit is in place. I am trying to create a rather ad-hoc network; that is, machines are updated between 10:00 and 22:00 and the domain controller would generally be switched off after these hours. The reason for this (it might sound crazy) is to save electricity, as it's only a small network with about 10-20 devices connected. Initially the domain controller was just to update some software/provide group policies.
6th April 2012, 02:26 PM #4
Get a low-power modern server; the power use is about the same as leaving on a low-power light bulb, which I am sure staff do. Turning it off at those times is more likely to cause problems by preventing the maintenance of the AD database and adding more wear to the server.
There are ways to be green and there are ways to be silly; this is the latter.
Is there no internal network? It seems strange that everyone would have internet but not network. Are these all geographically separate buildings, all with their own net connections (sounds inefficient if they are all on the same campus)?
If you leave it on you can use DirectAccess and have no cached logon limit etc. The current solution sounds like it may cause many more hassles than it is worth, TBH.
6th April 2012, 02:34 PM #5
All the machines are in different buildings with separate internet connections. Is DirectAccess hard to set up? Also, what would happen if the machine were to fail?
6th April 2012, 02:45 PM #6
Is DA hard to set up? Kind of; much easier with UAG.
If it breaks then your machines can't connect to it and you need to fix it.
I'm struggling to see how the domain is going to work without a decent connection method back, like DA or hardware VPN client boxes for every separate internet connection in use. Group Policy and AD were just not designed to work that way.
For logons you could use the built-in VPN server software on the 2008 server and the client stuff on the W7 machines to log on via VPN to start with, which would be a lot more efficient than the Hamachi stuff for this kind of thing. That is still not going to help with policy and software deployment though, so for that you'll need one of the above solutions of DA or hardware VPN.
6th April 2012, 02:53 PM #7
Option three is to scrap the domain and just use something like WPKG (open source software deployment and distribution) for software deployment, and use a package in that to try and export/import local GPOs to each machine.
Microsoft Security Compliance Manager localGPO.msi
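The "export the local policy from a reference box and re-apply it on each target" approach in post #7, and the cached-logon limit from post #3, as an added worked example (editor's code, not anything posted in the thread). It uses only built-in tools: secedit.exe for the local security policy template and the Winlogon registry key that holds "Interactive logon: Number of previous logons to cache". The file paths and the share name are assumptions for illustration; secedit templates cover account policy, user rights, security options and ACLs but not Administrative Templates (registry.pol), which is the part the SCM LocalGPO tool mentioned above would need to carry.

```powershell
# Added example, not code from the thread.  Export a Windows 7 reference
# machine's local security policy with secedit, apply it on a target (the
# step a WPKG package would run), and verify one concrete setting: the
# cached-logon count that keeps local users working while the DC is off.
# Assumed: C:\deploy and \\fileserver\deploy are placeholders.
#Requires -RunAsAdministrator

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Registry location of "Interactive logon: Number of previous logons to cache".
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Export-LocalSecurityPolicy {
    param([Parameter(Mandatory)][string]$TemplatePath)
    # secedit writes a UTF-16 INF template: [System Access], [Privilege Rights],
    # [Registry Values] and so on.  Administrative Templates are NOT included.
    & secedit.exe /export /cfg $TemplatePath /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with code $LASTEXITCODE" }
    Get-Item -Path $TemplatePath
}

function Import-LocalSecurityPolicy {
    param(
        [Parameter(Mandatory)][string]$TemplatePath,
        [string]$Database = (Join-Path $env:TEMP 'localpolicy.sdb')
    )
    if (-not (Test-Path -Path $TemplatePath)) { throw "template not found: $TemplatePath" }
    # /configure loads the template into a database and applies it.  /overwrite
    # starts from a clean .sdb so stale entries from an earlier run do not linger.
    & secedit.exe /configure /db $Database /cfg $TemplatePath /overwrite /quiet
    if ($LASTEXITCODE -ne 0) {
        throw "secedit configure failed with code $LASTEXITCODE; see $env:windir\security\logs\scesrv.log"
    }
    # Ask the policy engine to re-evaluate local security policy now.
    & gpupdate.exe /force | Out-Null
}

function Get-TemplateCachedLogonsCount {
    param([Parameter(Mandatory)][string]$TemplatePath)
    # In the INF the setting is stored as
    #   MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
    # where 1 is the REG_SZ type code and the quoted string is the value.
    $hit = Select-String -Path $TemplatePath `
        -Pattern 'Winlogon\\CachedLogonsCount=1,"(\d+)"' | Select-Object -First 1
    if (-not $hit) { return $null }          # template did not capture the value
    [int]$hit.Matches[0].Groups[1].Value
}

function Get-CachedLogonsCount {
    # Live value on this machine.  Windows stores it as REG_SZ and caps it at 50,
    # which is the "limit of 50" from post #3; 0 disables cached logons entirely.
    [int](Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount).CachedLogonsCount
}

function Set-CachedLogonsCount {
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    # Anything above 50 is silently treated as 50 by Windows, so reject it here
    # rather than let an operator believe a larger value took effect.
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value "$Count"
}

function Test-PolicyApplied {
    param([Parameter(Mandatory)][string]$TemplatePath)
    # Compare what the reference template asks for with what this box now has.
    $wanted = Get-TemplateCachedLogonsCount -TemplatePath $TemplatePath
    $actual = Get-CachedLogonsCount
    [pscustomobject]@{ Wanted = $wanted; Actual = $actual; Match = ($wanted -eq $actual) }
}

# Usage on the reference machine (assumed path):
#   Export-LocalSecurityPolicy -TemplatePath C:\deploy\reference.inf
# Usage in the WPKG package on each target (assumed share):
#   Import-LocalSecurityPolicy -TemplatePath '\\fileserver\deploy\reference.inf'
#   Test-PolicyApplied        -TemplatePath '\\fileserver\deploy\reference.inf'
```

Two practical caveats: run the import as SYSTEM or an elevated admin, because secedit needs to write HKLM and the local SAM database; and on a machine that is still domain-joined, domain GPOs will overwrite whatever this template sets at the next refresh, so the approach only makes sense for the "scrap the domain" option it was suggested for.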