Hello
I tried to join the domain and it works locally but it doesn’t work in the other customer site
Can it depend on the VPN?
Hi
You most likely need to add the “customer site” to your NethServer’s “Trusted Networks”.
Also, the customer site DHCP server (whatever device provides DHCP) would need to provide the correct DNS servers, so the client can “find” the AD. This can also be done with a “manual” (static) IP configuration on the client. This can be a lot of work if there are several PCs; easier and better via DHCP…
You can push this information via VPN, but that’s more for RoadWarrior configurations, as the “push” only goes to the device that acts as router, not directly to the clients…
My 2 cents
Andy
Hi
The VPN is between 2 NethServers with OpenVPN net2net.
The network is this:
Site A:
Network: 192.168.16.0/24
Gateway: 192.168.16.250 (nethserver firewall)
DC: 192.168.16.5 (nethserver AD)
Site B:
Network: 192.168.1.0/24
Gateway: 192.168.1.252 (nethserver firewall)
So where do I need to add the trusted network, on both firewalls?
yes
But do I need to add the networks only on the firewall on Site A, or on Site B?
Actually only on Site A, as Site A provides “Services” like AD, maybe some Shares for AD Clients…
But it doesn’t harm to add it in on both sides - it can make e.g. administration easier from Site A…
My 2 cents
Andy
OK
So I need to add this in Trusted Networks:
192.168.1.0/24 (LAN)
right?
It’s also a good idea to add in (on both sides) the name of the AD into the local NethServer’s DNS…
e.g.:
ad.domainname.tld -> 192.168.16.5
This helps a lot!
My 2 cents
Andy
My home DNS (NethServer):
This is correct, for Site A…
OK, I added this network 192.168.1.0 on the firewall on Site A, and I added this DNS record on both firewalls:
ad.domainname.tld > 192.168.16.5
I configured the network card on the Windows 10 client on Site B with only the primary DNS set to this IP, 192.168.16.5, but when I try to join I get an error. As the domain I put in only the NetBIOS name of the AD.
To join you need to put in the name as shown in the Account provider, usually like this:
ad.domain.tld…
A NetBIOS Name (without dots) will NOT work!
In the local network it works only if I put in the NetBIOS name. I tried now to join with ad.domainname.tld but I get the same error.
This is the configuration of the remote client
IP: 192.168.1.57
Netmask: 255.255.255.0
Gateway: 192.168.1.252
Primary DNS: 192.168.16.5
If I try to ping 192.168.16.5 it works; if I try to ping ad.studiozamagni.com it does not work.
Does pinging “ad.studiozamagni.com” work from any client in Site A?
As AD is based on LDAP and DNS, the DNS must work!
My Win10 (virtual) PC here at home:
(Sorry, but I don’t have an english capable Win10 to make screenshots, but I think you can still compare…)
My firewall is not NethServer, but OPNsense, but that does not matter. I can ping the name from other VPN-connected sites - and it gets resolved correctly AND I get an answer!
Another not unimportant tip:
Deactivate IPv6 completely on the PC at Site B…
NethServer still does not support IPv6, so evade it at the moment.
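The checks discussed above (name resolution against the Site A DC, the AD ports crossing the VPN, IPv6 off on the client), gathered into one pre-join script to run on the Site B Windows 10 client. This is an added example, not from the thread or from NethServer; the DC IP and DC name are the ones posted above, while `$DomainFqdn` is a placeholder for the real AD DNS domain, which the thread only shows as “domainname.tld”.

```powershell
# Added example: pre-join checks for a Windows client behind a site-to-site VPN.
# Values are the ones from the thread; $DomainFqdn is an assumed placeholder.
$DcIp       = '192.168.16.5'        # NethServer AD at Site A
$DcFqdn     = 'ad.domainname.tld'   # name shown by the NethServer Account provider
$DomainFqdn = 'domainname.tld'      # placeholder for the AD DNS domain being joined

function Test-AdJoinPrereqs {
    param([string]$DcIp, [string]$DcFqdn, [string]$DomainFqdn)
    $results = [ordered]@{}

    # 1. Does the DNS server configured on the client answer for the DC name?
    #    The thread's symptom: ping by IP works, ping by name does not.
    try {
        $a = Resolve-DnsName -Name $DcFqdn -Type A -Server $DcIp -ErrorAction Stop
        $results['DC name resolves to DC IP'] = ($a.IPAddress -contains $DcIp)
    } catch { $results['DC name resolves to DC IP'] = $false }

    # 2. The SRV record Windows uses to locate a domain controller; a NetBIOS-only
    #    join has no equivalent across a routed VPN, which is why the FQDN is needed.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV `
                               -Server $DcIp -ErrorAction Stop
        $results['DC locator SRV record'] = @($srv | Where-Object { $_.NameTarget -eq $DcFqdn }).Count -gt 0
    } catch { $results['DC locator SRV record'] = $false }

    # 3. DNS, Kerberos, LDAP and SMB must pass the tunnel and the Site A firewall,
    #    which is what adding 192.168.1.0/24 to Trusted Networks allows.
    foreach ($port in 53, 88, 389, 445) {
        $t = Test-NetConnection -ComputerName $DcIp -Port $port -WarningAction SilentlyContinue
        $results["TCP $port reachable on DC"] = $t.TcpTestSucceeded
    }

    # 4. IPv6 off on every adapter, as advised above (NethServer does not serve IPv6).
    $v6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
    $results['IPv6 disabled on all adapters'] = (@($v6).Count -eq 0)

    return $results
}

Test-AdJoinPrereqs -DcIp $DcIp -DcFqdn $DcFqdn -DomainFqdn $DomainFqdn | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the Site B client; any `False` row points at the layer (DNS, firewall/Trusted Networks, or client adapter) to fix before retrying the join.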
Now it works. I added this network 192.168.1.0 in Trusted Networks on the NethServer AD, and I added the DNS record ad.domainname.tld > 192.168.16.5
and now it works
If the VPN goes down, what problems can I have? Can’t I log in on Windows anymore?
Any Windows PC or Notebook which has logged in to AD can ALWAYS log on using cached information…
Same for all those business Notebooks running Windows and connected to some large Corporation…
They all log in using cached identification when out of the office. It gets verified as soon as you are logged on and connect…
So don’t worry about a non-issue!
Note: You do need to actually log on for this to work. Just joining AD is not enough…
This has been working since at least Windows NT 4.0 (Using the old NT Domain) - and still works today with the latest AD from Microsoft (or NethServer!). Almost 30 years!
If the PC you’re using right now is AD connected, you can easily test this:
log out…
unplug the LAN cable
you can also reboot to be doubly sure…
log in (It will work!)
reconnect the LAN and see if your drives are accessible…
OK
Thanks a lot