Join AD through vpn net2net


the vpn is beetween 2 nethserver with openvpn net2net

The network is this:

Site A:

Gateway: (nethserver firewall)
DC: (nethserver AD)

Site B:

Gateway: (nethserver firewall)

So where i need to add trusted network on both firewall?


Using Cockpit, here:


but i need to add networks only on firewall on Site A or Site B?

Actually only on Site A, as Site A provides “Services” like AD, maybe some Shares for AD Clients…
But it doesn’t harm to add it in on both sides - it can make eg administration easier from Site A…

My 2 cents


So i need to add in trusted network this: (lan)


1 Like

It’s also a good idea to add in (on both sides) the name of the AD into the local NethServer’s DNS…


ad.domainname.tld ->

This helps a lot!

My 2 cents

My home DNS (NethServer):

This is correct, for Site A…

OK i add this network on firewall on site A, and i add this record dns on both firewall

ad.domainname.tld >

I configure the network cards on client windows10 on site B only primary dns with this ip, but when i try to join a get error i put in domain only netbios name of the ad

To join you need to put in the name as shown in the Account provider, usually like this:

A NetBIOS Name (without dots) will NOT work!

In local network is work only if i put netbios name, i try now to join with ad.domainname.tld but i get the same error

This is the configuration of the remote client
Primary DNS:

if i try to ping is work, if i try to ping not work

Does pinging "" work from any client in Site A?

As AD is based on LDAP and DNS, the DNS must work!

My Win10 (virtual) PC here at home:
(Sorry, but I don’t have an english capable Win10 to make screenshots, but I think you can still compare…)

My Firewall is not NethServer, but OPNsense, but that does not matter. I can ping the name from other VPN-Connected sites - and it get’s resolved correctly AND I get an answer!


Another not unimportant tip:

Deactivate IPv6 completly on the PC at Site B…

NethServer still does not support IPv6, so evade it at the moment.

now it work i add this network on trusted networks on nethserver ad, and i add record dns ad.domainname.tld >

and now works

if the vpn goes down what problems can i have i can’t login on windows anymore?

Any Windows PC or Notebook which has logged in to AD can ALWAYS log on using cached information…

Same for all those business Notebooks running Windows and connected to some large Corporation…
They all log in using cached identification when out of the office. It get’s verified as soon as you are logged on and connect…

So don’t worry about a non-issue! :slight_smile:

Note: You do need to actually log on for this to work. Just joining AD is not enough…

This has been working since at least Windows NT 4.0 (Using the old NT Domain) - and still works today with the latest AD from Microsoft (or NethServer!). Almost 30 years!


If the PC you’re using right now is AD connected, you can easily test this:

log out…
unplug the LAN cable
you can also reboot to be doubly sure…
log in (It will work!)

reconnect the LAN and see if your drives are accessible…



Thanks a lot



Please click on Solution, as you’re the creator of this post…
It can help others in future, as AD and Multisite is an issue a lot of people have…

Thank you!

My 2 cents


Add remote customer network lan in “Trusted Networks” on firewall and nethserver ad (if the AD is on another nethserver machine).

Add a dns record like this on both sides:

ad.domainname.tld > ip adress nethserver AD

Step for Join into domain on client windows:

Configure network card with only primary DNS with the Ip adress nethserver AD and use “ad.domainname.tld” to join and not use Netbios name