Join AD through VPN net2net

Hi

The VPN is between 2 NethServers with OpenVPN net2net.

The network is this:

Site A:

Network: 192.168.16.0/24
Gateway: 192.168.16.250 (nethserver firewall)
DC: 192.168.16.5 (nethserver AD)

Site B:

Network: 192.168.1.0/24
Gateway: 192.168.1.252 (nethserver firewall)

So where do I need to add the trusted network, on both firewalls?

@Denis_Pollini

Using Cockpit, here:

yes

But do I need to add the networks only on the firewall on Site A, or on Site B?

Actually only on Site A, as Site A provides “Services” like AD, maybe some shares for AD clients…
But it doesn’t harm to add it on both sides - it can make e.g. administration easier from Site A…

My 2 cents
Andy

ok

So I need to add this in trusted networks:

192.168.1.0/24 (lan)

right?


It’s also a good idea to add in (on both sides) the name of the AD into the local NethServer’s DNS…

e.g.:

ad.domainname.tld -> 192.168.16.5

This helps a lot!

My 2 cents
Andy

My home DNS (NethServer):

This is correct, for Site A…

OK, I added this network 192.168.1.0 on the firewall on Site A, and I added this DNS record on both firewalls:

ad.domainname.tld > 192.168.16.5

I configured the network card on the Windows 10 client on Site B with only the primary DNS set to 192.168.16.5, but when I try to join I get an error. As domain I put in only the NetBIOS name of the AD.

To join you need to put in the name as shown in the Account provider, usually like this:
ad.domain.tld…

A NetBIOS Name (without dots) will NOT work!

In the local network it works only if I put in the NetBIOS name. I tried now to join with ad.domainname.tld but I get the same error.

This is the configuration of the remote client:
IP: 192.168.1.57
Netmask: 255.255.255.0
Gateway: 192.168.1.252
Primary DNS: 192.168.16.5

If I try to ping 192.168.16.5 it works; if I try to ping ad.studiozamagni.com it does not work.

Does pinging “ad.studiozamagni.com” work from any client in Site A?

As AD is based on LDAP and DNS, the DNS must work!

My Win10 (virtual) PC here at home:
(Sorry, but I don’t have an English-capable Win10 to make screenshots, but I think you can still compare…)

My firewall is not NethServer, but OPNsense, but that does not matter. I can ping the name from other VPN-connected sites - and it gets resolved correctly AND I get an answer!


Another not unimportant tip:

Deactivate IPv6 completely on the PC at Site B…

NethServer still does not support IPv6, so evade it at the moment.

Now it works. I added this network 192.168.1.0 to trusted networks on the NethServer AD, and I added the DNS record ad.domainname.tld > 192.168.16.5

and now it works.

If the VPN goes down, what problems can I have? Can’t I log in on Windows anymore?

Any Windows PC or Notebook which has logged in to AD can ALWAYS log on using cached information…

Same for all those business Notebooks running Windows and connected to some large Corporation…
They all log in using cached identification when out of the office. It gets verified as soon as you are logged on and connect…

So don’t worry about a non-issue! :slight_smile:

Note: You do need to actually log on for this to work. Just joining AD is not enough…

This has been working since at least Windows NT 4.0 (Using the old NT Domain) - and still works today with the latest AD from Microsoft (or NethServer!). Almost 30 years!

@Denis_Pollini

If the PC you’re using right now is AD connected, you can easily test this:

log out…
unplug the LAN cable
you can also reboot to be doubly sure…
log in (It will work!)

reconnect the LAN and see if your drives are accessible…


OK

Thanks a lot


@Denis_Pollini

Please click on Solution, as you’re the creator of this post…
It can help others in future, as AD and Multisite is an issue a lot of people have…

Thank you!

My 2 cents
Andy

SOLUTION:

Add the remote customer network LAN in “Trusted Networks” on the firewall and on the NethServer AD (if the AD is on another NethServer machine).

Add a DNS record like this on both sides:

ad.domainname.tld > IP address of the NethServer AD

Steps to join the domain on a Windows client:

Configure the network card with only the primary DNS set to the IP address of the NethServer AD, and use “ad.domainname.tld” to join; do not use the NetBIOS name.
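As an added example that is not part of this thread or of NethServer, here is the Site B client side of the solution above as a PowerShell script: it applies the DNS-only-to-the-AD setting and Andy’s IPv6 tip, checks that the AD name and its LDAP SRV record resolve through the DC and that the AD ports are reachable across the VPN before attempting the join, and adds a check for the cached-logon behaviour discussed earlier in the thread (what happens when the VPN is down). `ad.domainname.tld` is the thread’s placeholder for the AD name shown in the Account provider, `192.168.16.5` is the Site A NethServer AD from the thread, and the adapter alias `Ethernet`, the function names and the port list are my assumptions. Run it in an elevated PowerShell on the Windows 10 client.

```powershell
# Added example, not code from the thread or from NethServer.
# Placeholders: $AdRealm is the AD name from the Account provider,
# $DcIp the NethServer AD address, $Adapter the client's NIC alias.
$AdRealm = 'ad.domainname.tld'   # placeholder used in the thread
$DcIp    = '192.168.16.5'        # Site A NethServer AD (from the thread)
$Adapter = 'Ethernet'            # assumption: adjust to the client's interface alias

function Set-ClientForJoin {
    param([string]$Dc, [string]$Nic)
    # Only the AD server as DNS, as the thread's solution states.
    Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Dc
    # Andy's tip: deactivate IPv6 on the Site B client.
    Disable-NetAdapterBinding -Name $Nic -ComponentID ms_tcpip6
    Clear-DnsClientCache
}

function Test-AdReachability {
    param([string]$Realm, [string]$Dc)
    $ok = $true
    # 1. The AD name must resolve through the DC (the DNS record from the thread).
    try {
        $a = Resolve-DnsName -Name $Realm -Type A -Server $Dc -ErrorAction Stop
        Write-Host "A record: $Realm -> $($a.IPAddress -join ', ')"
    } catch { Write-Warning "Cannot resolve $Realm via $Dc : $_"; $ok = $false }
    # 2. A domain join locates DCs via SRV records, so those must resolve too.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Realm" -Type SRV -Server $Dc -ErrorAction Stop
        Write-Host "SRV: $($srv.NameTarget -join ', ')"
    } catch { Write-Warning "No LDAP SRV record for $Realm via $Dc : $_"; $ok = $false }
    # 3. Trusted Networks / VPN must pass the AD ports (assumed minimal set:
    #    DNS 53, Kerberos 88, LDAP 389, SMB 445).
    foreach ($port in 53, 88, 389, 445) {
        $t = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
        if ($t.TcpTestSucceeded) { Write-Host "TCP $port to $Dc open" }
        else { Write-Warning "TCP $port to $Dc blocked"; $ok = $false }
    }
    return $ok
}

function Test-CachedLogonPolicy {
    # With the VPN down, Windows logs on with cached credentials, as the thread
    # says. That only works if CachedLogonsCount is above 0 (default 10) and the
    # user has logged on interactively at least once while the DC was reachable.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $count = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if (-not $count) { $count = 10 }   # value absent means the Windows default
    return ([int]$count -gt 0)
}

Set-ClientForJoin -Dc $DcIp -Nic $Adapter
if (Test-AdReachability -Realm $AdRealm -Dc $DcIp) {
    # Join with the full AD name from the Account provider, never the NetBIOS name.
    Add-Computer -DomainName $AdRealm -Credential (Get-Credential -Message "AD admin for $AdRealm") -Restart
} else {
    Write-Warning 'Fix Trusted Networks, the VPN or the DNS record before joining.'
}
```

The reachability checks reproduce, in one place, the two symptoms from the thread: a ping to 192.168.16.5 that works while the name does not resolve points at the missing DNS record, and a name that resolves while the ports are closed points at the Trusted Networks setting on Site A. `Test-CachedLogonPolicy` is meant to be run after the first interactive logon over the VPN, before relying on offline logon.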
