AD domain authentication through VPN

Status
Not open for further replies.

ravashaak

Technical User
Nov 23, 2003
104
US
I am attempting to authenticate remote systems against my Windows 2000 domain. But before I go into details, let me lay out the setup:

Remote WinXP SP2 Laptop
w/ Cisco VPN client 4.0.5
|
|
|
Linksys 4-port 10/100 router
(PPTP passthrough enabled)
|
|
|
- - - - - - - -
| INTERNET |
- - - - - - - -
|
|
|
Cisco VPN Server
on Subnet A
|
|
|
Windows 2000 AD domain
on Subnet B
In my corporate environment, the network department runs the VPN server, the top-level BIND DNS (non-dynamic) servers, and of course the network itself. I recently requested that they set up relaying for my AD DNS servers as well as for my WINS server. This was in preparation for authenticating my machines through the VPN against my domain DCs.

I installed the Cisco VPN client v4.0.5 (Rel) onto my Windows XP SP2 (firewall disabled) laptop. I configured the VPN client connection for "Group Authentication" and the VPN client to start before logon.

I can connect via the VPN client to our corporate Cisco VPN server. However, it appears to me that the computer itself is not authenticating against my AD domain, and hence not becoming a member of the "Domain Computers" group. This causes problems because my GPO-defined startup scripts reference directories on my domain servers. These directories grant access based upon "Domain Computers" group membership. The scripts run, but they encounter "access denied" errors when they attempt to access server resources. To me it appears that the machine account is not being authenticated against the AD domain, but I am not 100% certain, as I am uncertain how exactly to verify this. I guess there could also be some other reason that my remote systems cannot access the server-based resources, but if it's not authentication based, then what could it be?

There could be many causes here. Perhaps the relaying for my AD DNS and WINS servers is not functioning correctly. Perhaps a group policy setting is hampering remote authentication. Perhaps it's something else entirely.

I plan to ask the network department to verify the functionality of the AD DNS and WINS relay. However, I can't continually ask them to double-check their settings. So, what I need (in absence of an outright solution) are some troubleshooting tips. The more information I can verify myself, the less I have to bother others with problems that are most likely mine to begin with.

Thanks for any and all suggestions.

- Ravashaak
 
Ok, I'm bumping this just once. If there are no answers afterwards, I'll give up the ghost :)

- Ravashaak
 
Well, although I would prefer a cleaner solution, I seem to have discovered an effective workaround. What I have done is add an entry to my lmhosts file on the remote PC per the instructions in the following link:


I'll need to perform further testing to discover exactly why this works. It could be that the DNS/WINS relaying is not working correctly; it could even have something to do with having a split DNS namespace for my domain (i.e. abc.123.com to the outside world and xyz.abc.123.com internally). Although I'd prefer a non-lmhosts solution, I'll take it if it works.

Ahhhhh. Now I can scan/patch my systems via startup script no matter where they go :)

- Ravashaak
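Two things in this thread invite a check a remote user can run without involving the network team: the first post asks how to verify name resolution for the domain controllers on the laptop itself, and the last post settles on an lmhosts entry as the workaround. The script below is an added example, not code from the thread or from any Microsoft KB article. It parses an LMHOSTS file, validates the parts that commonly go wrong (the quoted group-name entry must be padded to exactly 15 characters before the `\0xNN` suffix; a `#DOM:` entry that is not also `#PRE` is not preloaded), and then reports whether the file contains a preloaded domain-controller mapping and the domain's `<1C>` group-name entry. The file contents, the host names, the 10.1.2.x addresses and the domain name CORPDOM are constructed placeholders.

```python
"""Parse an LMHOSTS file and check whether it carries the entries a
VPN-connected client needs to find its domain controller by NetBIOS name.

Added example (not code from the thread). Host names, addresses and the
domain name CORPDOM are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample file. Line 5 lacks #PRE, line 6 has an invalid address.
SAMPLE_LMHOSTS = """\
# LMHOSTS for a VPN laptop (constructed example)
10.1.2.10     DC01            #PRE #DOM:CORPDOM   # domain controller
10.1.2.10     "CORPDOM        \\0x1C"    #PRE     # domain controllers group name <1C>
10.1.2.20     FILESRV1        #PRE
10.1.2.30     DC02            #DOM:CORPDOM        # not preloaded
300.1.2.40    BADHOST         #PRE
"""

# <ip> <name or "padded name\0xNN"> <rest: keywords and trailing comment>
_LINE_RE = re.compile(r'^(\S+)\s+("[^"]*"|\S+)(.*)$')
# A quoted name must be exactly 15 characters, then the 16th byte as \0xNN.
_QUOTED_RE = re.compile(r'^"(.{15})\\0x([0-9A-Fa-f]{2})"$')


@dataclass
class LmhostsEntry:
    ip: str
    name: str               # NetBIOS name, upper-cased, at most 15 characters
    suffix: Optional[int]   # 16th byte when given as \0xNN, else None
    preload: bool           # #PRE present
    domain: Optional[str]   # value of #DOM:<domain>, upper-cased
    line_no: int


@dataclass
class LmhostsReport:
    entries: List[LmhostsEntry] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def parse_lmhosts(text: str) -> LmhostsReport:
    """Parse LMHOSTS text; malformed lines are reported and skipped."""
    report = LmhostsReport()
    seen: Dict[Tuple[str, Optional[int]], int] = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Blank lines, comments and directives (#INCLUDE, #BEGIN_ALTERNATE, ...) are not modelled.
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            report.errors.append(f"line {line_no}: expected '<ip> <name> [#PRE] [#DOM:domain]'")
            continue
        ip_text, name_token, rest = m.groups()
        try:
            ip = str(ipaddress.IPv4Address(ip_text))
        except ipaddress.AddressValueError:
            report.errors.append(f"line {line_no}: invalid IPv4 address {ip_text!r}")
            continue
        suffix = None
        if name_token.startswith('"'):
            q = _QUOTED_RE.match(name_token)
            if not q:
                report.errors.append(
                    f"line {line_no}: quoted name must be exactly 15 characters followed by \\0xNN")
                continue
            name, suffix = q.group(1).rstrip().upper(), int(q.group(2), 16)
        else:
            name = name_token.upper()
            if len(name) > 15:
                report.errors.append(f"line {line_no}: NetBIOS name {name!r} longer than 15 characters")
                continue
        preload, domain = False, None
        for tok in rest.split():
            if tok.upper() == "#PRE":
                preload = True
            elif tok.upper().startswith("#DOM:"):
                domain = tok[5:].upper() or None
            elif tok.startswith("#"):
                break  # any other '#' starts a trailing comment
            else:
                report.errors.append(f"line {line_no}: unexpected token {tok!r}")
                break
        if domain and not preload:
            report.errors.append(
                f"line {line_no}: #DOM:{domain} entry is not #PRE, so it is not preloaded into the name cache")
        key = (name, suffix)
        if key in seen:
            report.errors.append(f"line {line_no}: duplicate entry for {name!r} (first on line {seen[key]})")
        seen.setdefault(key, line_no)
        report.entries.append(LmhostsEntry(ip, name, suffix, preload, domain, line_no))
    return report


def check_domain_logon(report: LmhostsReport, domain: str) -> List[str]:
    """Return what is missing for a NetBIOS-based logon to `domain`; [] if nothing is."""
    domain = domain.upper()
    problems = []
    if not any(e.domain == domain and e.preload for e in report.entries):
        problems.append(f"no preloaded #DOM:{domain} entry: no domain controller can be found by name")
    if not any(e.name == domain and e.suffix == 0x1C for e in report.entries):
        problems.append(f"no {domain}<1C> entry: the domain controllers group name cannot be resolved")
    return problems


if __name__ == "__main__":
    rpt = parse_lmhosts(SAMPLE_LMHOSTS)
    for err in rpt.errors:
        print("error:", err)
    print("CORPDOM logon problems:", check_domain_logon(rpt, "CORPDOM") or "none")
```

Run against the real file (`%SystemRoot%\system32\drivers\etc\lmhosts` on the laptop) by passing its contents to `parse_lmhosts`. The check only says whether the file is sufficient; whether the entries were actually loaded is shown by `nbtstat -c`, and `nbtstat -R` purges the cache and reloads the `#PRE` entries after an edit, so a mismatch between this report and the cache points at a typo the parser already flagged or at a stale cache rather than at the DNS/WINS relay.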
 