Topic: Can't join domain over OpenVPN connection (Read 885 times)
Rob88NS
Newbie
Posts: 4
Karma: 0
Can't join domain over OpenVPN connection
« on: June 11, 2024, 07:16:20 am »
Hi all,
I am trying to join a server to a remote domain through an OpenVPN connection. There's an OPNSENSE box at the remote domain configured to accept my VPN connections successfully. Once connected, I can ping the remote DC but there's a DNS resolution issue.
In the OPNSENSE firewall > VPN > OpenVPN > Servers - Server settings, I've designated the DNS server IP of the DC LAN in the 'DNS Servers' section of the Client Settings section.
What I don't understand is, if I do an ipconfig /all on my remote computer where my OpenVPN connection is, the IP settings for the OpenVPN adapter don't show any DNS server configurations.
Along with this, I've tried just about everything I can think of: setting static DNS settings for the OpenVPN NIC, using the HOSTS file, etc. Nothing is allowing my remote computer to resolve the remote DC when trying to join its domain.
Any help appreciated.
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Can't join domain over OpenVPN connection
« Reply #1 on: June 11, 2024, 08:23:07 am »
Are all subnets in AD? Are you allowing LDAP/Kerberos/etc.? Are the clocks in sync?
Set your DNS manually in the OS, optimally with two DCs first and then a public resolver.
Windows does not use different DNS for different connections. You need to set at least one DC as the first DNS server. It is best to set this on the NIC and live with lower performance during boot until the VPN is up.
This is why the official Microsoft recommendation is a minimum of two DCs per site.
Bart...
Rob88NS
Newbie
Posts: 4
Karma: 0
Re: Can't join domain over OpenVPN connection
« Reply #2 on: June 11, 2024, 02:02:38 pm »
Subnets in AD...relevance?
Allowing LDAP/Kerberos? ... and needed for a simple join DC request???
Clocks are in sync.
I've tried all combinations of manual and DHCP assignment of DNS servers on the NIC to try to resolve the DC. Not happening, but I can ping the DC, so it's not a routing issue, it's a DNS issue.
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Can't join domain over OpenVPN connection
« Reply #3 on: June 11, 2024, 02:51:39 pm »
Quote from: Rob88NS on June 11, 2024, 02:02:38 pm
Subnets in AD...relevance?
For AD to keep track of DCs.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/creating-a-site-design
Quote from: Rob88NS on June 11, 2024, 02:02:38 pm
Allowing LDAP/Kerberos? ... and needed for a simple join DC request???
Yes, the sequence is DNS _ldap records, which point to the closest DC (based on subnet); then Kerberos grants the user a ticket that allows them to join (create the computer object).
Do a Wireshark capture of a local join and compare it to one from the remote attempt.
Bart...
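The DC locator sequence Bart describes (DNS SRV lookup, then LDAP/Kerberos to the DC it names) can be checked step by step on the VPN-connected machine before attempting the join. This is an added PowerShell example, not code from the thread; the domain name, the remote DNS server address and the port list are placeholders to replace with your own.

```powershell
# Added example (not from the thread): verify the DC locator path over the VPN.
# Assumed placeholder values; substitute your own.
$RemoteDomain = 'remote.example'   # assumption: the customer's AD DNS domain
$RemoteDns    = '10.20.0.10'       # assumption: DC/DNS server IP reachable through the tunnel
$PortsToCheck = @{ DNS = 53; Kerberos = 88; LDAP = 389; SMB = 445 }  # protocols a join needs

# 1. Which resolvers will Windows actually use? The interface list and its
#    order decide; a resolver configured only on the OpenVPN adapter is easy to miss.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. DC locator: the SRV record a domain join looks up first.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV `
                           -Server $RemoteDns -ErrorAction Stop
    $dcHosts = $srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget
    Write-Host "DC locator OK, DCs advertised: $($dcHosts -join ', ')"
} catch {
    Write-Warning "SRV lookup against $RemoteDns failed: $($_.Exception.Message)"
    Write-Warning "Fix resolution first; the join never reaches LDAP/Kerberos without it."
    return
}

# 3. For each advertised DC, confirm the tunnel and firewall pass the join protocols.
foreach ($dc in $dcHosts) {
    foreach ($svc in $PortsToCheck.GetEnumerator()) {
        $r = Test-NetConnection -ComputerName $dc -Port $svc.Value -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        Write-Host ("{0,-25} {1,-9} tcp/{2,-4} {3}" -f $dc, $svc.Key, $svc.Value, $state)
    }
}

# 4. Ask the Windows DC locator itself; /force bypasses its cache so the
#    result reflects the DNS settings currently in effect.
nltest /dsgetdc:$RemoteDomain /force
```

If step 2 succeeds only with -Server set explicitly, the client's configured resolvers are the problem, which matches the symptom in the original post.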
Rob88NS
Newbie
Posts: 4
Karma: 0
Re: Can't join domain over OpenVPN connection
« Reply #4 on: June 12, 2024, 03:11:33 am »
The full story is this.
We are building a server on our office LAN to replace a customer's DC. We are actually going to host this new DC here and ultimately replace their current DC at their business site (lots of home users as well). The users are all going to remote in to a new RDP server that we will also be building and hosting here. So we want to bring this server up on our office LAN and join/promote to DC over the VPN connection to the remote site with the current DC. We will then move FSMO roles over to the new server at final cutover and demote the current DC.
Our office LAN has its own DC and domain, totally unrelated to the customer from a Windows domain perspective.
I don't know enough about Windows OS networking to fully understand how network communication happens when there are multiple adapters on a desktop, the main NIC and the VPN adapter, and how requests go out over a network in respect to those two adapters' IPs, default gateways and DNS server settings.
Anyway, I'm looking into your last post, thanks.
Rob88NS
Newbie
Posts: 4
Karma: 0
Re: Can't join domain over OpenVPN connection
« Reply #5 on: June 15, 2024, 05:18:58 am »
OK, here's how I resolved it for anyone attempting something of this nature.
I configured a VPN connection on our local LAN DNS server to the remote LAN, then created a forward lookup zone in DNS for the remote domain name. After creating it, I went into the Name Server (NS) entry, which was currently set to the local LAN DC/DNS server, and changed it to the remote LAN DNS server's FQDN. When I added its IP address in the entry, it successfully resolved.
After doing this, I was able to join the new server to the remote domain. I restarted it, but it took quite a while to log in, probably trying to resolve the remote DC without the VPN. Then I tried promoting it to DC once the VPN was up but had resolution problems again, this time with the OpenVPN client; it wouldn't connect. I tested the remote A record it was configured to use with NSLOOKUP; it wouldn't resolve. To fix this, I simply went into the VPN NIC properties on the new server and set the DNS server client settings to 8.8.8.8. After this it resolved successfully, and I was able to promote the new server to DC.
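The poster solved this on the office DNS server by creating a forward lookup zone for the remote domain and repointing its NS record at the remote DC. The standard Windows DNS Server feature for the same goal is a conditional forwarder: queries for the customer's domain alone go to the remote DC over the tunnel, and every other name keeps using the office resolvers. This is an added example, not the poster's steps; the domain name and remote DNS address are placeholders.

```powershell
# Added example (not from the thread): on the office Windows DNS server, forward
# only the customer's AD domain to the remote DC reached through the VPN.
# Assumed placeholder values; substitute your own.
$RemoteDomain = 'remote.example'   # assumption: the customer's AD DNS domain
$RemoteDns    = @('10.20.0.10')    # assumption: remote DC/DNS IP(s) reachable through the tunnel

# Needs the DnsServer module (DNS Server role or RSAT) and an elevated session.
Import-Module DnsServer -ErrorAction Stop

if (-not (Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue)) {
    # Conditional forwarder: this zone's queries go to the listed servers only;
    # everything else still follows the server's normal forwarders/root hints.
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain -MasterServers $RemoteDns
}

# Verify through the local server rather than against the remote DC directly,
# so the test exercises the exact path the domain-join client will use.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -Server localhost |
    Where-Object Type -eq 'SRV' |
    Format-Table NameTarget, Port, Priority, Weight -AutoSize
```

With the forwarder in place the new server only needs the office DNS server as its resolver, so the per-adapter DNS settings on the OpenVPN NIC no longer matter; when the tunnel is down, lookups for the remote domain time out rather than fail fast, which is the slow-login effect the poster saw after the reboot.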