Everything posted by Hamins

  1. Once the user authenticates with the VPN server, and receives an IP address from the local pool, what would be the best way to authenticate them on the Domain ?
  2. Would it be advisable to create local user accounts on the laptops, along with local security policies, and then allow the user to access the files/folders to access the shares by them typing the UNC of the folder/file (\\servername.domainname\folder path), and then authenticating themselves when the "Connect to ...." box appears. Would that be a secure way ?
  3. Thanks for the response jondercik.
  4. Hi Chili, Thanks for yer response. The firewall has already been configured to act as a VPN server, and authenticate users for the VPN. However, that authentication is exclusive of the authentication done on the DC. Authentication on the firewall only creates a VPN, and allows the remote users access to the physical network, and assigns an IP from the pool. However, more importantly I would like to know how to configure the laptops & user accounts, to maintain security, configure user profiles, authentication on the domain, configure file and print sharing, offline access etc.. We want the remote users to be able to access only file/folders for which they have the rights. However, we may not want them to print anything from their laptops or any other computer, when working remotely. Most of the users who'll be accessing the Domain/network remotely already have user-accounts on the Domain, along with Roaming profiles. However, we may not want the roaming profile to be downloaded on the laptop when they're working remotely. Is that possible ? or do we create separate account for Remote users ? Would it be better to create local user-accounts on the laptops ? Would it be advisable to make the users log onto the domain via the standard login screen ? A coupla other things that I did not mention in the first post are : Surfing the internet while connected to the VPN is noticeably slow. I guess this is cause all traffic gets routed through the vpn connection. Does this happen if the "Use default Gateway on remote network" option is selected ? What would happen if I un-checked that option ? How do I optimize the VPN bandwidth ? Thanks
  5. Hi, I manage a network that comprises a Router connected to a Watchguard X500 firewall, which is connected to 2 Gigabit switches. We have one Multi-purpose Windows 2003 Std. server, and around 21 WinXP based workstations. The Win2k server acts as the Domain Controller, DNS & DHCP server, File & Print server etc. There are around 25 users-accounts created in the AD. Each user has his/her own roaming profile that lies on this server. So far all users connect to the network/server from the same office (Physical location/site). However, now we have a requirement whereby certain existing users need to access information from the server from any remote location, since they'll be travelling out of town frequently. The users will be provided company Laptops. We have decided that the best way for the remote users to connect to our network would be via VPN. The Watchguard X500 has already been configured to act as the VPN server. It has its own authentication Method, and a different set of user-accounts. Authentication with the Watchguard VPN server allows access to the network only, and assigns the remote users an IP from the local pool. Something like 192.168.1.... This has nothing to do with domain access. Authentication on VPN will not authenticate the users with the Win2k3 domain/server. I would like to know the best way to allow remote users to securely connect to our Domain. How to configure the laptops & user accounts, to maintain security, configure user profiles, authentication on the domain, configure file and print sharing, offline access etc.. We want the remote users to be able to access only file/folders for which they have the rights. However, we may not want them to print anything from their laptops or any other computer, when working remotely. Most of the users who'll be accessing the Domain/network remotely already have user-accounts on the Domain, along with Roaming profiles.
However, we may not want the roaming profile to be downloaded on the laptop when they're working remotely. Is that possible ? or do we create separate account for Remote users ? Would it be better to create local user-accounts on the laptops ? Would it be advisable to make the users log onto the domain via the standard login screen ? I would like to know how to perform the above tasks. Security is our primary concern. Any suggestions would be welcome. Thanks...
  6. Hi Pebbles, Ahhh..... finally a ray of hope hehehe!! Please try to re-collect how this can be possible. I would really appreciate it. Thanks
  7. Why don't you go for a hardware implementation of a Firewall ? I feel that if you install something like ISA or Symantec on your regular server, you're just increasing the workload on the server. So, it's always better to install these on a separate machine. That would involve investing in a new machine, and a new OS license. Instead, you could implement Hard-firewall such as Watchguard, or Fortigate, or Sonicwall.
  8. Thnx a ton jaclaz. I thought it could be done through DFS, but am not too sure. I'll try out OpenAFS.
  9. I'm facing the exact same problem. If anyone has a solution please lemme know ASAP
  10. Thanks for the response, memnoch. Oh Ratz !!! I thought it would be possible. Would be cool if it were, right ? Anyway, this whole idea came up, cause of budget constraints. We thought of using the existing free resources, instead of investing in a whole new storage medium for backups. Btw, could someone tell me what a SAN/NAS is ?
  11. Hi Chili, Thanx for the response. What you're saying kinda makes sense. All our data is located centrally on the Win3k server, no problem, that's how we want it. However, the problem comes up while taking backups. Our data+emails+user profiles amounts to around 25GB. Due to budget constraints we use NTBACKUP as the backup software, and a Maxtor 300GB External HDD, as the Backup Media. Now, the company policy states that a NORMAL backup on all the above should be taken everyday - Mon-Fri. Plus, a complete System State Backup should be taken every Fri. The Entire backup process is automated using a Script, that is scheduled to run at the End of each day. The problem with this is that the 300GB on the External HDD gets maxed out even before the month ends. So, after every 15-20 days we have to manually delete a coupla backup sets to create space. We're a small Co. and hence have budget constraints. Hence, I was wondering if it would be possible to combine the Free HDD Partitions of all the workstations, and make it into one massive 600GB Volume ?
  12. Here's a detailed run-down on how I create roaming Profiles:
      (1) Create a folder by the name of Profiles$ (you could use any name). Create this preferably on a non-system volume.
      (2) Share the Profiles$ folder you just created, and set the following SHARE permissions on it:
          Administrators = Full Control
          Domain Users = Change & Read
      (3) Set the following NTFS Security permissions, but before setting any permissions, make sure that you click on ADVANCE, un-check the "ALLOW INHERITABLE PERMISSIONS ......", click on REMOVE, and then click on OK.
          Administrators = Full Control (This Folder, Subfolder, and Files)
          Creator Owner = Full Control (Sub Folder and Files)
          Domain User = Read + Write (This folder, Subfolders, and Files)
      (4) Now, to map the Profiles$ folder to the user account, open up Active Directory Users and Computers, double-click on the user(s), select the Profiles tab, and in the PROFILE PATH field type \\<The name of your server>\Profiles$\%username%. Make sure that the path to the profile folder is typed in UNC format like above, and not in absolute format. Once you have typed the profile path, click OK.
      That's all ... I hope this helps you understand how to create a roaming profile for users on your network.
  13. Storm, have you checked whether the users have read access to \\Server\Netlogon\Default User folder ?
  14. Anyone with any answers or suggestions ?
  15. Hi, I manage a network with a Windows 2003 Std. Server, and 21 WinXP workstations, all connected to a Gigabit network. All the data lies solely on the server, and the workstations just contain software such as Ms-Office, OE, etc. etc. Now, almost all the workstations have a 40GB HDD, with a 10GB partition that holds the OS, and the various software. The remaining HDD space on all the workstations is unallocated, which means that there is around 21x30 = 630GB of FREE HDD space on the network that's just lying around, unused. What we would like to do is make use of this 630GB of total HDD space. However, we still want all the data to be centrally located. So, we plan on using this free HDD space for backup. I would like to know if there is any way we can combine the free space of all the HDDs on the network, and use that as one storage volume (Drive) ? Firstly, is that even possible ? If yes, is it a relatively easy thing to do, without investing in any Hardware or Software ? What is a NAS/SAN ? Also, any other suggestions on how we could utilize the free HDD space, would be most welcome... Thanx
  16. Help Needed

    This error usually comes up due to a program made under Visual Basic. It is also known to be caused by Ms-Word.
  17. I think (and I may be wrong) this happens because of the different ways HDD manufacturers, and Windows count disk space. HDD manufacturers count 1GB as 1000MB, whereas Windows counts 1GB as 1024MB.
  18. Does anyone have a solution/suggestion ? Please, I have to do something about this problem ASAP. It's affecting productivity as most of our work is based on internet. Also, in response to Cluberti's suggestion of comparing a slow workstation to a non-slow one - The latency problem is present on all PCs, so there is nothing to compare with. However, there seems to be no latency problem while working on the LOCAL network. The problem occurs only when working with anything on the internet.
  19. Hi, What do you mean by Authentication Failures and excessive re-transmits ? The users are able to authenticate normally with ADS. Sorry, if I sound LAME, but this is the first live network I have setup, so I'm a noob. No Suspicious event in the eventviewer. Anything in particular I should be looking for in the eventviewer ? No proxy server used. Login times are normal. Users have roaming Profiles. No folder re-direction. Yes, the users use only IE to browse, and OE as an email client. There are documents that need to be downloaded from an external web-based server. Yes, we use DHCP on the network. I don't understand what you mean when you say "what DNS servers are you pushing out via DHCP?" Once again, sorry for sounding lame.
  20. Hi Cluberti, Thnx for the response. I did a netmon on a slow workstation, but did not come across any conclusive reason. What could be the probable reasons for this weird behaviour ?
  21. Anyone know which Group Policy restriction to apply ?
  22. Anyone ??? Please I need to know this ASAP!!!
  23. Hi, First, let me describe our network. We have a 256k lease-line connection, which comes through a lease-line modem, which is connected to a router, which in-turn is connected to a gigabit switch. We have a single Windows 2003 server, which works as a DNS/DHCP/File/Print/ADS server, and around 20 workstations. Typical work would involve working with Word, Excel documents, visiting work related web-sites/secure-web-sites, downloading documents, download & reading emails/digitally signed emails in Outlook Express. Now for the problem ..... The users have been facing some serious latency issues when working on the internet.... Pages load very slow or not at all, secure server pages don't open at all, online PDF and word documents don't open at all, emails download very slowly into Outlook Express, secure emails don't open up etc etc. However all these problems come up only when the users are working on the internet when logged onto the domain. These issues do not come up when the users are accessing the internet, when logged onto the local PC, instead of the domain. I need a solution to this problem ASAP. My client is gonna kick my butt ...heheh Thanx
  24. Yes, we are using ADS, and most of the users have been setup as regular users. However, users have been able to download certain programs (like googchat), and install them. I would like to know how to lock it down using Group Policy.
  25. Hi, How do I prevent users from installing or un-installing programs/applications/software on their workstations ? Right now the users are able to download programs from the net and install them. Network environment is Windows2003 Std server with WinXP Pro workstations.