this is the setup of my AD domain:
install Active Directory Domain Services (AD DS)
install using server manager
assuming you are using Windows Server 2012 or later: in the Server Manager window, click Manage -> Add Roles and Features, and add the Active Directory Domain Services role
the DNS Server role will be installed along with it
i don't want to reinstall my AD DS; you can find detailed instructions here
configure ADDS
in this step, click Promote this server to a domain controller, then Add a new forest. In the Root domain name field, type something like your-domain.local
remember, this is a local domain, for which you need a DNS server. you might be thinking about using your public domain here: just DON'T
A delegation for this DNS server cannot be created
you can safely ignore this warning, since this server is the first domain controller of the new forest
more details about setting up a new forest
when you see this, your AD DS should soon be ready
join your domain via VPN
basic idea
typically, an AD domain like this only allows computers on its local network to join. with a VPN, you can add computers from anywhere to your domain
if you look at the network diagram i put above, you can get a basic idea of how to do it
first of all, your AD server must join your VPN, and so must all the domain computers that will be connecting via VPN; make sure they can communicate with each other (at least with the server)
and the most important part: every computer on the domain must be configured to use your AD server's DNS server, otherwise it won't be able to resolve the AD server's domain name, and joining the domain is impossible
however, you might not want to use that DNS server: especially in China, the AD server's DNS service is very likely polluted by the ISP.
AdGuard DNS
although it looks irrelevant, AdGuard Home is the best solution here. you can set up a DNS server with AdGuard Home: install it as a service on a linux vm, and the default config works just fine (for ad blocking)
thankfully, you can configure AdGuard Home to forward all DNS queries for your-domain.local to your AD server, without affecting anything else
well, remember to set the DNS server on your VPN NIC, otherwise it won't know where to send the DNS queries. also, to prefer this DNS (which i strongly suggest), you need to change the VPN NIC's metric to a lower value
then you can join your domain
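as an added example (not from the original post), here is the client-side part of this step in PowerShell: it sets the DNS server on the VPN adapter, lowers the adapter metric, checks that the domain's DC locator SRV record actually resolves through that path, and only then joins the domain. assumptions: the VPN adapter is named "VPN", AdGuard Home is reachable at 10.8.0.2 over the VPN, and AdGuard Home's upstream list contains a per-domain upstream entry `[/your-domain.local/]<DC IP>` pointing at the AD server.

```powershell
# Added example, not the post author's code. Run in an elevated PowerShell on the
# client. Assumed values: adapter alias "VPN", AdGuard Home at 10.8.0.2,
# AD domain your-domain.local. On the AdGuard Home side the upstream list is
# assumed to contain:  [/your-domain.local/]<DC IP>   (domain-specific upstream)
$VpnAlias  = 'VPN'
$AdGuardIp = '10.8.0.2'
$Domain    = 'your-domain.local'

# 1. Point the VPN adapter at AdGuard Home, which forwards the AD zone to the DC
Set-DnsClientServerAddress -InterfaceAlias $VpnAlias -ServerAddresses $AdGuardIp

# 2. Make Windows prefer this adapter's DNS: the lowest interface metric wins
Set-NetIPInterface -InterfaceAlias $VpnAlias -InterfaceMetric 5

# 3. Prove the join will have what it needs: domain join locates a DC through the
#    _ldap._tcp.dc._msdcs SRV record, so resolving only the A record is not enough
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                           -Server $AdGuardIp -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
} catch {
    throw "SRV lookup for $Domain via $AdGuardIp failed: $_ . check the [/$Domain/] upstream in AdGuard Home and that the VPN is up"
}
if (-not $srv) { throw "no DC SRV record returned for $Domain via $AdGuardIp" }
$srv | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize

# 4. Join the domain with an account allowed to add computers, then reboot
$cred = Get-Credential -Message "Account allowed to join $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Restart
```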
i will talk about other things later; the AD domain really helped me solve many pain-in-the-ass problems with Windows