How to Create a Domain Controller Accessible Without VPN

  • Question

  • Hi All,

    I am a newbie. Below is my query:

    I need to create a domain controller running on azure. I want my client PC to be able to Ping it and get domain joined. I am not looking for a scenario that uses a VPN. I am simply looking for a scenario in which DC is having a Public IP and I should be able to domain join my PC to that domain.

    I am using Windows Server 2012 R2 in Azure. I am using my Windows 8.1 PC as a client computer. I am not testing this for organizational purposes as I understand this is not a secure configuration as per company standards.

    What all do I need? Multiple NICs? Public IP? Specific Port Numbers?

    I need to start from scratch. I am a newbie. Please help.

    Saturday, March 12, 2016 12:06 PM

Answers

  • Hi.

    If you have a router then you have some kind of NAT, I guess.

    You will need to:

    1. Lock down RPC ports
    2. Forward all ports including RPC ports from the internet to the DC
    3. Rewrite all DNS queries

    I have never done this and I'm unsure if I know anybody who has done this. I don't think anyone will be able to easily help you; it is all too dependent on your environment.

    Please read up on:



    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Even if you are not the author of a thread you can always help others by voting as Helpful. This can be beneficial to other community members reading the thread.


    Oscar Virot

    • Proposed as answer by Jay Gu Friday, March 25, 2016 8:44 AM
    • Marked as answer by Amy Wang_ Monday, March 28, 2016 6:59 AM
    Sunday, March 13, 2016 3:05 PM
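What step 1 of the list above ("lock down RPC ports") amounts to on the server side, as an added example that is not code from the thread or from Oscar. AD DS (NTDS) and Netlogon normally answer RPC calls on ports picked at run time from the dynamic range, which is why a NAT would otherwise have to forward the whole range; the two registry values used here are the ones Microsoft documents (KB 224196) for pinning them to fixed ports. The script then audits the host firewall for inbound allow rules that open any domain-controller port to any remote address, which is the exposure the thread describes as not secure. The port numbers are placeholders chosen for this example, and the script is assumed to run elevated on the DC itself; without `-Apply` it only previews the registry change and runs the audit.

```powershell
# Added example, not from the thread. Pin the NTDS and Netlogon RPC endpoints
# to fixed ports (registry values documented in KB 224196), then audit the
# host firewall for DC ports exposed to any remote address.
# Assumption: the port numbers below are placeholders for this example.
# The NTDS and Netlogon services must be restarted (or the DC rebooted)
# before a pinned port takes effect.
param(
    [int]$NtdsPort     = 49152,   # placeholder for the NTDS RPC port
    [int]$NetlogonPort = 49153,   # placeholder for the Netlogon RPC port
    [switch]$Apply                # without -Apply the registry write is a dry run
)

$pins = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port'; Port = $NtdsPort }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpIpPort'; Port = $NetlogonPort }
)
foreach ($p in $pins) {
    # Set-ItemProperty honours -WhatIf, so the default run only reports what it would write.
    Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Port -Type DWord -WhatIf:(-not $Apply)
}

# The fixed set of TCP ports a client needs to reach a DC once RPC is pinned:
# DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, global catalog,
# plus the two pinned RPC ports. A NAT or firewall rule would have to cover all of them.
$dcPorts = @(53, 88, 135, 389, 445, 464, 636, 3268, $NtdsPort, $NetlogonPort)

# Audit: every enabled inbound allow rule that opens one of these ports to 'Any'
# remote address. Rules whose local port is 'Any', 'RPC' or 'RPC-EPMap' cover
# DC traffic without naming a number, so they are reported as well.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue | ForEach-Object {
    $rule   = $_
    $local  = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

    $exposed = @($dcPorts | Where-Object { $local -contains "$_" })
    $wildcard = @('Any', 'RPC', 'RPC-EPMap') | Where-Object { $local -contains $_ }
    if (($exposed -or $wildcard) -and ($remote -contains 'Any')) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            ExposedPorts  = (($exposed + $wildcard) -join ',')
            RemoteAddress = ($remote -join ',')
        }
    }
}
```

Run it once without `-Apply` to see the registry writes it would make and the current exposure list; the audit output is the list of rules a reviewer would expect to be scoped to specific remote addresses rather than `Any`.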
  • Hi,

    I think direct access may be helpful to you.

    The DirectAccess feature was introduced with Windows Server 2008 R2 and Windows 7 client computers. DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network, so users never have to think about connecting to the enterprise network and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.

    Here are two articles that may be helpful to you.

    Using DirectAccess

    https://technet.microsoft.com/en-us/windows/dn168168.aspx

    Windows Server 2012 Direct Access – Part 1 What’s New

    https://blogs.technet.microsoft.com/meamcs/2012/05/03/windows-server-2012-direct-access-part-1-whats-new/

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Jay Gu Friday, March 25, 2016 8:44 AM
    • Marked as answer by Amy Wang_ Monday, March 28, 2016 6:59 AM
    Tuesday, March 15, 2016 9:48 AM

All replies

  • Hi.

    Given that there are no firewalls blocking it, it shouldn't be a problem.

    Are you using a public domain fqdn? And that one is delegated to the DC? Otherwise set the DC as the DNS server for the client. It will then ask for the domain from that server which should return its IP. But I am not sure if Azure uses NAT, in that case then you have a problem.


    Oscar Virot

    Saturday, March 12, 2016 6:46 PM
  • Let's forget about Azure. Can you help me out with my own server setup located at my infra? What configuration of server do I need? How many IPs and NICs will I need? How do I provide a public IP to that DC and make it accessible via the Internet? How do I bring the client into the same network as the DC so that it is able to ping it and get domain joined?
    Saturday, March 12, 2016 8:23 PM
  • Just think of the internet as your regular lan. How many NICs do you need if you have a domain controller on the inside (1).

    So just put your domain controller on the internet and point the DNS of your client to that IP. This is NOT A SECURE setup.

    Or are you asking how to NAT traverse to a Domain Controller?


    Oscar Virot

    Saturday, March 12, 2016 8:28 PM
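What "point the DNS of your client to that IP" has to deliver before a join can work, checked from the client side, as an added example that is not code from the thread or from Oscar. The client asks the DC's DNS for the DC locator SRV record, the SRV target must resolve to an address the client can actually route to, and the ports the join and logon use must be reachable. The domain name and DNS server address are placeholders for this example. It also flags the NAT symptom Oscar mentions in the earlier reply: a public DNS server handing back a private address for the DC.

```powershell
# Added example, not from the thread. From the client, verify DC locator DNS
# and port reachability against a DC whose DNS the client points at.
# Assumptions: the domain and DNS server values are placeholders
# (203.0.113.10 is a documentation address, not a real host).
param(
    [string]$Domain    = 'corp.example',   # placeholder AD DNS domain
    [string]$DnsServer = '203.0.113.10'    # placeholder: the DC's public IP
)

# RFC 1918 check: a private answer from a public DNS server means the DC is
# behind NAT and the client will be sent to an address it cannot reach.
function Test-PrivateIPv4([string]$ip) {
    $o = $ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# Ports a domain join and interactive logon use, by service.
$ports = [ordered]@{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
    445 = 'SMB'; 464 = 'Kerberos kpasswd'; 636 = 'LDAPS'; 3268 = 'Global Catalog'
}

# 1. DC locator: the client resolves the _ldap._tcp.dc._msdcs SRV record for the domain.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction Stop
$dcHosts = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcHosts) { throw "No DC locator SRV record for $Domain returned by $DnsServer" }

foreach ($dc in $dcHosts) {
    # 2. The SRV target must resolve to an address the client can route to.
    $a = Resolve-DnsName -Name $dc -Type A -Server $DnsServer -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
    foreach ($ip in $a.IPAddress) {
        if (Test-PrivateIPv4 $ip) {
            Write-Warning "$dc resolves to private address $ip via $DnsServer (NAT in the path; the join will not reach it)"
        }
        # 3. Each join/logon port must answer on that address.
        foreach ($p in $ports.Keys) {
            $ok = (Test-NetConnection -ComputerName $ip -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ DC = $dc; IP = $ip; Port = $p; Service = $ports[$p]; Reachable = $ok }
        }
    }
}
```

A join attempt fails at the first row that reports `Reachable = False`, so the table shows which forwarding or firewall rule is missing; the warning line is the "Azure uses NAT" case from earlier in the thread, where name resolution succeeds but the returned address is unroutable from the client.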
  • Okay. That was kind of helpful.

    Now that I have my Internet-connected Windows Server 2012 R2 running as DC on my server, what else do I need to make this DC publicly accessible? I do have a public IP assigned to my connection by my ISP. Does this require some sort of port forwarding in my router? Or does this require only the public IP to be added via NCPA.CPL to the DC's adapter settings?

    Thanks

    Saturday, March 12, 2016 10:08 PM
  • So, you can join a PC into a domain through the WAN? ( No VPN involved )

    And what about applying the GPOs every time the user logs into this computer?

    And what about Kerberos going through the WAN?

    And the login process, would it be lengthy?

    I am new to this kind of deployment, but actually have the same question as Oscar.

    Thanks in advance.


    Luis Olías.


    • Edited by Luis O.J Tuesday, May 21, 2019 8:29 AM
    Tuesday, May 21, 2019 8:28 AM