Score:-1

Windows Server Join Active Directory over VPN

A X

OK, here is what I am trying to achieve. I have servers distributed across data centers around the world. I want them all to join the same Active Directory Domain. I don't want to implement ADFS and put Active Directory servers in every data center because it is too much work.

Instead I want to have only one Active Directory server/cluster in one data center, let's say US East. Then I want all of the servers around the world to have a VPN virtual network adapter that is always connected, and I want to send all the Active Directory related traffic over this VPN connection to the US East data center network where the actual Active Directory Server is. In this way, as far as the servers can tell, they are all on the same network as the Active Directory server.

Note that I do NOT want to set up Site-to-Site VPN. I want it to be Point-to-Site VPN from each "leaf" server into the main root network via Point-to-Site VPN from each server. I also don't want to send all network traffic over the VPN, only the network traffic actually related to Active Directory.

Also note that the VPN connection should be durable and survive reboots and should reconnect automatically if disconnected.

Any guidance on how to do this would be amazing. I haven't been able to find any good guides on how to do this but I'm pretty sure this should be possible with Windows Server 2022.

A X
Does "Always On VPN" have something to do with this scenario? What is Always On VPN anyway?
cn flag
Always On is a technology bag from MS where a client has multiple ways to connect to the network and thus is always on - enterprise style VPN replacement, where there are multiple protocols AND multiple endpoints available and the client tries them all automatically, from "real" vpn to a http tunnel, to get to the company network.
Score:-2
cn flag

Not possible in 2022. Problems are multiple and all go down to Windows Routing being limited (no "by protocol") and your requirements being so unusual that it shows a misunderstanding of how to set things up in a way that is easily managed.

Worst of them:

I also don't want to send all network traffic over the VPN, only the network traffic actually related to Active Directory.

This is exactly one thing: NOT how Routing works in Windows - there is no way to differentiate by port numbers etc. You can get MOST of that with proper network selection, but then "MOST" is not an answer to very specific requirements.

A X
Thanks. What is the "closest" we could get assuming some flex on requirements?
cn flag
Well, first of all - I would just put some proper router everywhere and let that handle the VPN. I would just drop the funny network traffic split and use IP address ranges to isolate the DNS - I am not sure you ever thought that one through, but a central IP pool for the AD is good enough to NEARLY isolate things. You also take a SERIOUS uptime risk here if that one data center is disconnected - there are scenarios that make sense in, but I would think hard whether you have that or not. And "the actual Active Directory Server" means you want to lose it all - always 2-3 servers.
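As an added illustration of the "closest you can get" approach this reply describes (and of the question's requirements for a split-tunnel, reboot-surviving Point-to-Site connection): Windows selects a path by destination prefix, not by protocol or port, so the practical approximation is to send only the domain-controller subnet through the tunnel and point name resolution for the AD zone at the DCs. This is example code, not something posted in the thread; the VPN server name, subnet, DNS suffix, DNS server addresses and the machine-certificate IKEv2 gateway are all placeholders and assumptions, and the commands must run in an elevated session on the server being joined.

```powershell
# Added example: approximate "only AD traffic over the VPN" with a split-tunnel
# Point-to-Site connection. Windows routes by destination prefix, so isolation is
# by IP range (as the reply suggests), not by protocol. All names and addresses
# below are placeholders, not values from the thread.

$VpnName   = 'AD-P2S'
$VpnServer = 'vpn.example.invalid'      # placeholder: P2S VPN gateway in the US East DC
$AdSubnet  = '10.10.0.0/24'             # placeholder: subnet holding the domain controllers
$AdDomain  = '.corp.example'            # placeholder: AD DNS suffix (leading dot = whole zone)
$AdDns     = '10.10.0.10','10.10.0.11'  # placeholder: DC addresses acting as DNS servers

# 1. Machine-wide (all-user) profile with split tunnelling: the default route stays
#    on the local NIC and only explicitly added routes use the tunnel. Machine
#    certificate auth (assumed to be configured on the gateway) lets the tunnel
#    come up as SYSTEM before any user logs on, which a domain-joined server needs.
Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -SplitTunneling -AllUserConnection -Force

# 2. Only the DC subnet is reachable through the tunnel.
Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $AdSubnet -AllUserConnection

# 3. Name Resolution Policy: queries for the AD zone (DC locator SRV records etc.)
#    go to the DCs; everything else keeps using the local resolver.
Add-DnsClientNrptRule -Namespace $AdDomain -NameServers $AdDns -Comment 'AD over P2S VPN'

# 4. Durability: a SYSTEM scheduled task dials at startup and re-dials every
#    5 minutes whenever the connection is found to be down.
$watchdog = @"
`$c = Get-VpnConnection -Name '$VpnName' -AllUserConnection
if (`$c.ConnectionStatus -ne 'Connected') { rasdial.exe '$VpnName' | Out-Null }
"@
$scriptPath = "$env:ProgramData\AD-P2S\Connect-AdVpn.ps1"
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value $watchdog -Encoding ASCII

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$triggers  = @(
    (New-ScheduledTaskTrigger -AtStartup),
    (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5))
)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Connect-AdVpn' -Action $action -Trigger $triggers `
    -Principal $principal -Force | Out-Null

# 5. Dial now and confirm the DC subnet is routed via the VPN interface before
#    attempting the join; the default route should still point at the local NIC.
rasdial.exe $VpnName | Out-Null
Get-NetRoute -DestinationPrefix $AdSubnet | Format-Table ifIndex, InterfaceAlias, NextHop
Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Format-Table ifIndex, InterfaceAlias, NextHop
# Then: Add-Computer -DomainName $AdDomain.TrimStart('.') -Credential (Get-Credential) -Restart
```

Two things this does not solve, both already raised in the reply: any host in the routed subnet (not just AD ports) is reachable through the tunnel, and every leaf server's ability to authenticate depends on one data center and its VPN gateway staying up, so the "always 2-3 servers" advice still applies to the DCs behind the subnet.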