The best and the easiest way. Just use OpenVPN.
No need for a second DC if all remote PCs start the OpenVPN client on startup.
On the DC side run the OpenVPN server or use "Zero-Shell".

Greetings
Daniel

IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: mueller at tropenklinik.de
Internet: www.tropenklinik.de

-----Original Message-----
From: Sven Schwedas via samba [mailto:samba at lists.samba.org]
Sent: Monday, 2 November 2020 10:26
To: samba at lists.samba.org
Subject: Re: [Samba] VPN

On 01.11.20 18:48, Philip Offermans via samba wrote:
> I have a Samba server running as an active domain controller. I want people in another office building to use the same Samba server. What is the best way to do this? Use a second domain controller. VPN to first domain controller. (Using a MikroTik router). And how can you configure Windows to use the VPN at startup?

If you have the resources for it, a secondary DC would be preferable: Redundancy in case the link between the two offices is unstable, and better performance even if it's stable.

You will still need a VPN to connect the two DCs, however. A router-level VPN link ought to suffice, and either way you wouldn't need to set up anything on the individual machines, as long as the router is their default gateway. If it isn't, they need a route to it (usually pushed out via DHCP).

Windows itself creating a VPN connection pre-login is more useful when you have people scattered around in home office and need them to access the DCs.

It certainly isn't the easiest (set up VPN once on the router vs. setting it up N times on N different machines plus PKI infrastructure to handle certificate revocations etc.), and I doubt it's the best either, you'll have a lot of traffic overhead for basically no advantage.

On 02.11.20 10:37, Mueller via samba wrote:
> The best and the easiest way. Just use OpenVPN.
> No need for a second DC if all remote PCs start the OpenVPN client on startup.
> On the DC side run the OpenVPN server or use "Zero-Shell".
>
> Greetings
> Daniel
>
> IT Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> Email: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
>
> -----Original Message-----
> From: Sven Schwedas via samba [mailto:samba at lists.samba.org]
> Sent: Monday, 2 November 2020 10:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] VPN
>
> On 01.11.20 18:48, Philip Offermans via samba wrote:
>> I have a Samba server running as an active domain controller. I want people in another office building to use the same Samba server. What is the best way to do this? Use a second domain controller. VPN to first domain controller. (Using a MikroTik router). And how can you configure Windows to use the VPN at startup?
>
> If you have the resources for it, a secondary DC would be preferable:
> Redundancy in case the link between the two offices is unstable, and better performance even if it's stable.
>
> You will still need a VPN to connect the two DCs, however. A router-level VPN link ought to suffice, and either way you wouldn't need to set up anything on the individual machines, as long as the router is their default gateway. If it isn't, they need a route to it (usually pushed out via DHCP).
>
> Windows itself creating a VPN connection pre-login is more useful when you have people scattered around in home office and need them to access the DCs.

Did it just simpler: And it is working
https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/

-----Original Message-----
From: Sven Schwedas via samba [mailto:samba at lists.samba.org]
Sent: Monday, 2 November 2020 10:48
To: samba at lists.samba.org
Subject: Re: [Samba] VPN

It certainly isn't the easiest (set up VPN once on the router vs. setting it up N times on N different machines plus PKI infrastructure to handle certificate revocations etc.), and I doubt it's the best either, you'll have a lot of traffic overhead for basically no advantage.

On 02.11.20 10:37, Mueller via samba wrote:
> The best and the easiest way. Just use OpenVPN.
> No need for a second DC if all remote PCs start the OpenVPN client on startup.
> On the DC side run the OpenVPN server or use "Zero-Shell".
>
> Greetings
> Daniel
>
> IT Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> Email: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
>
> -----Original Message-----
> From: Sven Schwedas via samba [mailto:samba at lists.samba.org]
> Sent: Monday, 2 November 2020 10:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] VPN
>
> On 01.11.20 18:48, Philip Offermans via samba wrote:
>> I have a Samba server running as an active domain controller. I want people in another office building to use the same Samba server. What is the best way to do this? Use a second domain controller. VPN to first domain controller. (Using a MikroTik router). And how can you configure Windows to use the VPN at startup?
>
> If you have the resources for it, a secondary DC would be preferable:
> Redundancy in case the link between the two offices is unstable, and better performance even if it's stable.
>
> You will still need a VPN to connect the two DCs, however. A router-level VPN link ought to suffice, and either way you wouldn't need to set up anything on the individual machines, as long as the router is their default gateway. If it isn't, they need a route to it (usually pushed out via DHCP).
>
> Windows itself creating a VPN connection pre-login is more useful when you have people scattered around in home office and need them to access the DCs.
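
Sven Schwedas's reply in this thread notes that machines whose default gateway is not the VPN router need a route to it, usually pushed out via DHCP. As an added example (not part of the thread), this Python sketch encodes and decodes such routes as the DHCP classless static route option (option 121, RFC 3442); all addresses are constructed sample values.

```python
import ipaddress

def encode_option_121(routes):
    """Encode (destination CIDR, gateway) pairs as an RFC 3442 option 121 payload."""
    out = bytearray()
    for cidr, gateway in routes:
        net = ipaddress.IPv4Network(cidr)   # strict: rejects host bits in the prefix
        gw = ipaddress.IPv4Address(gateway)
        out.append(net.prefixlen)
        # Only the significant destination octets are sent: ceil(prefixlen / 8).
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += gw.packed
    if len(out) > 255:
        raise ValueError("payload does not fit in a single DHCP option")
    return bytes(out)

def decode_option_121(payload):
    """Decode an option 121 payload back into (destination CIDR, gateway) pairs."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        n = (prefixlen + 7) // 8
        if prefixlen > 32 or i + 1 + n + 4 > len(payload):
            raise ValueError("malformed option 121 payload")
        dest = ipaddress.IPv4Address(payload[i + 1:i + 1 + n] + bytes(4 - n))
        gw = ipaddress.IPv4Address(payload[i + 1 + n:i + 5 + n])
        routes.append((f"{dest}/{prefixlen}", str(gw)))
        i += 5 + n
    return routes

# Constructed sample values (assumptions, not from the thread):
# remote office LAN 192.168.20.0/24, its normal gateway 192.168.20.1,
# a separate VPN router 192.168.20.254, DC subnet 192.168.10.0/24 behind the VPN.
SAMPLE_ROUTES = [
    ("192.168.10.0/24", "192.168.20.254"),  # DC subnet via the VPN router
    # RFC 3442: a client that receives option 121 ignores the Router option (3),
    # so the default route has to be repeated here.
    ("0.0.0.0/0", "192.168.20.1"),
]

if __name__ == "__main__":
    payload = encode_option_121(SAMPLE_ROUTES)
    print(payload.hex())
    print(decode_option_121(payload))
```

The hex string is what goes into a DHCP server's raw option 121 field; decoding a captured offer the same way shows which routes clients are actually being handed.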