Login to Windows Domain / Access to AD, Group Policies, etc. Remotely

I’m preparing to add a few mobile laptops to our domain. They’ll have to be able to login to Domain and change passwords remotely. Ideally it would be nice if the Group Policies could apply to the laptops also, remotely.

Is this something possible with ZeroTier? Is there a guide somewhere?

I have done this during the COVID lockdown in NZ last year. There are some things to keep in mind:
Your DNS servers need at least one member of the domain to be available on Zerotier; this is usually AD integrated, so that gives you an AD on the Zerotier network.

If you are using an external DNS provider, then you can set the names of all of the internal servers including the AD and other fileservers to be the Zerotier addresses for them.
This way, when a user is in the outside world, their DNS lookups will point at your internal servers; including the AD.

So, if your systems can cache credentials and other bits, the user can log in and find themselves looking at something that looks the same as being at work. Some bits, like group policy and password changes, can be a little hit and miss as they need to be connected via ZT for it to work.

Make sure your AD DNS servers do not broadcast the ZT network locally to your local clients, with the exception of the one which must. This means you must make all non-ZT DNS ADs [still using ZT] not respond or listen to DNS requests on the ZT interface. You also need to remove the ZT entries from AD DNS. For the system which is the master, let it talk via DNS on ZT.

If you’re careful, you will have a network talking over ZT, and local clients will be kept away, for the most part, from addresses that cannot respond to them.

Hi d,

Thanks for sharing your experience. I’m glad to know that ZT can be a solution for the mobile workers.

What made you choose ZT over, let’s say, a more conventional approach, like VPN? For example you could have installed a Fortinet or a SonicWall and the users could’ve connected to it via their VPN client, before the Windows Login.

With ZT is it possible to connect before the Windows login?

That’s a very fair question. I literally have no budget for software, beyond CC ($7.50 per annum per student) and a few school specific applications. In terms of being able to deploy for 50+ staff, VPN solutions are cost-prohibitive, and with Zerotier I can take a hands-off approach for staff members. They log into their laptops, and it is already sorting itself out without their interaction. In the background I can adjust routing paths, add additional moons for traffic, move VMs all over the place, and it’ll still work because the IPs follow the VMs. the changes I was making during lockdown, if done via a normal VPN, would hae not been possible due to breakage; and I was not allowed out of the house at level 4, even though I’m essential personal at level 3. Also, Zerotier is quite unlike other VPNs, and brings a lot of cool things to the table, including the software defined switch.

Now, in terms of pre-connection, I’ve not tested this for a client machine specifically, but it certainly seems to be operative for servers and the like. I’d say roll a small demo, and see what happens :slight_smile: that’s what I do. Certainly I didn’t have staff members completely out in the cold, just those with poor internet connectivity, and I found adding more moons to different ISP routes fixed that.

Wow!. This is pretty cool stuff.

If we install the ZT client on a domain server, can it act as a gateway? I mean, will it allow the mobile ZT clients to see all the PCs and printers connected to the same network as the domain server (acting as the gateway)?

Think of it this way, the ZT client is a connection end-point for each machine, and plugs it into a virtual switch which can link all those endpoints. For you to route (bridge) an internal network you will need a machine to act in bridge mode, and also for it to be marked as a bridge in the zerotier controller. However, that is when you are briding a whole network into a zerotier switch, plus you need to sort out your routing. If you have clients on the same bridged network also linking into the same zerotier switch as the bridge, then things go south and it all falls over (this is the same as creating a loop on a normal network), so keep that in mind.

However, you can do routing using the bridging mode built into windows itself, and as long as the zerotier network is expecting a bridge and running in bridge mode, the it should work. However, I’ve not tested that beyond a physical network, so try a play one first. I think there was an answer to this I read on the net (it’s probably linked in an earlier answer on this forum.)

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.