Join Domain and Login over a VPN Connection

This is a tutorial on how to join a Windows computer to a domain over a VPN connection. Recently, I reinstalled Windows on my laptop, and now I need to connect to our domain from my home office and set up my domain profile.

In Windows 10 and 11, you can join your device to an Active Directory domain over a VPN. However, after joining, you need to restart the computer, and the first logon with a domain account requires a secure channel to a domain controller. The challenge is that, without an active VPN session, the computer cannot reach a domain controller, so you cannot authenticate or log in with your AD domain account.

There is a workaround to join a new Windows device to the domain over VPN:

  1. Log in to your device with a local administrator account;
  2. Configure the Windows VPN client and connect to your company VPN gateway;
  3. Join your Windows device to the Active Directory domain;
  4. (Optional) Add your domain account to the local admins group on your home device;
  5. Reboot your computer and log in with a local administrator account;
  6. Connect to the VPN and switch Windows user account;
  7. Sign in under your domain user account;
  8. Reconfigure your VPN connection to allow you to connect to VPN before logging into Windows.

How to Join a Windows Computer to a Domain over VPN

Log in to your computer using a local account with administrative privileges.

Create a new Virtual Private Network connection to your corporate VPN gateway.

  1. Open the “Windows Settings” → “Network & Internet”;
  2. Choose the “VPN” tab and click on “Add a VPN connection”;
  3. Fill in the fields as follows:
    “VPN Provider” → Windows (built-in);
    “Connection name” → any name you like;
    “Server name or address” → the FQDN or IP address of your corporate VPN server;
    “VPN type” → “Automatic” (or select the tunnel protocol manually);
    “Type of sign-in info” → User name and password.
  4. Click the “Save” button.
  5. Connect to your VPN gateway.

Join your computer to the AD domain

  1. Open the System Properties dialog by running the sysdm.cpl command;
  2. Click on the “Change” button on the “Computer Name” tab;
  3. Select the option “Domain”, type your AD domain name, and press OK;
  4. Enter the credentials of the user who is allowed to join the computer to the domain;
  5. Restart the computer.

Hint. You can also join your Windows device to an Active Directory domain using PowerShell:

Add-Computer -DomainName theitbros.com -Verbose
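
The script below is an added example, not code from the original article: it runs the checks a practitioner would want before a domain join over VPN (the VPN must provide DNS that resolves the domain's DC locator records, and at least one domain controller must answer on LDAP and Kerberos through the tunnel) and only then calls Add-Computer. The domain name and the join account are placeholders for your own environment.

```powershell
# Added example (not from the original article): pre-flight checks before joining
# a domain over VPN, followed by the join itself. Placeholders: the domain FQDN
# and the account allowed to join computers.
$Domain   = 'corp.example.com'          # placeholder: your AD domain FQDN
$JoinUser = "$Domain\join-account"      # placeholder: account permitted to join computers

function Test-DomainReachable {
    param([Parameter(Mandatory)][string]$DomainName)

    # 1. The VPN must hand out DNS that can resolve the domain's DC locator (SRV) records.
    #    Without them, Add-Computer fails before any credential is even used.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        Write-Warning "No DC locator (SRV) records for $DomainName; check the DNS servers assigned by the VPN."
        return $false
    }

    # 2. At least one DC must answer on LDAP (389) and Kerberos (88) through the tunnel.
    foreach ($record in $srv) {
        $dc   = $record.NameTarget
        $ldap = Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        $krb  = Test-NetConnection -ComputerName $dc -Port 88  -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($ldap -and $krb) {
            Write-Host "DC $dc is reachable on 389/88 over the VPN."
            return $true
        }
    }
    Write-Warning 'SRV records resolve, but no DC answers on 389/88; VPN routing or a firewall is blocking.'
    return $false
}

# Built-in Windows VPN profiles (per-user and all-user) report their state here;
# a third-party VPN client would not show up, so this is a warning, not a hard stop.
$tunnel = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
          @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue) |
          Where-Object ConnectionStatus -eq 'Connected'
if (-not $tunnel) { Write-Warning 'No built-in VPN profile reports Connected; the reachability checks decide.' }

if (Test-DomainReachable -DomainName $Domain) {
    $cred = Get-Credential -UserName $JoinUser -Message 'Account permitted to join computers to the domain'
    # -Restart reboots once the computer account exists. The machine comes back
    # without the VPN, which is why the next step logs in with a local account first.
    Add-Computer -DomainName $Domain -Credential $cred -Restart -Force -Verbose
}
```

Run it in an elevated PowerShell session while the VPN is connected. If the SRV lookup fails but the tunnel is up, the VPN is not pushing the corporate DNS servers; if the lookup succeeds but ports 389/88 are closed, the problem is routing or a firewall between the VPN pool and the domain controllers, not the join itself.
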

  1. Log in with local administrator credentials;
  2. Connect to the VPN again;
  3. Now add the domain user you will be using to the local Administrators group on the computer. You can add a domain user account to the local group by its SID.

Ask a colleague to look up the SID of your domain account with the following PowerShell command:

Get-ADUser M.Becker | Select-Object SID


You can now use PowerShell to add this account by its SID to the local Administrators group:

Add-LocalGroupMember -Group Administrators -Member S-1-5-21-2927053466-1818515551-2824591131-4101
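
The following script is an added example, not code from the original article. It resolves the domain account's SID locally while the VPN is up (the name translation is answered by a domain controller), falls back to a SID a colleague supplied if that fails, refuses anything that is not a domain account SID, and verifies the membership afterwards. The domain name, user name and fallback SID are placeholders.

```powershell
# Added example (not from the original article): grant a domain account local
# Administrators membership by SID, with sanity checks and verification.
# Placeholders: the NetBIOS domain name, the user name and the fallback SID.
$Domain   = 'corp'        # placeholder: NetBIOS domain name
$User     = 'M.Becker'    # placeholder: the domain user who will log in on this computer
$KnownSid = $null         # placeholder: paste the SID a colleague looked up if name resolution fails

function Resolve-DomainUserSid {
    param([string]$DomainName, [string]$UserName, [string]$FallbackSid)
    try {
        # Works only while the VPN is connected: a domain controller translates the name.
        $account = [System.Security.Principal.NTAccount]::new("$DomainName\$UserName")
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        if ($FallbackSid) { return $FallbackSid }
        throw "Could not resolve $DomainName\$UserName and no fallback SID was supplied: $_"
    }
}

function Assert-DomainSid {
    param([string]$Sid)
    # Account SIDs look like S-1-5-21-<domain>-<RID>. Reject well-known SIDs and SIDs
    # from this computer's own local domain so a typo cannot grant the wrong principal.
    if ($Sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { throw "Not an account SID: $Sid" }
    $localDomain = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value
    if ($Sid.StartsWith("$localDomain-")) { throw "SID $Sid belongs to this computer, not to the domain" }
}

function Add-DomainAdminBySid {
    param([string]$Sid)
    Assert-DomainSid -Sid $Sid
    # Add-LocalGroupMember errors out if the principal is already a member, so check first.
    $already = Get-LocalGroupMember -Group Administrators | Where-Object { $_.SID.Value -eq $Sid }
    if ($already) { Write-Host "$Sid is already a member of the local Administrators group."; return }
    Add-LocalGroupMember -Group Administrators -Member $Sid
}

$sid = Resolve-DomainUserSid -DomainName $Domain -UserName $User -FallbackSid $KnownSid
Add-DomainAdminBySid -Sid $sid

# Verify: the new member shows up with PrincipalSource = ActiveDirectory.
Get-LocalGroupMember -Group Administrators | Format-Table Name, SID, PrincipalSource
```

Note that adding the user by SID works even when the computer cannot display the account name yet; Windows shows the raw SID in the group until it can resolve it against a domain controller. Membership in the local Administrators group is a standing privilege on this computer, so only add it when the article's optional step 4 actually applies to you.
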

Then press CTRL+ALT+DEL and select the “Switch user” option.

Hint. If the Switch User option is missing, check the local GPO option Hide Entry Points for Fast User Switching under the following section: Computer configuration > Administrative Templates > System > Logon.

Enter your domain user credentials (use the domain\username format for the user name) and log in to the computer.

You are now logged in with your domain account on a domain-joined machine.

After you sign in for the first time, your domain user credentials are cached locally and you can sign in with your domain account even if the VPN is not connected.

Connect to VPN Before Signing in to Windows

You can use a more elegant solution that allows you to establish a VPN connection before the user logs in to Windows, without having to switch between local and domain accounts.

Suppose you’ve configured a VPN connection under the local user. These VPN connection settings are stored in the rasphone.pbk file in the user’s profile folder (%userprofile%\AppData\Roaming\Microsoft\Network\Connections\PBK). To make this VPN profile available to all users of the computer, copy the file containing the VPN connection settings to the public profile folder C:\ProgramData\Microsoft\Network\Connections\PBK.

    1. Copy the rasphone.pbk file manually using File Explorer, or with the following PowerShell command:
      Copy-Item $Env:USERPROFILE\AppData\Roaming\Microsoft\Network\Connections\PBK\rasphone.pbk $Env:ALLUSERSPROFILE\Microsoft\Network\Connections\PBK
    2. Log off Windows;
    3. On the Windows logon screen, click the Network Connections icon in the bottom right-hand corner of the screen;
    4. Enter the user credentials to connect to the VPN server;
    5. Your computer establishes the VPN tunnel, and you can now log in to Windows with your domain account.

To create a public VPN connection profile that is available on the Windows logon screen, you can also use the Add-VpnConnection PowerShell cmdlet with the AllUserConnection parameter enabled.

Add-VpnConnection -Name WorkVPN -ServerAddress vpn.theitbros.com -AllUserConnection -SplitTunneling -AuthenticationMethod MSChapv2 -TunnelType Automatic -EncryptionLevel Required -PassThru
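
The script below is an added example, not code from the original article, and it covers both of the approaches above: the all-user profile created with Add-VpnConnection and the one created by copying rasphone.pbk into the public phonebook. It creates the profile only if it does not already exist, warns when a per-user profile with the same name would shadow it, and then checks that the profile is present in the all-user phonebook that the logon screen reads. The connection name and server address are placeholders.

```powershell
# Added example (not from the original article): create the all-user VPN profile
# idempotently and confirm it is the one Windows offers on the logon screen.
# Placeholders: the connection name and the VPN gateway address.
$VpnName   = 'WorkVPN'            # placeholder
$VpnServer = 'vpn.example.com'    # placeholder: your corporate VPN gateway FQDN

function New-AllUserVpnProfile {
    param([string]$Name, [string]$ServerAddress)

    # A per-user profile with the same name is a common leftover from the first join;
    # warn so it is clear which profile the Network icon will use for this account.
    if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "A per-user VPN profile named '$Name' also exists in the current user's profile."
    }

    $existing = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "All-user profile '$Name' already exists; leaving it unchanged."
        return $existing
    }

    # No -RememberCredential: a profile reachable from the logon screen should prompt
    # for credentials every time rather than keep them stored on the computer.
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
        -AllUserConnection -TunnelType Automatic -EncryptionLevel Required `
        -AuthenticationMethod MSChapv2 -SplitTunneling -PassThru
}

function Test-AllUserVpnProfile {
    param([string]$Name)
    # The logon-screen Network icon lists profiles from the all-user phonebook only,
    # i.e. %ALLUSERSPROFILE%\Microsoft\Network\Connections\PBK\rasphone.pbk,
    # which is also where the manual Copy-Item step places the file.
    $pbk      = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Network\Connections\PBK\rasphone.pbk'
    $section  = "^\[$([regex]::Escape($Name))\]"
    $inPbk    = (Test-Path $pbk) -and (Select-String -Path $pbk -Pattern $section -Quiet)
    $inCmdlet = [bool](Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Name = $Name; InAllUserPhonebook = $inPbk; VisibleToAllUsers = $inCmdlet }
}

New-AllUserVpnProfile -Name $VpnName -ServerAddress $VpnServer | Out-Null
Test-AllUserVpnProfile -Name $VpnName
```

Both columns of the final object should read True; if only the phonebook check is True, the copied file exists but Windows has not parsed it yet (log off and back on, or re-create the profile with the cmdlet). Keep in mind that -SplitTunneling, as in the article's command, sends only traffic destined for the corporate network through the tunnel while everything else leaves via the home connection; whether that is acceptable is a policy decision for your organisation, and dropping the switch forces all traffic through the VPN.
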