DNS working intermittently for non-domain joined machines

Similar Messages

• Licensing for non domain joined machines

  Good Day
  would additional licensing be required to manage non domain joined machines or would this be covered by the current EA. can someone explain how licensing for the management of non domain machines would work?
  thanks
  daniel

  Hi,
  There is no difference if you don't want to license them differently and if that is possibly in you agreement, so you should contact you MS License reseller.
  You could buy a System Center Configuration Manager CAL if you want to manage it, that will only cover ConfigMgr and not Endpoint protection for instance. So you should really contact your reseller and see what is the most optimal solution for you company/organisation.
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Create a certificate for non domain-joined PCs

  We have a standard AD domain wit a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined
  PCs look to the CA to get their trusted certificate from.
  This is the issue I am encountering:
  Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
  However, when they are connected via VPN, they receive a certificate error and when I look in Certificate > Certification path, I can see that it says:
  "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
  When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
  "DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
  How can I create a certificate for these non-domain joined PCs so that I can import the certificate in the Trusted Root Certification Authorities store? Thank you!

  It sounds like the question you are really asking is :
  How do I designate the internal root CA as a trusted root CA
  Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt)
  This designates the root CA as a trusted root on the client. You also may want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building).
  Run Certutil -addstore CA IssuingCA.crt 
  Brian

• Direct Access for Non Domain Machines

  Hi,
  In My IT-infra, there is multiple machines that is out my Office network & Domain..
  Can we join these machines in domain via Direct Access implementation ? or for implementing Direct Access we required to join those non domain & out of office network machine to Domain first ?
  secondly, can we implement the Direct access without any public certificate purchase, and without any IPV6 configuring in internal network,machines and in servers .currently i am using IPv4  IP on all Machines & Servers.
  I have gone through the Direct Access Technet guide but i feel very complex document there ...can you please brief me about direct access implementation in simpale way, i want to implement direct access to join the internet based client machines  to
  domain and manage via/for SCCM ...
  Shailendra Dev

  Correct, DirectAccess clients must be domain joined. Also, only Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise clients are able to be DirectAccess connected, so that may also make a difference to your situation. I see many customers deploy
  DirectAccess for those Win7/Win8 domain-joined systems, and then make use of the traditional (RRAS) VPN on the same DirectAccess server for connecting any other operating systems or non-domain-joined machines. Those would just have to launch a manual VPN connection,
  where the DirectAccess connections are of course automatically connected.
  You don't "have" to use an SSL certificate that you purchased from a public CA, but you really should. It is definitely a best practice to use a trusted public certificate on your DirectAccess server. Further, if you have Windows 8 client computers,
  you don't even need to distribute the machine certificates inside your network, but it is also a best practice that you do this anyway, to strengthen the authentication process.
  No, you do not need IPv6 inside your network at all for DirectAccess to work.
  Sounds like you might be interested in some additional reading on DA, here are the two books available on the subject:
  https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting
  https://www.packtpub.com/networking-and-servers/windows-server-2012-unified-remote-access-planning-and-deployment

• Non-Domain joined clients connect to server initially but cannot connect via Launchpad

  Running SBS 2011 Essentials in a small office. Running XP/Vista/7 clients. All working fine until we swapped routers. Old router died, new router was installed. 
  Now all domain-joined PC's connect as normal, but all NON-Domain-Joined PC's cannot access the server via the launchpad. I get the "The server appears to be offline. Do you want to sign in to offline mode?" box. 
  Tried removing PC from the SBS Dashboard, uninstalling the connector from the client, restarting client, and reinstalling the connector. I can install the connector (using
  http://<server ip>/connect , but not http://<servername>/connect
  ). Connector installs but it still tells me the server is offline when trying to use dashboard or launchpad on the client.
  Note: I can add a network location or Map a network drive to ther server after inputting my network password from Windows.
  Any Services to check? Firewalls exceptions to ensure? Advice?
  EDIT: Dashboard on Server shows Client, sometimes as online, sometimes as offline. 

  Sounds like name resolution issue to me.
  Are all your clients set to use the IP of the Essentials Server for their primary DNS?
  Robert Pearman SBS MVP
  itauthority.co.uk |
  Title(Required)
  Facebook |
  Twitter |
  Linked in |
  Google+

• Non domain-joined Clients (CES/CEP)

  Hello Everyone!
  This is my first post to the security forum and it is not an overly familiar tech for me so please be gentle. :)
  I am looking at building a lab to test a web based application for a client.  The client has very stringent security requirements and as such have mandated the need for both the web server to be secured using SSL certs and requires the connecting
  users to have a certificate.  The infrastructure will be hosted in a central DC in it's own AD forest whilst the users connecting in will have their own AD as they work for different companies.  Each user will have an AD account within the hosted
  environment.  My initial thought was to provide public certs for the web servers but my problem was providing certificates to the clients.  Clearly using public certs would be very expensive.  After a bit of research I stumbled across the following:
  http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
  What I am trying to understand is, will the combination of Certificate services & CES/CEP effectively do away with the need for public certs in this instance?  Can I simply use the internal authority to publish certificates to the web server and
  to the end users?

  Yes - I think this is one of the scenarios CES/CEP have been developed for.
  End users would have to trust your internal CA and validate the chain, so intermediate CAs should be found via AIA URLs. But since you need user - not computer - certificates this is simpler than described in the article as users do not need to be local
  admins to import a root. (But on principle the admin of a user's home AD could restrict this though I have never encountered that.)
  You would need to publish the CES/CEP services via a reverse proxy and external users would have to configure the enrollment HTTP URLs and enter their AD credentials in the hosted AD when connecting.
  As users have imported your CA certificate they will also trust the web server's certificate issued from the same CA.
  Elke

• Exchange 2010 Autodiscocer for non-domain computers.

  Hello. I have problems with autodiscover for non -domain computers. Somebody can explain me in turn what i must do for configuration. 

  Hi,
  For your Non-domain joined clients, the Outlook would connect to Exchange mailbox from the Internet. We need to enable Outlook Anywhere for your external users:
  Enable-OutlookAnywhere -Server:Exch10 -ExternalHostname:mail.contoso.com
  -ClientAuthenticationMethod:Ntlm -SSLOffloading:$true
  For autodiscover service, when Outlook is started on a client that is not domain-connected, it first tries to locate the Autodiscover service by looking up the SCP object in Active Directory. Because the client is unable to contact Active
  Directory, it tries to locate the Autodiscover service by using Domain Name System (DNS). In this scenario, the client will determine the right side of the user’s email address, that is, contoso.com, and check DNS by using two predefined URLs. For example,
  if your email address is [email protected], Outlook will try the following two URLs to try to connect to the Autodiscover service:
  https://contoso.com/autodiscover/autodiscover.xml
  https://autodiscover.contoso.com/autodiscover/autodiscover.xml
  For more information about autodiscover service in Exchange 2010, please refer to:
  http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx
  Therefore, you don’t need to change any configuration for Autodiscover. Just make sure your Exchange certificate which is assigned with IIS service has included aotodiscover.contoso.com name and the certificate is valid and trusted for external
  user using. If not, please create a new SRV record for your autodiscover service and pointed to
  mail.contoso.com. For more information about SRV record of autodiscover, please click:
  http://support.microsoft.com/kb/940881
  Regards,
  Winnie Liang
  TechNet Community Support

• App-V 5 over https for non-domain clients

  Hello, Is this scenario possible?

  Hi,
  here's how I have it set in my lab. Your mileage may vary, but hopefully this should give you all the different components of how I managed to get it to work, and allow you to try something similar.
  Firstly, my publishing server is: HTTPS://CSC-APPV5.CSC.local:8016
  I have an application published through the app-v console, with the package URL configured to be:
  HTTPS://CSC-APPV5.CSC.local/APPVSHARE/Notepadplusplusx86/notepadplusplusx86.appv
  This is published to the AD group CSC.local\notepadplusplus, of which the user CSC.local\appvuser is a member of.
  On my Windows 8 non domain joined computer, Press Start, type "credential manager", and click on this option under settings.
  Click on "Windows Credentials", then click "Add a Windows credential".
  It will ask you for the Internet or network address. Based on the information I stated earlier, I entered the address: CSC-APPV5.CSC.local
  for User name, I entered: CSC.local\appvuser
  and lastly for password I entered the current valid credentials for this user.
  To test this, I then browsed to the publishing server mentioned above, but found that it still prompted me for a password (but remembered the user ID I had specified), and that the app-v client would not sync through powershell.
  I then added http://csc-appv5.csc.local into this devices local intranet zone (im sure you can avoid this step by adjusting a various number of settings, this was just the first quick test I performed).
  Browsing to the publishingserver address now no longer prompted for a username/pw - correctly showing the application published to this user. I then performed a restart (unlikely to be required, but I just wanted to have a clean run from a user perspective),
  and straight away, there was my shortcut to the appv application, and running it resulted in the normal streaming you would expect.
  The one thing I will add is I was very particular around fully quilifying everything, to eliminate this as a potential issue, and would be one of the first places I would start if you are attempting to troubleshoot why you were not able to get this to work.

• Windows Domain Controller certificate for non domain clients

  Hi,
  Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
  Regards

  Hi,
  Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
  Not sure that what you want to achieve here.
  However, yes, it is possible to export certificates (with private keys) from domain machines then import them to non-domain machines, and some certificates can even function well based on key usages. Please note that Domain Controller certificates are only
  meaningful to Domain Controllers. Possession of domain certificates doesn’t indicate machines are part of domain.
  Without joining a machine to a domain (or without a trust), the machine is always treated as untrusted by the domain members no matter what kind of certificates it holds.
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• RDP using Smartcard fails with NLA for non-domain members

  We have to administer Windows 2008 R2 servers which are in domains we are not members of - typically domains that support a particular application. We have DoD smartcards (CAC) and we admin from our Windows 7 desktops. If we disable NLA, we can CAC-authenticate
  over RDP just fine. With NLA enabled, though, we get "The remote computer you are trying to connect to requires NLA but your Windows domain controller cannot be contacted to perform NLA".
  My assumption would be that the Win7 desktops would never know where the particular ADCs are, since we're not domain members, but that they actually need to verify the DoD root cert that signed our CAC. Said root cert has been installed on our desktops and
  on the servers in the domains.
  What is necessary to get NLA with smart cards working for non-domain members?
  Edit: With NLA enabled I *can* connect over RDP from one of the domain members to another, so this really seems specific to the non-member desktop settings and how it performs NLA

  Hi,
  Thank you for posting in Windows Server Forum.
  If you use the credential SSP on Windows Vista or Windows 7 to log on with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel
  cannot be established without the root certification of the domain controller.
  You can use following command for adding certificate.
  certutil –addstore –enterprise NTAUTH <CertFile> 
  Where <CertFile> is the root certificate of the KDC certificate issuer.
  More information.
  Smart Card and Remote Desktop Services
  http://technet.microsoft.com/en-us/library/ff404286(WS.10).aspx
  Apart there is one Hotfix might resolve your case, go through beneath link once.
  RDS client computer cannot connect to the RDS server by using a remote desktop connection in Windows
  http://support.microsoft.com/kb/2752618
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Windows 2012 R2 ADRMS domain controller version and Non-domain-joined Mac Client with outlook 2011

  Hi,
  What is the AD version for Windows 2012R2 ADRMS?  Is it possible to have Windows 2003 R2 DC with Windows 2012R2 ADRMS?
  Any installation guide Non-domain-joined Mac Client with outlook 2011?
  What is the SQL version for Windows 2012R2 ADRMS?
  Please advise.  Thanks.
  Kelvin Teang

  Hi Kelvin -
  There is no RMS Client for Macs.  That functionality is actually provided through the Office for Mac application (this is different compared to the PC).  Domain-joined clients will autodiscover the RMS server and should be able to create and consume
  protected content.  Non-domain-joined clients cannot automatically discover their RMS server.  In this scenario, prepare a protected document or email from a domain-joined machine and send it to your non-domain-joined users.  They will open
  the document or email up and the URLs contained in the publishing license of the document will direct them to the correct RMS server. 
  I hope that helps!
  Micah LaNasa
  Synergy Advisors
  synergyadvisors.biz

• RemoteApp file associations for non-domain computers

  I have a customer with a simple AD domain, and some joined and some workgroup computers, all windows 8.1 pro. I want to connect them to my remote app service. We want to create a "default connection" for this remote app service, specifically for
  the file type associations. We tried using the default connection group policy, but credentials are a problem. The remote app service has its own domain. So the "default connection" created by the group policy is trying to use the local logon credentials.
  Is there a way to specify what default credentials are to be used for the remoteapp "default connection" using credential manager? Or is there a better way to accomplish remote app file type associations all together using non-domain joined Windows
  8.1 and 2012R2 remote app on a different domain?

  Hi,
  For your case, you can try the following way. You can create the RDP file as what you want and then publish that RDP file as RemoteApp with default user credentials. When non-domain joined system will get access to RD Web they will launch the RemoteApp as they
  are using the other apps, the RDP file App will first get connect to the RDS Farm server name which is displayed and try to resolve that name through gateway or any other method which is configured. Once got resolve it will use the default user credentials
  to connect to that user and then the user can use that RDP file to connect to the respective Server.
  Apart for file type association you can go through the detailed article for more information.
  Windows Server 2012 RemoteApp and Desktop Connections: Default Connections and File Type Associations
  http://blogs.msdn.com/b/rds/archive/2013/05/21/windows-server-2012-remoteapp-and-desktop-connections-default-connections-and-file-type-associations.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Problems connecting a non-domain joined outlook to exchange

  Hello,
  i'm having issues configuring outlook (be it 2007, 2010 or 2013 all fail the same) on non-domain joined computers in the LAN to a exchange 2013 server.
  I select manual config, in server we put "mail.domain.local" and user "domain\user" and it bounces with "cannot complete action, the connection to exchange is not available, outlook must be online".
  We tried with external full email address, nothing
  tried setting the outlook anywhere proxy, same, tried using ip address, same
  it simply refuses to configure.
  any ideaS?

  Hi,
  Generally, the external non-domain joined computers can connect to Exchange 2013 by using Outlook Anywhere and the Autodiscover service to auto-setup the Exchange account.
  If the auto-setup for Exchange account fails, please check the Autodiscover service and Outlook Anywhere configuration by the following command:
  Get-OutlookAnywhere | FL
  Directly access the following URL in IE respectively, and check whether an Error 600 returns:
  Https://autodiscover.domain.com/autodiscover/autodiscover.xml
  Https://mail.domain.com/autodiscover/autodiscover.xml
  Please make sure the the ExternalHostName parameter for Outlook Anywhere is configured to your external namespace for Exchange 2013 (for example: mail.domain.com).
  In Exchange certificate, please make sure the namespace mail.domain.com is included in your trusted certificate which is assigned with IIS service.
  For manual Exchange account setup, please run the following command to get the mailbox GUID for server name configuration:
  Get-Mailbox UserA | FL Identity,ExchangeGuid
  Then go to Control Pane > Mail to configure the Outlook profile. In Server Settings, import the [email protected] into the Server box and click Check Name to have a try.
  Regards,
  Winnie Liang
  TechNet Community Support

• Install AADSync on a Workgroup server (non-domain joined)

  Does anyone has experiences with installing AADSync on a non-domain joined server (workgroup). A company with multiple forests wants to have a "neutral" server for the identity synchronisation. It looks like the tool is installing fine, but can
  there be some configuration issues?

  This is supported.  See here:
  "Your computer can be stand-alone, a member server or a domain controller. "
  ref: http://msdn.microsoft.com/en-us/library/azure/dn757602.aspx
  Mike Crowley | MVP
  My Blog --
  Planet Technologies

• Change default key size on non Domain joined CA.

  Hello,
  I have one standalone non domain joined CA I would like to change the default key size of all issued certs to 2048.  Since it is a stand along, there are no AD template to modify.  Can this be changed in the registry?
  Shawn

  CAPolicy.inf is the way to go.
  See the following thread
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/ce001d8f-c722-4429-83cb-328b92876292/how-to-change-root-certificate-keys-length-and-validity-period?forum=winserversecurity
  Hth, Anders Janson Enfo Zipper