Windows 10: Authenticating a user from a disparate domain over RDP

Discussion in 'Windows 10 Network and Sharing' started by Julian Mils, Feb 8, 2021.

  1. Authenticating a user from a disparate domain over RDP


    I have a Win10 work notebook which, many years ago, the desktop support guy set up so that I could RDP to the work notebook from my home computer. The reason for this is that the work notebook has a 14" screen and my home computer has 2x 28" screens so nuf said about that.


    The work notebook is not attached to a domain, yet we log into the work notebooks using our own Azure hosted domain credentials. It took the support guy a few tries to get it working but it works. I'm not too sure technically how this is set up tho.


    At home, I plug my work notebook into my home network and RDP from my home computer using my Azure credentials and I can log in and work away to my heart's content.


    Today I received the dreaded call that Desktop Support want to upgrade my work notebook by sending me a new one. That means hours of setting up my apps, preferences, connections, etc. I spoke to the support guy and told him about my RDP-from-home-computer setup and he was puzzled as to how it would work.


    So to help this guy out in order to set up the RDP function again, if I want to log via RDP into my work notebook using credentials from a domain to which my work notebook is not connected, how does the work notebook find the domain controllers to do the authentication?


    The work notebook is not on a domain, so it has a Public Connection as viewed in the Win10 Network Status, so there would be firewall settings to allow RDP over the Public network.

    :)
     
    Julian Mils, Feb 8, 2021
    #1
  2. changari Win User

    Raising the windows domain and forest issues?


    hi,

    I run a domain that was all 2003 r2 servers. I recently upgraded all my domain controllers to windows 2012 r2.
    That went off without any problems.. Our trust relationships had no issues also.

    My first step was to raise the Domain and Forest levels past 2003 to 2008. This went off without a hitch.
    These are the features for raising the levels to 2008:

    • Features and benefits include all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus:
    • Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database.
    • Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
    • Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

    Forest Level Windows Server 2008

    • Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.


    My next step is to raise the domain and forest to 2008 r2, then 2012, and finally 2012 r2. I have been trying to find out exactly what I could expect from raising the Domain and Forest for each step.

    The step involving 2008 r2 seems relatively a non issue. But getting the couple of new features seem very nice

    Domain Level Windows Server 2008 R2

    • All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus 2 new features

    Forest Level Windows Server 2008 R2

    • All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:


    • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. <== New Feature very cool
    • All domains subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

    Here are my big concerns for the next raising of domain and forest to 2012.

    Forest Level Windows Server 2012:

    • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
    • All domains subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

    Domain Level Windows Server 2012 R2: <=====
    Need to investigate more and why this post

    • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:


    • Authenticate with NTLM authentication <==============(what issues may arise)
    • Use DES or RC4 cipher suites in Kerberos pre-authentication
    • Be delegated with unconstrained or constrained delegation
    • Renew user tickets (TGTs) beyond the initial 4-hour lifetime


    Will this affect my exchange anywhere users with remote access authenticating either clear of NTLM???
    and what would/may not work properly day 1 when I raise the domain and forest to 2012. I can't really find anyone that can answer a straight question.

    Has anyone gone through this? what problems did you have, if any , if a lot???

    Any thoughts and suggestions will be much appreciated??

    thanks


    - - - Updated - - -

    One more point... I am not sure if I posted this to the correct forum.. So if I was wrong and it should be in a different one..
    PLEASE LET ME KNOW
     
    changari, Feb 8, 2021
    #2
  3. ZenMasta Win User
    User/Domain missing from RDP log

    I experienced a security issue today where I was logged out due to RDP session (while I was RDP'd). When I reconnected, someone was using the web browser. I pulled the plug on the ethernet and deleted my RDP rules on my router. As well as reset the windows firewall to only allow private networks.

    But now I'd like to see if I can figure out the IP that made those connections.

    If I drill down to

    Event viewer --> Microsoft --> Windows --> TerminalServices-RemoteConnectionManager, in TerminalServices-RemoteConnectionManager Operational, Event ID: 1149

    I do see several entries

    I see user/domain and an ipv6 address which I believe is my current ipv6 (it doesn't match exactly what I see when I ipconfig, but when I log out and reconnect it's the same in the event viewer)

    but then I see many other entries which have no user or domain, but have either an ipv4 or ipv6 (both which happen to be the pc I'm currently using)

    How can user authentication succeed but not log the user and domain?

    Is there any other item in event viewer that I can lookup to help find the intruding ip address?
     
    ZenMasta, Feb 8, 2021
    #3
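
The lookup described in the post above, as an added example that is not part of the thread: it reads user, domain and source address from the Param1, Param2 and Param3 fields of Event ID 1149 records and groups them by source address, counting the entries whose user field is empty. The function names are hypothetical and the sample events are constructed for illustration.

```powershell
# Added example: summarize RemoteConnectionManager Event ID 1149 by source address.
function ConvertFrom-Rdp1149Xml {
    # Hypothetical helper: one event's XML in, one flat record out.
    param([Parameter(Mandatory)][string]$EventXml)
    $e = ([xml]$EventXml).Event
    $p = $e.UserData.EventXML   # Param1 = user, Param2 = domain, Param3 = source address
    [pscustomobject]@{
        Time     = [string]$e.System.TimeCreated.SystemTime
        User     = [string]$p.Param1
        Domain   = [string]$p.Param2
        SourceIP = [string]$p.Param3
        Blank    = [string]::IsNullOrWhiteSpace([string]$p.Param1)
    }
}

function Get-Rdp1149Summary {
    # Groups records by source address; entries with no user are counted separately.
    param([Parameter(Mandatory)][object[]]$Record)
    $Record | Group-Object SourceIP | ForEach-Object {
        $named = @($_.Group | Where-Object { -not $_.Blank })
        [pscustomobject]@{
            SourceIP  = $_.Name
            Total     = $_.Count
            BlankUser = $_.Count - $named.Count
            Users     = @($named | ForEach-Object { "$($_.Domain)\$($_.User)" } | Sort-Object -Unique) -join ', '
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            LastSeen  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } | Sort-Object Total -Descending
}

# Constructed sample events (documentation addresses, made-up host and user names).
function New-SampleEvent($Time, $User, $Domain, $Ip) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>1149</EventID>" +
    "<TimeCreated SystemTime='$Time'/></System><UserData><EventXML xmlns='Event_NS'>" +
    "<Param1>$User</Param1><Param2>$Domain</Param2><Param3>$Ip</Param3></EventXML></UserData></Event>"
}
$sample = @(
    New-SampleEvent '2021-02-08T09:01:12Z' 'alice' 'DESKTOP-EXAMPLE' '192.168.1.20'
    New-SampleEvent '2021-02-08T09:40:03Z' ''      ''                '203.0.113.45'
    New-SampleEvent '2021-02-08T09:41:27Z' ''      ''                '203.0.113.45'
    New-SampleEvent '2021-02-08T10:05:00Z' 'alice' 'DESKTOP-EXAMPLE' 'fe80::1c2d:3e4f:5a6b:7c8d'
)
$records = $sample | ForEach-Object { ConvertFrom-Rdp1149Xml -EventXml $_ }
Get-Rdp1149Summary -Record $records | Format-Table -AutoSize

# On the RDP host, replace the constructed sample with the live log:
# $log = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
# $records = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1149 } |
#     ForEach-Object { ConvertFrom-Rdp1149Xml -EventXml $_.ToXml() }
```

Security log event 4624 with Logon Type 10 and the TerminalServices-LocalSessionManager Operational log (events 21 and 25) also record a source network address, so the addresses found here can be cross-checked against actual logons and session reconnects.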
  4. Authenticating a user from a disparate domain over RDP

    RDP between two W10 PRO without domain

    Hi SeyoS,

    Got it, thanks. Now, that's the issue. RDP only works using the local or domain users & not Microsoft account or any other Windows Hello authentication. Try to use the NET command to see your local username. On the PC you're trying to RDP to, search/open Command Prompt > type the command below & press Enter.

    NET USER

    I hope this helps. Let me know how you go. Thank you!

    Sincerely,

    Paul A.

    Independent Advisor
     
    Paul Abayon, Feb 8, 2021
    #4