question

BrianWoolf-2963 avatar image
BrianWoolf-2963 asked ·

Cannot connect to DC through OpenVPN

We need to connect 250 PC's to a cloud DC. When I connect the Azure VPN client it works normally however the Azure VPN has no practical way to connect before login, making it insufficient for a DC connection.

When I connect through OpenVPN the connection succeeds but I cannot connect to the DC.

azure-active-directoryazure-ad-domain-services
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

ShashiShailaj-MSFT avatar image
ShashiShailaj-MSFT answered ·

Hello @BrianWoolf-2963 ,

I understand that you are trying to connect to a Domain controller which is in the cloud. I assume that you have a Azure Virtual machine which is setup as a Domain controller and you have Azure VPN client on every machine which is trying to connect to Azure DC .

The first thing to start the troubleshooting will be to check why the Azure VPN client is failing. You could either be using Point to site(where users are at different remote locations) or site to site VPN configuration (with additional device in case all machines are in one single physical office). In order to troubleshoot point to site connection for azure VPN client , I would suggest you to check the point to site connection issues article and try to troubleshoot accordingly . Please check the site to site connection troubleshooter in case you are using a site to site VPN setup and troubleshoot accordingly.

The next thing to check would be if the Network security settings by using NSG which is associated with the gateway subnet where our Cloud Domain controller is mapped are correct . The NSG traffic rules must be confirming to the standard port requirements for an active directory services environment.

Once we are sure that the VPN is working fine and the Network security rules are properly setup we will check if the DNS connectivity and DC discovery is possible using current DNS setting. You need to point the client machines to a DNS server which has all the relevant Active directory domain dns zone where we would like our clients to connect to .

nslookup -type=srv _ldap._tcp.dc._msdcs.contoso.com DNS-IP-Address

If you get a proper reply then the records are present in the DNS and the machine is able to reach the DNS server . You would then need to check if the CLDAP ping to the DC is succeeding or not . this is a LDAP connection by client to DC over UDP 389 . After this the authentication starts. If you reach till this point after troubleshooting then you will need to take a network trace and analysis of network trace can provide some more clarification.

In all probability the issue is of Domain controller discovery . You can check the netsetup log(%windir%\debug) in case you are trying to join them to the domain for the first time and if they are already joined to domain then you will need to start with checking the VPN connection as suggested above. The machines may not be able to reach to the DNS after openVPN succeeds.

I would generally recommend against this kind of AD infrastructure. I am not sure what kind of local LOB applications you run within your local environment . If you have remote workers , I would suggest you to use active directory and update all client machines to windows 10 latest . Then you can manage these using Intune if you have a corresponding Microsoft 365 license . M365 business ouwld be great if you are a small business. But yeah if you have legacy applications which rely on Kerberos , NTLM authentication , then you may have to move those to the cloud enable Azure AD domain services on your azure AD tenant and join the application server to Azure AD domain services instance. All of this has different costs associated with it but the ease of management that it brings would be huge and a YoY return on investment would be higher than running and managing a Active Directory Domain controller in the cloud. If you do not have any legacy application which you use in-house as LOB(line-of-business) applications , then you can migrate to Azure AD only setup completely without an issue as they would all support modern Auth protocol like oAuth and users can use a browser to logon to them without any issue. But I do not have complete information about your information ad I agree that you may have other considerations too which I am not aware of. But I hope the above information provides you definite idea on how to troubleshoot the existing issue.

Hope the above information helps. I have linked some articles as they have better explanation and it may take some time but I suggest you to check them out to understand more. In case the information in the post is helpful to you , please accept this as answer so that it is helpful to other members of the community and the relevancy of this answer improves.

Thank you.


1 comment Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Azure AD works fine to connect and get to the AD server. The problem is Windows 10 always on VPN is very difficult to deploy.

OpenVPN connects but I cannot reach the AD server. They are both connecting to the same Gateway under the same virtual network.


We have moved permanently to work from home and I need to manage the individual PC's group policy (passwords, timeouts, disk encryption, scanning, etc.). We are every open to the best ways to do this.

0 Votes 0 · ·