Install Connector and Skip Domain Join


50 replies to this topic

#1 Drashna (WGS)

Drashna (WGS)

    HSS Champion

  • Members
  • 427 posts

Posted 06 September 2012 - 01:26 AM

Article here: http://social.techne...f5-8f8d030a7c13
Quoted for ease

This post describes a temporary solution that allows client computers to connect to Windows Server 2012 Essentials without joining the Windows Server 2012 Essentials domain. Please read the following Notes carefully before you take any actions.

Description


When deploying Pro/Enterprise/Ultimate Windows client computers in a Windows Server 2012 Essentials network, joining the Windows Server 2012 Essentials domain is mandatory. If the client computer is already joined to another domain, you are required to manually leave the existing domain; otherwise, the client deployment process will be blocked.

Currently we have received requests from customers asking for the option to skip domain joining in a client deployment. As a result, in this article we provide a solution so that the client can connect to the server and utilize the majority of client features without joining the domain.
Before you take any action, please read the following note.

Note:

If you skip joining the domain, the following areas will be impacted:

• All features that require that you be joined to the domain will not be available, including domain credentials, Group Policy, and VPN.
• Any third-party add-ons and applications that require that you join the domain will not be working properly.
• Skipping domain joining in an off-premises client deployment is not supported.
• This solution is only supported on the following Windows client versions:

  • Windows 7 Professional
  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows 8 Pro
  • Windows 8 Enterprise

To skip joining the domain during a client deployment


1. On your client computer, go to Start and search for command prompt "cmd".
2. In the search results, find cmd.exe and run it as administrator.
3. Type the following at the command prompt:
reg add "HKLM\SOFTWARE\Microsoft\Windows Server\ClientDeployment" /v SkipDomainJoin /t REG_DWORD /d 1
4. Complete the steps in the Connect Computers to the Server Help topic.
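As an added example (not from the TechNet article or from anyone in the thread), the same registry change done from PowerShell with the article's preconditions checked first. It assumes an elevated Windows PowerShell prompt on the client; the function names are mine.

```powershell
# Added example, not from the TechNet article or the thread: sets the
# SkipDomainJoin value only after checking the preconditions the article
# lists. Run from an elevated Windows PowerShell prompt on the client.
# Uses Get-WmiObject so it also runs on the Windows 7 editions listed.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows Server\ClientDeployment'
$SupportedEditions = @(
    'Windows 7 Professional', 'Windows 7 Enterprise', 'Windows 7 Ultimate',
    'Windows 8 Pro', 'Windows 8 Enterprise'
)

function Test-SkipDomainJoinPreconditions {
    # Edition check: the article supports the setting only on these SKUs.
    $os = Get-WmiObject Win32_OperatingSystem
    $edition = $SupportedEditions |
        Where-Object { $os.Caption -like "*$_*" } | Select-Object -First 1
    if (-not $edition) {
        Write-Warning "Edition '$($os.Caption)' is not in the supported list."
        return $false
    }
    # A client already joined to another domain must leave it first,
    # otherwise the client deployment process is blocked.
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Write-Warning "Computer is joined to domain '$($cs.Domain)'; leave it before deploying."
        return $false
    }
    return $true
}

function Set-SkipDomainJoin {
    # Equivalent of the article's command:
    #   reg add "HKLM\...\ClientDeployment" /v SkipDomainJoin /t REG_DWORD /d 1
    if (-not (Test-SkipDomainJoinPreconditions)) { return }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'SkipDomainJoin' -PropertyType DWord -Value 1 -Force | Out-Null
    $value = (Get-ItemProperty -Path $KeyPath -Name 'SkipDomainJoin').SkipDomainJoin
    Write-Host "SkipDomainJoin is now $value; continue with the Connect Computers to the Server steps."
}

function Remove-SkipDomainJoin {
    # Undo: clear the value once the client is connected, so a later
    # deployment on this machine does not silently skip the domain join again.
    Remove-ItemProperty -Path $KeyPath -Name 'SkipDomainJoin' -ErrorAction SilentlyContinue
}

Set-SkipDomainJoin
```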



#2 ikon

ikon

    HSS Genius

  • Donating Member
  • 8,530 posts

Posted 06 September 2012 - 07:19 AM

Doesn't apply to me, but this could be useful for people who bring work domain-joined computers home and want to access their personal WSE2012. I wonder if it would permit backing up the client to the WSE2012?

And just what does "Skipping domain joining in an off-premises client deployment is not supported." actually mean?

If at first you don't succeed, do it like your mother told you.


#3 Drashna (WGS)

Drashna (WGS)

    HSS Champion

  • Members
  • 427 posts

Posted 06 September 2012 - 12:54 PM

Doesn't really apply to me other than my parents computer, but it's nice to have the option.

And no idea what that was supposed to mean.

Sent from my HTC Sensation 4G using Tapatalk 2

#4 Andne

Andne

    HSS Star

  • Members
  • 70 posts
  • Location: Iowa

Posted 06 September 2012 - 01:31 PM

One of the new features I remember seeing for WS2012E is the ability to join a client computer without being on the same network. I'm guessing that it refers to it.

See the bullet-point Remote Client Join and Connection Monitoring.

http://windowsteambl...-available.aspx

#5 no-control

no-control

    HSS Elite

  • BYOB Podcasters
  • 1,740 posts
  • Location: SoCal

Posted 06 September 2012 - 03:24 PM

Doesn't apply to me, but this could be useful for people who bring work domain-joined computers home and want to access their personal WSE2012. I wonder if it would permit backing up the client to the WSE2012?


I still cannot fathom why anyone would want their work PC to access anything other than wifi. Even still, once on the LAN, presumably via a separate network profile (home), couldn't you just browse via the network to the server and use credentials to access shares?

And just what does "Skipping domain joining in an off-premises client deployment is not supported." actually mean?


An off-prem domain join is just when a computer is configured to join a domain without actually contacting a DC. Try it out ;) djoin.exe


Doesn't really apply to me other than my parents computer, but it's nice to have the option.


But do your parents really care if they are on a domain or not? Would they even notice? Would they pay $425 over the $50 for 2011?

To me this would create a huge hole in the security of the network. That may be a little extreme, but at the very least now you have a system(s) that have none of the benefits of AD/GP and all of the hassles of setting up Share and NTFS permissions in the ACL. No thanks, I'll take the simple check box interface of 2012e and a domain. For the end user, especially the tech ignorant, only the logon is an issue, and let's be honest: EVERYONE, regardless of how clueless they are, should be required to logon with a base level password.
VISIT MY NEW BLOG

Main Rig - i3-3225, H60, ASRock H77 mITX, 8GB G.Skill RJX, R6970 Lighting, 256GB M4 SSD, WD 500GB, Seasonic x650, CM Elite 210, Dell U3011 w/ 2x 2007fp PLP - W7 -|-
HTPC - G620, Big Shuriken, ASRock H77M , 4GB OCZ, 128GB G.Skill Falcon, .5TB WD CB, Sony BD-R, Corsair CX400, LianLi C37B - W7 -|-
VM Server - i3-3220, Z77-D3H, 32GB G.Skill, 250GB OS, 3x3TB WD GP R5, 4x300GB WD VR R0, Corsair CX430, Fractal R3 - WS2012 -|-
Lenovo Yoga 13 | Surface RT | HTC Titan
Find me on the internet

#6 Andne

Andne

    HSS Star

  • Members
  • 70 posts
  • Location: Iowa

Posted 06 September 2012 - 03:39 PM

For a general purpose PC, I agree that logons should be required. For my media center PC, I don't want a logon. I (finally) have a remote to use the media center, and want to be able to turn it on and have media center start up. I have auto-logon enabled on that computer in order to make this happen. That said, the auto-logon account is a specific account for media center usage that can't actually modify anything on the network. It has read-only access to those file shares that it uses, and even those are only the shares that have media on them - my documents folder, software folder, etc... do not allow that account to access them. While this means that I have to log out and log into my account in order to install new versions of MyMovies, I can live with that requirement. This may mean that my environment is slightly less secure, but I think that only having a very limited account allowing this is still secure enough for my needs, compared to enabling guest access on several of my shares in order to let the media center PC contact them to play movies and such.
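As an added example (not Andne's setup and not from the thread), here is what that read-only media account split looks like when done with plain NTFS and SMB permissions on the Server 2012 Essentials box, plus a check that the account really cannot write. Assumed names: domain ESSENTIALS, account mediacenter (already created through the Dashboard), folder D:\Shares\Media; the Dashboard's own share wizard is not used.

```powershell
# Added example, not from the thread: publishes a media share that a dedicated
# auto-logon account can only read. Run in an elevated prompt on the server.
$Domain    = 'ESSENTIALS'           # assumed NetBIOS domain name
$Account   = "$Domain\mediacenter"  # assumed account, created via the Dashboard
$SharePath = 'D:\Shares\Media'      # assumed folder
$ShareName = 'Media'

function New-ReadOnlyMediaShare {
    if (-not (Test-Path $SharePath)) {
        New-Item -ItemType Directory -Path $SharePath | Out-Null
    }
    # NTFS: read/execute only, inherited by files (OI) and subfolders (CI).
    icacls $SharePath /grant "$($Account):(OI)(CI)RX" | Out-Null
    # Share level: read for the media account only; no Everyone entry.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess $Account | Out-Null
    }
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force `
        -ErrorAction SilentlyContinue | Out-Null
}

function Test-MediaAccountIsReadOnly {
    # $true when the share grants the account Read only and the NTFS ACL
    # carries no write-capable right for it; both layers must agree.
    $share = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq $Account }
    $shareReadOnly = $share -and -not ($share |
        Where-Object { $_.AccessRight -ne 'Read' })
    $ntfs = (Get-Acl $SharePath).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account }
    $ntfsReadOnly = $ntfs -and -not ($ntfs | Where-Object {
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|Delete' })
    return [bool]($shareReadOnly -and $ntfsReadOnly)
}

New-ReadOnlyMediaShare
Test-MediaAccountIsReadOnly   # expect True
```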

#7 jmwills

jmwills

    HSS Genius

  • Donating Member
  • 5,093 posts
  • Location: Huntsville, AL

Posted 06 September 2012 - 03:45 PM

Okay, you are going to be in a Domain, so create a special OU for the HTPCs and apply a group policy that weakens the default password policy and apply it to that OU. No other machines will be affected.
Windows 7 Desktop - Antec 100 Case, Intel D8H67BL, OCZ 550W PSU, Intel i3-530 CPU w/16GB G-Skill DDR3 1333 RAM
Server 2012 - Fractal Arc Midi, CoolerMaster M600 PSU, ASUS P8H67V, Intel i5-2500 CPU w/32GBG-Skill DDR3 1333 RAM, 90 GIG OCZ SSD OS Drive – Roles: Hyper-V (WHS-SharePoint-DC-SQL-Exchange-WSE 2012), Print Server - Rocket RAID 2720 5x2TB
HTPC Build - Silverstone GD05 Case, ASUS P7H55-M PRO, CoolerMaster M600W PSU, Intel i3-530 CPU w/4GB G-Skill DDR3 1333 RAM. OCZ 60GB SSD Drive for the OS with a 120GB WD 2.5" Blue drive for data storage.
Travel Laptop: Dell XPSL502X 15.6"

#8 Drashna (WGS)

Drashna (WGS)

    HSS Champion

  • Members
  • 427 posts

Posted 06 September 2012 - 03:47 PM

But do your parents really care if they are on a domain or not? Would they even notice? Would they pay $425 over the $50 for 2011?

As I live with my parents (due to various financial/medical issues), no, they don't care about what it's connected to. The only thing they care about is being able to log into their computer easily. Which is why I wouldn't want it joined to a domain in the first place. As for would they notice? Definitely. Both of my parents have suffered minor strokes. Any big changes would have them confused for weeks, if not months. Not to mention, trying to get them to use, let alone REMEMBER a secure password. I'm just happy the wife actually does.

Also, for HTPCs, it's important. If you're one of those weirdos that still uses Windows Media Center and extenders... joining a domain will break the Extender sessions. Unless you want to get into some really heavy GPO stuff, or just add the media center to the Domain Controller OU. While I'd personally create a new OU and set a new GPO for it, not everyone will want to do this or even know how to. While MSFT is basically backtracking and saying that 2012 Essentials isn't meant to be a "Home Server", they've sure made it very "home friendly". (eg, media streaming)

To me this would create a huge hole in the security of the network. That may be a little extreme, but at the very least now you have a system(s) that have none of the benefits of AD/GP and all of the hassles of setting up Share and NTFS permissions in the ACL. No thanks, I'll take the simple check box interface of 2012e and a domain. For the end user, especially the tech ignorant, only the logon is an issue, and let's be honest: EVERYONE, regardless of how clueless they are, should be required to logon with a base level password.

I'll agree with the AD part. But as for the shares? Seriously? Just make sure the computer uses the same username and password as an account on the domain (or vice versa) and it will work just fine. I was running WHSv1 with AD for years and it worked like that. And I'm running my HTPC not joined to the SBSe2011 domain and it works just fine.

Other than no GPOs, I don't really see the issue for a home user.

Okay, you are going to be in a Domain, so create a special OU for the HTPC's and apply a group policy that weakens the default password policy and apply it to that OU. No other machines will be affected.

It's more than that. If you use Media Center and extenders, you have to change logon rights and a few other policies to get the extender session to even work. The Domain Controller OU works, but that's not really a great idea....

#9 jmwills

jmwills

    HSS Genius

  • Donating Member
  • 5,093 posts
  • Location: Huntsville, AL

Posted 06 September 2012 - 05:07 PM

With GPOs, you can basically turn those HTPCs into workgroup-mimicking machines. Autologons, no password policies, etc.

I prefer not to hack something just to beat a system....work with what is there. But everyone is different

#10 ikon

ikon

    HSS Genius

  • Donating Member
  • 8,530 posts

Posted 06 September 2012 - 09:22 PM

Thanks for the interesting debate guys. Lots of good points of view to consider.



#11 Jason

Jason

    HSS Champion

  • Members
  • 449 posts
  • Location: Bentonville, AR

Posted 06 September 2012 - 10:27 PM

Does Remote Join on WSE2012 mean a client PC with connector installed can securely backup to a remote WSE2012 server over the Internet? Currently I use LogMeIn Hamachi 2 on family PCs out of state to accomplish this with WHS2011.

#12 jmwills

jmwills

    HSS Genius

  • Donating Member
  • 5,093 posts
  • Location: Huntsville, AL

Posted 07 September 2012 - 03:47 AM

That does appear to be the case or at least "connect to the server".

#13 ikon

ikon

    HSS Genius

  • Donating Member
  • 8,530 posts

Posted 07 September 2012 - 08:13 AM

OK, now that would definitely be a new feature. It would be brutal on my bandwidth cap, but it would also be pretty cool.



#14 jmwills

jmwills

    HSS Genius

  • Donating Member
  • 5,093 posts
  • Location: Huntsville, AL

Posted 07 September 2012 - 08:39 AM

Almost seems to be a "poor man's VPN"

#15 ikon

ikon

    HSS Genius

  • Donating Member
  • 8,530 posts

Posted 07 September 2012 - 09:08 AM

I'm sure you're right, in that I'll bet it uses VPN technology to establish the connection. However, it seems like it might have the advantage that it's way easier to use (i.e. set up) than standard VPN.



#16 Jason

Jason

    HSS Champion

  • Members
  • 449 posts
  • Location: Bentonville, AR

Posted 07 September 2012 - 12:48 PM

I'm sure you're right, in that I'll bet it uses VPN technology to establish the connection. However, it seems like it might have the advantage that it's way easier to use (i.e. set up) than standard VPN.


I agree with ikon. This will be pretty cool if it works. Speaking of "poor man's VPN", I currently run the LogMeIn Hamachi 2 VPN client on my WHS 2011 VM in a hub-and-spoke configuration and back up family PCs to my WHS via the internet w/ encryption. Sure, it's not military grade, but it maintains a constant tunnel connection and backs up automatically as if the client PC resided in the house on my home LAN.

#17 tinkererguy

tinkererguy

    HSS Pro

  • Donating Member
  • 231 posts
  • Location: Connecticut

Posted 07 September 2012 - 09:16 PM

Tried em both, and yeah, the VPN built in is amazingly easy!

So if the above tweak to keep from joining the domain means permanently losing VPN access capabilities, then yes, instead, I'd say I'll stick with this procedure (particularly for media center autologon PCs and test VMs in a lab):
  • installing the connector
  • reboot
  • choosing this user only, saying no to migrating user data
  • then on first login, go right back to COMPUTERNAME\username and password for local login
  • go to System, Change, re-join the workgroup instead of the domain
  • double-check that the domain join didn't hard code the Windows Server 2012 IP as your DNS (while leaving the IP as DHCP), this can be a problem if you're trying to install remotely (and lose connection after reboot)
  • reboot
Then you're all set, no side-effects, all the functionality (VPN, network shares, backups, etc).

After installing the connector and rebooting, just click on your network icon in the taskbar, then click on the name.remotewebaccess.com item to connect the VPN, no password prompt, it just works. But haven't gotten it to autostart yet, if that's easy enough, then it could become a replacement for my multi year success with Hamachi VPN. I did notice that the remote PC can only get to/ping the Windows Server 2012 Essentials server. This means you can't access other network resources from the remote PCs, which is a good thing or a bad thing, depending upon your needs/wishes.
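As an added example (not tinkererguy's script, nor anything from the thread), a check to run on the client after the workgroup re-join steps above: it reports whether the PC is back in a workgroup and whether the join left a hand-set DNS server on a DHCP adapter, the case the post warns can cut a remotely installed client off after reboot. The server address passed in is an assumed placeholder.

```powershell
# Added example, not from the thread: audits a client after re-joining the
# workgroup. Uses WMI so it also runs on the Windows 7 clients the article covers.

function Get-JoinState {
    $cs = Get-WmiObject Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName = $cs.Name
        PartOfDomain = [bool]$cs.PartOfDomain
        Name         = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
    }
}

function Find-StaticDnsOnDhcpAdapters {
    param([string]$ServerIP)  # assumed: LAN address of the Essentials server
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DHCPEnabled } |
        ForEach-Object {
            # Static DNS is stored in NameServer; DHCP-supplied servers go in
            # DhcpNameServer. A non-empty NameServer on a DHCP adapter means
            # somebody (or the domain join) hard coded it.
            $regPath = Join-Path $ifRoot $_.SettingID
            $static  = (Get-ItemProperty -Path $regPath -Name NameServer `
                        -ErrorAction SilentlyContinue).NameServer
            if ($static) {
                [pscustomobject]@{
                    Adapter        = $_.Description
                    StaticDns      = $static
                    PointsToServer = (($static -split '[ ,]+') -contains $ServerIP)
                    Config         = $_
                }
            }
        }
}

function Reset-DnsToDhcp {
    param($Finding)  # one object returned by Find-StaticDnsOnDhcpAdapters
    # Calling SetDNSServerSearchOrder with no server list hands DNS back to
    # DHCP. ReturnValue 0 = done, 1 = done but a reboot is required.
    return $Finding.Config.SetDNSServerSearchOrder().ReturnValue
}

# Usage (server address is an assumed placeholder):
Get-JoinState
Find-StaticDnsOnDhcpAdapters -ServerIP '192.168.1.10' |
    Format-Table Adapter, StaticDns, PointsToServer
```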

#18 no-control

no-control

    HSS Elite

  • BYOB Podcasters
  • 1,740 posts
  • Location: SoCal

Posted 07 September 2012 - 11:48 PM

@ Drashna while I quoted your posts for purposes of discussion, I was answering in a general way. Not addressing your specific situation. There will always be special circumstances.

For everyone else.....in general ;)
I'm still failing to understand the need to have every PC on your network in the domain. An HTPC can live outside of the domain and access the shares by using a user name and password for those shares. You can still auto logon (or not use a logon at all). HTPCs are specialized PCs; once it's working, create a backup image and enable System Restore. More than enough disaster recovery.

If you just HAVE to have it in the domain, I'm with jmwills on this: use GPO and an HTPC OU to control the behavior.

Better yet why do you guys even want this product on your network if you don't want to deal with a domain? Someone explain this logic to me?

Does Remote Join on WSE2012 mean a client PC with connector installed can securely backup to a remote WSE2012 server over the Internet? Currently I use LogMeIn Hamachi 2 on family PCs out of state to accomplish this with WHS2011.


No it does not. I said JOIN a domain, not CONNECT. Very different, it's not a VPN. Normally when you want to join a computer to a domain you need to have it turned on and have network access to the domain controller. Offline domain join allows you to join the domain without a connection to the DC. It's a bit of a moot point since WS2012e doesn't support this feature anyway. Read more here.

Edited by no-control, 07 September 2012 - 11:50 PM.


#19 ikon

ikon

    HSS Genius

  • Donating Member
  • 8,530 posts

Posted 08 September 2012 - 08:56 AM

No it does not. I said JOIN a domain, not CONNECT. Very different, it's not a VPN. Normally when you want to join a computer to a domain you need to have it turned on and have network access to the domain controller. Offline domain join allows you to join the domain without a connection to the DC. It's a bit of a moot point since WS2012e doesn't support this feature anyway. Read more here.


Ah. So NOT a new feature then. Oh well, nice idea; maybe some day.



#20 Jason

Jason

    HSS Champion

  • Members
  • 449 posts
  • Location: Bentonville, AR

Posted 24 October 2012 - 10:32 AM

If you elect to install the connector on a client PC and skip the domain join step, is it possible to go back and manually join that client PC to the WS2012e domain, or must you uninstall and re-install the connector to do this?

I currently have a remote client PC on which I've already installed the connector that is NOT currently on the domain. Am trying to avoid having to re-install connector and reset my client backup for this PC if possible. Thanks.
