Howto Dial VPN Connection before Logon
June 22nd, 2006
This is a common problem IT administrators face when a member server or workstation can reach its Domain Controller only via a VPN connection. We need the VPN connection to be established before logon time, so the member server can authenticate against its Domain Controller; otherwise (unless we have cached credentials) we’ll get a “No Domain Controller Could Be Contacted” error message.
Here I present a solution I’ve used on a Windows 2003 member server. These steps are easily extended to accomplish the same task on a Windows 2000/XP system.
Step 1: Create a command line that establishes the VPN connection
I’m assuming that you have already created the VPN connection and that it works properly when you dial it manually, so we will focus only on its automation.
We will use the rasdial command to accomplish this first step. Run the following command in a Command Prompt window and check that it successfully establishes the VPN connection:
rasdial ConnectionName Domain\VPNUser Password
For example:
rasdial Southworks-HQ EXTRANET\beto p@ssw0rd
If that command line succeeds, you can move forward to the next step.
Step 2: Wrap the Command-Line as a Service
The best approach for any task that must run before logon time is to use a Windows Service. You can wrap any command line as a Windows Service using the XYNTService tool provided by The Code Project.
Once you have downloaded the GUI program to configure XYNTService, use it to wrap the command line created in Step 1 as a Windows Service. You should get to something like this:
When you click the Install button, your service will be listed like any other service in the Services snap-in.
Now run a quick test. When you start your service (from the Services snap-in), the VPN connection should be established.
Note: The service runs under the Local System account, and depending on your configuration this account may not have sufficient rights to establish the VPN connection; in that case, consider running the service under another account with higher privileges. And, of course, check that your service is configured for Automatic startup.
Step 3: Setting service Dependencies
We already have our service created. Now we need it to start at the proper time when Windows starts.
Q: How can you control the startup time of any Windows Service?
A: Adding a dependency.
For our service it’s enough if we guarantee that it will start after the LanmanWorkstation Windows Service, so we can ensure that we have network connectivity and the NetLogon service has not yet started.
Adding a dependency just means creating a registry Multi-String value in the proper registry key. Open Regedit and find the registry key that holds your service configuration, which should be located at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<<ServiceName>>
Under that key, create a Multi-String value named “DependOnService” and edit the value, adding the string “LanmanWorkstation”. This creates a dependency for your service on the LanmanWorkstation service.
That’s all. Restart your computer and your VPNDialService will dial the VPN connection before logon time, so you can now log in using a domain account.
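The registry edit from Step 3 can also be scripted and checked. The following PowerShell is an added example, not part of the original post; it assumes the wrapper service was installed under the name VPNDialService used above and that it is run from an elevated prompt. It keeps any dependencies already present and reports the startup type and service account mentioned in the Step 2 note.

```powershell
# Added example (not from the original post).
# Assumption: the wrapper service is named VPNDialService; change it to match yours.
$ServiceName = 'VPNDialService'
$Dependency  = 'LanmanWorkstation'
$KeyPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

if (-not (Test-Path $KeyPath)) {
    throw "Service key not found: $KeyPath (install the wrapper service first)"
}

# Read the current DependOnService entries, if any, so they are preserved.
$current = @()
$prop = Get-ItemProperty -Path $KeyPath -Name DependOnService -ErrorAction SilentlyContinue
if ($prop) { $current = @($prop.DependOnService) }

if ($current -contains $Dependency) {
    Write-Output "$ServiceName already depends on $Dependency"
} else {
    # MultiString corresponds to the Multi-String (REG_MULTI_SZ) value in Regedit.
    [string[]]$updated = $current + $Dependency
    Set-ItemProperty -Path $KeyPath -Name DependOnService -Value $updated -Type MultiString
    Write-Output "Added $Dependency to DependOnService for $ServiceName"
}

# Start = 2 is Automatic startup; anything else will not run the service at boot.
$start = (Get-ItemProperty -Path $KeyPath -Name Start).Start
if ($start -ne 2) {
    Write-Warning "Start value is $start; set the service to Automatic (2)"
}

# Show the values the Service Control Manager reads at the next boot:
# the dependency list, the startup type, and the account the service runs as.
Get-ItemProperty -Path $KeyPath |
    Select-Object DependOnService, Start, ObjectName |
    Format-List
```

The dependency takes effect at the next restart, as described above.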
Hope that helps!!
