domains and sites and routers oh my

  • #1

    I am planning to set up AD in my company, and would like a little clarification if anyone can help.
    My setup is going to involve one ADS at the main location, and one DC at each branch office.

    How do "Sites" differ from the "Domain"? Is it best practice to configure both for one location? For example, setting up as well as a "site" in the Sites and Services utility.

    My branch offices have static IPs, but all computers are behind the router/firewall. I have read that port forwarding doesn't work. Is it wise to set up a VPN connection to the AD server? Basically, will Windows maintain the connection when it comes time to replicate?

    I hope this wasn't too much in one post.
    I have a thousand questions


  • #2
    From a networking standpoint, it is probably best to have the routers/firewalls establish the VPN connections (tunnels) between them. That is if you are using the Internet; if you are using a private network (frame relay or dedicated service) you don't need to use the firewalls at all.

    By establishing the VPN through the firewall/routers you allow them to take on the burden of processing the network traffic and allow the server to do its job as a server. I never have been much of a fan of allowing Microsoft to perform routing & firewalling.

    You will not need to 'port forward' unless you have specific applications homed on a specific server. You will need to have NAT, network address translation, turned on. Since you are already online this is probably done.

    Once you get the VPN established you can work with the servers and set them up either as site domain controllers, communicating with the main AD controller, or as plain servers. Option one is probably better as the updates will be minimal.

    As an example, imagine if you have the main AD server set up and then you are in one of the remote locations. You get onto the web and type an address; your machine will have to query the AD machine for the lookup and then report it back to you. Takes time and wastes network bandwidth.

    Hope this helps.


    • #3

      Our locations have only one static IP, and our gateway router/firewall is controlled by our ISP. I will ask them if the currently installed routers are VPN compatible.

      Any insight on the domains and sites?



      • #4
        VPN is a very good idea if you are running your connection over the Internet; I would STRONGLY recommend against doing it without a VPN. If this is a private WAN then the routing should already be set up and there would be no need for NAT\PAT.

        If you are using VPN then create two on-demand tunnels (one in each direction); then there is no need for NAT or PAT either.

        As for:
        How do "Sites" differ from the "Domain"?
        A Domain is a Security Boundary; this bears no resemblance to location or otherwise. Sites are set up for a single domain spread over multiple locations. Sites control replication between your DCs: if you have a slow link then you don't want replication to occur every 5 minutes, so you can change replication intervals for different connections between sites, thus saving bandwidth.

        * Shamelessly mentioning "Don't forget to add reputation!"


        • #5
          So, even though a location (branch office) will contain a domain controller, it acts as if it were the primary for that location?

          Sites: town1, town2, town3, etc.

          I like the "on-demand" VPN connection; it makes sense.

          Thank you for your help


          • #6
            Yea, in Sites and Services you can set up subnets; clients in these subnets look for DCs in the same subnet.

            Then replication between DCs occurs at your specified intervals that you set on the connector.
            * Shamelessly mentioning "Don't forget to add reputation!"
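
The site, subnet and replication-interval setup described in posts #4 and #6, as an added PowerShell example that is not from anyone in this thread. It uses the ActiveDirectory module cmdlets; the site names (HQ, Town1, Town2), the subnets, the 180-minute interval and the DC name DC-TOWN1 are assumptions chosen for illustration and must be replaced with your own values.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module
# and an account with Enterprise Admin rights in the forest.
Import-Module ActiveDirectory

# Assumed site-to-subnet mapping: one site per office, one subnet per site.
$sites = @{
    'HQ'    = '10.0.0.0/24'
    'Town1' = '10.1.0.0/24'
    'Town2' = '10.2.0.0/24'
}

foreach ($name in $sites.Keys) {
    # Create the site if it does not exist yet.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    # Map the office subnet to the site so clients in that subnet
    # locate a DC in their own site instead of one across the WAN.
    $prefix = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $name
    }
}

# One site link over the VPN. The replication frequency is what post #4
# refers to as the interval; 180 minutes instead of the 180-minute default
# is kept here as an explicit, assumed value so it can be tuned per link.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'WAN-VPN'")) {
    New-ADReplicationSiteLink -Name 'WAN-VPN' `
        -SitesIncluded 'HQ', 'Town1', 'Town2' `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 180 `
        -InterSiteTransportProtocol IP
}

# A new DC lands in Default-First-Site-Name unless its subnet already maps
# to a site; move it explicitly if needed (DC-TOWN1 is a placeholder name).
# Move-ADDirectoryServer -Identity 'DC-TOWN1' -Site 'Town1'

# Verify the result: every subnet should resolve to the intended site and
# the link should show the chosen interval.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Run it once from any DC or management host after the VPN tunnels are up. If a subnet is left unmapped, clients in it pick a DC at random and the verification output makes that visible, so re-run the subnet check whenever an office changes its address range.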