Adding an offsite office to a domain

  • Adding an offsite office to a domain

    I currently run a small network with approx 10 local machines and several VPN users. We are looking to take over an office that has another 10 machines locally and several offsite via VPN.

    The VPN is easy enough as I can just change the Host / settings to my network.

    The issue is the actual office.

    My setup > 4 Servers
    2 DC Servers (Windows 2000)
    1 Exchange Server (Windows 2003)
    1 Terminal Server (Windows 2003, with approx 20 users)
    Cisco ASA 5510 (250 VPN license) Dual T1 internet

    ---------
    Their setup > 3 Servers
    1 DC Server (Windows 2000)
    1 Exchange Server (Windows 2000)
    1 Terminal Server (Windows 2000)
    Sonicwall VPN device
    --------

    My thought was to remove their equipment (as it is 8 years old) and connect a Cisco ASA 5505 in their office to connect their office to mine via Site to Site VPN. All their machines would be joined to my network for Group Policy, Antivirus, etc.

    On the router I would tunnel all traffic via their local internet (SDSL) except port 25 / 3389 which would go via the VPN to my ASA 5510.

    My question..
    1) Should I create a DC and place it in their office for authentication or just handle it via the VPN link? Are there advantages one way or the other?

    2) Which ports are needed for DC inquiries?

    3) Does this seem to make sense or am I way off base?

    Thanks!
    Hobie

  • #2
    Re: Adding an offsite office to a domain

    It seems to be pretty easy to set up another office and here's how I would do it.

    1. Create a new site in AD for the new office.
    2. Create a new IP range for the new site and associate that IP range with the previously created site.
    3. Set up a VPN between the offices; I prefer to set up the VPNs using our Sonicwall firewalls. You could use whatever.
    4. Get to the new site and install and configure your 2003 server with a static IP in the new IP range. This is not a necessity but makes it easier.
    5. Install DNS.
    6. Install AD as a new server in an existing forest.
    7. Check that the server has been added to the new site.
    8. Allow AD to replicate overnight. Again not always necessary but I do it to be safe.
    9. Configure a new DHCP scope for the new IP range.

    By the way is this going to be a brand new site or are you taking over another company???
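
The addressing in steps 2, 4, 7 and 9 above can be checked on paper before anything is installed. This is an added example, not part of any post in the thread; it assumes Active Directory places a machine in the site of the most specific subnet object that contains its IP, and the site names and IP ranges are constructed.

```python
import ipaddress

# Constructed sample data (assumed, not from the thread): AD subnet objects
# and the site each one is associated with (steps 1 and 2).
SUBNET_TO_SITE = {
    "192.168.0.0/16": "Main-Office",     # broad range covering the existing LAN
    "192.168.20.0/24": "Remote-Office",  # new range created for the new office
}

def site_for(ip, subnets=SUBNET_TO_SITE):
    """Return the site of the most specific subnet containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def check_plan(dc_ip, scope_start, scope_end, site, subnets=SUBNET_TO_SITE):
    """List addressing problems for a new site's DC and DHCP scope."""
    problems = []
    dc_site = site_for(dc_ip, subnets)
    if dc_site != site:
        problems.append(f"DC {dc_ip} resolves to site {dc_site}, expected {site}")
    lo = int(ipaddress.ip_address(scope_start))
    hi = int(ipaddress.ip_address(scope_end))
    if lo <= int(ipaddress.ip_address(dc_ip)) <= hi:
        problems.append(f"static DC address {dc_ip} lies inside the DHCP scope")
    # Small office scopes are cheap to walk address by address.
    stray = [n for n in range(lo, hi + 1) if site_for(n, subnets) != site]
    if stray:
        first = ipaddress.ip_address(stray[0])
        problems.append(f"{len(stray)} scope addresses leave {site}, first {first}")
    return problems

if __name__ == "__main__":
    # Plan that matches the steps: static DC and DHCP scope inside the new range.
    print(check_plan("192.168.20.10", "192.168.20.100", "192.168.20.150", "Remote-Office"))
    # Misconfigured plan: the DC and part of the scope fall back to the main site.
    for p in check_plan("192.168.21.10", "192.168.20.200", "192.168.21.5", "Remote-Office"):
        print("PROBLEM:", p)
```

A machine whose address resolves to the wrong site, or to no site, will tend to authenticate against a DC across the VPN, which is the situation the local DC is meant to avoid.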



    • #3
      Re: Adding an offsite office to a domain

      We are in the process of taking over another company. I have probably another 3 months before I need to do this, so I have some time to build and test.

      Whichever way I end up going my plan is to install a dummy site (probably at my house) and run tests from there to make sure the new office goes smoothly.

      When you say AD do you mean make the server a DC?

      Thanks!
      Hobie



      • #4
        Re: Adding an offsite office to a domain

        Originally posted by Hobie View Post
        When you say AD do you mean make the server a DC?
        Yes.

        Seeing as you're taking over the company you could possibly create trusts between domains then migrate the users from the other domain.



        • #5
          Re: Adding an offsite office to a domain

          I'm told their equipment is unreliable..

          I was thinking of just removing their equipment and breaking the domain on each PC and joining mine.

          What is the advantage of installing a DC at their site instead of just tunneling the traffic via the VPN? I assume it is to create a LAN segment so our LAN traffic doesn't try to go everywhere?

          Thanks again!
          Hobie



          • #6
            Re: Adding an offsite office to a domain

            There are advantages and disadvantages. You will lose centralisation of control giving them their own DC. It would then need to have its own domain and forest. There would need to be IT staff at that site.

            The main advantage would be that their equipment wouldn't affect them logging on to the network. You could consider setting up a separate domain off yours and place the DC on their site. Give them their own GC and should the connection be up and down, they will still function. Also, there is the possibility of considering SMTP replication, since the other site will be a different domain. An unreliable internet (VPN) wouldn't then be an issue. However, certificates would need to be set up for it.



            • #7
              Re: Adding an offsite office to a domain

              Originally posted by Virtual View Post
              There are advantages and disadvantages. You will lose centralisation of control giving them their own DC. It would then need to have its own domain and forest. There would need to be IT staff at that site.
              I was meaning to add a DC to an existing domain and not creating a new one. Centralised management from the OP site would mean that no staff would be needed at the remote site.



              • #8
                Re: Adding an offsite office to a domain

                Certainly agree with you Wullieb1. Hobie mentioned unreliable equipment at the other site and gave me the impression that they may not use the VPN for piping traffic down it. I may have got the wrong idea. If another DC in the same domain is put on the other site, traffic would still go down the VPN for replication traffic. It perhaps doesn't matter with regards to reliability for that as such providing a GC is at the other site.



                • #9
                  Re: Adding an offsite office to a domain

                  Originally posted by Virtual View Post
                  Certainly agree with you Wullieb1. Hobie mentioned unreliable equipment at the other site and gave me the impression that they may not use the VPN for piping traffic down it. I may have got the wrong idea. If another DC in the same domain is put on the other site, traffic would still go down the VPN for replication traffic. It perhaps doesn't matter with regards to reliability for that as such providing a GC is at the other site.
                  Exactly my thinking.

                  If the VPN connection is unreliable then having a DC acting as a GC on the other site would allow users to keep working, even if the VPN goes down.



                  • #10
                    Re: Adding an offsite office to a domain

                    I think I might have confused things..

                    The equipment that is unreliable is their current server systems. I do not currently have a reason to believe their SDSL is unreliable and I would place my Cisco VPN device on their side to connect to mine.

                    Another piece I might not have been clear on. I will have a terminal server on my side that all of their machines will need access to (which is why I am going to establish the Site to Site VPN instead of individual Cisco clients on each PC).

                    If they all need access to my Terminal Server (all 10 machines will be remoting in) would you still recommend a local DC/GC?

                    Thanks!
                    Hobie



                    • #11
                      Re: Adding an offsite office to a domain

                      If there are only 10 machines then you probably won't need a local DC/GC. At the end of the day, if the line does go down at any time, they wouldn't be able to work effectively anyway due to the requirements for accessing the Terminal Server.

                      I take it they won't be hosting any software or other systems that rely on a GC, at their site?



                      • #12
                        Re: Adding an offsite office to a domain

                        The only application they will be using on their local machines is probably Outlook.

                        The Terminal server hosts the other applications we use in a thin environment.

                        Thanks,
                        Hobie



                        • #13
                          Re: Adding an offsite office to a domain

                          I see. Providing the VPN connection bandwidth is not too slow, I would have thought you wouldn't need the DC/GC at the other site.



                          • #14
                            Re: Adding an offsite office to a domain

                            Yep that changes things a bit.

                            With the small number of users working on the server and using Outlook I would check out what bandwidth you would be using first and foremost. This will then tell you if your line is quick enough to host the TS and Outlook connections.

                            You will also need to see if the connection is reliable and see what the SLA is for getting the line back on if there is an outage. This could also create problems as you then have 10 staff not working at whatever it costs to pay them and the cost to the business.

                            Are you thinking of implementing a second line as a fall back???



                            • #15
                              Re: Adding an offsite office to a domain

                              The main site has two internet lines: 3mb Dual T1, 10mb antenna (fallback as the latency is terrible).

                              The 2nd site currently has a 3mb SDSL line (which I am told has never gone down, yeah right).. They are looking to get a 2nd line (Cable internet) before we take them over.

                              I currently run approx 10 connections at a time over the VPN and have never been over 300kb (on a 3000kb connection). I run split tunneling and only serve my TSS RDP app; the TSS gets the internet traffic from my antenna internet if they happen to surf while on my server.

                              Thanks for everyone's advice here!
                              Hobie
