Remote DC

  • Remote DC

    Hi,

    We have a CRM system installed with a hosting company, which I need to upgrade to a domain controller.

    If I did the following, what problems, if any, could it cause?

    Rather than setting up a remote site \ subnet, the CRM server will be upgraded to a DC.

    The DC will be part of our head office on a subnet of 192.168.10.X.

    The DC at the hosted company will connect back to the head office via a standard PPTP VPN connection. I will give the connection a static IP of 192.168.10.x.

    Will this be OK? As long as the VPN is connected. What problems could occur if the VPN sometimes disconnects?

    Is this bad practice?

    Thanks for all your help!!

  • #2
    Re: Remote DC

    What other DCs do you have at the Head Office? It will depend on your placement of FSMO roles and GC. What are you hoping to achieve from making it a DC? What CRM system is it and how many people connect to that server?

    • #3
      Re: Remote DC

      Hi,

      The head office has two domain controllers, the GC and FSMO.

      The CRM, MS Dynamics, needs the DC to allow user authentication. At the moment the CRM server has a PPTP VPN back to our head office. Only 15 users on the CRM.

      Thanks for your help

      • #4
        Re: Remote DC

        Not sure of your precise version of Dynamics CRM but this article is worth a read.

        http://www.crmlady.com/ms_crm_installing/

        • #5
          Re: Remote DC

          Originally posted by ITLondon
          The DC will be part of our head office on a subnet of 192.168.10.X.

          The DC at the hosted company will connect back to the head office via a standard PPTP VPN connection. I will give the connection a static IP of 192.168.10.x.

          You should create different subnets per location. Go for a 192.168.11.x, for example.
          Otherwise you can create some weird routing issues.
          A firewall will not forward the traffic to the "other side" because the destination network is the same as the source network.
          If a firewall detects the same subnet twice, it should block it, as it could be a spoofed network.

          What I would do is:
          Create a site-to-site VPN using ISA or other firewalls.
          Choose a more secure VPN connection than PPTP. Rather go for L2TP/IPsec (if possible) or for an IPsec tunnel configuration.
          L2TP/IPsec is only possible with MS systems (such as ISA). This is because it uses a certificate and a username/password combination to authenticate.

          An IPsec tunnel is fine too; however, you don't have a two-way authentication mechanism.

          Make a new subnet at the remote office and configure it in Sites and Services to separate things out.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"
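
The subnet advice in post #5, as an added example that is not part of the original thread: a small Python check that flags a DC whose address falls in another location's subnet, and sites whose subnets overlap. The /24 masks, host addresses, site names and function names are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plans. The /24 masks and host addresses are assumptions;
# the thread only gives 192.168.10.x and suggests 192.168.11.x.
ORIGINAL_SITES = {"HeadOffice": "192.168.10.0/24"}
ORIGINAL_HOSTS = {"CRM-DC": ("Hosted", "192.168.10.50")}
REVISED_SITES = {"HeadOffice": "192.168.10.0/24", "Hosted": "192.168.11.0/24"}
REVISED_HOSTS = {"CRM-DC": ("Hosted", "192.168.11.10")}


def overlapping_sites(sites):
    """Return sorted (site_a, site_b) pairs whose subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def misplaced_hosts(sites, hosts):
    """Return (host, physical_site, matching_sites) for every host whose
    address does not map to exactly the site it physically lives in."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    problems = []
    for host, (site, addr) in sorted(hosts.items()):
        ip = ipaddress.ip_address(addr)
        matches = sorted(name for name, net in nets.items() if ip in net)
        if matches != [site]:
            problems.append((host, site, matches))
    return problems


if __name__ == "__main__":
    plans = [
        ("original", ORIGINAL_SITES, ORIGINAL_HOSTS),
        ("revised", REVISED_SITES, REVISED_HOSTS),
    ]
    for label, sites, hosts in plans:
        print(label, "overlaps:", overlapping_sites(sites))
        print(label, "misplaced:", misplaced_hosts(sites, hosts))
```

With the original plan the hosted DC resolves to the head office subnet, so clients and replication would treat it as a local DC even though it sits across the VPN; the revised plan maps it to its own site.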

          • #6
            Re: Remote DC

            Strange one this, we can't do a site-to-site VPN because the server is with a hosted company.

            It's actually got a public IP on its LAN NIC.

            What would you suggest? Would the client to VPN be okay if I set the subnet as the public one?

            Thanks for your help!

            • #7
              Re: Remote DC

              Originally posted by ITLondon
              Strange one this, we can't do a site-to-site VPN because the server is with a hosted company.

              It's actually got a public IP on its LAN NIC.

              What would you suggest? Would the client to VPN be okay if I set the subnet as the public one?

              Thanks for your help!

              In which case, in its current configuration, I wouldn't make it a DC for security reasons. Are you sure a firewall rule doesn't point at the internal IP of the server? It will be worth chatting to the provider. They can sometimes offer an internet feed to achieve a site-to-site VPN.
