Re: Another additional DC question
- From: Kurt <kurtl@xxxxxxxxxxxxxxxxx>
- Date: Tue, 09 Sep 2008 22:15:08 -0700
Hollywood0728 wrote:
No VOIP. Too expensive. I do have layer 3 switches that will handle the VPN tunneling on both ends of the Point to Point T1. They are Kentrox Q2200. They are provided by the phone vendor. As I have never had the chance to do this branch office scenario, I am trying to gather all the pieces. Apparently there is a Domain controller at this branch office with a different domain name. I think it's possible to connect the two forests together and share the resources with a cross forest trust in place, correct? I wonder if that is the way to go for now, then slowly get a DC in place with the main office domain name and migrate the users and resources. I hate planning, cause you always have to be concerned about the endloser. But when the guys at GM build a car, they don't care about the buyer!

Well, if it were me I'd dump the T1s for DSL. You can get DSL that goes way faster for way less. Put cheaper VPN routers (the Kentrox 2200 is a NICE router, but expensive) for the LAN-to-LAN VPN and a reasonable number of users can authenticate across the WAN to the remote DC (like 30 or so). If you want DHCP, you can set up an additional scope on the DC at the main office (as long as you don't have a DHCP server running on the local subnet) and have the router at the branch office act as a DHCP relay. If you already have DHCP running at the branch, just make sure the default gateway is the VPN router. 10Mb x 1.5Mb DSL is about $80 per end here in Washington State, vs $350 for T1 service. The routers will pay for themselves the first month.
"Kurt" wrote:
Hollywood0728 wrote:
Good Morning -

If all the remote users are doing is authenticating to the DC at the main office they could share the T1 with the phones - it'll consume very little bandwidth. If the phones are VoIP, as long as you have QoS (which I'm sure you do if you have Layer-3 switches at both ends), you can still share the T1 with the phones. The MS PPTP VPN sucks grapes at best for performance, and a LAN-to-LAN IPSec VPN would be a better way to connect via the dedicated Internet T1, and cost is minimal. Cisco (Linksys), Netgear, Secure Computing all make very decent VPN routers for under $200. If you really wanted to make it redundant, you could have routes across both T1s with costs favoring your preferred path, then it would just fail-over to the other T1 if you dropped the first one.

I wanted to kind of bounce a concern off anyone who may be able to help. My company has acquired an additional building and is looking to put some employees over at this new building for space reasons. Here's the situation:

Site A = Main site where all servers are held now
Site B = Branch site where clients use MS VPN client to remote to Site A

Both Sites have a T1 for internet and a Point to Point T1 to connect the buildings together for our new phone system. Since we have the Point to Point in place with Layer 3 switches on each end, I figured rather than having Clients use VPN, why not have them log on to the domain that Site A hosts. My question is this: what is the advantage of having a DC/global catalog Server at the branch office? As long as my users are administrators on their local machines, they are able to log on to the domain profile even if a DC is not accessible (I know this cause I bring my laptop home all the time and never have problems). Now if the Point to Point goes down they won't be able to access network resources at site A from Site B, but the same is true even if I have a DC at Site B..... So is there something I may not be thinking of? Is it safe to say that I can have the clients come over the Point to Point to site A from site B to logon to the domain?
Kurt
You can still do a trust if you want to integrate the two networks, but unless you are severing the ties between your remote users and the main office you'd be better off keeping them in the domain they're already in. Then unless current users in the other domain need that trust, you won't have to bother with it. Not that it's a big deal, but there are some "i's" to dot to make a trust work across a routed connection (think DNS).
I do branch offices all the time, and it's really pretty easy if you don't go out of your way to make it complicated. Just have your routes in place at both ends, make sure the branch office is using the DNS server on the DC at the main office, and set up remote desktop or VNC for all of your remote users so you can do helpdesk without making the drive to the remote site.