Active Directory with remote sites.
- From: bravofoxtrot35@xxxxxxxxx
- Date: 4 May 2007 12:55:38 -0700
Hi,
I have a configuration where I have 2 Active Directory computers with
Win2003. Each system is physically located in a different city.
These systems are located in main offices M1 and M2. They are
connected through a Cisco router VPN. Exchange users at sites M1 and
M2 communicate with local Exchange servers. The users will attempt to
authenticate with the local AD first and then the AD at the other main
office. Each of the main offices is on a different subnet and has a
different AD site object. All systems at M1 and M2 are on the same
domain.
We have recently expanded to have 2 branch offices, B1 and B2. The
number of users in each office is 6 or less. Each site currently has
a Linux box acting as a domain controller. The XP clients have joined
the branch office domain, and that computer provides backups, file
services, and user authentication. The connections are established to
both M1 and M2 from B1 and B2 using the Cisco routers to create a
VPN. The domains and subnets at B1 and B2 are different from each
other and from M1/M2.
There really is no DNS at the branch sites to allow for resolution of
computers at M1 or M2, and M1 and M2 cannot resolve names at B1 or B2.
However, I have Outlook clients at B1 and B2 connected to the Exchange
server at M2. This is done by adding an entry in the workstation's hosts
file. There are only a handful of systems at this point, so it was the
quick and dirty solution for Outlook connectivity (it was better than
Outlook Web Access).
What I would like to do is one of the following:
1. Somehow have the Linux box act as a slave to authenticate users to
Active Directory. I'm hoping this will reduce the chatter on the VPN.
This means that when the user changes the password, the change replicates
across the AD. Can this be done with LDAP or some other means?
2. Have each client authenticate across the VPN but still maintain its
existing connectivity to the Linux server for file services. This
probably means having the Linux server join the AD so users can still
access shares. Can anyone tell me how much chatter this would create?
I'm not sure which is the better solution. We would like to have
reduced network traffic in the event that the branches grow or more
branches are added. We are also not convinced (yet) to purchase
another Win2003 license plus a 2nd box at each site. The existing Linux
server must remain basically intact because it runs the phone system
and provides some other custom functions.
I would appreciate it if someone could point me in the right direction
and maybe even provide some good reference material.
I've played around a bit with one of the clients, trying to get it to
join the domain at M1/M2. It couldn't find the domain across the
VPN. I'm guessing I need to provide better DNS support and possibly
create site objects in the AD for the subnets of B1 and B2.
Thanks.
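The "couldn't find the domain across the VPN" symptom at the end of the post is what a Windows client reports when its DNS server cannot answer the SRV queries the domain controller locator sends (the _ldap._tcp.dc._msdcs.<domain> family). The script below is an added example, not part of the original post, for checking those records from a branch machine before retrying the join. It assumes dig(1) is installed; the domain name corp.example, the site name B1 and the DNS server 10.1.1.10 are placeholders, not names from the post.

```shell
#!/bin/sh
# Added example (not from the original post): check the DNS SRV records a
# Windows client uses to locate a domain controller before it can join the
# domain. Requires dig(1). The domain name, site name and DNS server used
# below are placeholders for the real values.

# Print the SRV names the DC locator queries for a domain and an AD site.
# The generic dc._msdcs records must exist; the _sites records only help
# if an AD subnet object maps the client's subnet to that site.
srv_names() {
  domain=$1
  site=$2
  printf '%s\n' \
    "_ldap._tcp.dc._msdcs.$domain" \
    "_kerberos._tcp.dc._msdcs.$domain" \
    "_kpasswd._tcp.$domain" \
    "_ldap._tcp.$site._sites.dc._msdcs.$domain" \
    "_kerberos._tcp.$site._sites.dc._msdcs.$domain"
}

# Read "dig +short SRV" output lines (priority weight port target.) on stdin
# and print "target:port", best candidate first: lowest priority, then
# highest weight. The trailing dot on the target is stripped.
parse_srv() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $1, -$2, $4 ":" $3 }' \
    | sort -k1,1n -k2,2n \
    | awk '{ print $3 }'
}

# Query one SRV name, optionally against a specific DNS server.
query_srv() {
  name=$1
  server=$2
  if [ -n "$server" ]; then
    dig "@$server" +short SRV "$name"
  else
    dig +short SRV "$name"
  fi
}

# Check every record for the domain/site and report missing ones.
# Returns non-zero if any of the generic (non-site) records is missing;
# a missing site-specific record only means the locator falls back to
# the generic one (any DC, possibly the far end of the VPN).
check_dc_srv() {
  domain=$1
  site=$2
  server=$3
  status=0
  for name in $(srv_names "$domain" "$site"); do
    result=$(query_srv "$name" "$server" | parse_srv)
    if [ -z "$result" ]; then
      echo "MISSING  $name"
      case $name in
        *._sites.*) ;;
        *) status=1 ;;
      esac
    else
      echo "OK       $name -> $(echo "$result" | head -n 1)"
    fi
  done
  return $status
}

# Usage with placeholder values (only runs when AD_DOMAIN is set):
#   AD_DOMAIN=corp.example AD_SITE=B1 AD_DNS=10.1.1.10 sh dcsrv.sh
if [ -n "${AD_DOMAIN:-}" ]; then
  check_dc_srv "$AD_DOMAIN" "${AD_SITE:-Default-First-Site-Name}" "${AD_DNS:-}"
fi
```

If the generic records come back MISSING when queried against the branch resolver but OK when queried directly against a DC at M1 or M2, the fix is on the branch side: the branch DNS (or the client's resolver settings) has to forward the AD zone to the DCs across the VPN. Once the generic records resolve, adding an AD subnet object for the branch subnet and tying it to a site is what makes the _sites records, and therefore DC preference, meaningful.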