Win2k server in remote office

Randall

Hello;

I am going to deploy Win2k servers in remote offices for file storage and
printing. Currently, all workstations are in the domain. The AD
controllers are at the corporate office. The users traverse the WAN to
authenticate to the Domain. The office will be connected via a VPN to the
corporate office. DNS and WINS are also controlled from the corporate
office; however, each office has its own internet connection.

Here are my questions:

Any problems using a Branch to Branch VPN with Win2k/AD?

Do I want the server in the remote office to be a Domain Controller?

Do I want to make the remote office server a DNS server as well?

Do I want to make the server a WINS server for the office?

Thanks
 
Mark Warbeck

Not sure about possible VPN issues, but with regard to making the server a
DC, you should consider if you can physically secure the machine (place it
behind locked doors with limited key distribution). If not, don't make it a
DC, since without physical security there is no security at all. If you can
secure it, try to determine how much authentication traffic the users in the
remote office will generate. If you have more than five or ten users, it may
be a good idea to make it a DC. DNS doesn't add much load to a machine so it
may be wise to make it a DNS server with an AD-integrated zone. Since
clients will be looking to DNS for locating the DC, WINS shouldn't be needed
unless you're running applications that need it.
 
Jason Hall [MSFT]

--------------------
From: "Mark Warbeck" <[email protected]>
References: <[email protected]>
Subject: Re: Win2k server in remote office
Date: Fri, 28 May 2004 12:29:36 -0400

Not sure about possible VPN issues, but with regard to making the server a
DC, you should consider if you can physically secure the machine (place it
behind locked doors with limited key distribution). If not, don't make it a
DC, since without physical security there is no security at all. If you can
secure it, try to determine how much authentication traffic the users in the
remote office will generate. If you have more than five or ten users, it may
be a good idea to make it a DC. DNS doesn't add much load to a machine so it
may be wise to make it a DNS server with an AD-integrated zone. Since
clients will be looking to DNS for locating the DC, WINS shouldn't be needed
unless you're running applications that need it.
-----------------------

All good points.
I don't think you have anything to worry about with the VPN.
Definitely put DNS at the remote offices, WINS only if you use it a lot.

If you are going to deploy the DCs in remote offices (as per Mark's advice),
you should also consider making each remote office a separate AD site.
Benefits:
- DC replication will occur only when you define it to, which saves WAN
link bandwidth during peak hours
- Users will authenticate to their local DC, again saving WAN link bandwidth


--
~~ JASON HALL ~~
~ Performance Support Specialist,
~ Microsoft Enterprise Platforms Support
~ This posting is provided "AS IS" with no warranties, and confers no
rights.
~ Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
~ Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Guest

You can use Microsoft VPN, which is free. You can also
select many other VPNs, but some cost a lot of money.

Do you have firewalls in each office?

Lingzhen Zhao
 
