Active Directory design

dp

Hi all,

at the moment I have a single server running Windows 2003 looking after 30
accounts in AD, also running Exchange 2003.

We will shortly be opening up a "branch office" with 20 staff. This remote
office will have to have its own server but it needs to be part of the
head office network and be running Exchange 2003 too. What is the best way to
accomplish this?

Should I be looking at a child domain and/or a separate site under AD? The
two offices will be connected by VPN over a 2MB network connection.

Any ideas would be gratefully taken on board.

thanks
dp
 
Herb Martin

dp said:
> at the moment I have a single server running Windows 2003 looking after 30
> accounts in AD, also running Exchange 2003.
>
> We will shortly be opening up a "branch office" with 20 staff. This remote
> office will have to have its own server but it needs to be part of the
> head office network and be running Exchange 2003 too. What is the best way to
> accomplish this?

One assumes that by "part of the head office network" you mean
they must be able to "share resources including email."

Obviously they are going to be on a "different network" but
connected by a WAN in some fashion (T1, DSL, etc.).

> Should I be looking at a child domain and/or a separate site under AD? The
> two offices will be connected by VPN over a 2MB network connection.

No one can say ABSOLUTELY for sure, but the quick and obvious
answer is "Same domain, Different Site."

Both AD and Exchange are designed for this. AD can replicate
efficiently over WANs (even for much larger domains than <100
people), and Exchange is designed to both use AD's info and to
"route email" efficiently between locations.

2Mbps is PLENTY of speed -- they could almost be "one site"
although let me make it clear: TWO SITES are the right thing
to do.

> Any ideas would be gratefully taken on board.
 
Tomasz Onyszko

dp said:
> Hi all,
>
> at the moment I have a single server running Windows 2003 looking after 30
> accounts in AD, also running Exchange 2003.
>
> We will shortly be opening up a "branch office" with 20 staff. This remote
> office will have to have its own server but it needs to be part of the
> head office network and be running Exchange 2003 too. What is the best way to
> accomplish this?
>
> Should I be looking at a child domain and/or a separate site under AD? The
> two offices will be connected by VPN over a 2MB network connection.
>
> Any ideas would be gratefully taken on board.

The same domain, separate sites for these two locations, Exchange servers
in the same organization with one of them acting as bridgehead server
which will accept internet traffic (both Exchange servers can accept
internet traffic if you want to have redundancy for your MX).
 
dp

That was the question really.
The server will hopefully be part of the existing AD infrastructure, but I
am unsure if I should create a child domain for this remote office or just
have a separate site and subnet under AD. The offices will be connected via
ADSL VPN.
 
dp

thanks guys....if this goes smoothly another 3-4 sites will be coming on
board with the same setup. Ideally it will be a hub and spoke topology. I
know it's an AD group, but I'm looking at incorporating ISA Server to set up
the VPN site links. Is this recommended?
 
Herb Martin

dp said:
> thanks guys....if this goes smoothly another 3-4 sites will be coming on
> board with the same setup. Ideally it will be a hub and spoke topology. I
> know it's an AD group, but I'm looking at incorporating ISA Server to set up
> the VPN site links. Is this recommended?

Personally, I have a love/HATE relationship with ISA;
I really want to like it but it can seem flaky at times for
unknown reasons.

Sometimes a "reboot" when one shouldn't be necessary
fixes things, and sometimes a working system that is
rebooted quits working.

ISA's (current) integration with the Server product is
somewhat discomforting and it's probably got the most
confusing management console of the current services.

(Oh, and I use it.)
 
Tomasz Onyszko

dp

Taken a look at the download and docs....bit of overkill for a maximum of 50
users across 4 sites, isn't it?
Would anyone really follow all those steps?
 
Jim Singh

Since you have good 2MB VPN connectivity, you should really be looking at
a different site and the same domain. Unless there are LOBs who want their own
domain and want a firewall in between so that only necessary ports are being
opened, i.e. 25, 53, 389 etc. The second site will have a GC that would
authenticate the users in the second site. There wouldn't be any replication
bottlenecks since you have a decent size pipe going in between. You could
create an additional child domain if you wanted to delegate the DNS zone, but
again that could sometimes be a political question rather than a logical one.


- Jim
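Jim's "different site, same domain" answer and dp's hub-and-spoke plan earlier in the thread translate into a handful of site, subnet and site-link objects. The PowerShell below is an added example written for this page, not code from any poster; it uses the ActiveDirectory module cmdlets of current Windows Server (on the thread's Windows 2003 the same objects were created in the Sites and Services console). The site names, subnets and hub DC address are constructed placeholders, and Test-HubPorts is a hypothetical helper name.

```powershell
# Added example, not code from the thread: build a hub-and-spoke site topology for
# one domain with the ActiveDirectory module. Assumes Domain Admin rights on a DC or
# RSAT host. Site names, subnets and the hub DC address are constructed placeholders.
Import-Module ActiveDirectory

$hub       = 'HQ'
$hubSubnet = '10.10.0.0/24'
$hubDcIp   = '10.10.0.10'
$branches  = @{                 # constructed spoke sites and their subnets
    'Branch1' = '10.20.0.0/24'
    'Branch2' = '10.30.0.0/24'  # the "another 3-4 sites" follow the same pattern
}

# A new forest has one site, Default-First-Site-Name. Rename it to the hub so the
# head-office DC already sits in a site with a meaningful name.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) {
    Rename-ADObject -Identity $default.DistinguishedName -NewName $hub
} elseif (-not (Get-ADReplicationSite -Filter "Name -eq '$hub'")) {
    New-ADReplicationSite -Name $hub
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$hubSubnet'")) {
    New-ADReplicationSubnet -Name $hubSubnet -Site $hub
}

foreach ($name in $branches.Keys) {
    $subnet = $branches[$name]
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    # The subnet-to-site mapping is what makes the DC locator hand branch clients
    # a branch DC; a site without its subnet is the classic cause of branch logons
    # crossing the WAN.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $name
    }
    # One site link per spoke, hub to branch only. With no branch-to-branch links
    # the ISTG routes all inter-site replication through the hub.
    $link = "$hub-$name"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded $hub, $name `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Hypothetical helper: from the branch, confirm the VPN passes the ports Jim names
# (25 SMTP, 53 DNS, 389 LDAP). A DC needs more than these (Kerberos 88, RPC 135,
# SMB 445 and the GC port 3268 among others), so extend the list to match the
# firewall policy you actually deploy.
function Test-HubPorts {
    param([string]$HubDc, [int[]]$Ports = @(25, 53, 389))
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $HubDc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = $r.TcpTestSucceeded }
    }
}

Test-HubPorts -HubDc $hubDcIp | Format-Table -AutoSize
Get-ADReplicationSiteLink -Filter * |
    Format-Table Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded -AutoSize
```

Run it once from the head office before the first branch DC is promoted; each further spoke is just another entry in the hash table. The per-spoke links leave DEFAULTIPSITELINK holding only the hub, so it can be deleted once every site is in a hub link, and the 15-minute interval is a starting point that a 2MB link handles easily for a domain this size.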
 
ptwilliams

I'd go with ISA. It's great for this kind of thing. And I don't think it's
overkill; if your business takes itself seriously then do not accept
anything other than an enterprise class firewall. I set up ISA Server for a
client who only had about 75 clients and they were thrilled with it.

I see what Herb is saying; I frequent the isaserver.org boards enough to see
a lot of people having issues and have come across some 'funnies' myself,
but generally if you do the ground work and set it up correctly you'll have
no problems. Just read up on the subject first. Dr. Tom'll have another
customer shortly ;-)

And Herb, yes the GUI is a little confusing ;-) 2004 looks *much* better.
But for real confusion you want to look at SMS in a large environment where
nobody does any housework... ;-)

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


dp said:
> thanks guys....if this goes smoothly another 3-4 sites will be coming on
> board with the same setup. Ideally it will be a hub and spoke topology. I
> know it's an AD group, but I'm looking at incorporating ISA Server to set up
> the VPN site links. Is this recommended?
 
Eric Chamberlain, CISSP

I'd hardly consider ISA or any other PC form factor device an enterprise
class firewall.

After you factor in the cost of the OS, hardware, and ISA it's the same
price or cheaper to go with a more reliable Cisco or Netscreen solution.

--
Eric Chamberlain, CISSP


ptwilliams said:
> I'd go with ISA. It's great for this kind of thing. And I don't think it's
> overkill; if your business takes itself seriously then do not accept
> anything other than an enterprise class firewall. I set up ISA Server for a
> client who only had about 75 clients and they were thrilled with it.
>
> I see what Herb is saying; I frequent the isaserver.org boards enough to see
> a lot of people having issues and have come across some 'funnies' myself,
> but generally if you do the ground work and set it up correctly you'll have
> no problems. Just read up on the subject first. Dr. Tom'll have another
> customer shortly ;-)
>
> And Herb, yes the GUI is a little confusing ;-) 2004 looks *much* better.
> But for real confusion you want to look at SMS in a large environment where
> nobody does any housework... ;-)
>
> --
>
> Paul Williams
> _________________________________________
> http://www.msresource.net
>
>
> Join us in our new forums!
> http://forums.msresource.net
> _________________________________________
 
Enkidu

dp said:
> at the moment I have a single server running Windows 2003 looking after 30
> accounts in AD, also running Exchange 2003.
>
> We will shortly be opening up a "branch office" with 20 staff. This remote
> office will have to have its own server but it needs to be part of the
> head office network and be running Exchange 2003 too. What is the best way to
> accomplish this?

Well, on the face of it, I'd say that one Domain, two Sites would be
the best. But why have multiple Exchange servers? That would make
things much more complicated and it would be simpler with one Exchange
server.

You really need some resilience back in the hub though. One server as
DC and Exchange server is putting all your eggs in one basket.

You need to consider a second DC, even if it is only a workstation
class machine. If money permits, I'd have two DCs in the head office,
one also running Exchange. I'd have a DC in each site, part of the
same Domain, but no Exchange servers!

Cheers,

Cliff
 
dp

I would prefer a single Exchange server, but unfortunately the site managers
have insisted on their own mail server. Office politics!!

What's the best/simplest way to create these extra DCs at the sites.. should
I create a domain controller at the main hub, let it replicate, then move it
out to the remote site? Or get the site VPN up and running, create the site
links in AD, then promote the server at the sites?

Any recommendations on DNS setup? Obviously the main site is an AD
integrated DNS; should the site servers just use this for AD and name
resolution, or would you suggest installing DNS at each site too? If this is
the case, the local DNS server would be primary, the secondary the hub
server?

thanks guys
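Enkidu's advice to put a DC in each site, and dp's follow-up question about promoting it and about DNS, as an added PowerShell example written for this page (current-era cmdlets, not code from the thread; dp's Windows 2003 server would have used dcpromo). It takes the second of dp's two options, promoting the branch server over the VPN with -SiteName so it lands directly in its own site, and answers the primary/secondary question the way AD-integrated DNS actually works: every DC that hosts the zone holds a writable copy, so there is no primary/secondary pair, only an order in which clients ask. Domain name, addresses and NIC name are constructed placeholders; Test-BranchDc is a hypothetical helper name.

```powershell
# Added example, not code from the thread: promote the branch server into the
# existing domain as a DC in its own site, with DNS and GC, then verify that the
# branch is served locally. Assumes the site and its subnet already exist and the
# VPN to the hub is up. Domain, addresses and NIC name are constructed placeholders.

$domain  = 'corp.example'
$site    = 'Branch1'
$hubDcIp = '10.10.0.10'   # existing head-office DC running AD-integrated DNS
$localIp = '10.20.0.10'   # this server, the future branch DC
$nic     = 'Ethernet'

# Step 1: until it is a DC, the server must resolve the domain through the hub DC.
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $hubDcIp

# Step 2: install the role and promote over the WAN. -SiteName places the DC in the
# branch site immediately, so there is nothing to move afterwards; the initial
# replication of a <100-user domain is small enough for a 2MB link.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $domain -SiteName $site -InstallDns `
    -Credential (Get-Credential "$domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force
# The server reboots here; continue after logging back on.

# Step 3: the zone arrives through AD replication as a writable, DS-integrated copy.
# IsDsIntegrated should be True; ZoneType is Primary on every DC, not Secondary.
Get-DnsServerZone -Name $domain |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope

# Step 4: the DC (and branch clients, via their DHCP scope) ask the local DC first and
# fall back to the hub over the VPN if the branch DC is down.
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $localIp, $hubDcIp

# Step 5 (hypothetical helper): prove that the DC locator resolves this site to a
# local GC and that the site-specific SRV records exist in the local DNS copy.
function Test-BranchDc {
    param([string]$Domain, [string]$Site, [string]$DnsServer)
    $dc  = Get-ADDomainController -Discover -SiteName $Site -Service GlobalCatalog
    $srv = Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" `
               -Type SRV -Server $DnsServer
    [pscustomobject]@{
        LocatedDc   = $dc.HostName
        LocatedSite = $dc.Site
        SrvTargets  = (($srv | Where-Object Type -eq 'SRV').NameTarget -join ',')
        SiteMatches = ($dc.Site -eq $Site)
    }
}

Test-BranchDc -Domain $domain -Site $site -DnsServer $localIp
& nltest.exe /dsgetsite        # prints the site this machine believes it is in
& repadmin.exe /replsummary    # replication health against the hub DC
```

The same Test-BranchDc call run from a branch workstation is the quickest way to see whether logons are staying local: if LocatedSite comes back as the hub, the branch subnet is missing from Sites and Services, not the DC.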
 
ptwilliams

Don't let the Shinders hear you say that ;-)

I believe that hardware holds no advantages over software anymore. Servers
are so powerful that software based firewalls can perform as well as the
h/w variety.

I guess it comes down to what you know and like (and what the MD wants).

Perhaps I shouldn't be having this article with a CISSP, but I feel ISA
holds up to the job. Although you are obviously correct about price -
there's not much in it...

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


Eric Chamberlain, CISSP said:
> I'd hardly consider ISA or any other PC form factor device an enterprise
> class firewall.
>
> After you factor in the cost of the OS, hardware, and ISA it's the same
> price or cheaper to go with a more reliable Cisco or Netscreen solution.
>
> --
> Eric Chamberlain, CISSP
 