Controlling logons over WAN with Sites and Services

Ned Hart

Hello,


What is the best way to prevent workstations from logging into DCs
over a WAN connection? I have 8 buildings connected by a 155Mbps WAN
with 150 workstations each and 400 at the main building and a DC in
each building. AD Sites and Services has a single default site which
contains all DCs. Would creating a site for each building, adding
subnets, and moving DCs be enough?

Any suggestions for improvements would be welcome.
NH
 
Cary Shultz [A.D. MVP]

Ned,

That could be a really good start. I would generically state that you
should set up a Site for each building, create the appropriate Subnet(s) and
then associate each one with the appropriate Site. You could then move a DC
to each Site. Consider making each DC also a Global Catalog Server. Again,
these are very generic suggestions. You would have to manually create the
Site Links and most probably the appropriate Site Link Bridges.

How far away is each building from each other? Is it a logistical problem
to move DCs? This would help control Active Directory replication as well
as user logons. I would also suggest a Firewall-to-Firewall VPN between
each building ( consider using the building with 400 users as the 'hub' and
the other seven locations as 'spokes' ).

However, the WAN connections are very very fast! How long has this been
going? Are there other issues - other than the clients authenticating
against a DC over the WAN connection?

Does this help you get started? I can provide you with a ton of links if
you so desire.

HTH,

Cary
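The layout Cary describes (a Site per building, Subnets bound to each Site, the local DC moved into it and made a GC, hub-and-spoke Site Links), written out as an added PowerShell example that is not part of the original thread. Site names, subnets, DC names and the domain name are placeholders; it assumes the ActiveDirectory module (RSAT, Windows Server 2012 or later) and Enterprise Admin rights.

```powershell
# Added example, not from the thread: hub-and-spoke Sites and Services layout
# for the 8-building network described above. All names/subnets are placeholders.
Import-Module ActiveDirectory

$hub  = 'HQ'                                  # the 400-user building
$plan = @(                                    # constructed site plan
    @{ Site = 'HQ';    Subnet = '10.0.0.0/22'; DC = 'DC-HQ' }
    @{ Site = 'Bldg2'; Subnet = '10.0.4.0/24'; DC = 'DC-B2' }
    @{ Site = 'Bldg3'; Subnet = '10.0.5.0/24'; DC = 'DC-B3' }
    # ... one entry per remaining building
)

foreach ($b in $plan) {
    # 1. One Site per building (idempotent).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($b.Site)'")) {
        New-ADReplicationSite -Name $b.Site
    }
    # 2. Bind the building's client subnet to that Site. DC Locator matches the
    #    client's IP to a subnet and returns a DC from the same Site, which is
    #    what keeps workstation logons off the WAN.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($b.Subnet)'")) {
        New-ADReplicationSubnet -Name $b.Subnet -Site $b.Site
    }
    # 3. Move the building's DC out of Default-First-Site-Name into its Site.
    Move-ADDirectoryServer -Identity $b.DC -Site $b.Site
    # 4. Make it a Global Catalog so universal-group lookups stay local too
    #    (sets the IS_GC bit on the NTDS Settings object; overwrites other bits).
    $ntds = (Get-ADDomainController -Identity $b.DC).NTDSSettingsObjectDN
    Set-ADObject -Identity $ntds -Replace @{ options = 1 }

    # 5. Hub-and-spoke Site Links: each spoke replicates with the hub only and
    #    is removed from DEFAULTIPSITELINK so it is not linked to every Site.
    if ($b.Site -ne $hub) {
        $link = "$hub-$($b.Site)"
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
            New-ADReplicationSiteLink -Name $link -SitesIncluded $hub, $b.Site `
                -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
        }
        Set-ADReplicationSiteLink -Identity DEFAULTIPSITELINK -SitesIncluded @{ Remove = $b.Site }
    }
}

# Checks. On a workstation in Bldg2 these should report Site Bldg2 and DC-B2:
#   nltest /dsgetsite
#   nltest /dsgetdc:corp.example /force
# A DC that has quietly stopped replicating but still answers logons shows up
# here instead of going unnoticed:
Get-ADReplicationFailure -Scope Domain -Target (Get-ADDomain).DNSRoot |
    Select-Object Server, Partner, FailureCount, FirstFailureTime
```

Site Link Bridges are not created here because "Bridge all site links" is on by default, which makes the hub-and-spoke links transitive; create explicit bridges only if that default has been turned off.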
 
Ned Hart

Hi Cary

Thanks for responding. I didn't understand the benefit of a GC at
each site until after I read your post. I did some more reading
online and from what I understand, a GC will contain a full replica of
AD objects within its host domain. I guess I'll have to read more to
understand how best to replicate this information.

The buildings range anywhere from 1/4 mile to 5 miles away from
each other and I've noticed the problems since day one (2 years ago),
but I never tried to correct it because of the speed of the
connection. These days I'm finding more free time and I'd like to use
it to optimize my environment.

What's the firewall-to-firewall VPN for?

I am not aware of any other issues at this time. I did have a problem
with a DC a while back that stopped replicating. I was surprised that
clients were still being authenticated by this DC and outdated group
policies were applied to their workstations.

Thanks again. Yes, your response has pointed me in the right
direction. I just need to do some reading and some planning.

Thanks again!
NH
 
Cary Shultz [A.D. MVP]

Ned,

Glad that I could help. The Site-to-Site VPN is so that you can have a
secure communication channel between each Site. It keeps things private.
You also do not need to open up your Firewalls so that they look like Swiss
cheese.

HTH,

Cary
