Multisite AD Design

mk

My company has 2 sites (about 40 users each). Each site
has a T1 connection to the internet. There is no WAN
connection (i.e. Frame Relay) connecting the sites.

We want to deploy Windows 2003 Server & Exchange 2003
Server. Each site will have its own administrator.
Originally, I thought that a single forest with a single
domain and 2 OUs would be a good idea; however, without a
WAN link, how can we replicate AD & Exchange between the sites?

I've seen MS refer to two options:
- use firewall port mapping for all relevant ports
- use IPSec (more secure but harder to configure).
We are using ISA server, however I've read that IPSec won't
work with NAT (can we 'Publish' to get around that)?

Anyone have any experience here? Basically, we want to
connect two sites, each of which has a T1 connection to the
internet but no direct connection to each other.

tnx,
Michael
 
Matjaz Ladava [MVP]

If you ask me, I would connect those sites together using a VPN solution (VPN
router, ...) and then set up sites and replication as if this were a
normal network.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
mk

How would you set up the VPN? We have ISA server in both
locations, but supposedly AD Replication using IPsec over
ISA won't work due to NAT. Is there a workaround?

mk
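The "IPsec won't work through NAT" point raised above is worth seeing rather than taking on faith. The following is an added toy model, not code from this thread or from any Microsoft product: it pushes three kinds of IPsec packet through a source NAT and checks whether the far end still accepts them. AH's integrity check covers the IP addresses themselves, so rewriting the source breaks it. ESP's integrity check does not cover the outer header, but in transport mode the encrypted TCP checksum inside still binds the original addresses, and the NAT has no port to map. ESP in tunnel mode carried inside UDP/4500 (NAT traversal, the shape a firewall-to-firewall VPN takes) protects the whole inner packet and gives the NAT a UDP port to rewrite, so it survives. The addresses, the shared key, the XOR "cipher" and the shortened checksum are all constructed stand-ins for the real algorithms.

```python
"""Toy model: which IPsec packet shapes survive a source NAT between two sites.
Constructed example; keys, addresses and the XOR cipher are placeholders."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

KEY = b"constructed-demo-key"  # constructed; stands in for the key a real SA negotiates


def ip(addr: str) -> bytes:
    """Packed 4-byte form of a dotted-quad address (fixed width, so fields concatenate safely)."""
    return ipaddress.ip_address(addr).packed


def mac(*parts: bytes) -> bytes:
    """Integrity check value (ICV) as HMAC-SHA256 over the concatenated fields."""
    return hmac.new(KEY, b"".join(parts), hashlib.sha256).digest()


def tcp_checksum(src: str, dst: str, segment: bytes) -> bytes:
    """Stand-in for the TCP checksum: like the real one it covers a pseudo-header
    holding both IP addresses, so a change to either address invalidates it."""
    return hashlib.sha256(ip(src) + ip(dst) + segment).digest()[:2]


def toy_cipher(data: bytes) -> bytes:
    """Toy symmetric transform (XOR); real ESP uses AES. Encrypt and decrypt are identical."""
    return bytes(b ^ 0x5A for b in data)


@dataclass
class Packet:
    src: str                    # outer IP header fields: all a NAT can see or change
    dst: str
    proto: str                  # "AH", "ESP", or "UDP" (ESP carried in UDP/4500)
    body: bytes
    icv: bytes
    sport: Optional[int] = None
    dport: Optional[int] = None


# AH, transport mode: the ICV covers the IP addresses themselves.
def ah_send(src, dst, payload):
    return Packet(src, dst, "AH", payload, mac(ip(src), ip(dst), payload))

def ah_receive(p):
    return hmac.compare_digest(p.icv, mac(ip(p.src), ip(p.dst), p.body))


# ESP, transport mode: the ICV excludes the IP header, but the encrypted TCP
# checksum inside still binds the original addresses, and there is no port to map.
def esp_transport_send(src, dst, segment):
    body = toy_cipher(segment + tcp_checksum(src, dst, segment))
    return Packet(src, dst, "ESP", body, mac(body))

def esp_transport_receive(p):
    if not hmac.compare_digest(p.icv, mac(p.body)):
        return False            # never reached after NAT: the ICV itself is still valid
    inner = toy_cipher(p.body)
    segment, cksum = inner[:-2], inner[-2:]
    return cksum == tcp_checksum(p.src, p.dst, segment)  # host recomputes with the rewritten address


# ESP, tunnel mode in UDP/4500 (NAT-T): the inner packet, addresses included, is
# protected end to end, and the outer UDP header gives the NAT a port to rewrite.
def esp_natt_send(gw_src, gw_dst, inner_src, inner_dst, segment):
    inner = ip(inner_src) + ip(inner_dst) + segment + tcp_checksum(inner_src, inner_dst, segment)
    body = toy_cipher(inner)
    return Packet(gw_src, gw_dst, "UDP", body, mac(body), sport=4500, dport=4500)

def esp_natt_receive(p):
    if not hmac.compare_digest(p.icv, mac(p.body)):
        return False
    inner = toy_cipher(p.body)
    inner_src = str(ipaddress.ip_address(inner[:4]))
    inner_dst = str(ipaddress.ip_address(inner[4:8]))
    segment, cksum = inner[8:-2], inner[-2:]
    return cksum == tcp_checksum(inner_src, inner_dst, segment)


def source_nat(p, public_ip, mapped_port=61000):
    """Source NAT: rewrite the outer source address; only UDP/TCP carry a port to remap."""
    sport = mapped_port if p.proto == "UDP" else p.sport
    return Packet(public_ip, p.dst, p.proto, p.body, p.icv, sport, p.dport)


def replication_survives(through_nat: bool):
    """Send one constructed replication payload each way and report what the far end accepts."""
    dc_a, dc_b_public = "10.1.0.10", "203.0.113.20"   # constructed: site A DC, site B's public mapping
    gw_a, gw_b, dc_b = "10.1.0.1", "203.0.113.1", "10.2.0.10"
    nat_public = "198.51.100.5"
    segment = b"constructed AD replication RPC payload"
    hop = (lambda p: source_nat(p, nat_public)) if through_nat else (lambda p: p)
    return {
        "AH transport": ah_receive(hop(ah_send(dc_a, dc_b_public, segment))),
        "ESP transport": esp_transport_receive(hop(esp_transport_send(dc_a, dc_b_public, segment))),
        "ESP tunnel over UDP/4500 (NAT-T)": esp_natt_receive(
            hop(esp_natt_send(gw_a, gw_b, dc_a, dc_b, segment))),
    }


if __name__ == "__main__":
    for label, result in replication_survives(through_nat=True).items():
        print(f"behind NAT, {label}: {'accepted' if result else 'rejected'}")
```

Run directly, only the NAT-T case is accepted once a NAT sits in the path; all three pass when the two endpoints have public addresses. That is the practical reason the replies converge on a gateway-to-gateway tunnel rather than IPsec between the domain controllers themselves: the tunnel endpoints are the firewalls, and the DCs on either side see a plain routed network.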
 
Cary Shultz [MVP]

-----Original Message-----
How would you set up the VPN? We have ISA server in both
locations, but supposedly AD Replication using IPsec over
ISA won't work due to NAT. Is there a workaround?

mk

Michael,

I agree with Matjaz! I would simply set up a Site-to-
Site VPN and be done with it. A "Site-to-Site" VPN is
typically a Firewall-to-Firewall VPN.

As an example, we have a client who has four offices:
Roanoke ( VA ), Blacksburg ( VA ) , Richmond ( VA ) and
Raleigh ( NC ). This particular setup is a bit different
from yours in that Roanoke is the "HQ" and the other
three office users connect to the Terminal Server in
Roanoke. However, we have a Firewall-to-Firewall VPN set
up between Roanoke and Blacksburg, a Firewall-to-Firewall
VPN set up between Roanoke and Richmond and we will soon
be setting up a Firewall-to-Firewall VPN between Roanoke
and Raleigh. It works really well!

HTH,

Cary
 
M

mk

Do the remote sites have AD servers that replicate with HQ?
Getting Terminal Services to run is no big deal.
Getting AD to replicate across the VPN is more difficult.

What firewall are you using?

Are you using IPSec?

thanks,
Michael
 