site to site vpn with active directory


raylward102

I have one site/domain with active directory that has been operational
for the past 3 years. This first site is a win2000 server. We have
decided to use site to site vpn to our other office. The other office
has a server running 2000 as well, but is only operating as a
workgroup currently (not really configured yet). I want to make the
server at location 2, a secondary domain controller of our domain and
operate it from location 2. The only problem I see is that if the VPN
goes down, the DC will be useless on its own. I want everything to be
self sufficient on the other side, but want the ease of setting shares
between the two locations.
I thought about creating a new tree in the same forest at the other
location so that it would have its own dns and have trusts with our
domain. The problem I am having with that scenario is setting up
trusts between the two. How do you set the two servers to communicate
as far as dns is concerned? Should I use the tree solution or the
secondary DC idea? I have been experimenting with virtual pc with the
two scenarios.
 

Paul Bergson

If you make this a second dc in the same domain and use Active Directory
Integrated dns then if you lose the connection the only functionality lost
will be connectivity between the two. There are no trusts to setup.

dcpromo and you have the second dc
Set up a new site at the newly promoted dc
point all the new clients to this new site and point the dns to this same dc


Your biggest concern is going to be bandwidth. If you start to replicate
data across a vpn how much bandwidth is the replication of AD and DNS. If
you are vpn'ing you need to make sure you have the proper firewalls open to
allow replication


Site and Services
http://pclan.calpoly.edu/plans_and_projects/ad_sites_&_services.pdf

DNS
http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/dns_02_sir.asp


Firewall ports
http://support.microsoft.com/defaul...port/kb/articles/q179/4/42.asp&NoWebContent=1

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Jorge_de_Almeida_Pinto

raylward102 said:
I have one site/domain with active directory that has been
operational for the past 3 years. This first site is a
win2000 server. We have decided to use site to site vpn to
our other office. The other office has a server running 2000
as well, but is only operating as a workgroup currently (not
really configured yet). I want to make the server at location
2, a secondary domain controller of our domain and operate it
from location 2. The only problem I see is that if the VPN
goes down, the DC will be useless on its own. I want
everything to be self sufficient on the other side, but want
the ease of setting shares between the two locations.
I thought about creating a new tree in the same forest at the
other location so that it would have its own dns and have
trusts with our domain. The problem I am having with that
scenario is setting up trusts between the two. How do you set
the two servers to communicate as far as dns is concerned?
Should I use the tree solution or the secondary DC idea? I
have been experimenting with virtual pc with the two
scenarios.

what do you mean with "The only problem I see is that if the VPN goes
down, the DC will be useless on its own. I want everything to be self
sufficient on the other side, but want the ease of setting shares
between the two locations. "

what is in your opinion the difference between a DC in the same domain
and a DC in another domain?

Establish a site-to-site VPN and you should use a second DC for the
domain in its own site. Configure replication between the sites
accordingly. If you only had one DC for the current it is already a
good idea to install a second DC. If you have one DC and it dies and
your backups are crap, you have a big problem!

DCs in a forest must be able to replicate with each other. If they do
not replicate with each other for more than the tombstone lifetime
(default = 60 days) you get another challenge!

Cheers,
 

raylward102

Paul Bergson said:
If you make this a second dc in the same domain and use Active
Directory
Integrated dns then if you lose the connection the only
functionality lost
will be connectivity between the two. There are no trusts to
setup.

dcpromo and you have the second dc
Set up a new site at the newly promoted dc
point all the new clients to this new site and point the dns
to this same dc


Your biggest concern is going to be bandwidth. If you start
to replicate
data across a vpn how much bandwidth is the replication of AD
and DNS. If
you are vpn'ing you need to make sure you have the proper
firewalls open to
allow replication


Site and Services
http://pclan.calpoly.edu/plans_and_projects/ad_sites_&_services.pdf

DNS
http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/dns_02_sir.asp


Firewall ports
http://support.microsoft.com/defaul...port/kb/articles/q179/4/42.asp&NoWebContent=1

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and
confers no rights.



I just tried it out with virtual PC. I created a secondary DC from
the original domain and then I installed active directory integrated
DNS on it.
It seems to work ok. The only transfer between vpn sites should be
replication and terminal services. No other data will be travelling
the vpn. I have set the clients at the remote site to point to the
dns at the new DC. Is this the right way to do it? I also set the
remote clients alternate dns to our main DC just in case their DC goes
down. I tested it and it works. The only thing I need to know more
about is site replication. I know it is happening now because I saw
changes in AD go from one site to the other. I want to know more
about how to control site rep. Let me know if this is the way to go.
I am new at this. Thanks!!!
 

Paul Bergson

Inline comments

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


raylward102 said:
I just tried it out with virtual PC. I created a secondary DC from
the original domain and then I installed active directory integrated
DNS on it.
It seems to work ok. The only transfer between vpn sites should be
replication and terminal services. No other data will be travelling
the vpn. I have set the clients at the remote site to point to the
dns at the new DC. Is this the right way to do it?

Yes. That way if you lose connectivity the clients are able to resolve
names.


I also set the
remote clients alternate dns to our main DC just in case their DC goes
down. I tested it and it works.

This is also correct

The only thing I need to know more
about is site replication. I know it is happening now because I saw
changes in AD go from one site to the other. I want to know more
about how to control site rep. Let me know if this is the way to go.
I am new at this. Thanks!!!

Let AD (The Knowledge Consistency Checker or KCC) handle the layout, just
make sure you define a second site and place the clients for each site
(their IP subnets) in their proper site.

You have done very well and grasped things quickly. You should do well.
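As an added worked example (not code from this thread; it uses the modern ActiveDirectory PowerShell module rather than the Windows 2000 era tools the posters used, and the site names, subnets and DC name are assumptions), this is Paul's procedure in script form: define the second site, map each location's subnet to it, move the remote DC in and let the KCC build the topology, slow the inter-site link that crosses the VPN, and then check each partner's replication age against the tombstone lifetime Jorge warns about:

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT / Windows Server 2012+). All names and subnets below are assumptions.
Import-Module ActiveDirectory

$HqSite       = 'Default-First-Site-Name'   # site of the original DC
$BranchSite   = 'Branch-Office'             # new site for location 2
$BranchDC     = 'DC2'                       # hostname of the newly promoted DC
$HqSubnet     = '10.1.0.0/24'               # assumed LAN range at location 1
$BranchSubnet = '10.2.0.0/24'               # assumed LAN range at location 2

# 1. Second site plus subnet-to-site mapping: this is what makes clients and
#    DCs at location 2 find the DC on their own side of the VPN.
New-ADReplicationSite   -Name $BranchSite
New-ADReplicationSubnet -Name $HqSubnet     -Site $HqSite
New-ADReplicationSubnet -Name $BranchSubnet -Site $BranchSite

# 2. Move the remote DC into its site; the KCC builds the connection objects.
Move-ADDirectoryServer -Identity $BranchDC -Site $BranchSite

# 3. Bandwidth control for the VPN: add the branch site to the default link
#    and replicate hourly instead of the 15-minute inter-site default.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{Add = $BranchSite} -ReplicationFrequencyInMinutes 60

# 4. Health check: a DC that has not replicated for longer than the tombstone
#    lifetime must not simply be reconnected. An unset attribute means the
#    60-day default of a forest created on Windows 2000.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }

Get-ADReplicationPartnerMetadata -Target $BranchDC -Scope Server | ForEach-Object {
    $age = (Get-Date) - $_.LastReplicationSuccess
    [pscustomobject]@{
        Partner          = $_.Partner
        Partition        = $_.Partition
        DaysSinceSuccess = [math]::Round($age.TotalDays, 1)
        Status           = if ($age.TotalDays -gt $tsl) { 'BEYOND TOMBSTONE LIFETIME' }
                           elseif ($_.LastReplicationResult -ne 0) { 'FAILING' }
                           else { 'OK' }
    }
} | Format-Table -AutoSize
```

Run step 4 on its own from either site after a VPN outage; a partner reported as BEYOND TOMBSTONE LIFETIME should be demoted and re-promoted rather than allowed to resume replication.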
 
