
Can I Bridge AD across a frame relay network??

Anonymous
January 19, 2005 11:51:53 PM

Archived from groups: microsoft.public.win2000.active_directory

Is it possible to bridge AD services across a WAN? We run an AD domain in
our central office but each of our remote sites is a workgroup. I've lobbied
for a pair of cheap servers at each location but lost. I am wondering if
it's possible to bridge those services? Our main goal is to centrally manage
logons and security settings.

I don't know how chatty AD traffic is; would the traffic be too much of a
load on 256K frame relay circuits?
Anonymous
January 20, 2005 12:29:34 AM


I forgot to add, most sites only have 10 computers at most. We have two
larger sites that are around 40-50.
Each remote site is 256K, the two larger sites are 512K and the host site is
a full T1.


Anonymous
January 20, 2005 1:02:22 AM


"jokes54321" <jokes54321@nospam.com> wrote in message
news:uNQygNq$EHA.3472@TK2MSFTNGP14.phx.gbl...
> Is it possible to bridge AD services across a WAN? We run an AD domain in
> our central office but each of our remote sites is a workgroup. I've
> lobbied for a pair of cheap servers at each location but lost. I am
> wondering if it's possible to bridge those services? Our main goal is to
> centrally manage logons and security settings

Bridging the WAN or routing it is not a function of AD.

If you mean can you run an AD domain across such WANS,
then yes.

> I don't know how chatty AD traffic is; would the traffic be too much of a
> load on 256K frame relay circuits?

Probably not since you likely have a small domain even with
those extra sites but you didn't really tell us.

You can also set the replication schedule to avoid any time
period in which reduced traffic is necessary.

You CAN run such without DCs at the locations but it
will mean that access to resources may be limited if
the WAN is down.

Even a single DC at each location would be better.

DCs are cheap. A few hundred dollars for hardware and
buy the cheaper Standard Server product (on eBay if you
must) for a few hundred more.

--
Herb Martin


Anonymous
January 20, 2005 2:27:32 AM


Yes, it is very possible and done all the time. The thing to consider is
that you will most likely want to set up some sort of Site-to-Site VPN ( aka
Firewall-to-Firewall VPN ). That is, unless you have a private link ( read:
T1 ) between the physical locations.

How you would normally ( okay, poor choice of terms...... ) set things up
when you have several physical locations is that you have at least two
Domain Controllers in the HQ and one Domain Controller in each 'Branch
Office'. Now, this depends on how many users are in each remote office! If
you have three users then you probably would not need a DC. In fact, you
would probably make use of Terminal Server!

So, let's assume that you have something like 35 users in each remote
office. You would probably have one Domain Controller in each of the two
remote offices. You would need to make sure that you set up the Sites
correctly ( done in the Active Directory Sites and Services MMC ) and that
you create a Subnet for each location ( so, 192.168.1.x for the HQ,
192.168.2.x for one remote office and 192.168.3.x for the other remote
office ) and then associate the Subnet with the correct Site. You would
then make sure that each DC is also a Global Catalog Server and that DNS and
DHCP were running on at least one DC in each location.

This accomplishes two things: it allows you to speed up users' logons ( as
they are authenticating against a local Domain Controller - meaning one in
the Site in which they are located ) and you control Active Directory
Replication.

You would need to create the Site Links ( so, probably HQ-Site1 and
HQ-Site2 ). Stick with the defaults for the cost. The interval is, by
default, 180 minutes ( 3 hours ). Depending on how you do things would
determine if that was okay or not ( I would probably keep it there but you
might want to change it either way to 90 minutes or to 240 minutes ).

The server in each remote location would also be the File Server....you
really do not want to be saving things across a WAN. I used to work in an
environment where there were two Sites connected by a private T1. Really
small files were okay ( and I mean really small ) but when things got a bit
bigger ( like 256kb ) you would notice delays.

If you do not mind why was your suggestion denied?

Naturally, I am assuming that you have WIN2000 Active Directory with WIN2000
or WINXP Clients. If you really want to manage everything centrally have
you looked into Terminal Server, maybe with Citrix? WIN2003 Terminal Server
is really nice. That might be what you want. But we would need some more
details!


--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



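The Sites, Subnets and Site Links Cary walks through above, scripted as an added example (not part of the thread or any poster's own work). It uses the ActiveDirectory PowerShell module, which post-dates the Windows 2000 era of this discussion (Windows Server 2012+ or RSAT); the site names HQ/Site1/Site2 and the /24 subnets are assumptions that follow the 192.168.x.x numbering in the post, and the cost and 180-minute interval are the defaults Cary mentions.

```powershell
# Added example: build a hub-and-spoke AD site topology with the ActiveDirectory module.
# Site names and subnets below are assumptions that mirror Cary's 192.168.1.x/2.x/3.x example.
Import-Module ActiveDirectory

# One site per physical location, one subnet per site. The subnet-to-site mapping is what
# lets a workstation find a DC in its own site instead of authenticating across the WAN.
$sites = @{
    'HQ'    = '192.168.1.0/24'
    'Site1' = '192.168.2.0/24'
    'Site2' = '192.168.3.0/24'
}

foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    $subnet = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $name
    }
}

# Site links HQ-Site1 and HQ-Site2, with the default cost (100) and the default
# inter-site replication interval of 180 minutes that the post describes.
# Lower the interval (e.g. 90) only if you have checked the WAN can carry it.
foreach ($spoke in 'Site1', 'Site2') {
    $link = "HQ-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded 'HQ', $spoke `
            -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
    }
}

# Review the resulting topology.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } }
```

After the subnets are in place, `nltest /dsgetsite` on a workstation in a branch reports which site the DC locator has placed it in; if it still says the HQ site, the subnet object for that branch is missing or wrong, and the client will keep authenticating over the frame relay link.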
Anonymous
January 20, 2005 2:40:19 AM


"jokes54321" <jokes54321@nospam.com> wrote in message
news:epWfliq$EHA.3424@TK2MSFTNGP11.phx.gbl...
> I forgot to add, most sites only have 10 computers at most. We have two
> larger sites that are around 40-50.
> Each remote site is 256K, the two larger sites are 512K and the host site
> is a full T1.
>

The key questions to ask yourself about a local DC
is this:

Are there local domain resources?

Would loss of access to these resources be unacceptable
(when the WAN is down)?

If the answer to both is "yes" then you need a DC (perhaps
two) in that site.

Without local domain resources the WAN will disconnect
the stations from any resources anyway so authentication is
not critical when the WAN is down.

With access to local domain resources being critical,
you cannot afford to lose that when the WAN is down,
the DC must be local.

There is also the minor reason of performance and WAN
usage but for only a few stations and only a small domain
it probably doesn't matter much.

IF you put a DC there, you almost certainly make it a DNS
server too.

--
Herb Martin


Anonymous
January 20, 2005 5:46:05 PM


Thank you all for your feedback. My boss shot down the servers at each
location because he feels it's not needed. His thinking is we've been
running fine for 10 years in a workgroup environment, why change now. I
explained the centralized management of user accounts, managing the machines
via group policies, file server services, DHCP instead of static IP
addresses. For every one of those he said that's what he pays me for.

We utilize Terminal Services heavily to centralize our custom-written, in-house
applications. Since we depend on the private frame relay cloud to run
every aspect of our business (as everything is run over Terminal
Services), we do have 128K ISDN backup lines. The only program that is not
centralized is the Office suite, which is on a few workstations at each
location. Each user saves their files to their local computer and manually
backs them up to floppies or USB flash drives, so the only real WAN traffic
should be the group policies and logon validations.

I agree a server at each location would be ideal. Here in town we have three
AD servers in the Phoenix office and one AD server in our Scottsdale office,
which is connected via a point to point T1. The one AD server in the
Scottsdale office hosts DHCP and File server services. This is the office my
boss works out of. I explained it wouldn't be any different than his
location but still got shot down.

I've noticed a couple of you suggested the remote DC GC should run DNS. I'm
curious as to why? In our Phoenix/Scottsdale scenario we only run DNS at the
Phoenix location, but we do run WINS on one AD at each site.

How do I go about joining a remote machine to our domain over the WAN? Do I
just type in the fully qualified domain name like I would do locally?

Thank you,

Denny



Anonymous
January 20, 2005 8:46:28 PM


> I agree a server at each location would be ideal. Here in town we have
> three AD servers in the Phoenix office and one AD server in our Scottsdale
> office, which is connected via a point to point T1. The one AD server in the
> Scottsdale office hosts DHCP and File server services. This is the office
> my boss works out of. I explained it wouldn't be any different than his
> location but still got shot down.
>
> I've noticed a couple of you suggested the remote DC GC should run DNS.
> I'm curious as to why? In our Phoenix/Scottsdale scenario we only run DNS
> at the Phoenix location, but we do run WINS on one AD at each site.

Because it is likely that if authentication is critical (e.g.,
access to domain resources is critical) then likely so
is name resolution in general, and DNS in particular
(which interferes directly with authentication as well as
with just finding the resource by name.)

If DNS is critical (as it is in such cases) then you don't
want to lose it when the WAN goes down -- were that
acceptable you probably wouldn't need the DC either.

One note, it is POSSIBLE to do without the WINS servers
locally MORE EASILY than the DNS servers -- especially
when the site only has one subnet.

WINS clients can be set to M-node -- broadcast for all local
resources on the same (local) subnet, use WINS across the
WAN only for the remote resources, which will themselves
be unreachable any time a lost WAN removes access to the
WINS server.

Not really an issue for you, but for those with 2000 subnets
(especially single subnet per location) getting rid of all
those WINS servers is a BIG DEAL.

> How do I go about joining a remote machine to our domain over the WAN? Do
> I just type in the fully qualified domain name like I would do locally?

Yes. As long as the WAN supports the traffic and the
Name Resolution (DNS) is set up it should just work.

--
Herb Martin


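Herb's M-node point above, as an added example that is not from the thread: a small PowerShell script that reports a client's NetBIOS node type from the documented NetBT registry value (1 = B, 2 = P, 4 = M, 8 = H) and shows the one-line change to M-node. The script is read-only unless the commented `Set-ItemProperty` line is enabled.

```powershell
# Added example: inspect (and optionally set) the NetBIOS-over-TCP/IP node type.
# NodeType / DhcpNodeType under NetBT\Parameters are the standard Windows values.
$NetBtKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$NodeTypes = @{
    1 = 'B-node: broadcast only'
    2 = 'P-node: WINS only (no local fallback when the WAN or WINS server is down)'
    4 = 'M-node: broadcast first, then WINS (local names keep resolving during a WAN outage)'
    8 = 'H-node: WINS first, then broadcast'
}

function Get-NetBtNodeType {
    $p = Get-ItemProperty -Path $NetBtKey -ErrorAction SilentlyContinue
    # A statically set NodeType overrides the one DHCP hands out (option 46, stored as DhcpNodeType).
    $v = if ($null -ne $p.NodeType)         { $p.NodeType }
         elseif ($null -ne $p.DhcpNodeType) { $p.DhcpNodeType }
         else                               { $null }
    if ($null -eq $v) {
        return 'Not configured: B-node when no WINS server is set, H-node when one is'
    }
    return "$v = $($NodeTypes[[int]$v])"
}

Get-NetBtNodeType

# To switch a branch client to M-node as Herb describes (takes effect after a reboot;
# confirm with `ipconfig /all`, which prints the node type as "Node Type"):
# Set-ItemProperty -Path $NetBtKey -Name NodeType -Value 4 -Type DWord
```

For a single-subnet branch this keeps local resources resolvable by broadcast when the frame relay link is down, while names at HQ still go to the central WINS server, which is exactly the trade-off Herb is describing.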
Anonymous
January 20, 2005 8:46:29 PM


Thank you so much. I will attempt to join one of our New York computers to
our domain tomorrow.


Thank you again,

Denny


Anonymous
January 20, 2005 11:48:14 PM


"jokes54321" <jokes54321@nospam.com> wrote in message
news:ohgdV50$EHA.2180@TK2MSFTNGP10.phx.gbl...
> Thank you so much. I will attempt to join one of our New York computers to
> our domain tomorrow.
>

If you have problems on an open connection (no firewalls
stopping you) where you can ping, then it is almost certainly
a DNS error.

You are probably good on this stuff but the CLIENT part is
also critical....

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

--
Herb Martin


>
> Thank you again,
>
> Denny
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:utDqSv0$EHA.2600@TK2MSFTNGP09.phx.gbl...
> >> I agree a server at each location would be ideal. Here in town we have
> >> three AD servers in the Phoenix office and one AD server in our
> >> Scottsdale office, which is connected via a point to point T1. The one
> >> AD server in the Scottsdale office hosts DHCP and File server services.
> >> This is the office my boss works out of. I explained it wouldn't be any
> >> different than his location but still got shot down.
> >>
> >> I've noticed a couple of you suggested the remote DC GC should run DNS.
> >> I'm curious as to why? In our Phoenix/Scottsdale scenario we only run
> >> DNS at the Phoenix location, but we do run WINS on one AD at each site.
> >
> > Because it is likely that if authentication is critical (e.g.,
> > access to domain resources is critical) then likely so
> > is name resolution in general, and DNS in particular
> > (which interferes directly with authentication as well as
> > with just finding the resource by name.)
> >
> > If DNS is critical (as it is in such cases) then you don't
> > want to lose it when the WAN goes down -- were that
> > acceptable you probably wouldn't need the DC either.
> >
> > One note, it is POSSIBLE to do without the WINS servers
> > locally MORE EASILY than the DNS servers -- especially
> > when the site only has one subnet.
> >
> > WINS clients can be set to M-node -- broadcast for all local
> > resources on the same (local) subnet, use WINS across the
> > WAN only for the remote resources, which will themselves
> > be unreachable any time a lost WAN removes access to the
> > WINS server.
> >
> > Not really an issue for you, but for those with 2000 subnets
> > (especially single subnet per location) getting rid of all
> > those WINS servers is a BIG DEAL.
> >
> >> How do I go about joining a remote machine to our domain over the WAN?
> >> Do I just type in the fully qualified domain name like I would do
> >> locally?
> >
> > Yes. As long as the WAN supports the traffic and the
> > Name Resolution (DNS) is set up it should just work.
> >
> > --
> > Herb Martin
> >
> >
> > "jokes54321" <jokes54321@nospam.com> wrote in message
> > news:oKpAVlz$EHA.3592@TK2MSFTNGP09.phx.gbl...
> >> Thank you all for your feedback. My boss shot down the servers at each
> >> location because he feels it's not needed. His thinking is we've been
> >> running fine for 10 years in a workgroup environment, why change now. I
> >> explained the centralized management of user accounts, managing the
> >> machines via group policies, file server services, DHCP instead of
> >> static IP addresses. For every one of those he said that's what he pays
> >> me for.
> >>
> >> We utilize Terminal Services heavily to centralize our custom written,
> >> in house, applications. Since we depend on the private frame relay cloud
> >> to run every aspect of our business (being everything is run over
> >> Terminal Services), we do have 128K ISDN backup lines. The only program
> >> that is not centralized is the Office suite, which is on a few
> >> workstations at each location. Each user saves their files to their
> >> local computer and manually backs them up to floppies or USB flash
> >> drives, so the only real WAN traffic should be the group policies and
> >> logon validations.
> >>
> >> I agree a server at each location would be ideal. Here in town we have
> >> three AD servers in the Phoenix office and one AD server in our
> >> Scottsdale office, which is connected via a point to point T1. The one
> >> AD server in the Scottsdale office hosts DHCP and File server services.
> >> This is the office my boss works out of. I explained it wouldn't be any
> >> different than his location but still got shot down.
> >>
> >> I've noticed a couple of you suggested the remote DC GC should run DNS.
> >> I'm curious as to why? In our Phoenix/Scottsdale scenario we only run
> >> DNS at the Phoenix location, but we do run WINS on one AD at each site.
> >>
> >> How do I go about joining a remote machine to our domain over the WAN?
> >> Do I just type in the fully qualified domain name like I would do
> >> locally?
> >>
> >> Thank you,
> >>
> >> Denny
> >>
> >>
> >>
> >> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> >> news:oW$Xdhq$EHA.3428@TK2MSFTNGP10.phx.gbl...
> >> > Yes, it is very possible and done all the time. The thing to
> >> > consider is that you will most likely want to set up some sort of
> >> > Site-to-Site VPN ( aka Firewall-to-Firewall VPN ). That is, unless
> >> > you have a private link ( read: T1 ) between the physical locations.
> >> >
> >> > How you would normally ( okay, poor choice of terms...... ) set
> >> > things up when you have several physical locations is that you have
> >> > at least two Domain Controllers in the HQ and one Domain Controller
> >> > in each 'Branch Office'. Now, this depends on how many users are in
> >> > each remote office! If you have three users then you probably would
> >> > not need a DC. In fact, you would probably make use of Terminal
> >> > Server!
> >> >
> >> > So, let's assume that you have something like 35 users in each remote
> >> > office. You would probably have one Domain Controller in each of the
> >> > two remote offices. You would need to make sure that you set up the
> >> > Sites correctly ( done in the Active Directory Sites and Services MMC )
> >> > and that you create a Subnet for each location ( so, 192.168.1.x for
> >> > the HQ, 192.168.2.x for one remote office and 192.168.3.x for the
> >> > other remote office ) and then associate the Subnet with the correct
> >> > Site. You would then make sure that each DC is also a Global Catalog
> >> > Server and that DNS and DHCP were running on at least one DC in each
> >> > location.
> >> >
> >> > This accomplishes two things: it allows you to speed up users' log on
> >> > ( as they are authenticating against a local Domain Controller -
> >> > meaning one in the Site in which they are located ) and you control
> >> > Active Directory Replication.
> >> >
> >> > You would need to create the Site Links ( so, probably HQ-Site1 and
> >> > HQ-Site2 ). Stick with the defaults for the cost. The interval is, by
> >> > default, 180 minutes ( 3 hours ). Depending on how you do things would
> >> > determine if that was okay or not ( I would probably keep it there but
> >> > you might want to change it either way to 90 minutes or to 240
> >> > minutes ).
> >> >
> >> > The server in each remote location would also be the File
> >> > Server....you really do not want to be saving things across a WAN. I
> >> > used to work in an environment where there were two Sites connected by
> >> > a private T1. Really small files were okay ( and I mean really small )
> >> > but when things got a bit bigger ( like 256kb ) you would notice
> >> > delays.
> >> >
> >> > If you do not mind, why was your suggestion denied?
> >> >
> >> > Naturally, I am assuming that you have WIN2000 Active Directory with
> >> > WIN2000 or WINXP Clients. If you really want to manage everything
> >> > centrally have you looked into Terminal Server, maybe with Citrix?
> >> > WIN2003 Terminal Server is really nice. That might be what you want.
> >> > But we would need some more details!
> >> >
> >> >
> >> > --
> >> > Cary W. Shultz
> >> > Roanoke, VA 24014
> >> > Microsoft Active Directory MVP
> >> >
> >> > http://www.activedirectory-win2000.com
> >> > http://www.grouppolicy-win2000.com
> >> >
> >> >
> >> >
> >> > "jokes54321" <jokes54321@nospam.com> wrote in message
> >> > news:uNQygNq$EHA.3472@TK2MSFTNGP14.phx.gbl...
> >> >> Is it possible to bridge AD services across a WAN. We run an AD
> >> >> domain in our central office but each of our remote sites are
> >> >> workgroups. I've lobbied for a pair of cheap servers at each location
> >> >> but lost. I am wondering if it's possible to bridge those services?
> >> >> Our main goal is to centrally manage logons and security settings
> >> >>
> >> >> I don't know how chatty AD traffic is, would the traffic be too much
> >> >> of a load on 256K frame relay circuits?
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>
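One way to script the DCDiag sweep Herb describes (run it against every DC, keep each report as a text file, then search the reports for FAIL, ERROR and WARN), as an added PowerShell example that is not part of the thread; it assumes dcdiag.exe and nltest.exe from the Support Tools are on the PATH, that the account running it can query each DC, and uses a placeholder domain name:

```powershell
# Added example, not from the newsgroup thread. Runs dcdiag on every DC
# returned by "nltest /dclist", saves each full report, and lists only the
# FAIL/ERROR/WARN lines so they can be reviewed in one place.
param(
    [string]$Domain = "example.local",       # placeholder, replace with your domain
    [string]$OutDir = (Join-Path $env:TEMP "dcdiag")
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# "nltest /dclist" prints one line per DC, e.g.
#   dc1.example.local [PDC]  [DS] Site: HQ
# Keep the lines tagged [DS] and take the first token as the DC host name.
$dcs = nltest /dclist:$Domain |
    Where-Object { $_ -match '\[DS\]' } |
    ForEach-Object { ($_.Trim() -split '\s+')[0] }

$problems = @()
foreach ($dc in $dcs) {
    $report = Join-Path $OutDir "$dc.txt"

    # /s: targets a single DC, /f: writes the complete report to a file
    dcdiag /s:$dc /f:$report | Out-Null

    # Same search an admin would do by hand in the text file (case-insensitive)
    $hits = Select-String -Path $report -Pattern 'FAIL|ERROR|WARN'
    foreach ($h in $hits) {
        $problems += [pscustomobject]@{
            DC   = $dc
            Line = $h.LineNumber
            Text = $h.Line.Trim()
        }
    }
}

if ($problems.Count -eq 0) {
    "No FAIL/ERROR/WARN lines on $($dcs.Count) DC(s); reports saved in $OutDir"
} else {
    $problems | Format-Table -AutoSize
}
```

Anything it flags on a DC is worth rechecking after the DNS client settings are corrected and NetLogon is restarted (or `nltest /dsregdns` is run) on that DC, since stale SRV registrations show up here as DNS or Advertising test failures.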
Anonymous
January 21, 2005 10:34:54 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In article <uNQygNq$EHA.3472@TK2MSFTNGP14.phx.gbl>, jokes54321@nospam.com says...
> Is it possible to bridge AD services across a WAN. We run an AD domain in
> our central office but each of our remote sites are workgroups. I've lobbied
> for a pair of cheap servers at each location but lost. I am wondering if
> it's possible to bridge those services? Our main goal is to centrally manage
> logons and security settings
>
> I don't know how chatty AD traffic is, would the traffic be to much of a
> load on 256K frame relay circuits?

We have one client with 8 offices in various parts of the country - each
office has 2 computers. The two computers connect with the home office
through a VPN router across either a T1, Business Class Cable modem, or
a wireless internet connection. With the VPN's they are part of the
domain as much as any other node, but they are slower.

Logon takes 3~5 times as long as being part of the home office LAN.
Storage of files in the My Documents folder makes logon longer. No files
are stored on the local computers (business documents), and users have
6~12 mapped drives to the main server - clicking on a document takes
seconds to respond (and users often click many times before the first
item opens, leading to many instances of the same document). Outlook
2003 is set up for all users, not in cached mode, and users experience
slowness anytime they have attachments (most never have attachments).
For the users that have large email boxes we did implement cached mode,
but it's still slow for the new mail.

One big thing is when the VPN's go down, even with many instances of
telling them to check to see if they can get to GOOGLE.COM or MSN.COM,
they still don't understand that they have to be able to get to the
INTERNET for the VPN's to work....

A 256k line, for files/email, would be very slow in my experience - our
Cable connections are 3mbps downstream and 1mbps upstream and I still
think it's slow when I'm at the remote offices.

--
spamfree999@rrohio.com
(Remove 999 to reply to me)