site to site vpn with active directory

Archived from groups: microsoft.public.win2000.active_directory

I have one site/domain with active directory that has been operational
for the past 3 years. This first site is a win2000 server. We have
decided to use site to site vpn to our other office. The other office
has a server running 2000 as well, but is only operating as a
workgroup currently (not really configured yet). I want to make the
server at location 2 a secondary domain controller of our domain and
operate it from location 2. The only problem I see is that if the VPN
goes down, the DC will be useless on its own. I want everything to be
self-sufficient on the other side, but want the ease of setting shares
between the two locations.
I thought about creating a new tree in the same forest at the other
location so that it would have its own dns and have trusts with our
domain. The problem I am having with that scenario is setting up
trusts between the two. How do you set the two servers to communicate
as far as dns is concerned? Should I use the tree solution or the
secondary DC idea? I have been experimenting with virtual pc with the
two scenarios.

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Active-Directory-site-site-vpn-ftopict554252.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1759646
 
Archived from groups: microsoft.public.win2000.active_directory

If you make this a second dc in the same domain and use Active Directory
Integrated dns, then if you lose the connection the only functionality lost
will be connectivity between the two. There are no trusts to set up.

dcpromo and you have the second dc.
Set up a new site at the newly promoted dc.
Point all the new clients to this new site and point the dns to this same dc.


Your biggest concern is going to be bandwidth. If you start to replicate
data across a vpn, how much bandwidth does the replication of AD and DNS take? If
you are vpn'ing you need to make sure you have the proper firewall ports open to
allow replication.


Site and Services
http://pclan.calpoly.edu/plans_and_projects/ad_sites_&_services.pdf

DNS
http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/dns_02_sir.asp


Firewall ports
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q179/4/42.asp&NoWebContent=1

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


 
Archived from groups: microsoft.public.win2000.active_directory


I just tried it out with virtual PC. I created a secondary DC from
the original domain and then I installed active directory integrated
DNS on it.
It seems to work ok. The only transfer between vpn sites should be
replication and terminal services. No other data will be travelling
the vpn. I have set the clients at the remote site to point to the
dns at the new DC. Is this the right way to do it? I also set the
remote clients' alternate dns to our main DC just in case their DC goes
down. I tested it and it works. The only thing I need to know more
about is site replication. I know it is happening now because I saw
changes in AD go from one site to the other. I want to know more
about how to control site rep. Let me know if this is the way to go.
I am new at this. Thanks!!!
 
Archived from groups: microsoft.public.win2000.active_directory

Inline comments

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"raylward102" <DoNotEmail@WindowsForumz.com> wrote in message
news:3_1760298_90527ffa0c4d71868caea90257e4524f@windowsforumz.com...
> I just tried it out with virtual PC. I created a secondary DC from
> the original domain and then I installed active directory integrated
> DNS on it.
> It seems to work ok. The only transfer between vpn sites should be
> replication and terminal services. No other data will be travelling
> the vpn. I have set the clients at the remote site to point to the
> dns at the new DC. Is this the right way to do it?

Yes. That way if you lose connectivity the clients are able to resolve
names.


> I also set the
> remote clients' alternate dns to our main DC just in case their DC goes
> down. I tested it and it works.

This is also correct.

> The only thing I need to know more
> about is site replication. I know it is happening now because I saw
> changes in AD go from one site to the other. I want to know more
> about how to control site rep. Let me know if this is the way to go.
> I am new at this. Thanks!!!

Let AD (the Knowledge Consistency Checker, or KCC) handle the layout; just
make sure you define a second site and place the clients for each site
(their IP subnets) in their proper site.

You have done very well and grasped things quickly. You should do well.
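The site/subnet/site-link setup recommended in the replies above, and the "how do I control site replication" question, as an added example that is not part of the thread. It assumes the RSAT ActiveDirectory PowerShell module on a supported Windows Server (Windows 2000 has no PowerShell; the same steps are done there in the AD Sites and Services MMC), and the site names, DC name and subnets are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# and domain admin rights. Names and subnets below are placeholders.
Import-Module ActiveDirectory

$MainSite   = 'Default-First-Site-Name'   # existing site with the original DC
$RemoteSite = 'Branch-Site'               # new site for location 2
$RemoteDC   = 'DC2'                       # newly promoted DC at location 2
$RemoteNets = @('192.0.2.0/24')           # client subnets at location 2 (TEST-NET-1)
$MainNets   = @('198.51.100.0/24')        # client subnets at location 1 (TEST-NET-2)

# 1. Create the second site and map each office's subnets to it, so clients at
#    location 2 authenticate against (and resolve DNS through) the DC in their own
#    site and keep working when the VPN is down.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$RemoteSite'")) {
    New-ADReplicationSite -Name $RemoteSite
}
foreach ($net in $RemoteNets) { New-ADReplicationSubnet -Name $net -Site $RemoteSite }
foreach ($net in $MainNets)   { New-ADReplicationSubnet -Name $net -Site $MainSite }

# 2. Make sure the remote DC sits in its own site (promotion picks a site
#    automatically; this enforces the intended one).
Move-ADDirectoryServer -Identity $RemoteDC -Site $RemoteSite

# 3. Link the two sites. Cost and ReplicationFrequencyInMinutes are the knobs
#    that control how often inter-site replication crosses the VPN; the KCC
#    builds the connection objects from this link, so none are created by hand.
New-ADReplicationSiteLink -Name "$MainSite-$RemoteSite" `
    -SitesIncluded $MainSite, $RemoteSite `
    -Cost 100 -ReplicationFrequencyInMinutes 180 `
    -InterSiteTransportProtocol IP

# 4. Verify. A down VPN or a firewall that blocks replication traffic shows up
#    here as a growing gap between LastReplicationAttempt and
#    LastReplicationSuccess, with a non-zero LastReplicationResult.
Get-ADReplicationPartnerMetadata -Target $RemoteDC -Scope Server |
    Select-Object Partner, Partition, LastReplicationAttempt,
                  LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# The same summary from the command line (repadmin ships with the AD DS tools):
repadmin /replsummary
```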