Another additional DC question

Discussion in 'MCSE' started by Hollywood0728, Sep 4, 2008.

  1. Good Morning -

    I wanted to kind of bounce a concern off anyone who may be able to help. My
    company has acquired an additional building and is looking to put some
    employees over at this new building for space reasons. Here's the situation:

    Site A = Main site where all servers are held now
    Site B = Branch site where clients use MS VPN client to remote to Site A

    Both Sites have a T1 for internet and a Point to Point T1 to connect the
    buildings together for our new phone system. Since we have the Point to Point
    in place with Layer 3 switches on each end, I figured rather than having
    Clients use VPN, why not have them log on to the domain that Site A hosts. My
    question is this, what is the advantage of having a DC/global catalog Server
    at the branch office? As long as my users are administrators on their local
    machines, they are able to log on to the domain profile even if a DC is not
    accessible (I know this cause I bring my laptop home all the time and never
    have problems) Now if the Point to Point goes down they won't be able to
    access network resources at site A from Site B, but same is true even if I have
    a DC at Site B.....So is there something I may not be thinking of? Is it safe
    to say that I can have the clients come over the Point to Point to site A
    from site B to logon to the domain?
    Hollywood0728, Sep 4, 2008
    #1

  2. Dude Guest

    You would have better network performance and security with a DC at Site B.
    You will probably need a Routing and Remote Access Server and a DNS server at
    Site B, so why not promote that server to be a DC as well?

    Giving all users local admin rights is a bad idea. They would be able to
    download and install ANYTHING from the internet, not to mention bringing in
    thumb drives from home that contain viruses.

    "Hollywood0728" wrote:

    > Good Morning -
    >
    > I wanted to kind of bounce a concern off anyone who may be able to help. My
    > company has acquired an additional building and is looking to put some
    > employees over at this new building for space reasons. Hes the situation:
    >
    > Site A = Main site where all servers are held now
    > Site B = Branch site where clients use MS VPN client to remote to Site A
    >
    > Both Sites have a T1 for internet and a Point to Point T1 to connect the
    > buildings together for our new phone system. Since we have the Point to Point
    > in place with Layer 3 switches on each end, I figured rather than having
    > Clients use VPN, why not have them log on to the domain that Site A hosts. My
    > question is this, what is the advantage of having a DC/global catalog Server
    > at the branch office? As long as my users are administrators on their local
    > machines, they are able to log on to the domain profile even if a DC is not
    > accessible (I know this cause I bring my laptop home all the time and never
    > have problems) Now if the Point to Point goes down thay won't be able to
    > access network resources at site A from Site B, but same is true even I have
    > a DC at Site B.....So is there something I may not be thinking of? Is it safe
    > to say that i can have the clients come over the Point to Point to site A
    > from site B to logon to the domain?
    Dude, Sep 5, 2008
    #2

  3. Agreed, Local Admin Rights is scary, but the powers that be have overruled my
    opinion of this.....

    Would I need a routing and remote access server even if I have layer 3
    switches on each end creating the VPN tunnel to both sites? Isn't RRAS a
    software version of a layer 3 switch/router? DNS I was aware of, so yeah, makes
    sense for DC as well, and probably DHCP too. But RRAS I wasn't thinking I
    needed, if indeed I do?

    "Dude" wrote:

    > You would have better network performanceand security with a DC at Site B.
    > You will probably need a Routing and Remote Access Server and a DNS server at
    > Site B, so why not promote that server to be to a DC as well?
    >
    > Giving all users local admin rights is a bad idea. They would be able to
    > download and install ANYTHING from the internet, not to mention brining in
    > thumb drives in from home that contain viruses.
    >
    > "Hollywood0728" wrote:
    >
    > > Good Morning -
    > >
    > > I wanted to kind of bounce a concern off anyone who may be able to help. My
    > > company has acquired an additional building and is looking to put some
    > > employees over at this new building for space reasons. Hes the situation:
    > >
    > > Site A = Main site where all servers are held now
    > > Site B = Branch site where clients use MS VPN client to remote to Site A
    > >
    > > Both Sites have a T1 for internet and a Point to Point T1 to connect the
    > > buildings together for our new phone system. Since we have the Point to Point
    > > in place with Layer 3 switches on each end, I figured rather than having
    > > Clients use VPN, why not have them log on to the domain that Site A hosts. My
    > > question is this, what is the advantage of having a DC/global catalog Server
    > > at the branch office? As long as my users are administrators on their local
    > > machines, they are able to log on to the domain profile even if a DC is not
    > > accessible (I know this cause I bring my laptop home all the time and never
    > > have problems) Now if the Point to Point goes down thay won't be able to
    > > access network resources at site A from Site B, but same is true even I have
    > > a DC at Site B.....So is there something I may not be thinking of? Is it safe
    > > to say that i can have the clients come over the Point to Point to site A
    > > from site B to logon to the domain?
    Hollywood0728, Sep 5, 2008
    #3
  4. John R Guest

    "Hollywood0728" <> wrote in message
    news:...
    > Good Morning -
    >
    > I wanted to kind of bounce a concern off anyone who may be able to help.
    > My
    > company has acquired an additional building and is looking to put some
    > employees over at this new building for space reasons. Hes the situation:
    >
    > Site A = Main site where all servers are held now
    > Site B = Branch site where clients use MS VPN client to remote to Site A
    >
    > Both Sites have a T1 for internet and a Point to Point T1 to connect the
    > buildings together for our new phone system. Since we have the Point to
    > Point
    > in place with Layer 3 switches on each end, I figured rather than having
    > Clients use VPN, why not have them log on to the domain that Site A hosts.
    > My
    > question is this, what is the advantage of having a DC/global catalog
    > Server
    > at the branch office? As long as my users are administrators on their
    > local
    > machines, they are able to log on to the domain profile even if a DC is
    > not
    > accessible (I know this cause I bring my laptop home all the time and
    > never
    > have problems) Now if the Point to Point goes down thay won't be able to
    > access network resources at site A from Site B, but same is true even I
    > have
    > a DC at Site B.....So is there something I may not be thinking of? Is it
    > safe
    > to say that i can have the clients come over the Point to Point to site A
    > from site B to logon to the domain?


    Yes, clients can authenticate over the WAN. However, if the WAN is down, so
    are the clients. They might be able to use cached credentials to get to a
    desktop, but that's about it. If there are more than a handful of clients
    at the remote site, you will want a DC there (in Server 2008, you can have a
    read-only DC which is more secure).

    Make sure you establish your sites and subnets in Active Directory Sites and
    Services, and assign the subnets and the DCs to the appropriate sites. This
    will facilitate both network logons and replication traffic. Since you have
    a T1 between sites, and your company (at least so far) does not appear to be
    that big, I would not concern myself too much with replication traffic.
    Yes, monitor it for a while, but with only a few hundred users and machines,
    the traffic should not be noticeable.

    As to the users having local admin rights, well, that's a tough call.
    Certainly "best practice" is to not do that, but many companies (like mine)
    violate that all the time, and we have several hundred users over eight
    sites plus remotes. Yes, we do get the occasional "What is this spyware on
    my machine", but we deal with that. We are hoping that as we move towards
    Server 2008, we can get back to best practice. Under 2003, there are just
    too many things our environment forces our users to do that require local
    admin privs.

    Be careful not to overload that single T between sites with voice and data.
    And, if your phone system is like ours, don't forget to map your voice
    traffic so that you understand it. For example, if all incoming lines come
    into the pbx at site 1, all calls for users in site 2 are going over the T.
    If a user in site 2 conferences a site 1 user in on a call, that is two
    channels. Same call comes in to a site 1 user who conferences a site 2 user
    in only uses one channel. You might want to think of how that T is divided
    up, and guarantee a certain amount to voice.

    Consider placing a file/print server at the remote, and use DFS/FRS where
    appropriate. That can save considerable bandwidth.

    John R
    John R, Sep 5, 2008
    #4
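Dude (#2) and John R (#4) raise two related points: domain users holding local admin rights, and cached credentials being what gets a user to a desktop when the WAN is down. The following is an added example, not any poster's own commands, that inventories both facts across the branch workstations so they can be reviewed rather than assumed. It assumes WinRM is enabled on those machines, that the caller can read their local groups, and that Get-LocalGroupMember is available (Microsoft.PowerShell.LocalAccounts module, Windows 10 / Server 2016+, so well after this 2008 thread); the workstation names are placeholders.

```powershell
# Added example for this thread (not any poster's own commands). Assumes WinRM is
# enabled on the Site B workstations and the caller can read their local groups.
# Get-LocalGroupMember comes from the Microsoft.PowerShell.LocalAccounts module
# (Windows 10 / Server 2016+); the workstation names are assumed placeholders.
$Computers = 'WS-B-01', 'WS-B-02', 'WS-B-03'

$report = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    # Domain accounts that hold local admin on this box (what the thread warns about).
    $domainAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'User' } |
        Select-Object -ExpandProperty Name
    $adminList = if ($domainAdmins) { $domainAdmins -join '; ' } else { '(none)' }

    # "Interactive logon: Number of previous logons to cache" (Windows default 10).
    # This is the setting behind "cached credentials get you to a desktop when the
    # WAN is down"; 0 would mean no desktop at Site B without a reachable DC.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $cachedCount = if ($null -ne $cached) { [int]$cached } else { 10 }   # 10 = Windows default

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        DomainLocalAdmins = $adminList
        CachedLogonsCount = $cachedCount
    }
}

# One row per workstation: who is local admin, and how many logons are cached.
$report | Sort-Object Computer |
    Select-Object Computer, DomainLocalAdmins, CachedLogonsCount |
    Format-Table -AutoSize
```

The output is the evidence for the conversation John R describes: a list of exactly which domain accounts are in each machine's Administrators group, and confirmation that cached logons are in place before anyone relies on them for a WAN outage.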
  5. Thanks John, this is awesome feedback! Does your profile have a valid email
    address? I would love to send you a visio document or an overall project
    overview of my new phone system and my plan for site to site communication to
    give me more feedback. I have been working closely with my phone vendor who
    has been very helpful. And for the record I have 15 users at Site B and 50
    at Site A so I think a Point to Point T1 should be plenty, maybe overkill,
    but I have to plan for the future. Am I correct to assume I don't need a
    RRAS server?


    "John R" wrote:

    >
    > "Hollywood0728" <> wrote in message
    > news:...
    > > Good Morning -
    > >
    > > I wanted to kind of bounce a concern off anyone who may be able to help.
    > > My
    > > company has acquired an additional building and is looking to put some
    > > employees over at this new building for space reasons. Hes the situation:
    > >
    > > Site A = Main site where all servers are held now
    > > Site B = Branch site where clients use MS VPN client to remote to Site A
    > >
    > > Both Sites have a T1 for internet and a Point to Point T1 to connect the
    > > buildings together for our new phone system. Since we have the Point to
    > > Point
    > > in place with Layer 3 switches on each end, I figured rather than having
    > > Clients use VPN, why not have them log on to the domain that Site A hosts.
    > > My
    > > question is this, what is the advantage of having a DC/global catalog
    > > Server
    > > at the branch office? As long as my users are administrators on their
    > > local
    > > machines, they are able to log on to the domain profile even if a DC is
    > > not
    > > accessible (I know this cause I bring my laptop home all the time and
    > > never
    > > have problems) Now if the Point to Point goes down thay won't be able to
    > > access network resources at site A from Site B, but same is true even I
    > > have
    > > a DC at Site B.....So is there something I may not be thinking of? Is it
    > > safe
    > > to say that i can have the clients come over the Point to Point to site A
    > > from site B to logon to the domain?

    >
    > Yes, clients can authenticate over the WAN. However, if the WAN is down, so
    > are the clients. They might be able to use cached credentials to get to a
    > desktop, but that's about it. If there are more than a handful of clients
    > at the remote site, you will want a DC there (in Server 2008, you can have a
    > read-only DC which is more secure).
    >
    > Make sure you establish your sites and subnets in Active Directory Sites and
    > Services, and assign the subnets and the DCs to the appropriate sites. This
    > will facilitate both network logons and replication traffic. Since you have
    > a T1 between sites, and your company (at least so far) does not appear to be
    > that big, I would not concern myself too much with replication traffic.
    > Yes, monitor it for a while, but with only a few hundred users and machines,
    > the traffic should not be noticeable.
    >
    > As to the users having local admin rights, well, that's a tough call.
    > Certainly "best practice" is to not do that, but many companies (like mine)
    > violate that all the time, and we have several hundred users over eight
    > sites plus remotes. Yes, we do get the occasional "What is this spyware on
    > my machine", but we deal with that. We are hoping that as we move towards
    > Server 2008, we can get back to best practice. Under 2003, there are just
    > too many things our environment forces our users to do that require local
    > admin privs.
    >
    > Be careful not to overload that single T between sites with voice and data.
    > And, if your phone system is like ours, don't forget to map your voice
    > traffic so that you understand it. For example, if all incoming lines come
    > into the pbx at site 1, all calls for users in site 2 are going over the T.
    > If a user in site 2 conferences a site 1 user in on a call, that is two
    > channels. Same call comes in to a site 1 user who conferences a site 2 user
    > in only uses one channel. You might want to think of how that T is divided
    > up, and guarantee a certain amount to voice.
    >
    > Consider placing a file/print server at the remote, and use DFS/FRS where
    > appropriate. That can save considerable bandwidth.
    >
    > John R
    >
    >
    Hollywood0728, Sep 5, 2008
    #5
  6. LRM Guest

    "Hollywood0728" <> wrote in message
    news:...
    > Good Morning -
    >
    > I wanted to kind of bounce a concern off anyone who may be able to help.
    > My
    > company has acquired an additional building and is looking to put some
    > employees over at this new building for space reasons. Hes the situation:
    >
    > Site A = Main site where all servers are held now
    > Site B = Branch site where clients use MS VPN client to remote to Site A
    >
    > Both Sites have a T1 for internet and a Point to Point T1 to connect the
    > buildings together for our new phone system. Since we have the Point to
    > Point
    > in place with Layer 3 switches on each end, I figured rather than having
    > Clients use VPN, why not have them log on to the domain that Site A hosts.
    > My
    > question is this, what is the advantage of having a DC/global catalog
    > Server
    > at the branch office? As long as my users are administrators on their
    > local
    > machines, they are able to log on to the domain profile even if a DC is
    > not
    > accessible (I know this cause I bring my laptop home all the time and
    > never
    > have problems) Now if the Point to Point goes down thay won't be able to
    > access network resources at site A from Site B, but same is true even I
    > have
    > a DC at Site B.....So is there something I may not be thinking of? Is it
    > safe
    > to say that i can have the clients come over the Point to Point to site A
    > from site B to logon to the domain?


    As others have pointed out it is safe, but it can be extremely sloooooow and
    the users will complain constantly about this and try to use their local
    admin rights to download spyware, and adware to speed up their machines. I
    too have to give my users local admin rights and I don't like it but it is
    the reality.

    I recommend that if you authenticate over the WAN that you increase the size
    of your data center pipe and the size of the pipe at site B. It isn't a
    panacea, but it will help. You therefore do not save money because even
    though you don't have to install a DC at site B, you have to pay for the
    bandwidth to prevent the aforementioned irritants. However, if you decide to
    install a server at the remote site for authentication (I do this all the
    time) you should create a DC that is a GC. This can be done on a fairly
    small box which you can acquire for under a grand. That server should be
    configured for its own subnet. You will need to ensure your routers and
    firewalls understand all of this. Hopefully you are running a decent
    firewall like an ASA5505 or ASA5510 at the remote site.

    Please look up how to configure a new subnet in Sites and Services on the MS
    site.

    Try to move away from VPNs unless you can manage them completely with layer
    3 hardware. Also if you are using VoIP, have you looked into MPLS? You may
    benefit from that.


    Good luck
    LRM, Sep 5, 2008
    #6
  7. John R Guest

    "Hollywood0728" <> wrote in message
    news:D...
    >
    > Thanks John, this is awesome feed back! Does your profile have a valid
    > email
    > address? I would love to send you a visio document or a overall project
    > overview of my new phone system and my plan for site to site communication
    > to
    > give me more feedback. I have been working closely with my phone vendor
    > who
    > has been very helpful. And for the record I have 15 users at Site B and
    > 50
    > at Site A so I think a Point to Point T1 should be plenty, maybe overkill,
    > but I have to plan for the future. Am I correct to assume I dont't need a
    > RRAS server?
    >
    >


    I don't normally do third party consulting, however there are probably
    several here who might be interested. And, as long as your VPNs and routing
    tables, gateways, etc. are correct, you should not need RRAS servers, but
    you should still invest in a good firewall.

    John R
    John R, Sep 5, 2008
    #7
  8. catwalker63 Guest

    "Hollywood0728" <> prattled
    ceaselessly in news::

    > Agreed Local Admin Rights is scary, but the powers to be have over
    > ruled my opinion of this.....
    >
    > Would I need a routing and remote access server even if I have layer 3
    > switches on each end creating the VPN tunnel to both sites? Isn't
    > RRAS a software version of a layer 3 switch/router? DNS I was aware
    > of so ya makes sense for DC as well, and probably DHCP too. But RRAS
    > I wasn't thinking i needed if indeed I do?



    RRAS is for the test. Not for the real world

    --
    Catwalker
    MCNGP #43
    www.mcngp.com
    "Definitely not wearing any underwear."
    catwalker63, Sep 5, 2008
    #8
  10. Well after many thoughts and posts from various people, here's what I have
    come up with. The Phone is not VOIP so PTP T1 should be ok. I have been
    made aware that we want both sites on 1 domain, no child domains, so AD sites
    and services is out. So I have decided that putting a secondary DC and
    Secondary DNS at the remote site would be better suited for keeping the
    authentication traffic down. The DC would be a GC of course. Both locations
    have their own T1 for internet and both are protected by ISA Server 2006. So
    my goal is to get the VPN tunnel working over the point to point for data,
    build a secondary DC here at the main site, let it replicate and bring it to
    the remote site. The DC's would be in the same site. Now I guess as I am
    thinking about this all my users will be getting email at remote site from
    main site exchange server, so their outlook client connections will be
    connected all the time, what type of bandwidth does one think this will have
    on my PTP? There are only about 15 users at remote site. I am assuming that
    the 70-297 book will help with all this. Does anyone have a better
    suggestion for reading material?

    "LRM" wrote:

    > "Hollywood0728" <> wrote in message
    > news:...
    > > Good Morning -
    > >
    > > I wanted to kind of bounce a concern off anyone who may be able to help.
    > > My
    > > company has acquired an additional building and is looking to put some
    > > employees over at this new building for space reasons. Hes the situation:
    > >
    > > Site A = Main site where all servers are held now
    > > Site B = Branch site where clients use MS VPN client to remote to Site A
    > >
    > > Both Sites have a T1 for internet and a Point to Point T1 to connect the
    > > buildings together for our new phone system. Since we have the Point to
    > > Point
    > > in place with Layer 3 switches on each end, I figured rather than having
    > > Clients use VPN, why not have them log on to the domain that Site A hosts.
    > > My
    > > question is this, what is the advantage of having a DC/global catalog
    > > Server
    > > at the branch office? As long as my users are administrators on their
    > > local
    > > machines, they are able to log on to the domain profile even if a DC is
    > > not
    > > accessible (I know this cause I bring my laptop home all the time and
    > > never
    > > have problems) Now if the Point to Point goes down thay won't be able to
    > > access network resources at site A from Site B, but same is true even I
    > > have
    > > a DC at Site B.....So is there something I may not be thinking of? Is it
    > > safe
    > > to say that i can have the clients come over the Point to Point to site A
    > > from site B to logon to the domain?

    >
    > As others have pointed out it is safe, but it can be extremely sloooooow and
    > the users will complain constantly about this and try to use their local
    > admin rights to download spyware, and adware to speed up their machines. I
    > too have to give my users local admin rights and I don't like it but it is
    > the reality.
    >
    > I recommend that if you authenticate over the WAN that you increase the size
    > of your data center pipe and the size of the pipe at the site b. It isn't a
    > panacea, but it will help. You therefore do not save money because even
    > though you don't have to install a dc at site b, you have to pay for the
    > bandwidth to prevent the aforementioned irritants. However, if you decide to
    > install a server at the remote site for authentication (I do this all the
    > time) you should create a DC that is a GC. This can be done on a fairly
    > small box and which you can acquire for under a grand. That server should be
    > configured for its own subnet. You will need to ensure your routers and
    > firewalls understand all of this. Hopefully you are running a decent
    > firewall like and ASA5505 or ASA5510 at the remote site.
    >
    > Please look up how to configure a new subnet in Sites and Services on the MS
    > site.
    >
    > Try to move away from VPN's unless you can manage them completey with layer
    > 3 hardware. Also if you are using voip, have you looked into mpls?--you may
    > benefit from that.
    >
    >
    > Good luck
    >
    >
    >
    Hollywood0728, Sep 5, 2008
    #10
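John R (#4) says to define the sites and subnets in Active Directory Sites and Services and assign the subnets and DCs to them, and LRM (#6) says the branch DC/GC should sit on its own subnet. Those sites are a replication and DC-locator topology inside the forest, independent of the domain structure, so a single domain with no child domains uses them exactly the same way; without a Site B subnet mapped to a Site B site, a branch DC does not keep branch logons local. The procedure the two posters describe, as an added example that is not any poster's own commands: it uses the ActiveDirectory PowerShell module cmdlets (Windows Server 2012+ / RSAT, which postdate this 2008 thread), and every site, subnet and DC name in it is an assumed placeholder for this scenario.

```powershell
# Added example for this thread (not any poster's own commands). Uses the real
# ActiveDirectory PowerShell module cmdlets (Windows Server 2012+ / RSAT, which
# postdate this 2008 discussion). Site, subnet and DC names are assumed placeholders.
Import-Module ActiveDirectory

$SiteA    = 'SiteA-Main'       # assumed: the head office, where the existing DCs live
$SiteB    = 'SiteB-Branch'     # assumed: the new building
$SubnetA  = '10.10.0.0/24'     # assumed: LAN prefix behind the Site A layer-3 switch
$SubnetB  = '10.20.0.0/24'     # assumed: LAN prefix behind the Site B layer-3 switch
$BranchDC = 'DC02'             # assumed: the DC/GC built at A and then moved to B

# 1. Give the default site a meaningful name (skipped if it was already renamed).
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) { Rename-ADObject -Identity $default -NewName $SiteA }

# 2. Create the branch site. Sites are a replication/locator topology inside the
#    forest; a single domain with no child domains uses them just the same.
New-ADReplicationSite -Name $SiteB

# 3. Map each LAN prefix to its site. The DC locator matches the client's IP against
#    these subnets; an unmapped Site B subnet means Site B logons cross the T1.
New-ADReplicationSubnet -Name $SubnetA -Site $SiteA -Location 'Site A building'
New-ADReplicationSubnet -Name $SubnetB -Site $SiteB -Location 'Site B building'

# 4. Link the sites; AD replication over the point-to-point T1 follows this schedule.
New-ADReplicationSiteLink -Name "$SiteA-$SiteB" -SitesIncluded $SiteA, $SiteB `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# 5. After DC02 is racked at Site B, move its server object into the branch site so
#    clients there prefer it and its replication partner is chosen via the site link.
Move-ADDirectoryServer -Identity $BranchDC -Site $SiteB

# 6. Verify: every subnet should show its intended site, and a Site B workstation
#    should report SiteB-Branch and locate a DC in that site.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /site:$SiteB
```

Step 5 is the one that differs from the plan in the post above: with both DCs left in the same site, the locator has no reason to prefer the DC that is physically at the branch, so the check in step 6 (run from a Site B machine) is what confirms the authentication traffic actually stays local.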
  12. LRM Guest

    "Hollywood0728" <> wrote in message
    news:...
    >
    > Well after many thoughts and posts from various people, here's what I have
    > come up with. The Phone is not VOIP so PTP T1 should be ok. I have been
    > made aware that we want both sites on 1 domain, no child domains, so AD
    > sites
    > and services is out. So I have decided that putting a secondary DC and
    > Secondary DNS at the remote site would better suited for keeping the
    > authentication traffic down. The DC would be a GC of course. Both
    > locations
    > have their own T1 for internet and both are protected by ISA Server 2006.
    > So
    > my goal is to get the VPN tunnel working over the point to point for data,
    > build a secondary DC here at the main site, let it replicate and bring it
    > to
    > the remote site. The DC's would be in the same site. Now I guess as i am
    > thinking about this all my users will be getting email at remote site from
    > main site exchange server, so their outlook client connections will be
    > connected all the time, what type of bandwidth does one think this will
    > have
    > on my PTP? There is only about 15 users at remote site. I am assumming
    > that
    > the 70-297 book will help with all this. Does anyone have a better
    > suggestion for reading material?


    Ok, so you are ptp t1, not t1 to the Internet?
    You are fine to run dc/gc at remote site with same domain. I do this all the
    time only I don't use ISA, Pain in the "A" if you ask me. I run cisco
    hardware and leverage the cli for data and bandwidth manipulation. I also
    prefer to run T1's to the Internet simply because I don't want the users
    hogging my datacenter bandwidth. So they are pointed out to the Internet and
    use their own circuit and stay off mine when downloading their daily fix of
    MSN garbage.

    On the Outlook question, if you have set up your messaging system i.e.
    Exchange to allow only 10mb attachments or something in that range then you
    should not have too much difficulty with the users and their bandwidth.
    However, I strongly suggest that you do not have them head back to your Data
    Center to access the Internet. Your DC can be a dns server as well so you
    shouldn't have any trouble with that. Otherwise, outlook won't be your
    problem, downloads from the Internet will be. As you said they have admin
    priv. on local desktop so you are going to have a zoo on your hands. I know
    MS says that you should have no issue with the users point to the Data
    Center (read corporate network) to receive Internet pages and the users
    could bounce off of the dns server in the Data Center, but in real life that
    is just silly. T1's are cheap and pointing them to the Internet and creating
    a tunnel with cisco hardware (not ISA) is way better and easier to manage at
    the cli rather than the silly gui of ISA. In its own right, ISA can be very
    cool, just not practical for your situation.

    HTH
    LRM, Sep 5, 2008
    #12
  14. Hollywood0728

    John R Guest

    "Hollywood0728" <> wrote in message
    news:...
    > I have been
    > made aware that we want both sites on 1 domain, no child domains, so AD
    > sites
    > and services is out.


    Wrong. AD Sites and Services describes the physical layout of your network
    and has nothing to do with domains. If you have two sites and you do not
    define them, they are all considered as one site, and full replication will
    happen whenever there is any change to AD.

    > So I have decided that putting a secondary DC and
    > Secondary DNS at the remote site would better suited for keeping the
    > authentication traffic down.


    Think about integrating DNS with AD.

    > The DC would be a GC of course.


    That is probably preferable, especially for exchange directory services.

    > Both locations
    > have their own T1 for internet and both are protected by ISA Server 2006.
    > So
    > my goal is to get the VPN tunnel working over the point to point for data,
    > build a secondary DC here at the main site, let it replicate and bring it
    > to
    > the remote site. The DC's would be in the same site.


    The size of your AD doesn't seem that large. It probably won't matter as
    the initial replication is a one time thing anyway.

    John R
    John R, Sep 5, 2008
    #14
  16. Well it sounds like my plan is good then. Each location does have their own
    circuit for internet....so no going over the PTP T1 to get out. And the
    Point to Point circuit will be handled by two layer 3 Kentrox Q2200 switches,
    so no ISA on the PTP. Only ISA on the outgoing internet circuits at each
    location....No way to trash that firewall, my company is MS partner so ISA is
    free to us. My attachments are limited to 10mb as we speak so no prob there.
    So it sounds like I have all the parts to puzzle on the table now I just
    need to assemble them efficiently without my users getting upset. Thanks.

    "LRM" wrote:

    >
    >
    > "Hollywood0728" <> wrote in message
    > news:...
    > >
    > > Well after many thoughts and posts from various people, here's what I have
    > > come up with. The Phone is not VOIP so PTP T1 should be ok. I have been
    > > made aware that we want both sites on 1 domain, no child domains, so AD
    > > sites
    > > and services is out. So I have decided that putting a secondary DC and
    > > Secondary DNS at the remote site would better suited for keeping the
    > > authentication traffic down. The DC would be a GC of course. Both
    > > locations
    > > have their own T1 for internet and both are protected by ISA Server 2006.
    > > So
    > > my goal is to get the VPN tunnel working over the point to point for data,
    > > build a secondary DC here at the main site, let it replicate and bring it
    > > to
    > > the remote site. The DC's would be in the same site. Now I guess as I am
    > > thinking about this all my users will be getting email at remote site from
    > > main site exchange server, so their outlook client connections will be
    > > connected all the time, what type of bandwidth does one think this will
    > > have
    > > on my PTP? There is only about 15 users at remote site. I am assuming
    > > that
    > > the 70-297 book will help with all this. Does anyone have a better
    > > suggestion for reading material?

    >
    > Ok, so you are ptp t1, not t1 to the Internet?
    > You are fine to run dc/gc at remote site with same domain. I do this all the
    > time only I don't use ISA, Pain in the "A" if you ask me. I run cisco
    > hardware and leverage the cli for data and bandwidth manipulation. I also
    > prefer to run T1's to the Internet simply because I don't want the users
    > hogging my datacenter bandwidth. So they are pointed out to the Internet and
    > use their own circuit and stay off mine when downloading their daily fix of
    > MSN garbage.
    >
    > On the Outlook question, if you have set up your messaging system i.e.
    > Exchange to allow only 10mb attachments or something in that range then you
    > should not have too much difficulty with the users and their bandwidth.
    > However, I strongly suggest that you do not have them head back to your Data
    > Center to access the Internet. Your DC can be a dns server as well so you
    > shouldn't have any trouble with that. Otherwise, outlook won't be your
    > problem, downloads from the Internet will be. As you said they have admin
    > priv. on local desktop so you are going to have a zoo on your hands. I know
    > MS says that you should have no issue with the users point to the Data
    > Center (read corporate network) to receive Internet pages and the users
    > could bounce off of the dns server in the Data Center, but in real life that
    > is just silly. T1's are cheap and pointing them to the Internet and creating
    > a tunnel with cisco hardware (not ISA) is way better and easier to manage at
    > the cli rather than the silly gui of ISA. In its own right, ISA can be very
    > cool, just not practical for your situation.
    >
    > HTH
    >
    >
    >
    Hollywood0728, Sep 5, 2008
    #16
  18. Good point. I should set up sites, so that I can set up replication time
    frames, otherwise it checks for replication like every 15 seconds or
    something. Integrating AD with DNS? What do you mean by this? Thanks.



    "John R" wrote:

    >
    > "Hollywood0728" <> wrote in message
    > news:...
    > > I have been
    > > made aware that we want both sites on 1 domain, no child domains, so AD
    > > sites
    > > and services is out.

    >
    > Wrong. AD Sites and Services describes the physical layout of your network
    > and has nothing to do with domains. If you have two sites and you do not
    > define them, they are all considered as one site, and full replication will
    > happen whenever there is any change to AD.
    >
    > > So I have decided that putting a secondary DC and
    > > Secondary DNS at the remote site would better suited for keeping the
    > > authentication traffic down.

    >
    > Think about integrating DNS with AD.
    >
    > > The DC would be a GC of course.

    >
    > That is probably preferrable, especially for exchange directory services.
    >
    > > Both locations
    > > have their own T1 for internet and both are protected by ISA Server 2006.
    > > So
    > > my goal is to get the VPN tunnel working over the point to point for data,
    > > build a secondary DC here at the main site, let it replicate and bring it
    > > to
    > > the remote site. The DC's would be in the same site.

    >
    > The size of your AD doesn't seem that large. It probably won't matter as
    > the initial replication is a one time thing anyway.
    >
    > John R
    >
    >
    Hollywood0728, Sep 8, 2008
    #18
  20. Hollywood0728

    John R Guest

    "Hollywood0728" <> wrote in message
    news:D...
    > Good point. I should set up sites, so that I can set up replication time
    > frames, otherwise it checks for replication like every 15 seconds or
    > something. Integrating AD with DNS? What do you mean by this? Thanks.
    >
    >


    Within the same site, replication is full uncompressed and happens with
    every change. Within sites, the replication is scheduled and compressed.

    You can choose to store your DNS within Active Directory. That allows DNS
    to replicate with AD, so you don't have to setup a separate DNS replication
    strategy.

    John R
    John R, Sep 8, 2008
    #20
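The sites, scheduled inter-site replication and AD-integrated DNS that John R describes in this thread, as an added PowerShell example (not code from the thread; it uses the ActiveDirectory and DnsServer modules that shipped with Server 2012 and later, well after this 2008 discussion). The domain name, subnet ranges, site names and DC name are assumptions; run it on a DC as a Domain Admin.

```powershell
# Added example, not from the thread. Assumed values: domain contoso.local,
# Site A = 10.1.0.0/24 (the existing Default-First-Site-Name), Site B = 10.2.0.0/24,
# DC02 = the DC built at Site A, replicated, then shipped to Site B.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain   = 'contoso.local'   # assumption
$RemoteDc = 'DC02'            # assumption

# 1. Describe the physical layout: a site for the branch and one subnet per site,
#    so clients at 10.2.x.x find DC02 through the DC locator instead of crossing the T1.
New-ADReplicationSite   -Name 'SiteB' -Description 'Branch office (PTP T1)'
New-ADReplicationSubnet -Name '10.1.0.0/24' -Site 'Default-First-Site-Name'
New-ADReplicationSubnet -Name '10.2.0.0/24' -Site 'SiteB'

# 2. Move the branch DC out of the default site and make it a global catalog
#    (bit 1 of the NTDS Settings 'options' attribute is the GC flag).
Move-ADDirectoryServer -Identity $RemoteDc -Site 'SiteB'
$ntds = (Get-ADDomainController -Identity $RemoteDc).NTDSSettingsObjectDN
Set-ADObject -Identity $ntds -Replace @{ options = 1 }

# 3. Inter-site replication is scheduled and compressed; intra-site is immediate
#    and uncompressed. DEFAULTIPSITELINK already exists, so add SiteB to it and
#    set the interval (15 min is the floor; 30 min is a sensible starting point for
#    15 users on a T1).
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Add = 'SiteB' } `
    -ReplicationFrequencyInMinutes 30 `
    -Cost 100

# 4. Store DNS in AD so the zone rides the same replication and no separate
#    zone-transfer setup is needed for the secondary DNS at Site B.
$zone = Get-DnsServerZone -Name $Domain
if (-not $zone.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $Domain -ReplicationScope Domain -Force
}

# 5. Verify: which DC sits in which site, the site link schedule, the zone storage,
#    and whether DC02 is actually replicating.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Get-DnsServerZone -Name $Domain |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope
repadmin /showrepl $RemoteDc
```

The `repadmin /showrepl` output at the end is the check worth keeping an eye on after the move: a branch DC that stops replicating keeps answering logons with stale credentials and group memberships until the link recovers.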