Initial Network Design (Two Offices)

Status
Not open for further replies.

bigernmckracken

IS-IT--Management
Dec 1, 2004
15
US
Hi everybody,

I am in the process of setting up my plan for two new networks for the company I work for. One office being the Main office and the other being a satellite office. They will both be running Windows Server 2k3 and connected through VPN. All users in the company need access in both offices.

My questions are: am I better off to set up the main office as the primary domain controller and have the satellite office be a child domain? Can I set them up individually and then change the satellite office to a child domain later?

Also does anyone have any recommendations on books or other resources that could help me with my planning?

Thanks

Big Ern
 
We have recently set up a similar arrangement where we have two separate offices. We have two servers in the main office and a single server in the remote office all connected via a VPN. The whole setup exists as a single domain. Ideally the two offices should be set up as separate "sites" in Active Directory to ensure replication is handled efficiently.

Any user can log in at any workstation at either site although we are having problems with roaming profiles. With help from others I have a possible solution to this problem though.

I found the guidance on Microsoft's Technet quite helpful, although you have to tailor the advice to suit your requirements. Much of it does assume that one day you will be a global organisation so the recommendations might be a little over the top.
 
Mark Minasi's Windows 2003 book is pretty good, although you wouldn't want to carry it far.

As Tightpants says, a single domain, two AD sites would be best for you.

There isn't really a PDC in AD anymore, all DCs are theoretically equal, although some are more equal than others. You may have seen the term PDC emulator bandied about though, in a native AD domain this doesn't do too much except it will always get priority for password updates, i.e. a PW update on one DC will always be immediately replicated to the PDC emulator. Account lockout status and other attributes would go during the normal replication period.

You'd be best to set up your first DC in the main office, get DNS, DHCP etc. etc. working and then bring up the second DC when needed. Either in your own office and ship to the subsidiary site, changing the site location when it gets there or bring it up at the sub. As long as you have network connectivity you should be fine.

Are you going to have Exchange servers and if so at one site or both sites because that introduces other complexities.

Neill

 
Thanks Tightpants and ntinlin for your responses. They are leading me in the right direction.

I have a couple of questions in regards to setting up the domain in the way that both of you have suggested.

The first is when I run DC promo on the Server for the satellite office do I create it as a Child domain in an Existing forest or as a Domain Tree in an Existing forest?

Also, in regards to naming conventions for the domains, what is the best practice when naming domains that are in a single domain, two AD sites?

ntinlin, as for exchange we are not hosting our own mail so no need to be concerned with that. At least not yet.

Thanks again
Big Ern



 
Both of our sites are in the same domain, ie. <ourcompany>.co.uk. We haven't used a different domain name for each site although each site does have a different subnet - 192.168.1.x for site 1 and 192.168.2.x for site 2.

The consultant who installed the server in the satellite office was concerned that he might not be able to add the server to the existing domain unless it was physically connected to the network in the main office. However he managed to do it very easily via the VPN connection. I'm not sure of the exact steps he followed though.

The server in the satellite office acts as a DHCP and DNS server for that office. We only have one Exchange Server in the main office; users run Outlook 2003 with cached exchange mode and it all works fine.
 
It's been about a year since I added a DC but there should be an option to add the DC to an existing domain.

As to naming conventions I presume you mean naming DCs?

We called ours DC3charcityname01, DC3charcityname02 etc.
e.g. for San Francisco it would be DCSFO01 and 2nd one there would be DCSFO01.
I didn't want to bother about the 01 for the first server but I was overruled.

As for site names we just used the country code - plant / office codes we had from NT.

e.g. US-HQ for our headquarters site, SE-STO for Stockholm.

As long as you have access to the sub's LAN over the WAN you should be fine.

You need to decide how you want to run DHCP as well, each DC running DHCP for their site, master site running DHCP and DHCP relay set on your router.

You should also take say the first 20 addresses in each subnet and remove them from the DHCP scope, for use as static addresses for printers, servers etc.
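
An added example, not part of any poster's reply: a planning check for the addressing advice in this thread, which carves the first 20 host addresses of each site subnet out of the DHCP pool, refuses overlapping site subnets, and maps a client address to its site. The /24 masks and the site names `MAIN` and `SATELLITE` are assumptions.

```python
import ipaddress

# Assumed /24 masks for the 192.168.1.x and 192.168.2.x subnets in the
# thread; the site names are hypothetical labels.
SITES = {"MAIN": "192.168.1.0/24", "SATELLITE": "192.168.2.0/24"}
STATIC_COUNT = 20  # first 20 host addresses stay out of the DHCP pool


def plan_site(cidr, static_count=STATIC_COUNT):
    """Split one subnet into a static block and a DHCP pool."""
    net = ipaddress.ip_network(cidr)
    if net.num_addresses - 2 <= static_count:
        raise ValueError(f"{cidr} cannot spare {static_count} static addresses")
    first_host = net.network_address + 1
    static_end = first_host + static_count - 1
    return {
        "network": net,
        "static": (first_host, static_end),
        "dhcp": (static_end + 1, net.broadcast_address - 1),
    }


def build_plan(sites):
    """Plan every site; overlapping subnets would break routing over the VPN."""
    plan = {name: plan_site(cidr) for name, cidr in sites.items()}
    names = sorted(plan)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if plan[a]["network"].overlaps(plan[b]["network"]):
                raise ValueError(f"subnets for {a} and {b} overlap")
    return plan


def site_for(plan, address):
    """Return the site whose subnet contains the address, else None."""
    ip = ipaddress.ip_address(address)
    for name, entry in plan.items():
        if ip in entry["network"]:
            return name
    return None


if __name__ == "__main__":
    for name, entry in build_plan(SITES).items():
        static, dhcp = entry["static"], entry["dhcp"]
        print(f"{name}: static {static[0]}-{static[1]}, DHCP {dhcp[0]}-{dhcp[1]}")
```
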

 