
Remote Office via VPN -- Domain or Workgroup?

Status
Not open for further replies.

Leoghann

Programmer
Mar 9, 2003
5
US
I am "in charge" (read: people yell at me if it breaks, but I don't have the clout to fix it usually) of the network of a small division of a large company. We have a main office plus two small remote offices. The main office has an Active Directory server plus a permanent firewall-to-firewall VPN to the rest of the network.

The two remote sites, however, have no servers. They need frequent access to the main network for e-mail and file sharing purposes, so they will always need to access their domain accounts. They do this using the standard Microsoft PPTP VPN.

The powers that be have set forth these rules on my network:
1. I cannot install a server at either remote site. Everything will have to be done with their laptops.
2. We cannot install firewalls at those sites to permanently hook them in to the rest of the domain. The only way to establish a connection will be PPTP.
3. Any questions to the powers that be as to the right way of doing things will be answered with vague and contradictory answers.

Now, to my questions... Is it better to have the remote sites in their own workgroups and let them try to log into the domain after the VPN is established? Or, should I join the machines there to the domain and have them use dial-up networking to log on?

If I've been too vague, let me know. My brain is a little scrambled right now!
 
I think you've been as non-vague as possible considering how much the powers that be make your life fun to live as the guy in charge... :)

The sites thing won't help you much, because it is there to enable clients of an AD domain to locate their local DC. They have none; the only ones they have to authenticate against are in your location.

How well connected are the users in the remote offices to your remote location? Are they connected together on a network? Do they need to share resources that are local to them (i.e. file shares, printers...)?

Your first suggestion (workgroup) can be the best if you don't need to set their PCs up to communicate and share things with each other....
Otherwise, it could be advisable to have them as domain members... downside being long (read llooooonnnngggggg) startup and logon times.

If I understand correctly, the users connect to your location using the VPN client in Windows. Their remote offices are connected to the internet... don't you have a possibility of connecting the remote offices to your local main office (the one where they shout when it stops working and starts smoking) via VPN (e.g. with an ADSL router)?

It's hard to give you a precise answer without knowing how their sites are connected to yours.

Aftertaf (david)
MCSA 2003
 
As you can tell from my title, I'm a programmer by trade. All the network stuff is a tad vague to me, but here's what I know.

In both places, the users are networked together. They both have Internet service, although this is provided by the respective landlords. They provide us with a firewall and hub, and that's how it all gets hooked up. This is what eliminates the hardware VPN idea. The routers are out of our control. Our corporate IT won't let us do a firewall VPN without using one of their $1,500 firewalls, and the remote office landlords won't let us replace the firewalls there. So we have to use some kind of software solution.

Actually, it occurred to me about ten minutes after I wrote this that in at least one of the offices, there is a printer that is shared along with a few directories on a cast-off machine we sent them. With no permanent connection back to the AD servers, I realized that this alone should eliminate the domain idea.
 