
Single W2K3 domain DHCP confusion...


troubleahead

Technical User
Sep 30, 2007
1
GB
Evening,

I'm starting to get a sore head thinking about this, so I thought I'd throw it out here, so that someone can set me straight as I'm starting to go round in loops. Let me set the scene first...

I've been asked to integrate a remote site office which we've purchased. My company is small, <50 users, and we have a single domain forest, DNS, DHCP scope etc - you know the type, nothing fancy. We've put in a hardware site-to-site VPN with Cisco 2800 series routers, which will go live on hand-over. The plan is that I go out and commission a new 2k3 DC and Exchange box, which I'm semi-comfortable with, and then redomain the existing member servers.

What I can't understand is how DHCP is going to work in this environment. With the VPN in place surely both sides will be logically part of the same network. What I can't understand is how setting up a new scope and attaching the subnet to the site in AD will actually make any of the (local) clients use that scope instead of the one on the other side of the VPN. It seems to me that what I'll have in this case is 2 DHCP servers with 2 exclusive scopes on the same subnet?

What I want is the following:

Site 1 (A side of VPN)
DC/GC with Subnet eg 192.168.1.x
DHCP
DNS
Exchange
Servers
Users

Site 2 (B side of VPN)
DC/GC with Subnet eg 192.168.2.x
DHCP
DNS
Exchange
Servers
Users

Basically the sites are, and will remain for the most part, self-sufficient, but need to share a single domain. I just need to make sure that if the VPN goes down, neither site is without any network services. I think, to be honest, it's the VPN part of this that's confusing me, but I've lost focus on this.

TIA.
 
DHCP doesn't go through routers unless the helper agent is enabled on the routers (which, IIRC, it's not).

You should be safe in having DHCP running on both sides of the VPN. Just make sure you properly configure AD Sites & Services so that clients authenticate to the correct site.

If you have <50 users, putting in Exchange in site B is WAY overkill. You'd be better off just using a single server in site A.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
Hi, if you have a DHCP server on each subnet, you'll be fine. When your remote clients boot up, they're going to send out a DHCP broadcast asking for an IP address. These broadcasts will only make it as far as the local DHCP server and won't traverse across the VPN to your head office.

The same is true for your head office computers. Their DHCP broadcasts won't make it through the VPN over to your remote office.

You could... in theory... set up just one DHCP server in your head office, and configure your VPN to forward DHCP broadcasts coming from your remote office, but to be honest, that's a lot of messing about. Go with your original plan and implement a DHCP server in each office.

I see that you're going to go with a global catalog server in the remote office, that's also good practice so that's fine.

If the number of users in your remote office is minimal, it might make more sense to go with a Terminal Services or Citrix setup. Terminal server licenses aren't overly expensive per device. They should run around $100 or so each. The only disadvantage with a Terminal server setup is... if your VPN goes down (which may be highly unlikely), you've lost all connectivity.
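The "one DHCP server per office" layout recommended above, as an added example that is not part of the thread: the Site B scope built with the netsh dhcp context that ships with Windows Server 2003, run on the Site B DC. Every address and name in it is an assumption for illustration (192.168.2.1 for the Cisco 2800 LAN interface, 192.168.2.10 for the Site B DC, 192.168.1.10 for the Site A DC, corp.example.com as a placeholder domain).

```batch
@echo off
REM Added example, not from the thread. Site B DHCP scope on 192.168.2.x.
REM Assumed values (placeholders, change to match your own network):
REM   192.168.2.1      = Cisco 2800 LAN interface, default gateway for Site B
REM   192.168.2.10     = Site B DC running DNS and DHCP
REM   192.168.1.10     = Site A DC/DNS, reachable only across the VPN
REM   corp.example.com = the single AD domain
REM Run on the Site B DHCP server with Enterprise Admin rights.

REM 1. Authorise this DHCP server in Active Directory. An unauthorised
REM    Windows DHCP server in a domain refuses to hand out leases.
netsh dhcp add server siteb-dc1.corp.example.com 192.168.2.10

REM 2. Create the Site B scope. DHCP DISCOVER is a broadcast, so only hosts
REM    on the 192.168.2.0/24 link can reach this scope; it never competes
REM    with the Site A scope as long as the routers do no DHCP relay.
netsh dhcp server add scope 192.168.2.0 255.255.255.0 "Site B" "Remote office LAN"

REM 3. Scope range covers the subnet; .1-.99 is excluded for the router,
REM    servers and printers, so clients are leased from .100-.254.
netsh dhcp server scope 192.168.2.0 add iprange 192.168.2.1 192.168.2.254
netsh dhcp server scope 192.168.2.0 add excluderange 192.168.2.1 192.168.2.99

REM 4. Scope options: local gateway (003), DNS (006) with the LOCAL DC first
REM    so name resolution and logon survive a VPN outage and the Site A DC
REM    second as fallback, and the DNS suffix (015).
netsh dhcp server scope 192.168.2.0 set optionvalue 003 IPADDRESS 192.168.2.1
netsh dhcp server scope 192.168.2.0 set optionvalue 006 IPADDRESS 192.168.2.10 192.168.1.10
netsh dhcp server scope 192.168.2.0 set optionvalue 015 STRING corp.example.com

REM 5. Activate the scope (state 1) and list scopes to confirm.
netsh dhcp server scope 192.168.2.0 set state 1
netsh dhcp server show scope
```

The Site A server gets the mirror image (scope 192.168.1.0, gateway 192.168.1.1, DNS 192.168.1.10 then 192.168.2.10). There is no netsh equivalent on 2003 for the subnet objects; create 192.168.1.0/24 and 192.168.2.0/24 under their sites in Active Directory Sites and Services, since that mapping, not DHCP, is what steers each client to the DC on its own LAN. To check the separation afterwards, run `ipconfig /all` on a Site B client and confirm the "DHCP Server" line reads 192.168.2.10, and verify that neither 2800's LAN interface carries an `ip helper-address` pointing across the VPN, because a relay configured there is exactly what would let the two scopes start answering each other's clients.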
 
As these guys say above, this should be fine.

When a machine boots up, it gets its IP address from your local router, and contacts what it knows is the closest domain controller (the quickest one to respond) which will always be the one on the LAN, not VPN.

Exchange is overkill for so few users but if you have the £ to spend I would go for it, as you say, it provides resiliency for each office if the link goes down.

Mike

Michael Firth
DIY MCSE

~If it's not broke, break it and LEARN~
 