Thread: Second domain controller

  1. #1
    Sambo (Junior Member) | Join Date: Apr 2006 | Location: Windsor near London | Posts: 40

    Second domain controller

    Hello,

    Our company is setting up a new small office in Europe. I have knocked up a box with Win 2003 as a file server so that they don't have to VPN to our office in the UK all the time, but then I realised that there would be a problem with authentication within the domain. So now the file server has to be connected via VPN at all times, as do our users.
    If I add the new file server as a second domain controller, would it have to be connected via VPN to our network to authenticate, or could it authenticate its own users, thus saving some bandwidth for me?
    If I do add a new domain controller, what would be the best way for me to go about it?

    cheers
    sam

  2. #2
    cash_site (Security Intelligence TZ Veteran) | Join Date: Jul 2002 | Location: Software Paradise | Posts: 3,735

    It really comes down to how 'connected' you want or need the second office to be to your headquarters.

    How much sharing of files/emails/services will there be between offices?

    I think the only way for domain controllers to be connected is through a VPN, but you might be able to get some WAN / VPN optimizers that compress and QoS the traffic to minimise your bandwidth constraints...

    Alternatively, you could just set up a totally separate domain, use a POP3/IMAP plug-in for your emails, and perhaps Terminal Services for file share and admin.

    I'm sure you'll get some good input from the other TZ members too. Good luck.

    --- 0wN3D by 3gG ---

  3. #3
    rik (Old and Cranky Super Moderator) | Join Date: Aug 2003 | Location: Watching Your every move... | Posts: 4,638

    I would consider a totally separate domain as cash_site suggested. I'm sure there are many ways to do what you are attempting, but IMO this seems easiest. Although I don't like having a DC perform any other functions; I prefer having the DC just perform that and maybe DNS. Email, VPN, and such I like to have on a different machine if possible. I've also been able to run those on VMs.

    Hardware and software limitations always dictate what we can do and how we can do it.

  4. #4
    Curio (Triple Platinum Member) | Join Date: Nov 2004 | Location: London | Posts: 899

    Active Directory is replicated across DCs, but server roles are specific to servers for some parts of the directory. The traffic across the VPN would be lessened by making the office a separate domain. A domain is a security boundary, so all roles would then be taken up by the new DCs (you really want 2). They can be part of the same forest with links across the VPN and trusts set up for your domain. As has already been said, the level of interoperation required depends on the amount of access across to the main office you need.
    I'm using Windows 7 - you got a problem with that?

  5. #5
    Sambo (Junior Member) | Join Date: Apr 2006 | Location: Windsor near London | Posts: 40

    Thank you, I think it's all pretty unanimous in which way to go. A new domain it is. Thanks for your help.

    cheers

    sambo

  6. #6
    Dehcbad25 (Succeded in braking Windo TZ Veteran) | Join Date: Apr 2002 | Location: DE - USA | Posts: 2,366

    With Windows 2003 R2 you can set up the DC as a remote office DC, thus saving on bandwidth since it will sync the DC information on a schedule and not continuously.
    The AD can be on the same server as a file server (since AD is actually a file server role), but the important thing is that the AD does not have a web server on it.
    AD is disk and network intensive (not in high bandwidth, but short quick bursts) like a web server, and the web server adds security concerns. Another service you don't want on a DC is an email server.
    That aside, you can set up the W2k3 server as an AD/file and print server with a schedule to sync. This server will also have a GC, so the end result is that your remote clients connect to the remote DC and the remote DC syncs outside peak hours.
    MS has information about the remote/branch DC deployment on their web site (I think in the TechNet section).
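An added check (not from the thread or any poster) for verifying the branch-office setup described above: that the remote site actually has a DC holding a Global Catalog, so logons can be serviced locally, and that its site links replicate on a schedule rather than continuously. It assumes the ActiveDirectory PowerShell module (RSAT) against a domain exposing AD Web Services, read access to the Configuration partition, and uses the placeholder site name Branch-EU.

```powershell
# Added example: report GC presence and replication schedule for one AD site.
# Assumes the ActiveDirectory module (RSAT); "Branch-EU" is a placeholder site name.
Import-Module ActiveDirectory

function Get-BranchSiteReport {
    param(
        [Parameter(Mandatory)] [string] $SiteName
    )

    # All DCs placed in this site. IsGlobalCatalog matters because logons that
    # need universal group membership require a reachable GC (or GC caching).
    $dcs = @(Get-ADDomainController -Filter * | Where-Object { $_.Site -eq $SiteName })
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

    # Site links that include this site. ReplicationFrequencyInMinutes is the
    # "schedule" the thread refers to (180 = every three hours by default);
    # a very low value means the VPN link is replicating almost continuously.
    $links = @(Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost, ReplicationFrequencyInMinutes |
        Where-Object { $_.SitesIncluded | Where-Object { $_ -like "CN=$SiteName,*" } })

    [pscustomobject]@{
        Site                = $SiteName
        DomainControllers   = @($dcs | ForEach-Object { $_.HostName })
        GlobalCatalogs      = @($gcs | ForEach-Object { $_.HostName })
        LocalLogonsPossible = ($dcs.Count -ge 1 -and $gcs.Count -ge 1)
        SiteLinks           = @($links | ForEach-Object {
            '{0}: every {1} min, cost {2}' -f $_.Name, $_.ReplicationFrequencyInMinutes, $_.Cost
        })
        # Flag links that would defeat the bandwidth saving the thread is after.
        LinksReplicatingOften = @($links | Where-Object { $_.ReplicationFrequencyInMinutes -lt 60 } |
            ForEach-Object { $_.Name })
    }
}

Get-BranchSiteReport -SiteName 'Branch-EU' | Format-List
```

If LocalLogonsPossible is false or LinksReplicatingOften is non-empty, the branch is still depending on the VPN for every logon or for near-continuous replication, which is the situation the original poster was trying to avoid.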
