Active Directory site link through WAN connections

[Steven T]

Our company have some regional offices around the globe and would like to
plan for a single domain(multi-site) AD architecture.
Say, we have location A, B and C. The offices do not have VPN connection
between them and the only form of communication is through the Internet.
What I am going to do is to place 2 DC(One carrying all the FSMO roles and
the other a GC) in site A and 1 DC(GC also) for each of B and C.
I am just wondering if I really need a VPN connection. I may want to just
allow the ports that replication need with IP restrictions. However, I know
that DC replication requires RPC communication between servers and this may
not work over a WAN connection? Any suggestions are welcomed.

By the way, I am actually asking for "Possiblity" only. I know that even if
it works, it should have potential security problems. Thank you.

 

[Herb Martin]

Our company have some regional offices around the globe and would like to
plan for a single domain(multi-site) AD architecture.
Say, we have location A, B and C. The offices do not have VPN connection
between them and the only form of communication is through the Internet.

Best would be to SETUP a VPN between them then.
(You can easily do that with even a moderate router or
even a Windows server.)

What I am going to do is to place 2 DC(One carrying all the FSMO roles and
the other a GC) in site A and 1 DC(GC also) for each of B and C.

Ok, and with only one domain you can just make every DC (from
now on) a GC.

[Even SMALL multi-domain forests can do this.]

I am just wondering if I really need a VPN connection. I may want to just
allow the ports that replication need with IP restrictions. However, I
know that DC replication requires RPC communication between servers and
this may not work over a WAN connection? Any suggestions are welcomed.

No, you do not "need" a VPN but it will be much easier, and
probably safer if you set one up.

By the way, I am actually asking for "Possiblity" only. I know that even
if it works, it should have potential security problems. Thank you.

Understood. I recommend the VPN but it COULD (at least in theory)
work without it.

 

[Andrei Ungureanu [MVP]]

and in case you stick to you original idea (not recomended) this may help
you:
http://www.microsoft.com/technet/pr.../activedirectory/deploy/confeat/adrepfir.mspx

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au

Our company have some regional offices around the globe and would like to
plan for a single domain(multi-site) AD architecture.
Say, we have location A, B and C. The offices do not have VPN connection
between them and the only form of communication is through the Internet.

Best would be to SETUP a VPN between them then.
(You can easily do that with even a moderate router or
even a Windows server.)

What I am going to do is to place 2 DC(One carrying all the FSMO roles
and the other a GC) in site A and 1 DC(GC also) for each of B and C.

Ok, and with only one domain you can just make every DC (from
now on) a GC.

[Even SMALL multi-domain forests can do this.]

I am just wondering if I really need a VPN connection. I may want to just
allow the ports that replication need with IP restrictions. However, I
know that DC replication requires RPC communication between servers and
this may not work over a WAN connection? Any suggestions are welcomed.

No, you do not "need" a VPN but it will be much easier, and
probably safer if you set one up.

By the way, I am actually asking for "Possiblity" only. I know that even
if it works, it should have potential security problems. Thank you.

Understood. I recommend the VPN but it COULD (at least in theory)
work without it.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]