Setup - DC in public ip and DC in private IP at branch office.


rt

I have a question in regards to setting up our domain. (All servers are
Win2003)

I have a DC sitting at a public IP (actually handles a few IPs). This
machine hosts web and exchange. We have a branch office where we have a
shared connection (1 IP address). This connection is via a DSL modem so
everything behind the modem is at 192.168.1.x.

My question is what is the best way to set up the DC in the private IP? I'll
call this DC DCbranch. DCBranch will have DNS installed, so I'm hesitant about
making it part of the same domain because replicating the DNS entries to the
main DC means nothing to it since the private IPs won't do it any good. (DNS
is Active Directory integrated.)

The main DC has the accounts so I need to have them available at the branch
office. So, which is my best option of the following:

1) Make DCbranch a PDC in the same domain (I don't know the implications of
having two PDCs, even with one across the WAN).
2) Make DCbranch a subdomain.
3) Make DCbranch a new domain in the same forest.

"Direct RPC" is not working across the WAN, so I will be using RPC via HTTP
for replication.

One more thing, I prefer users in the branch office to not get email from
the main server so I will be installing exchange in the branch office and
replicating data from the main exchange server. While this requirement is
secondary I have concerns about this working if the branch domain is not the
same domain as the primary. Thus, I'm not sure if options 2 or 3 would work
for this scenario. Again, this is not a primary concern but if possible it
would be nice.

Thanks,

Rick
 
I would think very seriously about this set up. If the DC has a public
IP you are potentially exposing your whole network to hackers. To
access the branch office via the Internet you will have to allow all
the needed ports to be open on the DC. This is very dangerous.

Please consider the following:

1) Move the DC inside a firewall. It doesn't have to be an expensive
device, but you DO need to protect your network.

2) The firewall device will allow you to give your DC only one internal
address. Multi-homed DCs are almost always trouble.

3) The firewall will have the external address that the DC currently
has. It will NAT (translate) the address on packets coming to the DC
from the external address to the DC's internal address.

4) Similarly, put the Branch office behind a firewall, same as the
Home office. This will protect the Branch office from hackers.

5) Construct a VPN tunnel between the two sites. The firewall devices
may be able to do this if you pick the right ones. Some are sold
specifically for this purpose. This protects your two private networks
and allows them to communicate.

6) Make the two locations two sites, one Domain. Much easier to
maintain.

7) I'm not sure why you want to separate the email. However, that's no
problem. You can configure the Exchange in both sites to receive mail
from the Internet. However for the best way to do it, I suggest asking
the Exchange newsgroups.

8) Replication. If you use two sites, one Domain, make at least one DC
in each site a Global Catalog. Configure replication for whatever your
bandwidth can handle. Ensure that there is at least a caching DNS
server in the Branch site.

Whatever you do please realise that your current setup is not safe.

Cheers,

Cliff
Christmas comes but once a year, thank the gods. I don't think
that I could cope with twice.
 
Thanks for the info,

Here is more detail.

We actually have more than one branch office. The branch offices are serviced
by wireless. Originally we had the PDC at a branch site but the wireless was
too slow for other offices (2 wireless hops). We relocated the server to the
ISP. The server runs our web site and mail. The mail is now available from
the branch offices much faster in addition to being better for those
traveling.
We already have a firewall in front of the server. The same ISP provides our
wireless so it is easy to only open up ports to the branch offices. Only
HTTP/HTTPS is open to the public plus a handful of others that will probably
be shutdown, including ping.

We have a number of email accounts in the domain and don't want to recreate
at each office. Some of us move between offices to work when required. I
thought about the branch office DC being BDCs but again the private IPs
would be replicated to the other DNS servers in AD and could cause problems.
I therefore thought that having each branch office be a subdomain would
solve the problem. For one, the accounts would be seen and another the DNS
settings could remain in AD at each branch as regular option choice. In
addition, local accounts could be created if necessary without affecting the
"main" AD or other offices.

Thanks,

Rick


Originally the main DC was at one site
 
Firstly, whatever you do you will have to have a separate subnet in
each site, purely for routing. Say the main site is 10.1.1.0/24
(equivalently 10.1.1.0 netmask 255.255.255.0). Then the subnets for
the Branch Offices could be 10.2.1.0/24, 10.3.1.0/24, etc. Then the
network knows exactly where to send packets.

Secondly, I'm not sure what you mean when you say that the BO's are
served by wireless. Do they connect to the Internet at all? Or do they
connect through the firewall at the ISP? Sounds like it.

I'm unsure of the setup you have at the ISP, and consequently I
suggest you talk to them about it. It sounds on the face of it as if
the ISP has firewalled you off from the Internet, so they appear to
know what they are doing. It also sounds as if the best way, if the BO
are near enough to the ISP to be served by wireless from the ISP that
they would also be behind the firewall.

Without knowing the details, my advice would still be to use a single
domain multiple site setup, if possible. Each site would have its own
subnet as above. If the traffic between BO's and HO has to go over the
Internet, use a VPN. I don't know what you mean about private IPs
being replicated to the other DNS servers and causing problems. It
shouldn't.

But the main piece of advice is to talk to the ISP who appear to have
set you up pretty well. Or get other local expertise. We could spend
months discussing this on the Internet, and I couldn't warrant my
suggestions. They or some local source of expertise probably could.

I hope I've given you plenty to go on. I hope at the end of the day
what we have discussed helps.

Cheers.

Cliff
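The two checks Cliff keeps coming back to in this thread, that a DC should not carry a publicly routable or second address (points 1 to 3 of his first reply) and that every site needs its own non-overlapping subnet so clients can be placed by address (his second reply), can be scripted against a proposed layout before anything is promoted. The following is an added example written for this page, not code from anyone in the thread; the DC names, the 203.0.113.10 address and the site names are constructed, and the site subnets are the ones Cliff used as illustration. "Public" here means anything outside the RFC 1918 ranges, which is how the thread uses the word.

```python
"""Sanity checks for a single-domain, multi-site Active Directory layout.

Constructed example data only; host names, site names and addresses are
assumptions made for this example, not values from the thread's network.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# RFC 1918 private ranges; everything else is treated as externally routable.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: one subnet per site, following Cliff's example addressing plan.
SITE_SUBNETS: Dict[str, str] = {
    "HeadOffice": "10.1.1.0/24",
    "Branch1": "10.2.1.0/24",
    "Branch2": "10.3.1.0/24",
}


def is_rfc1918(address: str) -> bool:
    """True if the address lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in RFC1918)


def classify_dc(name: str, addresses: Iterable[str]) -> dict:
    """Flag the two DC conditions the thread warns about.

    - public_exposed: at least one address is outside RFC 1918, i.e. the DC
      itself sits on the Internet instead of behind a NAT firewall.
    - multi_homed: more than one address; DNS registers every address and
      clients may pick one they cannot reach, which is why multi-homed DCs
      are 'almost always trouble'.
    """
    addrs = [str(ipaddress.ip_address(a)) for a in addresses]
    public = [a for a in addrs if not is_rfc1918(a)]
    return {
        "name": name,
        "addresses": addrs,
        "public_exposed": bool(public),
        "public_addresses": public,
        "multi_homed": len(addrs) > 1,
    }


def plan_site_subnets(site_subnets: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Parse the site -> subnet plan and reject overlapping subnets.

    Overlap makes routing ambiguous and would make the address -> subnet ->
    site lookup that places clients pick an arbitrary site.
    """
    nets = {site: ipaddress.ip_network(cidr, strict=True) for site, cidr in site_subnets.items()}
    items = list(nets.items())
    for i, (site_a, net_a) in enumerate(items):
        for site_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"subnets for {site_a} ({net_a}) and {site_b} ({net_b}) overlap")
    return nets


def site_for_address(address: str, site_subnets: Dict[str, str]) -> Optional[str]:
    """Return the site a client at `address` is placed in by subnet.

    None means no site covers the address; such clients are not steered to a
    local DC and may authenticate across the WAN.
    """
    addr = ipaddress.ip_address(address)
    for site, net in plan_site_subnets(site_subnets).items():
        if addr in net:
            return site
    return None


def report(dcs: Dict[str, List[str]], site_subnets: Dict[str, str]) -> List[str]:
    """Produce one finding per problem found in the DC list and site plan."""
    findings: List[str] = []
    for name, addrs in dcs.items():
        c = classify_dc(name, addrs)
        if c["public_exposed"]:
            findings.append(f"{name}: non-RFC1918 address(es) {c['public_addresses']}; place the DC behind a NAT firewall")
        if c["multi_homed"]:
            findings.append(f"{name}: multi-homed on {c['addresses']}; give the DC a single internal address")
        for a in c["addresses"]:
            if is_rfc1918(a) and site_for_address(a, site_subnets) is None:
                findings.append(f"{name}: {a} is not covered by any site subnet")
    return findings


if __name__ == "__main__":
    # Constructed: the layout described in the first post, before Cliff's advice.
    DCS = {
        "DCmain": ["203.0.113.10", "10.1.1.5"],  # public plus internal address: exposed and multi-homed
        "DCbranch": ["192.168.1.10"],             # behind the DSL modem, outside the planned site subnets
    }
    for line in report(DCS, SITE_SUBNETS):
        print(line)
```

Run as a script it lists three findings for the constructed layout: DCmain is exposed, DCmain is multi-homed, and DCbranch's 192.168.1.10 belongs to no planned site. The functions are kept separate so the same checks can be run from an inventory export once the real addresses are known.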
 