Single domain AD with many separated offices

Thread starter: sf=

Dear all,

In my company we have several branch offices.
Currently we have AD installed, with a single domain configuration.
There is an office (let's call it A) with 128 Kbps fiber optic
bandwidth.
Office A has more or less 90 users and has access to the email server in
the head office.

I want to set up a domain controller in office A.
My questions are:
1. If we use a single domain structure, is it enough to have 256 Kbps to
do replication to the head office domain controller?
2. Should the branch office install a global catalog server on the
domain controller?

Another question: what is the definition of "site"? If we have a single
domain xx.yyy.com and I want to install AD in a branch office, can I say
that the branch is another site?
What is the best practice for the link used to connect the head
office and branch office in AD? Using a VPN? Or are there other methods
for connection?


Thanks in advance.
Your help will be very appreciated.

Best Regards
sf
 
Hello sf=,

See inline.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Dear all,
>
> In my company we have several branch offices.
> Currently we have AD installed, with a single domain configuration.
> There is an office (let's call it A) with 128 Kbps fiber optic
> bandwidth.
> Office A has more or less 90 users and has access to the email server in
> the head office.
> I want to set up a domain controller in office A.
> My questions are:
> 1. If we use a single domain structure, is it enough to have 256 Kbps to
> do replication to the head office domain controller?

No, at least choose 500kb; everything below that is defined as a slow link in AD for group
policy processing. If you still decide to choose a slow link, prepare the
DC at the main office, so that initial replication of the AD database and GC is done,
and then move it to the site.

> 2. Should the branch office install a global catalog server on the
> domain controller?

In a single forest domain, make all DCs Global Catalog servers and DNS servers.
Especially in the branch office you should have a DNS server: if you use
the DNS server in the main office and the link goes down, nobody can log on
to the domain, even if a DC is in the office.

> Another question: what is the definition of "site"? If we have a single
> domain xx.yyy.com and I want to install AD in a branch office, can I say
> that the branch is another site?

A site is a remote office, for example, that uses a different subnet. So if
the main office uses 192.168.1.0 and the remote office uses 192.168.2.0 you have
to configure AD Sites and Services with a new site and add the subnet to
that site.
http://technet.microsoft.com/en-us/library/cc755768.aspx

> What is the best practice for the link used to connect the head
> office and branch office in AD? Using a VPN? Or are there other methods
> for connection?

VPN is a good option to connect it. Or if you are able to use your own leased lines
you can create your own routed network.
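The steps in the reply above (new site, subnet bound to it, a site link whose cost and interval keep replication traffic off the slow link, every DC acting as GC and DNS, and the 500 Kbps Group Policy slow-link threshold) as one PowerShell script. This is an added example, not code from the thread or from any Microsoft article it links; it uses the ActiveDirectory RSAT module (Windows Server 2012 or later). The site name `Branch-A`, the head-office site name `Default-First-Site-Name`, the link name and the cost value are assumptions; the subnets are the thread's 192.168.1.0 and 192.168.2.0.

```powershell
# Added example (not from the thread): build the branch site in AD Sites and
# Services with PowerShell and verify the DC/GC/DNS state the reply asks for.
# Requires the ActiveDirectory module and Domain/Enterprise Admin rights.
Import-Module ActiveDirectory

$BranchSite   = 'Branch-A'                 # assumed name for office A
$BranchSubnet = '192.168.2.0/24'           # branch subnet from the thread
$HeadSite     = 'Default-First-Site-Name'  # assumed: site the head-office DCs live in
$HeadSubnet   = '192.168.1.0/24'           # head-office subnet from the thread
$LinkName     = 'HO-Branch-A'              # assumed site link name

# 1. One site per physical location with its own subnet(s).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$BranchSite'")) {
    New-ADReplicationSite -Name $BranchSite -Description 'Office A, 128 Kbps link'
}

# 2. Subnet-to-site mapping. This is what makes clients in 192.168.2.0/24
#    pick the local DC for logon instead of one across the slow link.
$subnets = @(
    @{ Subnet = $HeadSubnet;   Site = $HeadSite },
    @{ Subnet = $BranchSubnet; Site = $BranchSite }
)
foreach ($pair in $subnets) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($pair.Subnet)'")) {
        New-ADReplicationSubnet -Name $pair.Subnet -Site $pair.Site
    }
}

# 3. Site link between the two sites. Cost and replication interval control
#    inter-site replication; 180 minutes is the default interval, a higher
#    cost makes the KCC prefer other paths if any exist.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName `
        -SitesIncluded $HeadSite, $BranchSite `
        -Cost 200 `
        -ReplicationFrequencyInMinutes 180 `
        -InterSiteTransportProtocol IP
}

# 4. Verify: every DC should be a Global Catalog and answer DNS queries,
#    so the branch keeps working when the link to the head office is down.
Get-ADDomainController -Filter * | ForEach-Object {
    $dnsOk = $false
    try {
        Resolve-DnsName -Name $_.Domain -Server $_.HostName -Type A -ErrorAction Stop | Out-Null
        $dnsOk = $true
    } catch { }
    [pscustomobject]@{
        DC              = $_.HostName
        Site            = $_.Site
        IsGlobalCatalog = $_.IsGlobalCatalog
        AnswersDns      = $dnsOk
    }
} | Format-Table -AutoSize

# 5. Group Policy slow-link threshold (the 500 Kbps figure in the reply).
#    If the policy "Configure Group Policy slow link detection" is not set,
#    the default of 500 Kbps applies, so a 128 or 256 Kbps link counts as slow.
$gpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$rate  = (Get-ItemProperty -Path $gpKey -Name GroupPolicyMinTransferRate -ErrorAction SilentlyContinue).GroupPolicyMinTransferRate
if ($null -eq $rate) { $rate = 500 }
"Group Policy slow-link threshold: $rate Kbps"
```

Run it once from a head-office DC; the final table should show `IsGlobalCatalog` and `AnswersDns` as True for the branch DC before it is shipped to office A. A DC that is not yet a GC is promoted in AD Sites and Services under its NTDS Settings object, which is the tool the reply refers to.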
 

Dear Meinolf,
Much appreciated, Thanks a lot for your prompt reply.
Anyway, there are also several questions:

> VPN is a good option to connect it. Or if you are able to use your own leased lines
> you can create your own routed network.

1. Our own routed network, so the connection does not cross the internet
or a public network? Only dedicated to us?
2. Is it possible, if the branch office/site has a VPN to our HO, that we
reroute HTTP traffic (port 80) to use a different gateway, the local gateway,
directly to the internet from the site/branch office? So the HTTP request does not
go to HO using the VPN, and uses packet filtering to go directly via the local
gateway to the internet?

Thanks in advance.
Best Regards

sf
 
Hello sf=,

Again inline.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Dear Meinolf,
> Much appreciated, thanks a lot for your prompt reply.
> Anyway, there are also several questions:
> 1. Our own routed network, so the connection does not cross the internet
> or a public network? Only dedicated to us?

If you have your own leased lines you can set up your own routed network.
But this will not be the cheapest option. VPN via the Internet is of course the
cheaper way.

> 2. Is it possible, if the branch office/site has a VPN to our HO, that we
> reroute HTTP traffic (port 80) to use a different gateway, the local gateway,
> directly to the internet from the site/branch office?
> So the HTTP request does not
> go to HO using the VPN, and uses packet filtering to go directly via the local
> gateway to the internet?

To achieve this you have to use a firewall/router solution which is also
able to create a VPN. Or use ISA Server from MS.

Also see these articles:
http://support.microsoft.com/kb/323441

http://technet.microsoft.com/en-us/library/cc759171.aspx

http://support.microsoft.com/kb/837453

http://technet.microsoft.com/en-us/library/bb742569.aspx

http://support.microsoft.com/kb/888711

http://www.isaserver.org/tutorials/...6-Firewalls-Main-Branch-Office-Part1html.html

http://www.isaserver.org/tutorials/...-2006-Firewalls-Main-Branch-Office-Part2.html
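The outcome sf asks for in question 2 (AD, mail and other head-office traffic over the VPN, web traffic straight out of the branch's own Internet gateway) is usually reached with destination-based routing at the branch edge rather than per-port policy routing, which plain Windows static routes cannot do. The script below shows that routing policy and a check of where a given destination would actually be sent. It is an added example, not from the thread or from the ISA Server articles it links; it assumes a Windows host with RRAS acting as the branch router, a tunnel interface named `VPN-to-HO`, a LAN/WAN interface named `Ethernet`, and a local ISP gateway at 192.168.2.1. The head-office prefix is the thread's 192.168.1.0/24.

```powershell
# Added example (not from the thread): split routing on a branch-office
# Windows router. Head-office prefixes go through the VPN tunnel, everything
# else leaves through the local Internet gateway. Names and addresses below
# are assumptions; adjust them to the real interfaces.
$VpnInterface   = 'VPN-to-HO'          # assumed tunnel interface alias
$LanInterface   = 'Ethernet'           # assumed local WAN/LAN interface alias
$LocalGateway   = '192.168.2.1'        # assumed branch ISP router
$HeadOfficeNets = @('192.168.1.0/24')  # head-office prefix from the thread

# Head-office prefixes: via the tunnel, with a low metric so they win over
# the default route. A point-to-point tunnel needs no explicit next hop.
foreach ($prefix in $HeadOfficeNets) {
    $exists = Get-NetRoute -DestinationPrefix $prefix -InterfaceAlias $VpnInterface -ErrorAction SilentlyContinue
    if (-not $exists) {
        New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $VpnInterface -RouteMetric 5 | Out-Null
    }
}

# Everything else (Internet, including HTTP): via the local gateway, not the VPN.
$defaultRoute = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceAlias $LanInterface -ErrorAction SilentlyContinue
if (-not $defaultRoute) {
    New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceAlias $LanInterface `
        -NextHop $LocalGateway -RouteMetric 10 | Out-Null
}

# Verification: ask the stack which route it would pick for a destination.
# Find-NetRoute returns an address object and a route object; keep the route.
function Test-BranchRoute {
    param([Parameter(Mandatory)][string]$Destination)
    $route = Find-NetRoute -RemoteIPAddress $Destination |
        Where-Object { $_.DestinationPrefix } | Select-Object -First 1
    [pscustomobject]@{
        Destination = $Destination
        ViaPrefix   = $route.DestinationPrefix
        Interface   = $route.InterfaceAlias
        NextHop     = $route.NextHop
        ViaVpn      = ($route.InterfaceAlias -eq $VpnInterface)
    }
}

# A head-office DC should show ViaVpn = True; a public web host ViaVpn = False.
# (192.168.1.10 is a constructed head-office address, 198.51.100.10 a
#  documentation-range stand-in for a public web server.)
Test-BranchRoute -Destination '192.168.1.10'
Test-BranchRoute -Destination '198.51.100.10'
```

Two things follow from this design. First, once web traffic leaves locally it is no longer filtered by the head office, so the branch edge device must carry its own outbound filtering and logging; this is why the reply points at a firewall/router or ISA Server rather than a bare VPN endpoint. Second, branch clients must still resolve and reach the domain via the tunnel, so the head-office prefixes (and the branch DC's DNS forwarding to head-office DCs) must be covered by the VPN routes, not the default route.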
 

Dear Meinolf,
Many thanks again.
Anyway, in your experience, how much bandwidth is required for a
single domain structure to replicate the AD database, so that AD
will work smoothly?

Best Regards
sf=
 
Hello sf=,

I would choose a T1 (1.5Mbit) or at least a 1Mbit connection between the
offices.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Meinolf Weber said:
Hello sf=,

I would choose a T1 (1.5Mbit) or at least a 1Mbit connection between the
offices.



I agree; with the 90 users in the remote office, a T1 would be the
minimum.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(e-mail address removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay