Hi all,
I'm looking for a bit of advice on changing a network from a workgroup setup to a domain environment.
We're a small and growing business with a total of four office locations ( one main office, and three satellite offices).
All satellite offices are connected into the main office via VPN tunnel using Sonicwall TZ appliances.
Network info
Main office
Network : 192.168.1.1
Location : NYC
# of users : 16
Satellite Offices
Location #1
Subnet : 192.168.2.1
Philadelphia
# of users : 6
Location #2
Subnet : 192.168.3.1
New York
# of users : 6
Location #3
Subnet : 192.168.4.1
Connecticut
# of users : 5
Problem:
In order to address some security concerns, and ultimately expansion in the near future, I would like to setup active directory to better manage the environment.
My concern is how do I properly deploy / provide active directory access across all locations, when obviously the satellite offices are too small to set up a read-only DC, as well as the issue of cost?
I know user authentication over WAN (through the tunnel) is possible.
The nodes on the main office network will obviously receive IP addresses from the DC / DHCP server locally.
However, I am not sure if the satellite locations should be set up to receive DHCP over VPN, and therefore I would have to disable DHCP on the remote routers and allow IP address distribution from the main office. Does my assumption make sense? If not, what is the proper way to handle this? Forgive me if this sounds like nonsense.
Thanks
TB
I don't have any experience in this, but have run into various discussion on the same topic of multi-subnet vpn active directory deployments. Do some searches and I'm sure you'll find TONS to read. Good luck!
Main office has your DC....say the DC has an IP address of 192.168.0.10
Satellite offices run their own DHCP (from the router is fine)...have the router hand out 192.168.0.10 as the primary DNS server.
This way workstations at the satellite offices are properly logging into active directory. Yeah...if the bandwidth is "light"...their logins can be a little slow as GPOs and scripts are processed...but..that's the way it is.
Some people add a secondary DNS server to hand out (in case the VPN tunnel goes down...so they can still surf the web), such as the ISPs or the router itself (which just does DNS forwarding to its WAN interface which is the ISP anyways)....BUT..you'll find that this responds quickly, the primary DNS server may take too long..so workstations will tend to turn to the secondary DNS...thus failing to log into the DC...thus breaking DNS too often.
It's better to leave the primary DNS as the DC..and that's it....until you get budget for a local DC at each satellite office.
MORNING WOOD Lumber Company
Guinness for Strength!!!
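The reply above hinges on two things being true at each satellite office: the workstations resolve names through the DC only, and the DC's logon ports are reachable through the tunnel. The script below is an added example, not part of the thread, that checks exactly that from a satellite workstation. The domain name corp.example.local is an assumption; the DC address 192.168.0.10 is the one used in the reply. It reads the DNS client settings, asks the DC itself for the DC locator SRV record, probes the TCP ports a domain logon needs, and runs the built-in DC locator (nltest), then prints a pass/fail table.

```powershell
# Added example (not from the thread): verify a satellite-office workstation is
# wired up the way the reply describes. Assumptions: the AD DNS domain is
# corp.example.local; the DC lives at 192.168.0.10 (the address used in the reply).
param(
    [string]$DomainName = 'corp.example.local',
    [string]$DcAddress  = '192.168.0.10'
)

$results = [ordered]@{}

# 1. DNS: every active IPv4 interface should list ONLY the DC. A secondary
#    resolver (ISP or router) is what causes the intermittent logon failures
#    described above, because the client silently switches to it.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object -ExpandProperty ServerAddresses -Unique
$results['DnsServersAreDcOnly'] = ((@($dnsServers) -join ',') -eq $DcAddress)
$results['DnsServersSeen']      = (@($dnsServers) -join ',')

# 2. DC locator record: ask the DC directly for the SRV record clients use to
#    find a domain controller. If this fails, GPO processing and logon fail too.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
$srv = Resolve-DnsName -Name $srvName -Type SRV -Server $DcAddress -ErrorAction SilentlyContinue
$results['DcSrvRecordResolves'] = [bool]($srv | Where-Object { $_.Type -eq 'SRV' })

# 3. Ports a domain logon needs through the VPN tunnel (DNS, Kerberos, RPC
#    endpoint mapper, LDAP, SMB for SYSVOL/GPO, Kerberos password change).
foreach ($port in 53, 88, 135, 389, 445, 464) {
    $probe = Test-NetConnection -ComputerName $DcAddress -Port $port -WarningAction SilentlyContinue
    $results["Tcp$port"] = $probe.TcpTestSucceeded
}

# 4. The real DC locator: nltest must be able to find a DC for the domain.
#    Exit code 0 means a DC was located; output is kept for the report.
$dcLocatorOutput = & nltest /dsgetdc:$DomainName 2>&1
$results['DcLocatorFindsDc'] = ($LASTEXITCODE -eq 0)

# 5. Report. Anything False here is what the reply warns about.
$results.GetEnumerator() |
    Select-Object @{n='Check';e={$_.Key}}, @{n='Result';e={$_.Value}} |
    Format-Table -AutoSize

if (-not $results['DnsServersAreDcOnly']) {
    Write-Warning "Fix the router's DHCP DNS option so clients get only $DcAddress."
    Write-Warning "Temporary per-machine override (adapter index from Get-NetAdapter):"
    Write-Warning "  Set-DnsClientServerAddress -InterfaceIndex <n> -ServerAddresses $DcAddress"
}
if ($results['DcLocatorFindsDc']) { $dcLocatorOutput | Select-Object -First 3 }
```

Run it from an elevated PowerShell prompt on one workstation per satellite office after the tunnel is up. One caveat the thread does not mention: once the domain exists, define each satellite subnet (192.168.2.0/24, and so on) in Active Directory Sites and Services and map it to a site. With a single DC every site points at the main office anyway, but having the subnets defined means that when a local DC is eventually added to a satellite, its clients start using it without any reconfiguration of the workstations or the routers.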