Need doc on ad setup over wan?
David Lewis
2005-01-04 16:27:34 UTC
Looking for a simple doc for setting up AD between 2 offices connected via WAN.
Very simple networks. Got 2 2003 DCs.
Phillip Renouf
2005-01-04 20:17:04 UTC
The doc you are probably looking for is the Active Directory Branch Office
Planning Guide.

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/branchoffice/default.asp

Take a read through that and feel free to post any questions etc.

Phil
Matt Wagner [MSFT]
2005-01-04 20:26:06 UTC
David:

I'm not aware of a scenario-specific document like that. Your best bet
is probably the Windows Server 2003 Deployment Kit. It sounds like you
have a pretty simple scenario, so this should be enough to get you going.

Windows Server 2003 Deployment Kit:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dpgDSS_overview.asp

Matt Wagner
Enterprise Engineering Center
Microsoft Corporation

Legal Disclaimer:
This posting is provided "AS IS" with no warranties, and confers no
rights. Use of included script samples are subject to the terms
specified at http://www.microsoft.com/info/cpyright.htm Please do not
send e-mail directly to this alias. This alias is for newsgroup purposes
only.
David Lewis
2005-01-05 01:35:28 UTC
thankx, but again, wow, overkill
It's such a simple thing. 2 offices connected.
Do I do separate domains and a trust like NT4 or are both offices DCs
and both offices' users log into the same domain name. Or does each
office have its own domain name?
I just want one place to administer all my users for both offices.
Matt Wagner [MSFT]
2005-01-05 02:00:53 UTC
David:

Phillip provided a document that seems pretty good for what you are
looking for. However, to answer your question briefly, depending on the
speed of the WAN link the two offices can be in the same domain. You
would just need to set them up as two different sites with a site link
to control replication.

Matt Wagner
Enterprise Engineering Center
Microsoft Corporation
David Lewis
2005-01-06 00:12:42 UTC
T1 in main office and 1.5 ADSL in 2nd office.
So then do both offices log into the same domain name?
Like I have my main office as company.com with a netbios name of company
One of my offices is office1.company.com / netbios of office1

What is a site link to control replication?

My 3rd office that I am setting up, would it use office3.company.com or company.com as its domain name?
Phillip Renouf
2005-01-06 15:57:03 UTC
If they are all in the same domain then you could have company.com for all 3
of them. You would need to define the subnets from each location into
separate Sites to enable you to control the replication. If you want one
place to control the administration for all the offices then going with a
Single Forest/Single Domain is probably the best bet.

If those links are internet links and not private links then you should have
a site-to-site VPN setup between the different offices prior to setting up
your AD environment.

Go through the two documents that were linked here as it is pretty important
to understand the different options and the pros/cons to each of them before
you make a decision.

Phil
David Lewis
2005-01-07 04:50:04 UTC
Thankx. There was a lot of information in those docs and so my eyes were glazing over from the thought of reading it
all. That's why I was hoping to narrow down what I need to read up on. I will have a site-to-site VPN through my
SonicWall firewalls. Each site is on its own subnet, i.e. 192.168.0.x and 192.168.1.x

Two things I don't understand is how do I set up my MS DNS settings? Does each site's DC have its own DNS server
running and how do I get the sites working together.

Also since the site-to-site VPN is relatively slow how do I handle AD replication between the site DCs. Is there
something special I need to do to cut down on the traffic between the offices' DCs?

Just to make sure I understand what you have said, what did you mean about understanding the different options? To me
the only way to go is one Single Forest for the entire company. Especially since I have one Exchange server in the
corporate office. I want uniformity of username/password company wide. Trusts in the NT4 days sucks :)

Oh ya, how does the NetBIOS name figure into all of this. In the branch offices do the users log into the branch name
or the company name? In other words on the ctrl-alt-del screen does every office have the same log into domain name?
Phillip Renouf
2005-01-11 18:35:01 UTC
A lot of questions there ;)

When I said you should look at the options I just meant that there is no one
way to design an Active Directory forest and every company has different
needs. I just didn't want to suggest something here and have you go do it
only to find out that you have some special requirements etc. that I wasn't
aware of. It's also a good idea to look at all the options individually and
look at the pros/cons for each one. That will help you to justify your choice
and make you confident that you are going in the right direction. That
analysis could be as simple as a few hours and a whiteboard or as complicated
as months of investigation, testing and documentation (which you do is
largely based on the size/scale of the organization and the politics
involved).

In your case I would say that a single forest single domain is the way to go
(it's usually the best choice unless there is a reason not to). You should
set up an Active Directory Site for each location, define what subnets are at
each location and place the local DCs in their respective sites (you do this
in Active Directory Sites and Services). Placing the DCs in separate sites will
help you to control replication since you can then control the frequency of
the updates etc. It is worthwhile to do a bit of reading on AD Sites and
Replication to make sure that you get a good grasp of this.

I would set up DNS on each DC and use DHCP to point clients to their local DC
for DNS. Make both DNS servers AD integrated.

If you have a single forest/single domain then the users would all log into
the same domain name. If the clients are 2000/XP then they will use DNS to
find a DC and login and NetBIOS won't come into play.

Phil
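
The site, subnet and site-link layout described in the reply above, scripted as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later, not the Server 2003 tools discussed here), /24 masks for the two subnets, and hypothetical site and DC names.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT / Windows Server 2012+). Site names, DC names and the /24 masks
# are hypothetical placeholders for the two offices described above.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$offices = @(
    @{ Site = 'MainOffice'; Subnet = '192.168.0.0/24'; DC = 'DC-MAIN' },
    @{ Site = 'Branch1';    Subnet = '192.168.1.0/24'; DC = 'DC-BRANCH1' }
)

foreach ($o in $offices) {
    # One AD site per physical location
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($o.Site)'")) {
        New-ADReplicationSite -Name $o.Site
    }
    # Map the office subnet to its site so clients are referred to the local DC
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($o.Subnet)'")) {
        New-ADReplicationSubnet -Name $o.Subnet -Site $o.Site
    }
    # Move the DC's server object into the site where it physically sits
    Move-ADDirectoryServer -Identity $o.DC -Site $o.Site
}

# One IP site link across the VPN; the interval (minimum 15 minutes)
# controls how often inter-site replication runs over the slow link.
$link = @{
    Name                          = 'MainOffice-Branch1'
    SitesIncluded                 = ($offices | ForEach-Object { $_.Site })
    Cost                          = 100
    ReplicationFrequencyInMinutes = 60
    InterSiteTransportProtocol    = 'IP'
}
New-ADReplicationSiteLink @link

# Verify: every subnet maps to a site and each DC reports the expected site
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
```

A subnet that is missing from this mapping leaves its clients without a site assignment, so they may authenticate against a DC across the WAN link.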
David Lewis
2005-01-11 20:07:06 UTC
That's what I was looking for, thankx.