answers:

CG IT, 3 years ago

1) No, you don't have to.
2) Most likely.

Notes: a DC at the site requires that DC to talk to the HQ DC for replication, so you have to make sure they talk to each other. No DC means a site link, and you have to associate a subnet to the site link. Best to have a persistent link [site link] to HQ to make this work right. Users which cannot contact a DC to authenticate with typically will use cached credentials to log in. No GP or any other settings will take place until the workstations contact the DC. So the VPN connection each user uses is simply a remote connection [remote access], not a link [site link] to the domain.

Site link to the domain
Wheezey, 3 years ago

Pardon my ignorance, but I'm not familiar with "site linking". I think I may have misrepresented the VPN situation: we're operating the VPN from the remote site's SonicWALL VPN to our main facility's SonicWALL VPN. Is this what you were referring to as a "persistent link"?

Off topic: as for GP, I'm looking to have GP set up similar to the domain's GP on the local machine, to an extent. I'm still learning about AD.

Active Directory Sites and Services
CG IT, 3 years ago

... is where you create a site in Active Directory. You also associate a subnet to the site. The subnet to the site is a persistent link, meaning "always on" or "dedicated link". [Goes back to the days where locations were connected with dedicated lines into a HQ, but those locations didn't really warrant having servers (not enough workstations to warrant the admin effort).] Workstations use this link to contact DCs and DNS servers with their queries. On your DC, open Active Directory Sites and Services to take a gander at what's there. Then read up on sites/site links and how to implement them on MS TechNet.
Remote VPN users authenticate with the remote access appliance, i.e. your SonicWALL, and obtain a local network address [DHCP relay agent]. VPN users don't authenticate with Active Directory for login [as you mentioned, they're part of a workgroup and could never authenticate with AD] but with the VPN appliance. Once authenticated and having obtained a local network address, they simply access the resources [granted access by the resource, in this case Terminal Services, not Active Directory]. You can set up RRAS on a Windows box that is an AD member server and have authentication for VPN via Active Directory, as remote access user rights on the user account in Active Directory. With W2008, you have all sorts of options for securing remote access clients that weren't available on W2003, such as policy enforcement and quarantine until they meet policy, etc.
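As an added illustration of the Sites and Services setup CG IT describes above (this is example code written for this page, not something posted in the thread): defining the remote site, mapping the LAN behind the remote SonicWALL to it, and creating the site link over the site-to-site VPN. It assumes the ActiveDirectory PowerShell module from Windows Server 2012 or later (on the W2003/W2008 versions the thread mentions, the same steps are done in the Active Directory Sites and Services MMC). The site name, subnet and link name are hypothetical placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT-AD-PowerShell) on Windows Server 2012 or later, run as a domain admin.
# Site, subnet and link names below are hypothetical; adjust to your network.
Import-Module ActiveDirectory

$hqSite     = 'Default-First-Site-Name'   # the existing HQ site (rename if yours differs)
$branchSite = 'Branch-Office'             # hypothetical remote site
$branchNet  = '10.20.0.0/24'              # hypothetical LAN behind the remote SonicWALL
$linkName   = 'HQ-Branch'                 # hypothetical site link over the site-to-site VPN

# 1. The site object itself.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$branchSite'")) {
    New-ADReplicationSite -Name $branchSite
}

# 2. Associate the remote subnet with the site. This is what lets workstations
#    on that LAN be placed in the right site by the DC locator; without it they
#    are "siteless" and may pick any DC in the forest.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$branchNet'")) {
    New-ADReplicationSubnet -Name $branchNet -Site $branchSite
}

# 3. The site link between HQ and the branch. Cost and replication frequency
#    only matter once a DC exists at the branch; with no branch DC, clients in
#    the branch site simply use DCs from the nearest site (HQ) over the VPN.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $hqSite, $branchSite `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# Review what is now defined.
Get-ADReplicationSubnet  -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes
```

To check the result from a workstation at the branch, run `nltest /dsgetsite` (which site the client has been placed in) and `nltest /dsgetdc:<yourdomain>` (which DC it located). A workstation that is a workgroup member connecting through the SonicWALL remote-access VPN, as in the original question, is not affected by any of this: it never talks to a DC for logon, which is the distinction CG IT draws between remote access and a site link.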