Set up 2 domains on 1 network and support a remote office

blankstare75
After sifting through many posts here, I decided to post my own question, and would appreciate any input you might have.

In our office, we run a Windows 2003 domain.

One of our clients (small business that isn't so small anymore) now needs a real network and domain. The tricky piece here is that the client's offices are not climate controlled, and are no place for servers.

I have been tasked with setting up the client's servers and domains in our office. The client's office desktops will need to connect to their servers sitting in our office for DHCP, files, and programs.

I'm curious about how to setup the IP scheme in our office, for our computers and servers, now that we will be adding their servers here.

I'm considering moving our office to an 11.11.0.0 scheme, while setting up the client's machines in a 12.12.0.0 scheme.

The forest/domain structure is still flexible, but I think it would be better to keep the forests separate, and set up trusts IF/when data needs to be shared. There should not be much of a need for my office computers to communicate with the client's servers, except that we will need access to their accounting data.

The connection between the offices will start as a VPN connection. Each office has a 3.5 Mbps link to the net. I have already posed the idea of a leased line, as I'm not sure if the current connections will be fast enough for the software to be used. The idea there is to see how well the current speeds work before upgrading.

I've set up a few DHCP servers in the past, but never anything quite this involved. I'm not sure whether I should be running two DHCP and DNS servers or some combination of the two. The fact that the client's servers, as well as our servers and desktops, need access to the internet means they will be connected to the same physical network. What problems will this pose? Suggestions for solutions are definitely appreciated here.

At the start, there will be between 10-15 users at the client office that will need to access accounting software data on one of the servers here. There may be a couple more people that will store files on the file server, but will not access them very much. We are still in the process of selecting an accounting suite, so I don't have any more detailed info on that yet.

Again, any thoughts would be appreciated.
    -Q-240248

    I see a lot of problems here. The VPN from the remote network will be hard pressed to get them to log in after establishing a VPN.

    The 11.11.0.0 and 12.12.0.0 IP addresses, did you just pull those out of thin air? Well, there's really nothing too wrong with using any number you want, just be sure you are NAT'ing them before you hit the Internet. Most people will use the private IP address ranges, such as 10.0.0.0/8, so you could have 10.10.10.0 at the local and 10.10.11.0 at the remote, which gives you 254 usable IP addresses. You have to figure out how many hosts there are and subnet accordingly.

    On the forest issues, I agree with your assessment.

    You will need DHCP at both sites, not just the local DHCP server; you can set that up in the router in most cases at the remote site. And then once they VPN, they will get a local IP from another DHCP scope via the VPN configuration.

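    The addressing advice above, in checkable form. This is an added example, not code from the thread or from any poster: a short Python script that tests whether a two-site plan uses RFC 1918 private space (11.0.0.0/8 and 12.0.0.0/8 are public, so the question's 11.11.0.0 and 12.12.0.0 fail that test even if they are NAT'ed), whether the site prefixes overlap (a site-to-site VPN cannot route between overlapping subnets), and whether each prefix has enough usable host addresses for the hosts expected there; it then carves out a DHCP lease range that leaves the low addresses for routers, servers and printers. The host counts and the 20-address reservation are assumed values for illustration, not figures from the thread.

```python
"""Sanity-check a two-site IP addressing plan before creating DHCP scopes.

Added example, not from the thread. Assumptions: one subnet per site, the
hosted client servers live in the office A subnet, and the host counts
passed in are rough estimates (constructed for this example).
"""
import ipaddress

# Constructed addressing plans: the one floated in the question, and the
# RFC 1918 alternative suggested in the reply.
PROPOSED_PLAN = {"office_a": "11.11.0.0/16", "office_b": "12.12.0.0/16"}
RFC1918_PLAN = {"office_a": "10.10.10.0/24", "office_b": "10.10.11.0/24"}


def usable_hosts(cidr):
    """Usable host addresses in a prefix (network and broadcast excluded
    for prefixes shorter than /31)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def check_plan(plan, hosts_needed):
    """Return a list of problems with an addressing plan (empty if OK).

    plan: mapping site name -> CIDR string
    hosts_needed: mapping site name -> number of hosts expected at that site
    Checks: every prefix is RFC 1918 private, no two prefixes overlap, and
    each prefix has enough usable host addresses for its site.
    """
    problems = []
    nets = {}
    for site, cidr in plan.items():
        net = ipaddress.ip_network(cidr, strict=True)
        nets[site] = net
        if not net.is_private:
            problems.append(
                f"{site}: {net} is a public range; use RFC 1918 space so it "
                "never collides with Internet addresses behind the NAT"
            )
        need = hosts_needed.get(site, 0)
        if usable_hosts(cidr) < need:
            problems.append(
                f"{site}: {net} has {usable_hosts(cidr)} usable hosts, need {need}"
            )
    sites = list(nets)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(
                    f"{a} {nets[a]} overlaps {b} {nets[b]}; the VPN cannot "
                    "route between overlapping subnets"
                )
    return problems


def scope_range(cidr, reserved_low=20):
    """Return (first, last) dynamic DHCP lease address for a subnet, leaving
    the first `reserved_low` host addresses (assumed value) for routers,
    servers and printers with static addresses."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if reserved_low >= len(hosts):
        raise ValueError("reservation is larger than the subnet")
    return str(hosts[reserved_low]), str(hosts[-1])


if __name__ == "__main__":
    # Constructed host estimates: office A hosts both companies' servers
    # plus the poster's own desktops; office B is the 10-15 client users.
    needed = {"office_a": 60, "office_b": 20}
    for name, plan in (("proposed", PROPOSED_PLAN), ("rfc1918", RFC1918_PLAN)):
        issues = check_plan(plan, needed)
        print(name, "OK" if not issues else issues)
    print("office_b DHCP scope:", scope_range(RFC1918_PLAN["office_b"]))
```

    Run it against both plans before touching the routers; the RFC 1918 plan comes back clean, while the 11.x/12.x plan is flagged on both sites even though it would technically work behind NAT.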
    CG IT

    That's twice the admin effort. If one office were just a site with its own DC and Global Catalog, you would have far less admin effort.

    Addressing: I'd just use a Class B. Plenty of network addresses and plenty of host addresses.

    -Q-240248

    Since these are still two separate businesses, two domains makes a better security model.

    blankstare75

    I thought of the two domains because we are dealing with 2 separate business entities.

    The net effect would be that my office will 'host' our client's server hardware. The client's office, office B, does not have air conditioning, and this is in Houston; in the summer, we would end up with fried servers.

    blankstare75

    I was thinking of setting up a site-to-site VPN between the routers at both locations. But you are on to the same question I had: will client machines in Office B be able to contact the DHCP server in Office A?

    I had not considered using the router in Office B as a DHCP server, and have it point to the DNS server in Office A as the DNS server.

    The IP addresses will be NAT'ed. They were suggested by another member, and are not set.

    CG IT

    2 domains means a trust relationship between them is required even for DNS and DHCP services, not to mention application access, file storage and the lot. I understand the security needs, but to host DNS, DHCP and applications [terminal services], you're going to have to grant users virtually all access anyway. Your DNS server will have 2 zones it is authoritative for, 2 sets of records for each domain. Each will have its own security requirements. The burden on the DNS server with traffic over a WAN link will probably be larger than you think.

    A child domain would have an inherent 2-way trust, so setting up trust relationships and ACLs would be less of an administrative burden than 2 separate domains.

    As you mentioned, WAN performance will be an issue, especially in the morning when all users log on and therefore send requests over the WAN link for authentication [that is, if you have local DHCP at their office].

    sam9030

    If the environment is OK for workstations, install a server that will work. I have several that are no-hassle servers.

    thomas.bowman

    Hi there, it looks like you want the same kind of setup I have. I have 2 offices and each office has at least 1 DC; 1 office's DC holds the global catalogue and a trust is set between it and the other DC. You would have each server running its own DNS and DHCP scope; this way you can manage Active Directory on 1 server and it will be replicated to the other whenever you set replication to occur. I also have a site-to-site VPN link connecting both networks, which is very simple to set up. However, if you are planning to run applications through the VPN, then be prepared for slow connections, especially through DSL.
    Hope this helps
    Tom
