General discussion


child domain in a different state

By chris ·
a quick question about creating a child domain.

having a single dc in chicago, is it possible to create a child domain in a different state without the use of vpn?


by CG IT In reply to child domain in a differe ...

You could, but the child domain and the main site would never obtain replication information between the two. Therefore user names, passwords, associated ACLs, schema changes, distribution lists, security groups, blah blah would never be updated between the two. Therefore, if someone from the remote site were to visit the main site, their credentials and account wouldn't be recognized.

If you can't do a WAN link [even dial up], best to make it its own domain in the forest rather than a child of the root.


by CG IT In reply to

Well, no, what you're asking isn't impossible. Actually it's a pretty easy thing to accomplish IF you have a WAN link and if you're willing to have a DC with the GC role at the remote location, which just happens to be a child domain. Replication between DCs can be scheduled at off-hour times when bandwidth utilization isn't such a problem.


by chris In reply to child domain in a differe ...

The remote site currently has no domain structure. We've been using Cisco routers to provide the VPN link, which is working fine. However, the downside is speed. Each site is on a dedicated T1. The Chicago site has 300+ users, with the North Carolina office only having about 20. The traffic moving across the VPN is consuming quite a bit of bandwidth. We're just trying to find a way to improve performance and still be able to get to shared drives in Chicago.


by chris In reply to

The current setup is as follows.

The remote location has a Cisco 1700 providing the VPN link. The only other authentication, other than what the VPN provides, is when they open Outlook. My reasoning behind this is being able to get in, service the customer and then get out. The time consumption comes with setting up one particular application they use, and setting up Outlook for use with the Chicago Exchange servers. There are 5 Exchange boxes, and when I go to set up a new user, I have to guess which box they're on. Seems like what I'm asking is nearly impossible.


by ShaunJanzen In reply to child domain in a differe ...

I think it is important to point out that the child OU will be on the root server (Root of the Forest) that contains the FSMO roles. If you create a child domain it will be on your single DC in Chicago, not in another state. The users at your remote office will be authenticating to the DC in Chicago and therefore you will have to have some kind of WAN connection. This causes potential problems. If your WAN link or VPN goes down, remote users will not authenticate to the domain.

If you want to plan for redundancy you should have a DC in the remote office as well, and then you could just have one domain and use OUs to organize your AD structure instead of creating a child domain. Of course, due to the replication traffic between DCs, this would be most effective if you had half a T1 or better WAN connection. A cheaper solution, if you have ADSL at both locations, is to purchase 2 Cisco PIX 501s and create a VPN tunnel. This is seamless to users and gives you a high bandwidth connection at a much lower cost than T1.

Hope this helps.


by ShaunJanzen In reply to

I would like to add that putting a DC in the remote office would help lower your bandwidth usage as well. From what you have said, all users in the remote office are authenticating in Chicago. With a local DC all authentication traffic would remain local.


by CG IT In reply to child domain in a differe ...

See our comment above.

If you have Exchange in the main site and users at the remote site get their mail via the WAN link, you might consider another Exchange server, or moving one to the other office, as well as having a DC with the GC role there. That probably would substantially cut down on WAN traffic from users checking their email every 5 minutes and thus having to use the WAN link. Active Directory is a logical structure and not a physical structure. You can have a child domain in bumtule, which is also a site in the physical structure.
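The single-domain layout the replies converge on (one domain, a DC in each office, sites so that logons stay local, and a site link whose replication is scheduled off-hours) can be set up from the ActiveDirectory PowerShell module. This is an added example and not code from anyone in this thread; the site names, the subnet ranges and the site-link name are assumed placeholders.

```powershell
# Added example, not from this thread. Site names, subnets and the site-link
# name are placeholders for the Chicago and North Carolina offices.
Import-Module ActiveDirectory

$hqSite       = 'Chicago'
$remoteSite   = 'NorthCarolina'
$hqSubnet     = '10.10.0.0/16'   # constructed address ranges
$remoteSubnet = '10.20.0.0/24'
$linkName     = 'Chicago-NorthCarolina'

# One site per office. Sites are the physical side of the logical/physical
# split mentioned above; the domain itself stays a single logical domain.
foreach ($site in $hqSite, $remoteSite) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# Subnet-to-site mapping is what makes the DC locator hand a remote client a
# DC in its own site, so logon traffic stays local instead of crossing the VPN.
New-ADReplicationSubnet -Name $hqSubnet     -Site $hqSite
New-ADReplicationSubnet -Name $remoteSubnet -Site $remoteSite

# The site link is the only path replication takes between the two sites.
New-ADReplicationSiteLink -Name $linkName `
    -SitesIncluded $hqSite, $remoteSite `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180

# Off-hours window: allow replication only from 20:00 to 05:59 each day so
# bulk directory replication stays off the T1 during business hours.
# RawSchedule is a [day, hour, quarter-hour] boolean grid; true = allowed.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$raw = $schedule.RawSchedule
for ($day = 0; $day -lt 7; $day++) {
    for ($hour = 0; $hour -lt 24; $hour++) {
        for ($quarter = 0; $quarter -lt 4; $quarter++) {
            $raw[$day, $hour, $quarter] = ($hour -ge 20 -or $hour -lt 6)
        }
    }
}
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

# Verify the link, its member sites and the interval that were stored.
Get-ADReplicationSiteLink -Identity $linkName -Properties ReplicationSchedule |
    Select-Object Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes
```

Run it once as a domain admin on a DC or a host with RSAT; the remote DC still has to be promoted and placed in the NorthCarolina site before clients there benefit.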
