RE: Domain Servers spread over 2 locations - HELP!

  • From: "Joe Pochedley" <joepochedley@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 9 Nov 2004 10:00:51 -0500

(Second opinion, FWIW)

I agree 100% with John...  It's a very bad idea to have only one DC
in the first place...  Set up your VPN and install a second DC at the
remote site...   You'll simplify the login process for your users (no
more establishing VPN tunnels when logging in) and login processing will
proceed much faster.  You'll also CYA if your main DC fails for whatever
reason.

While you're at it, set up DNS and DHCP on the new DC as well... 


Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Monday, November 08, 2004 7:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Domain Servers spread over 2 locations - HELP!

http://www.ISAserver.org

The best recommendation I can give is YOU MUST HAVE 2 Domain
controllers.

Having said that, having a second domain controller at the second site
gives you 2 benefits: 1. Users at that site authenticate to that DC. 2.
You now have 2 DCs for your AD domain.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: Mike Anderson [mailto:mike@xxxxxxxxxxxx]
> Sent: Monday, November 08, 2004 4:25 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Domain Servers spread over 2 locations - HELP!
> 
> Hello Everyone,
> 
> I need your advice desperately, as to how to accomplish this.
> 
> We presently have a primary location, with an established domain 
> called ANDERSON.  We have a 2nd location across town, and we have all 
> the PC's located there, using the Microsoft VPN client, to connect 
> through our ISA Server in order to attain connectivity, to our 
> ANDERSON Domain (using Routing and Remote Access of course).
> 
> What I want to do, is use ISA Server 2004 on each side of the 
> connection, to establish a permanent VPN Tunnel - so each side can 
> talk to the other side seamlessly.  When the PC's across town, 
> authenticate, presently they are able to establish their VPN 
> Connection FIRST during the login process, before logging into the 
> Domain (which is obviously across town, over the Internet link).
> 
> I think this method is terribly inefficient - with each PC having to 
> establish its own VPN Connection, when ISA Server 2004 is perfectly 
> capable of establishing a permanent tunnel - and have ALL the PC's 
> share that singular tunnel - having their traffic routed to the other
> side.
> 
> Now the question is this:  What happens, if the Internet connection 
> goes down?  If the Primary Domain Controller, located on the other 
> side of the link, is unreachable, it will cause all kinds of problems.
> 
> How can I address this problem?
> 
> Option 1: Should I create a secondary Domain Environment (with a 
> different name altogether), so then each side of the connection, will 
> have its own dedicated Primary Domain Controller - and then, will be 
> able to authenticate 100% of the time, no matter the condition of the 
> Internet connection?  Of course, in order to access network resources 
> on each respective side, we would have to establish a Trust
> Relationship.
> Or Option 2: Should I build a Secondary Domain Controller (at the 
> Primary Domains location), then physically move that server across 
> town, and then have it communicate with the Primary Domain Controller 
> using the tunnel established by the ISA 2004 Servers?
> 
> It looks like I have TWO distinct options, and I would LOVE to hear 
> all of your opinions regarding them.  In fact, if I have a 3rd or 4th 
> option, I would like to hear anything you have to say on that too.
> 
> Thanks in advance for your advice,
> 
> Mike
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading 
> Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows 
> Security Resource Site: http://www.windowsecurity.com/ Network 
> Security Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx

