• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 426

One domain over a WAN? Or three?

Our company has three offices; one main office with an NT 4.0 PDC and 6 Win98 machines, and two branches each with NT 4.0 PDCs and three Win98 machines. We would like all three offices to be able to see each other over an ISDN WAN (I have plans to move to DSL by the end of the summer).  We occasionally share large files (6-8 MB), but mostly it will be used to share smaller files (typical MS Office stuff).

We've just installed NT servers in the two branch offices in the past month, and I set them up as PDCS with the same domain name.  A consultant in the most distant branch office wants me to set up DHCP and trust relationships between the three servers, and I'm assuming three different domains. We use Netopia ISDN routers to handle DHCP duties right now, so I'm not sure I understand why they can't continue to do that.

Among my many questions is this: Is this the best way to go about this?  When I installed the other two PDCs in the branch offices, I gave them the same domain name.  I'm taking one of the MCSE courses right now, and last night had a brainstorm that I could make our main office server the PDC, and the other branch offices BDCs. We don't add users or anything that often, so I could do the synchronization manually for a while until we get the faster DSL connection up.
The consultant hasn't been very good about returning phone calls (I know, a bad sign), so this is the next best place I can go to get some feedback on this. Many thanks.
  • 7
  • 5
  • 2
  • +2
1 Solution
I think it is easier for you to set up the branch office servers as BDCs and keep them in one domain, since, as you said, there are not a lot of users and only a few smaller files need to be shared (not executables, right?). However, since you have set up the branch servers as PDCs, you will have to reinstall them as BDCs, and set up the WAN link before reinstallation. Select BDC while installing, and choose to join the domain created in the main office. You will be able to see all user manager settings in the main office's User Manager for Domains after duplication. You might need to recreate users for the branch offices though. After this, you need to set permissions for local users to use local BDC resources and so on.

On the other hand, the 3-domain model is not too bad in case the number of branches increases and more security issues are involved among sites. However, you cannot give them the same domain name if you are going to set up two-way trusts among the 3 domains. The domain name has to be changed by reinstalling the branch PDCs.

Hope this is clear, and helps.
From the WAN side, in conjunction with Huben's recommendations, the ISDN network will support the scenario described.  It won't be all that fast, but my guess is that if you are sharing an occasional multi-megabyte file, you know that it is already not that fast.

The other thing I'd like to add to the single domain network is fault tolerance.  Having only one domain with 3 domain controllers would be my recommended configuration, as if one server fails, you don't lose authentication nor the user objects.

The disadvantage of a single domain is the traffic between sites as the domain controllers synchronise.
The disadvantage of 3 domains is that you will need an extra NT server to act as BDC for some fault tolerance. (You could always give a user an NT server instead of an ordinary PC for this).
As for the 3 domains having the same name: because you named them in isolation, the SID will be different for all three, therefore they will not be the same domain when they are connected (although having the same name will cause confusion).
jonathanv_00Author Commented:
Thanks for your comments, folks.  Reinforces my idea that I should go with the single domain (and not give the consultant any more business if he doesn't have the courtesy to call me back to discuss questions such as these!).  I'm going to kill this question and put a question worth 50 points up for each of you.

Now if I can just get the WAN link to work . . .

I disagree with the idea of one domain spread over three remote sites..

each site should have a separate domain, and a separate PDC and BDC..  and the two way trust isn't a big deal either.. it's a good idea.. the consultant is on track with his idea..

if you allow one domain to span three sites, you're asking for trouble..

1)  you need to pass a bunch of traffic over the WAN to  synchronize the servers with each other in the one domain model..   if the link goes down, all users at that site lose access to logging onto the domain...

2)  your user database gets passed over the WAN when it's replicated from PDC to BDC.. and user passwords travel over the WAN in clear text format..  both are security risks if someone has a sniffer on the network/WAN..

in the 3 domain model with trust relationships, you maintain three separate user databases which never get transferred over the WAN, and since the trust is in place, users in any domain can reach any domain....

consider something like


users in DOMAIN2 can access servers in either other domain as long as the trust in place directly.. if no trust, they'll need to address other servers and logon as part of the connection.. ie.   DOMAIN2\userid and password

at our sites, we've got numerous domains,  spread out over numerous sites.. it's really much cleaner and easier to administrate, and more secure too..  go with the consultant's recommendations..

good luck

I disagree with half of tfabian's point 1.  If you have a BDC on each site users will still be able to log in if the link goes down.  That after all is the point of a BDC.  They won't be able to change passwords etc.
jonathanv_00Author Commented:
Oops. I meant to cancel this question and just offer fifty points each to the three folks who originally answered, but it looks like I skipped the first part . . .

So, tfabian, since you've been kind enough to answer, and before I accept or reject the answer, let me ask you a couple of more things.  The problem with PDCs and BDCs is mainly that each office is very small -- 6 people in one, three or four in the others.  Having a BDC in each seems (expensive) overkill; maybe having the servers set up as PDCs is overkill in the first place?  (I'm becoming really good at installing and reinstalling NT . . .)  They're really just file and print servers, except for the fact that we'd like to be able to access each server from the other offices for occasional file transfers.  Right now, I don't have them set up to log on to the NT network and authenticate, so I don't know that the possibility of link failure and authentication is a big issue.  Or am I missing something here?  Security's not my forte (yet), but I was under the impression that our router-to-router ISDN connections would be pretty secure.  I know that would change when/if we switch to DSL later this summer, right?

As far as our plans go, the company might grow to 20-30 employees over the next year, if things go well, and maybe another office or two.  Eventually we're aiming for 50 employees or so within say five years, so I'm trying to do things that anticipate that kind of growth.  I don't know if that's relevant, but there you go.  As I say, too, I'm planning on moving us to DSL by the end of the summer.  

So, in a nutshell -- am I better off just reinstalling the servers as stand-alones and finding another solution to how to exchange files on the rare occasions we need to do so?  Many thanks for your help.
I believe that if you currently have the need to transfer files between sites, that need will grow exponentially in the future..

advantages of having the offices interconnected include

 1) email between offices

 2) file sharing / collaborative efforts between employees

 3) remote printing

 4) centralized data backup capability

as you add more employees, these needs will increase.. and yes, as you move to DSLs between offices, your security risks increase, and your networking issues could also increase/change, depending on how it's setup initially..

with a leased line that doesn't connect to the live internet, your security issues are almost a non-issue.. but you do need to consider them as you grow..

having a PDC at each office now may seem like overkill, but as each office grows, you'll be glad you set it up when the office is small rather than when it's larger.. changing 5 machines now is a lot easier than changing 25 later..  

as an example, 12 years ago,  the group I worked in setup our first server domain (under Lanman).. we picked a nice nine character descriptive name for the domain that fit our group.. we propagated that name, and that configuration to over 300 machines over the years at one location..and eventually migrated the servers to NT 3.51, and finally to NT 4.0.. but to this day, even with newer domains at the site (probably 30 or 40 in total) the original 9 character name still exists even though the organization that used it doesn't..  the reason, there are still too many machines out there with the name coded into it.. and too many users still logging onto the domain.. the people that took over the servers can't change it.. the work load would be too great for the staff which is too small..

when the whole site decided to implement a server based solution, it took over a year to load 3000 machines and get them connected to the servers..  and since my group wanted autonomy from the main group, we kept our servers in the original domain, but built the trusts between domains..

moral of the story is that you need to think carefully about your design issues now, before they get too big..

so having a PDC at each site  now isn't overkill, it's good planning for the future..  same thing with the BDCs.. if money is a concern, you can probably set up one of the user machines as the BDC...

good luck

jonathanv_00Author Commented:
Thanks for the good advice. But I'm still wondering about my last question -- would it be easier to go back to stand-alone servers and figure out some other means of exchanging files?  I just tried to set up a trust relationship, and since I named the domains the same in both (actually all three) offices, it won't let me do it. . .  Am I missing something? So, it looks like I'll have to reinstall anyway -- either to make the branches a BDC or PDC with unique domain names.

We use Windows 98 for our clients, rather than NT.  Did you have in mind setting one machine up as a dual-boot to be a BDC?  Or would it have to be up and running as an NT machine all the time? I suspect it would.

(I will give you the points for the question, but I'd like to keep it open a bit longer to get some more feedback from you or anyone else. Again, many thanks.)
Hi, Jonathanv_00, I thought this Q has been closed, and suddenly found so many things happened.

I myself agree with Pwoolford regarding the current answer. Even if the link goes down in single domain mode, users will still be able to log in at each site; the most it will end up with is the BDC promoting itself to be PDC of the local site. But if the link comes back, it will still operate well. The only drawback is that user settings like passwords cannot be changed while the link is down.

As I said, both domain modes will work well in this case; the reason I prefer single domain mode is that there are not a lot of users and few file transfers. Regarding email, I won't say 3 domains can bring you any benefits over single mode. One single domain will work well when you have less than 100 machines and user accounts.

On the other hand, multi-domain mode is not a bad idea based on your requirements. However, that means more administrative tasks for the admin to set up domain trusts and group permissions among 3 domains. I can understand using multiple domain mode in a 3000 workstation network, but not sure with less than 50 in 5 years.

Hope this helps.
> But I'm still wondering about my last question -- would it be easier to go back
> to stand-alone servers and figure out some other means of exchanging files?

stand alone servers would provide you with very little benefit.. and you'd end up having to maintain separate user IDs on each machine, each standalone server, and to access any resource, a user would have to enter two passwords.. one for the workstation, and one for the server.. and those could potentially be different for every workstation / server pairing..

standalone servers are good for single application hosting.. something like a database with a bunch of reads and writes.. or for a web server... not for a general file sharing system..

yes, the BDC would have to be up in NT all the time.. not dual booted with Win98

jonathanv_00Author Commented:
Thanks again to both of you for the comments. I think we originally had stand-alones here so that the consultant didn't have to hold our hand. . .

I'm still leaning to the single-domain model, for the following reasons (and please tell me if I'm testing your patience by continuing the discussion!):

Since we don't add users more than once every three months, couldn't I just do replication manually once a week or so?  Or is there something I'm not understanding about that process?  Would a sniffer be able to get usernames off of an ISDN line?  (The way I understand the way we have the WAN set up now is that it's strictly a connection between routers, and for anyone to break in, they'd need to know our phone numbers, etc.)  I would like to move to DSL with a firewall later in the summer.  We won't be doing our own e-mail in-house for a while (if ever), either.

Any comments on huben's comments?  Again, many thanks.  I'm planning on travelling to the branch offices next Wednesday and the week after, so I have to make some momentous decisions by then, and your comments have been very helpful!

>Since we don't add users more than once every three months, couldn't I just do
>replication manually once a week or so?

yes, but if you do that, I would suggest automating the replication so you don't forget to do it.. and as long as you have the network connection, do it daily..  

>Or is there something I'm not understanding about that process?

no.. replication is simple to automate.. you have a source directory on the PDC and target directories on the BDCs.. as you put files into the source, they get shipped to the targets automatically..

>Would a sniffer be able to get usernames off of an ISDN line?  (The way I
> understand the way we have the WAN set up now is that it's strictly a connection
> between routers, and for anyone to break in, they'd need to know our phone
> numbers, etc.)

that depends on a lot of things.. in the strictest sense, it's probably possible that your line could be tapped, and that someone could grab your data.. in a practical sense, it probably won't happen..

but remember, any telephone call could be tapped.. and thus, it could happen that someone does compromise your network.. social engineering techniques are the biggest security problem.. one of your people might inadvertently give out the phone numbers..

good luck

jonathanv_00Author Commented:
Thanks again, tfabian. Funny that I'm going to give you the points, but probably not take your advice. . .  It's been a very helpful discussion, if nothing else.  As I say I have to re-install NT anyway, since it won't let me establish a trust with a domain of the same name.  So between today and tomorrow I have to decide how to go about this.

Here's my own cost benefit analysis (largely thinking out loud):

ONE DOMAIN, with a PDC and two BDCs:
PRO: less administration; less expensive (no need for three BDCs); less complicated setup;
CON: possibility of link and/or PDC going down; WAN traffic for replication of user database; somewhat less secure;

THREE DOMAINS, with trust relationships, DHCP, WINS:
PRO: more reliable; more secure; better setup for (greater-than-anticipated) expansion;
CON: more administration required;

I'm sure I'm missing some stuff here, but that's how I see it right now.  I don't think I can force an NT box on someone in the other offices without a bit of preparation, and users are beginning to clamor for a connection between the offices.  As far as someone giving out the ISDN phone numbers, that's a remote possibility, as most don't understand the technical side of how our internet connection works.  (Then again, you could probably say that about me, too!)

So, thanks again for your comments and for listening.  I'll list my throw-away e-mail account, if anyone would like to contact me with more comments, etc.:  jonathanv_00@excite.com
thanks for the followup and the points too.. :)

I'll send you mail if you have further questions..

jonathanv_00Author Commented:
Boy, gotta be fast around here.  These comments appeared while I was watching ... Many thanks for your quick responses.  Believe me, I _wanted_ to do a single domain (see Q.10175260), and still might when we switch to DSL. When I tried to install the branches as BDCs, however, I couldn't find the MO PDC, despite the fact that the connection through the routers was up.  It turned out to be a problem of authentication; somehow the connection profiles in the routers were not allowing the potential BDCs to see the PDC.  

Anyway, Nenadic and Bartt, here's the additional info (I think) you're looking for:  Everybody accesses the Internet through router gateways (192.168.x.1).  I haven't disabled LMHOSTS lookup; actually, I imported static mappings for the branches into the Main Office WINS manager (Mappings/Static Mappings/Import Mappings).  The MO ( has both branch servers ( and as push-pull replication partners.  B2 has just the main office server as replication partner. For trust relationships: The MO has B1 and B2 as trusted and trusting domains; B2 has the main office and B1 as trusting domains, and the MO as trusted.  Can't get to see B1's setup right now, unfortunately.  Also, Nenadic, I should just have user accounts in each domain for users in that office?

I distinguished each domain by IP address: 192.168.0.x is the MO, B1 and B2 are 192.168.1.x and 192.168.2.x, where the router is .1, the server is .2.  So, each client uses the corresponding WINS server.  

And yes, I'd rather avoid DNS as well.

Thanks for listening!

jonathanv_00Author Commented:
Argh. That wasn't supposed to go _here_.