cbtech

asked on

Windows 2003 Site to Site VPN using VPN hardware

I currently have a Win2k3 domain with a number of clients and 2 servers, both are domain controllers. I am looking to link a branch office in to my domain. In the past I have used ISA server to do site-to-site connections, but it is a real pain and I am going to move to hardware based VPN solutions. When I open a VPN tunnel to the branch office and put another domain controller at the branch to service the clients there, will the network at the branch look just like an extension of the LAN? Will the clients look at the local DC at the branch for AD services? Will the DHCP leases come down over the tunnel? Or should I make another IP network at the branch, with another DHCP and DNS server, so it will use a different IP address space, but the same Active Directory space? Do I just do zone transfers between the DNS server at HQ and the branch so each side of the network knows what's going on?

Thanks!
Mazaraat

To minimize network traffic I would set up the remote office with its own DHCP/DNS since you are already putting a DC there. The DC can be in the same domain and have a different subnet; you would simply specify the subnets in the MMC Sites and Services.
cbtech

ASKER

As I was thinking, the max clients I will ever have in that office is 10. Maybe I should skip the DC, and just have that office use the VPN/firewall appliance's DHCP server, and use the headquarters DNS, with the branch office ISP DNS IPs for failover? Over the wire there will just be basic authentication requests and some file transfers; since there will be no DC at the branch office, replication traffic can be reduced. Both appliances will sit on good T-1 access so they won't go down too much at all. Good idea?
> Do I just do zone transfers between the DNS server at HQ and the branch so each side of the network knows what's going on?

Yes, create a secondary zone that is updated from the other DNS server on each side of the VPN connection.

That is also a good idea, and less expensive than a full DC at the remote office. Do you plan on having file storage at the remote site that needs to be accessed from your main site? Though if you have a full T-1 I think you will be ok with just a VPN router on the other side; spend a little $$ and get a good Cisco model that also has a WIC slot to terminate your T-1 and can do VPN, like the 1720 or 2611 models....
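As an added illustration of the two designs discussed above (a branch site with its own subnet in Sites and Services, and a secondary DNS zone pulled from HQ with transfers locked to the branch server), here is a script that is not from this thread. It assumes a current Windows Server DC with the ActiveDirectory and DnsServer PowerShell modules (on Windows 2003 the same steps were done in the Sites and Services MMC and with dnscmd); the zone name, subnets and server addresses are made up.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and DnsServer
# modules (Windows Server 2012 or later). All names and addresses are invented.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain       = 'corp.example.com'   # assumed AD DNS zone name
$HqSubnet     = '10.10.0.0/24'       # assumed HQ LAN
$BranchSubnet = '10.20.0.0/24'       # assumed branch LAN behind the VPN appliance
$HqDns        = '10.10.0.10'         # assumed HQ DC/DNS server
$BranchDns    = '10.20.0.10'         # assumed branch DNS server

# 1. Give the branch its own site and subnet. The DC locator maps a client's IP
#    to a site, so branch clients then use the local DC for logon and AD lookups
#    instead of crossing the tunnel.
New-ADReplicationSite -Name 'Branch'
New-ADReplicationSubnet -Name $BranchSubnet -Site 'Branch'
New-ADReplicationSubnet -Name $HqSubnet -Site 'Default-First-Site-Name'

# 2. Link the sites with a schedule that keeps replication over the T-1 modest.
New-ADReplicationSiteLink -Name 'HQ-Branch' `
    -SitesIncluded 'Default-First-Site-Name', 'Branch' `
    -Cost 100 -ReplicationFrequencyInMinutes 180

# 3. On the HQ DNS server: allow zone transfers only to the named branch server
#    and notify it of changes. Leaving transfers open to any host hands your
#    whole internal host map to anyone who can reach port 53.
Set-DnsServerPrimaryZone -Name $Domain -ComputerName $HqDns `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $BranchDns `
    -Notify NotifyServers -NotifyServers $BranchDns

# 4. On the branch DNS server: a secondary copy of the zone, pulled from HQ.
Add-DnsServerSecondaryZone -Name $Domain -ZoneFile "$Domain.dns" `
    -MasterServers $HqDns -ComputerName $BranchDns

# 5. Checks: from a branch machine, confirm it resolves to the Branch site,
#    and confirm the secondary zone is loaded with HQ as its master.
nltest /dsgetsite
Get-DnsServerZone -Name $Domain -ComputerName $BranchDns |
    Select-Object ZoneName, ZoneType, MasterServers
```

If the branch server is itself a DC, an AD-integrated zone already replicates with AD and steps 3 and 4 are unnecessary; the secondary-zone approach fits the no-DC variant discussed above. DHCP broadcasts do not cross a routed tunnel, so leasing from the HQ server would require a DHCP relay on the branch router rather than the tunnel alone.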
ASKER CERTIFIED SOLUTION
snerkel
