VPN 5 sites together, AD questions

The company I work for has 5 sites running a mixture of ISDN and fractional T1 lines. We have created the site-to-site VPN tunnels between all of these places. We are running a mixture of PRO 230s, TZ 170s, and PRO 2040s. This is our first attempt at this, so keep that in mind :)

All 5 of these sites have their own domain controller. The domain controllers at these 5 sites each have unique IP address ranges, and each DC holds all 5 FSMO roles for just the site it is at. Nothing too complicated, just the basic setup. DNS is also AD-integrated at each site.

I need a user sitting behind site1 to be able to connect to a server at sites 2-5 using his or her user authentication from site1 DC.

I am now trying to create trusts between all 5 domain controllers. I am not sure if this is the best way to do things. In order to create two-way trusts between sites, I needed to add each site's DNS zones into the DNS of all the other sites' domain controllers. Then I must enable NetBIOS to pass through the VPN tunnel. Then and only then can I add the trusts in AD in both directions. From what I understand, this might take up a lot of bandwidth. Am I going about this the right way? Is there a better way of going about this? Does anyone have any advice as far as dos and don'ts?

Thanks,
DMS
Asked by DMS-X

blakogre commented:
1) Instead of the DNS solution you're considering, if IPs stay fairly static, you may want to consider modifying the hosts file on each server to point to the other ones as necessary. This would minimize WAN traffic.

2) Yes, you need trusts: set this up in Active Directory Domains and Trusts. I am not 100% sure, but I would try it first without the NetBIOS you're referring to.

3) Trusts will allow users to log into the other domains, or allow you to assign their accounts in one domain access to resources in another domain. It sounds like you want two-way trusts so users can access each other's domains. As long as you are careful in granting permissions, this doesn't necessarily open a domain up wide to another domain.

If this is for admin purposes, you can add the Domain Admins from one domain into the Domain Admins group for the other domains.

Good luck

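The procedure in the question (peer domain DNS, then a two-way trust) and the DNS alternative in the answer above, as an added worked example that is not part of the original thread. Trust creation locates the other domain's DCs through the `_ldap._tcp.dc._msdcs.<domain>` SRV record, which a hosts file cannot supply, so this script uses a DNS conditional forwarder instead: only queries for the peer domain cross the tunnel, and no zone transfers or extra replication traffic are generated. The domain names `site1.example` / `site2.example`, the DC address `10.2.0.10` and the parameter names are hypothetical; the cmdlets assume the DnsServer and ActiveDirectory modules (Windows Server 2012 or later), run on a DC of the local domain as a Domain Admin.

```powershell
# Added example (not from the original thread): prepare DNS, check the VPN
# passes the ports a trust needs, then create and verify a two-way trust
# between two of the single-domain forests.
# Hypothetical names, substitute your own:
#   local domain : site1.example (run this on one of its DCs as Domain Admin)
#   peer domain  : site2.example, whose DC is 10.2.0.10
param(
    [string]   $RemoteDomain = 'site2.example',
    [string[]] $RemoteDns    = @('10.2.0.10'),
    [string]   $RemoteDcIp   = '10.2.0.10'
)

Import-Module DnsServer
Import-Module ActiveDirectory

# 1. Conditional forwarder for the peer domain, stored in AD so every DC in
#    this forest gets it. Unlike a secondary zone, nothing is transferred
#    across the WAN until a client actually asks for a site2.example name.
if (-not (Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteDomain `
        -MasterServers $RemoteDns -ReplicationScope 'Forest'
}

# 2. The trust wizard (and later Kerberos referrals) find a DC of the other
#    domain through this SRV record. If it does not resolve, stop here.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction Stop
if (-not $srv) { throw "No DC SRV record for $RemoteDomain; fix DNS before creating the trust" }

# 3. TCP ports the trust setup and everyday cross-domain logons need through
#    the tunnel: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd.
#    RPC also uses the dynamic range 49152-65535/TCP; NetBIOS (137-139) is
#    not required for a trust between AD domains.
$needed = 53, 88, 135, 389, 445, 464
$closed = $needed | Where-Object {
    -not (Test-NetConnection -ComputerName $RemoteDcIp -Port $_ -InformationLevel Quiet)
}
if ($closed) { throw "VPN or firewall blocks TCP port(s) to ${RemoteDcIp}: $($closed -join ', ')" }

# 4. Create the two-way trust with netdom. The '*' makes netdom prompt for
#    the peer domain's admin password instead of leaving it in the process
#    command line. /SelectiveAuth:yes means a site1 user can only use the
#    trust against site2 servers where that user (or a group) has been
#    granted the "Allowed to Authenticate" right, which is the least-privilege
#    way to give "a user at site1 access to one server at site2".
netdom trust $env:USERDNSDOMAIN /d:$RemoteDomain /add /twoway `
    /userD:"$RemoteDomain\Administrator" /passwordD:* /SelectiveAuth:yes
if ($LASTEXITCODE -ne 0) { throw "netdom trust failed with exit code $LASTEXITCODE" }

# 5. Verify: the trust object exists in this domain, SID filtering
#    (quarantine) is still on so a SID from site2 cannot impersonate a
#    site1 group, and the secure channel to the peer domain actually works.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteDomain'"
if (-not $trust) { throw "Trust to $RemoteDomain was not created" }
if (-not $trust.SIDFilteringQuarantined) {
    Write-Warning "SID filtering is off for $RemoteDomain; re-enable with: netdom trust $env:USERDNSDOMAIN /d:$RemoteDomain /quarantine:yes"
}
nltest /sc_verify:$RemoteDomain
if ($LASTEXITCODE -ne 0) { throw "Secure channel to $RemoteDomain could not be verified" }

"Two-way trust with $RemoteDomain is in place; grant site2 servers 'Allowed to Authenticate' to the site1 users who need them."
```

Run it once per peer domain from site1, then repeat from each of the other sites. The hosts-file approach from the answer above still works for plain name-to-address lookups of individual servers, but the trust itself needs the SRV records only DNS provides.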
 
lifetech commented:
Is the domain name the same among all 5 DCs?
 
DMS-X (author) commented:
No!!