Site-to-Site VPN, Subnet question

Posted on 2004-11-02
Last Modified: 2010-04-10
We want to set up a site-to-site VPN between routers in our two branch offices and our corporate headquarters.  We have a T1 at our headquarters and ADSL at the branches.  We are running Windows Small Business Server at the main office.  Ideally, workstations in the branches would login directly to our SBS server to the same domain that workstations in the main office do.

Do I need to have all offices on one big subnet, or should I separate them into three separate subnets?  I guess I am confused about how the domain is resolved when logging in on a Windows Network.  If it uses DNS to resolve it then I suppose it's fine on separate subnets, but I'm not sure how that works.

We are a small company of about 20 employees.
Question by:fisc
    LVL 70

    Assisted Solution

    by:Chris Dent

    Separate Subnets for each office to keep IP Routing nice and simple.

    For example:

    Main Site: 10.0.1.x
    Branch Site 1: 10.0.2.x
    Branch Site 2: 10.0.3.x


    Provided the Firewall portion of your VPN Server / Router / Firewall allows the traffic through then there will be no problem with getting the users logged on.

    These subnets will also have no problem registering entries in your central DNS Server (running on SBS) as that should accept updates from authenticated users.

    One thing that might come up though, how are you assigning IP Addresses? DHCP or Statically?
    LVL 16

    Accepted Solution

    it won't be all one subnet - you'll have to have separate internal address spaces (ie. separate IP network addresses) in each site, and then you'll have to set up routing between the sites.

    As for domain resolution, you'll just need to have internal DNS servers that are accessible to all sites. You could have 3 DNS servers, and make them all replicate to one another (make it AD-integrated DNS zone). Or, you could have some users querying DNS across the VPN link. In AD, you should also configure 'sites' - you can have one AD 'site' per physical location. Users will always try to login to a DC in the same site as they are, but if there's a location with no DC, then it will still find it in DNS and log the user in.
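Both answers above come down to the same plan: one non-overlapping private subnet per office, a route at each site's router for every other site's prefix, and DNS reachable across the tunnels so clients can locate a domain controller. The script below is an added example (not code from this thread or from Microsoft) that checks such a plan offline: it takes the 10.0.1.x / 10.0.2.x / 10.0.3.x ranges suggested above (assumed to be /24 networks), flags any overlapping pairs, lists the routes each site's router needs, maps a client address to its site, and builds the DNS SRV names a Windows client queries when it looks for a DC in its own AD site first and then anywhere in the domain. The domain name corp.example and the site names are constructed placeholders.

```python
import ipaddress

# Constructed subnet plan following the suggestion in the thread (assumed /24 each).
# Keys are also used as the AD site names for the DC-locator lookup below.
SITES = {
    "Main": ipaddress.ip_network("10.0.1.0/24"),
    "Branch1": ipaddress.ip_network("10.0.2.0/24"),
    "Branch2": ipaddress.ip_network("10.0.3.0/24"),
}


def overlapping_pairs(sites):
    """Return every pair of site prefixes that overlap; an empty list means the
    plan is routable as-is (no ambiguous next hop for any destination)."""
    names = list(sites)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if sites[a].overlaps(sites[b])
    ]


def site_routes(sites, local):
    """Routes the router at `local` must carry: each remote site's prefix,
    reached through the site-to-site VPN tunnel. Returned as {site: prefix}."""
    return {name: str(net) for name, net in sites.items() if name != local}


def site_of(sites, ip):
    """Map a client or server address to the site whose prefix contains it,
    or None if the address is outside the plan (and therefore not routed)."""
    addr = ipaddress.ip_address(ip)
    for name, net in sites.items():
        if addr in net:
            return name
    return None


def dns_reachable(sites, dns_ip, client_ip):
    """A client can reach the central DNS server across the VPN only if both
    addresses fall inside planned (routed) prefixes."""
    return site_of(sites, dns_ip) is not None and site_of(sites, client_ip) is not None


def dc_locator_queries(domain, site_name):
    """SRV record names a Windows client queries to find a domain controller:
    first a DC in its own AD site, then any DC in the domain. This mirrors the
    documented _msdcs naming convention; the domain value here is a placeholder."""
    return [
        f"_ldap._tcp.{site_name}._sites.dc._msdcs.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
    ]


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(SITES))
    for site in SITES:
        print(f"{site} router routes:", site_routes(SITES, site))
    client = "10.0.2.15"
    print(client, "is in site", site_of(SITES, client))
    print("DNS at 10.0.1.2 reachable from client:", dns_reachable(SITES, "10.0.1.2", client))
    print("DC lookup order:", dc_locator_queries("corp.example", site_of(SITES, client)))
```

Running it with the thread's plan reports no overlaps and two routes per site router; change one branch to a 10.0.0.0/16 range and the overlap check fires, which is the situation the answers are steering the poster away from.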

    Author Comment

    At the main office we are running DHCP on the SBS server.  Since it sounds like I should for sure use separate subnets (and I like that better) then we will run DHCP on the routers at the branches.  The resolution of the domain name to the DC is the main thing I was concerned with... wasn't sure if the routers in the branches would pass the request through to resolve.
    LVL 16

    Expert Comment

    Domain resolution won't be a problem - as long as DNS is available to all. You could just have one DNS server, and have all clients use that even (this *could* be a bottleneck, but not necessarily...)
    LVL 70

    Expert Comment

    by:Chris Dent

    Given the number of users you shouldn't really encounter any problems with DNS resolution.

    Author Comment

    Thanks.  I got the site-to-site VPN and logging into the central DC working this afternoon in our test lab.  Next step is to head to the branches and set them up!
