Site-to-Site VPN, Subnet question

We want to set up a site-to-site VPN between routers in our two branch offices and our corporate headquarters.  We have a T1 at our headquarters and ADSL at the branches.  We are running Windows Small Business Server at the main office.  Ideally, workstations in the branches would login directly to our SBS server to the same domain that workstations in the main office do.

Do I need to have all offices on one big subnet, or should I separate them into three separate subnets?  I guess I am confused about how the domain is resolved when logging in on a Windows Network.  If it uses DNS to resolve it then I suppose it's fine on separate subnets, but I'm not sure how that works.

We are a small company of about 20 employees.
Asked by: fisc

2 Solutions

Chris Dent (PowerShell Developer) commented:

Separate subnets for each office to keep IP routing nice and simple.

For example:

Main Site: 10.0.1.x
Branch Site 1: 10.0.2.x
Branch Site 2: 10.0.3.x

etc

Provided the Firewall portion of your VPN Server / Router / Firewall allows the traffic through then there will be no problem with getting the users logged on.

These subnets will also have no problem registering entries in your central DNS Server (running on SBS) as that should accept updates from authenticated users.

One thing that might come up though, how are you assigning IP Addresses? DHCP or Statically?
JammyPak commented:
it won't be all one subnet - you'll have to have separate internal address spaces (ie. separate IP network addresses) in each site, and then you'll have to set up routing between the sites.

As for domain resolution, you'll just need to have internal DNS servers that are accessible to all sites. You could have 3 DNS servers, and make them all replicate to one another (make it AD-integrated DNS zone). Or, you could have some users querying DNS across the VPN link. In AD, you should also configure 'sites' - you can have one AD 'site' per physical location. Users will always try to login to a DC in the same site as they are, but if there's a location with no DC, then it will still find it in DNS and log the user in.
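To make the two answers above concrete (one non-overlapping subnet per office, and a client logging on to a DC in its own AD site or falling back to one found via DNS), here is an added example in Python that is not from the original thread; the site names, the DC hostname `sbs.corp.local` and the client addresses are constructed assumptions.

```python
from ipaddress import ip_network, ip_address

# Constructed address plan following Chris Dent's suggestion: one /24 per office.
# Site names, DC placement and the DC hostname are assumptions for this example.
SITES = {
    "HQ":      {"subnet": "10.0.1.0/24", "dc": "sbs.corp.local"},
    "Branch1": {"subnet": "10.0.2.0/24", "dc": None},
    "Branch2": {"subnet": "10.0.3.0/24", "dc": None},
}

def overlapping_sites(sites):
    """Return sorted pairs of site names whose subnets overlap.

    Overlapping address space is the usual reason a site-to-site VPN
    cannot route: both ends claim the same destination addresses.
    """
    nets = {name: ip_network(s["subnet"]) for name, s in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def site_for(client_ip, sites):
    """Map a client address to its site by longest-prefix match, or None."""
    addr = ip_address(client_ip)
    best = None
    for name, s in sites.items():
        net = ip_network(s["subnet"])
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None

def logon_dc(client_ip, sites):
    """DC a client will use: its own site's DC if the site has one,
    otherwise any DC that DNS can return (the fallback JammyPak describes)."""
    site = site_for(client_ip, sites)
    if site and sites[site]["dc"]:
        return sites[site]["dc"]
    return next((s["dc"] for s in sites.values() if s["dc"]), None)

if __name__ == "__main__":
    print("overlapping subnets:", overlapping_sites(SITES))
    for ip in ("10.0.1.25", "10.0.2.40"):
        print(ip, "->", site_for(ip, SITES), "->", logon_dc(ip, SITES))
```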
fisc (Author) commented:
At the main office we are running DHCP on the SBS server.  Since it sounds like I should for sure use separate subnets (and I like that better) then we will run DHCP on the routers at the branches.  The resolution of the domain name to the DC is the main thing I was concerned with... wasn't sure if the routers in the branches would pass the request through to resolve.
JammyPak commented:
domain resolution won't be a problem - as long as DNS is available to all sites...you could just have one DNS server, and have all clients use that even (this *could* be a bottleneck, but not necessarily...)
Chris Dent (PowerShell Developer) commented:

Given the number of users you shouldn't really encounter any problems with DNS resolution.
fisc (Author) commented:
Thanks.  I got the site-to-site VPN and logging into the central DC working this afternoon in our test lab.  Next step is to head to the branches and set them up!