intellie_ex asked:
Advice with setup...

I work for a retail company, with 1 domain that I set up using Windows 2003 Standard Server.

We have 1 head office where the main server is. It's a 2003 server/DNS/Exchange 2003 (not set up yet), and I got another server for FTP.

We have 4 remote locations, and will be opening about 4-8 a year. I purchased some units from SonicWall, and will set up secure site-to-site VPN tunnels. I'm using business DSL from the local company in each location. So far I had no problems with the internet, because we do our credit/debit card transactions through the internet.

Each remote location will have 1 server + 5-10 POS terminals (which are computers) and 1 or 2 office computers.

The software that we use for our POS gets updated 10+ times a month, so that means that every single location + head office has to be updated, and if a laptop user comes to 1 location and is using a newer version it can force an update on the store, which I don't want; it will lock out everyone at that store. So what I'm looking for is: if I update the head office it will force the stores to update. This way I only do it in 1 location, instead of connecting to each location separately and forcing the update.

Now, the users which are in the remote locations do not need to log on to the domain in head office, so the replication is not necessary, but I would love to set up the users in head office for these remote locations and they just transfer over. So my guess is when I set up the OU I just specify who goes where by placing the computers in the OU?

So what is the best way for me to go?

MAIN DOMAIN + CHILD DOMAIN FOR REMOTE LOCATIONS
MAIN DOMAIN + DOMAIN IN EACH REMOTE LOCATION

I was also reading about DNS structures which got me a little confused and I ran into this thread
https://www.experts-exchange.com/questions/21520063/PROBLEMS-WITH-SERVER-2003-SETUP-WITH-MULTIPLE-SERVER-LOCATIONS.html?query=main+and+remote+location+domain+setup&clearTAFilter=true

I believe it's what I'm looking for, but still not sure, need some expert opinion,

thank you very much
omegamueller:

MAIN DOMAIN + CHILD DOMAIN FOR REMOTE LOCATIONS
I have set up something very similar for a few retailers. I have tried it both ways. If you had to choose I would set up one main domain and child domains for each store.

The other way you can do this is just have one domain and set up a number of sites in that one domain. I have done this also and it has many advantages. The DNS setup is a bit of a trick, but if you have a DC with DNS in each location it should be a breeze.

check out
http://technet2.microsoft.com/WindowsServer/en/Library/25f16e65-fcb9-485d-9679-9fda1614f87c1033.mspx
intellie_ex (asker):

So with stores as child domains, I can control the POS software updates from head office?

and set up all my GPOs in head office for the child domain?
benutne:

Microsoft's answer using a Windows 2000+ network is to set it up under one big domain and separate each branch office under a site. That way your domain controllers across branches don't get all chatty with each other and Windows can compress the replication data across the WAN. You may think that setting it up as a separate subdomain for each branch office makes more sense, and if you have older NT 4.0 based servers, then you might want to do it this way. Otherwise, use sites. That's what they're there for. You can use OUs to separate out each branch from there for administrative and GPO purposes.
To answer your second question, yes you can do it that way as long as you are the domain admin for the root domain. If there is someone you trust at each branch office to handle things (most likely not, but it's worth keeping in mind) you can delegate control to them for their own subdomain. Any GPO you apply at the root domain will propagate down to the children. You still retain control over each subdomain as long as you haven't delegated all your control away to someone else (that person I mentioned before).
hmm, k

So I add a site, now the site name can be anything, but then I add a server, and the server name is the name of the site or a server? And that server is running a domain or child domain....
I'm just trying to understand it, so please be patient


thank you very much
K. Forget the parent/child domain thing for now. I think that's what is confusing you. You have one huge domain set up. Every computer and every user for your entire company is set up in that domain, including each branch office. The easiest way to set this up is to look at ADUC (Active Directory Users and Computers) and you can see one huge domain, the only domain you should have. Under that, you have several OUs, one for each branch office. On each of these OUs you can apply whatever GPOs are necessary. It's as if you were running one huge LAN. Each branch office should have its own domain controller (DC) and those should be placed in their respective OU for each branch office along with all the users and other computers you have at that branch (you can and should have other OUs under that to separate these out).

Now open Active Directory Sites and Services. Create a site for each branch office and put the domain controllers for it there. I can't really tell you how to create a site or move DCs around them, as that would take a while, but let's just say you do know how to manage them just to keep stuff simple. What this does is tell Active Directory that these DCs are separated by more than just a switch or hub and it can't just go hog wild replicating AD info with them. It will compress the data and put the scheduler that replicates between them on a diet, thus reducing the load on your WAN link between the sites.

As far as the domain controller in each site (branch office) goes, it doesn't matter what you call it. You should probably name it so it has some resemblance to its geographical location just so you don't go crazy. The domain controller isn't running another domain at all. It's just helping out with requests that would normally go to your first DC, now separated by a few miles.

Does that help? If not, I'm happy to describe it in further detail.
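What the layout in the post above looks like when scripted, as an added example that is not from the thread: it builds the single-domain structure benutne describes (a Stores OU with one OU per store and child OUs for POS terminals, office PCs and users; one AD site and subnet per store; a site link back to head office with a slowed replication schedule) and links a per-store GPO to the POS OU only. Everything named here is an assumption: the domain corp.example, the store names, subnets and DC names, and the GPO name. The ActiveDirectory and GroupPolicy cmdlets come with Windows Server 2008 R2 or later (or RSAT), not with Windows 2003, where the same objects are created by hand in ADUC and Active Directory Sites and Services. One deliberate departure from the post: the store DCs are left in the built-in Domain Controllers OU, which is where the Default Domain Controllers Policy is linked; moving a DC into a branch OU takes it out from under that policy.

```powershell
# Added example, not code from the thread. Builds the "one domain, an OU and a site
# per store" layout. ASSUMED names: domain corp.example, stores/subnets/DC names below.
# Requires the ActiveDirectory and GroupPolicy modules (Server 2008 R2+ / RSAT).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=corp,DC=example'
$hqSite   = 'Default-First-Site-Name'   # site the head-office DC was born into

# Constructed store list: the thread expects 4-8 new stores a year, so add rows here.
$stores = @(
    @{ Name = 'Store01'; Subnet = '10.1.1.0/24'; DC = 'ST01-DC1' },
    @{ Name = 'Store02'; Subnet = '10.1.2.0/24'; DC = 'ST02-DC1' }
)

# Create an OU only if it does not already exist; return its DN either way.
function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    try   { Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null }
    catch { New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null }
    return $dn
}

$storesOU = New-OUIfMissing -Name 'Stores' -Path $domainDN

foreach ($s in $stores) {
    # 1. OU tree for the store. DCs stay in the built-in Domain Controllers OU.
    $storeOU = New-OUIfMissing -Name $s.Name -Path $storesOU
    foreach ($child in 'POS Terminals', 'Office Computers', 'Users') {
        New-OUIfMissing -Name $child -Path $storeOU | Out-Null
    }

    # 2. Site and subnet, so a store PC finds its own DC instead of one across the VPN.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
        New-ADReplicationSite -Name $s.Name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($s.Subnet)'")) {
        New-ADReplicationSubnet -Name $s.Subnet -Site $s.Name
    }

    # 3. Site link back to head office. Replicating every 180 minutes instead of the
    #    near-immediate intra-site schedule is the "diet" for the DSL link; inter-site
    #    replication traffic is also compressed by default.
    $linkName = "HQ-$($s.Name)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hqSite, $s.Name `
            -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
    }

    # 4. If the store DC has already been promoted, park it in its site.
    if (Get-ADDomainController -Filter "Name -eq '$($s.DC)'") {
        Move-ADDirectoryServer -Identity $s.DC -Site $s.Name
    }

    # 5. One GPO per store, linked to the POS OU only, so POS lockdown settings
    #    never reach the office PCs or a visiting laptop that sits in another OU.
    $gpoName = "$($s.Name) POS Lockdown"          # assumed name
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
    }
    $posOU  = "OU=POS Terminals,$storeOU"
    $linked = (Get-GPInheritance -Target $posOU).GpoLinks | Where-Object DisplayName -eq $gpoName
    if (-not $linked) { New-GPLink -Name $gpoName -Target $posOU -LinkEnabled Yes | Out-Null }
}
```

Run it as a domain admin from a machine with RSAT. Every step checks before it creates, so re-running it after a new store is added only creates what is missing; run it once more after the store DC has been promoted so the Move-ADDirectoryServer step can place that DC in its site.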
let me recap.

HEAD OFFICE
MAIN DOMAIN WITH SITES

STORES

1 DOMAIN WITHIN MY FOREST
 - main domain will replicate the ADUC to it?

if so, then my DNS will also be local, or they will point to my main DC. And if they do, and my VPN goes down, then?
Yup. I think you're getting it. One big domain using OUs and sites to separate the branch offices (stores). You'll set up a server in each office to handle the login requests (among other things) from users and PCs locally. Those servers will all talk to each other to make sure that changes on one domain controller (Sally needs her password reset, or needs access to a share) get replicated to all the others. Sites just tell each domain controller where each other one lives so they don't eat up WAN bandwidth replicating.

Each DC in each store will also be a DNS server and will replicate (although not in the exact same way as AD does) to your other DNS servers in your domain. Change one record, and all of them will sooner or later get wind of that change and update their records. If your VPN goes down, the store will be alright for a little while. The local DNS/DC will handle all the requests it needs to. Just don't expect a change made at the head office to take effect at the store with the broken VPN till it's back up again.
the dark cloud in my head is evaporating..... just a few things I need to clear up re: DNS in stores

I will install the domain in the existing forest, and then install DNS. But will the DNS auto configure itself?
Yes.  Each DC in each of the stores will also be a DNS server.  DNS doesn't "auto configure" itself, and DNS is one of the biggest headaches for a newbie Windows Net Admin.  A very thorough understanding of DNS is a must.  AD _WILL NOT WORK_ without DNS.  And an incorrectly configured DNS network will make you want to hurt small furry woodland creatures.  

But after that nightmare inspiring paragraph, once DNS is set up, it pretty much takes care of itself.  I would recommend picking up a book on Windows 2003.   I like Mark Minasi's book, but just about any of the good ones cover DNS well enough.  
so basically, the only thing in this case which will have to be configured is the DNS once I set up the DC at a remote site.

And is this the book you're talking about?
http://www.amazon.com/gp/product/0782141307/qid=1143237432/sr=1-1/ref=sr_1_1/102-4174799-7830507?s=books&v=glance&n=283155
tell me if this scenario will work..

let's say my VPN goes down. The domain can't replicate for that time. If I do not install a DNS server at a remote site, but I use my firewall IP as the secondary server so people can have access to the internet, will that work.. I guess it will, but they just won't be able to resolve name->IP. Is that the case?
Yes, that is the book, and yes that is the case. DNS tells AD where everything is, including services like LDAP, SIP, and Kerberos. Without a local DNS server at each branch, you're just asking for trouble. They don't have to be supercomputers. A P3 700 with 256MB of RAM will do just fine. And you've got it backwards. Get DNS up and running, then set up the DC at the stores.
So DNS first, and that I will have to do manually, I assume. So for me to do this, I have to go through that book?
You don't HAVE to use that book, but it's got a very clear and complete chapter on setting up DNS for Windows 2003. You should know that if you did just run DCPROMO on a member server at one of your stores, it will try and set up DNS for you. NEVER MAKE THAT MISTAKE. DNS isn't a terribly difficult topic once you get the basics down. Set up DNS on the member server. Once you're sure the new DNS server is set up properly (using NSLOOKUP and checking some A records to see if they got updated from the home office) then you can run DCPROMO. If DCPROMO still bitches that DNS isn't set up right, stop right there and get it working before you go any further. I'm not trying to sound negative, but DNS is a big thing to wrap your head around and if you don't have a good grip on it, you're in for a world of hurt.

Trust me when I say this. If you were to try and set up subdomains instead of using OUs and sites, not knowing DNS would be even more of a hindrance and you'd be even more screwed.

I'd be happy to help you set up DNS, but thats another topic entirely.  
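The "set up DNS first, check it with NSLOOKUP, then run DCPROMO" sequence from the post above, scripted as an added example that is not from the thread. It queries the store's new DNS server directly for the records Active Directory depends on (the zone apex A record, the _ldap and _kerberos SRV records under _msdcs that the DC locator and DCPROMO use, and the head-office DC by name) and refuses to give the go-ahead if any is missing or the head-office DC resolves to an address other than the one expected. The domain corp.example, the store DNS server 10.1.1.10 and the HQ-DC1 / 10.0.0.10 pair are assumptions. Resolve-DnsName is available on Windows 8 / Server 2012 and later; on a 2003-era box the same checks are typed by hand, e.g. `nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example 10.1.1.10`.

```powershell
# Added example, not code from the thread. Pre-DCPROMO check of a store's DNS server.
# ASSUMED values: domain corp.example, store DNS 10.1.1.10, HQ DC HQ-DC1 at 10.0.0.10.
param(
    [string]$Domain   = 'corp.example',
    [string]$StoreDns = '10.1.1.10',
    [string]$HqDcName = 'HQ-DC1',
    [string]$HqDcIp   = '10.0.0.10'
)

# Ask one specific server (not the local resolver cache) for one record type and
# report whether it answered and with what.
function Test-Record {
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
        $answer = $r | Where-Object Type -eq $Type | ForEach-Object {
            if ($Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.IPAddress }
        }
        [pscustomobject]@{ Name = $Name; Type = $Type; Ok = $true;  Answer = ($answer -join ',') }
    } catch {
        [pscustomobject]@{ Name = $Name; Type = $Type; Ok = $false; Answer = $_.Exception.Message }
    }
}

# The records a DC registers and that DCPROMO / the DC locator look up first.
$checks = @(
    @{ Name = $Domain;                            Type = 'A'   }  # zone apex, one A per DC
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' }  # "where is a DC?"
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' }  # "where is a KDC?" (logons)
    @{ Name = "$HqDcName.$Domain";                Type = 'A'   }  # head-office DC by name
)

$results = foreach ($c in $checks) { Test-Record -Name $c.Name -Type $c.Type -Server $StoreDns }
$results | Format-Table -AutoSize

# The head-office DC must resolve to the address you expect; a stale or hand-typed
# record here sends the new DC's first replication to the wrong box.
$hq = $results | Where-Object Name -eq "$HqDcName.$Domain"
if ($hq.Ok -and $hq.Answer -ne $HqDcIp) {
    Write-Warning "$HqDcName resolves to $($hq.Answer) on $StoreDns, expected $HqDcIp"
    $hq.Ok = $false
}

if ($results.Ok -contains $false) {
    Write-Warning "DNS at $StoreDns is not ready: fix the failing records before running DCPROMO."
    exit 1
}
Write-Host "DNS at $StoreDns answers every record AD needs; safe to run DCPROMO there."
```

On the firewall-as-secondary idea from the asker's earlier question: the Windows resolver only moves to the next DNS server when the first one does not answer at all, not when it answers "no such name", so a store PC listing the local server first and the firewall second gets internet names only if the local DNS server itself forwards to the ISP (the Forwarders tab in the 2003 DNS console, or Set-DnsServerForwarder on newer servers). With the VPN down, clients still resolve internal names and log on against the local DC; only changes made at head office wait until the tunnel returns.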
ASKER CERTIFIED SOLUTION
benutne
k got u, thanks for the tip with the Exchange. I'll post something for that another time. And the DNS: I will get the book and take a look, but if I have any questions I'll post them and maybe you can help me with them.

Thanks
Cool man. Again, let me know if you need help with DNS. I realize you spent all your points getting this answer. If you need any DNS help beyond this, you're more than welcome to send something to my junk account at benutne at yahoo dot com. Just put ExEx in the subject line.
hmmm, all my points? I thought I had unlimited... that's interesting.