Advice with setup...

Posted on 2006-03-24
Last Modified: 2010-04-18
I work for a retail company, with 1 domain that I set up using Windows 2003 Standard Server.

We have 1 head office where the main server is. It's 2003 Server/DNS/Exchange 2003 (not set up yet), and I've got another server for FTP.

We have 4 remote locations, and will be opening about 4-8 a year. I purchased some units from SonicWall, and will set up secure site-to-site VPN tunnels. I'm using business DSL from the local company in each location. So far I have had no problems with the internet, because we do our credit/debit card transactions through the internet.

Each remote location will have 1 server + 5-10 POS terminals (which are computers) and 1 or 2 office computers.

The software that we use for our POS gets updated 10+ times a month, so that means that every single location + head office has to be updated, and if a laptop user comes to 1 location using a newer version it can force an update on the store, which I don't want; it will lock out everyone at that store. So what I'm looking for is: if I update the head office, it will force the stores to update. This way I only do it in 1 location, instead of connecting to each location separately and forcing the update.

Now, the users in the remote locations do not need to log on to the domain in head office, so the replication is not necessary, but I would love to set up the users in head office for these remote locations and have them just transfer over. So my guess is that when I set up the OU I just specify who goes where by placing the computers in the OU?

So what is the best way for me to go?

MAIN DOMAIN + CHILD DOMAIN FOR REMOTE LOCATIONS
MAIN DOMAIN + DOMAIN IN EACH REMOTE LOCATION

I was also reading about DNS structures, which got me a little confused, and I ran into this thread:
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21520063.html?query=main+and+remote+location+domain+setup&clearTAFilter=true

I believe it's what I'm looking for, but I'm still not sure; I need some expert opinion.

Thank you very much
Question by:intellie_ex
LVL 4

Expert Comment

by:omegamueller
ID: 16283063
MAIN DOMAIN + CHILD DOMAIN FOR REMOTE LOCATIONS
I have set up something very similar for a few retailers. I have tried it both ways. If you had to choose, I would set up one main domain and child domains for each store.

The other way you can do this is to just have one domain and set up a number of sites in that one domain. I have done this also and it has many advantages. The DNS setup is a bit of a trick, but if you have a DC with DNS in each location it should be a breeze.

Check out
http://technet2.microsoft.com/WindowsServer/en/Library/25f16e65-fcb9-485d-9679-9fda1614f87c1033.mspx
Author Comment

by:intellie_ex
ID: 16283345
So with stores as child domains, I can control the POS software updates from head office?

And set up all my GPOs in head office for the child domain?
LVL 1

Expert Comment

by:benutne
ID: 16283453
Microsoft's answer using a Windows 2000+ network is to set it up under one big domain and separate each branch office under a site. That way your domain controllers across branches don't get all chatty with each other, and Windows can compress the replication data across the WAN. You may think that setting it up as a separate subdomain for each branch office makes more sense, and if you have older NT 4.0 based servers, then you might want to do it this way. Otherwise, use sites. That's what they're there for. You can use OUs to separate out each branch from there for administrative and GPO purposes.
LVL 1

Expert Comment

by:benutne
ID: 16283502
To answer your second question, yes, you can do it that way as long as you are the domain admin for the root domain. If there is someone you trust at each branch office to handle things (most likely not, but it's worth keeping in mind) you can delegate control to them for their own subdomain. Any GPO you apply at the root domain will propagate down to the children. You still retain control over each subdomain as long as you haven't delegated all your control away to someone else (that person I mentioned before).
Author Comment

by:intellie_ex
ID: 16283841
Hmm, OK.

So I add a site, now the site name can be anything, but then I add a server, and the server name is the name of the site's server? And that server is running a domain or child domain...
I'm just trying to understand it, so please be patient.


thank you very much
LVL 1

Expert Comment

by:benutne
ID: 16284002
OK. Forget the parent/child domain thing for now. I think that's what is confusing you. You have one huge domain set up. Every computer and every user for your entire company is set up in that domain, including each branch office. The easiest way to set this up is to look at ADUC (Active Directory Users and Computers) and you can see one huge domain. The only domain you should have. Under that, you have several OUs, one for each branch office. On each of these OUs you can apply whatever GPOs are necessary. It's as if you were running one huge LAN. Each branch office should have its own domain controller (DC) and those should be placed in their respective OU for each branch office along with all the users and other computers you have at that branch (you can and should have other OUs under that to separate these out).

Now open Active Directory Sites and Services. Create a site for each branch office and put the domain controllers for it there. I can't really tell you how to create a site or move DCs around them, as that would take a while, but let's just say you do know how to manage them, just to keep stuff simple. What this does is tell Active Directory that these DCs are separated by more than just a switch or hub and it can't just go hog wild replicating AD info with them. It will compress the data and put the scheduler that replicates between them on a diet, thus reducing the load on your WAN link between the sites.

As far as the domain controller in each site (branch office), it doesn't matter what you call it. You should probably name it so it has some resemblance to its geographical location, just so you don't go crazy. The domain controller isn't running another domain at all. It's just helping out with requests that would normally go to your first DC, now separated by a few miles.

Does that help? If not, I'm happy to describe in further detail.

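The layout benutne describes above (one domain, one OU per store for GPOs, one AD site per store so replication is scheduled and compressed over the VPN), scripted for a single store. This is an added example, not code from the thread or from any of its participants. It assumes a domain controller with the ActiveDirectory and GroupPolicy PowerShell modules (Server 2008 R2 or later; on Windows 2003, the thread's platform, the same objects are created by hand in ADUC and AD Sites and Services). The domain corp.example, the site name HeadOffice, the store name, subnet, DC name and GPO name are placeholders.

```powershell
# Added example: build the per-store OU tree, AD site, subnet and site link that
# the "one big domain with OUs and sites" design needs. All names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN    = 'DC=corp,DC=example'     # placeholder forest root domain
$StoresOU    = "OU=Stores,$DomainDN"    # placeholder parent OU for every branch
$HeadOffice  = 'HeadOffice'             # placeholder: existing site of the main office
$Store       = 'Store01'                # placeholder store name (also used as site name)
$Subnet      = '10.1.1.0/24'            # placeholder LAN behind the store's VPN tunnel
$StoreDC     = 'STORE01-DC1'            # placeholder: DC already promoted at the store
$BaselineGpo = 'Store Baseline'         # placeholder: GPO already created in GPMC

function New-StoreOuTree {
    param([string]$Name)
    # One OU per store, with child OUs so POS terminals, office PCs and staff can
    # receive different GPOs. ProtectedFromAccidentalDeletion guards against a
    # slip in ADUC taking a whole store's objects with it.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $StoresOU)) {
        New-ADOrganizationalUnit -Name $Name -Path $StoresOU -ProtectedFromAccidentalDeletion $true
    }
    $storeOU = "OU=$Name,$StoresOU"
    foreach ($child in 'POS Terminals', 'Office Computers', 'Users') {
        if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$child'" -SearchBase $storeOU)) {
            New-ADOrganizationalUnit -Name $child -Path $storeOU -ProtectedFromAccidentalDeletion $true
        }
    }
    return $storeOU
}

function New-StoreSite {
    param([string]$Name, [string]$Cidr, [string]$LinkTo)
    # The site plus its subnet lets every PC in the store find its own DC instead
    # of one across the VPN; the site link's cost and interval keep replication
    # to a scheduled, compressed inter-site exchange rather than LAN-style chatter.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Name'")) {
        New-ADReplicationSite -Name $Name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Cidr'")) {
        New-ADReplicationSubnet -Name $Cidr -Site $Name
    }
    $linkName = "$LinkTo-$Name"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded $LinkTo, $Name `
            -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
    }
}

function Set-StoreGpoLink {
    param([string]$TargetOU, [string]$GpoName)
    # Link the store baseline GPO at the store OU, so it applies only to the
    # objects under that OU and nothing elsewhere in the domain.
    $existing = (Get-GPInheritance -Target $TargetOU).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $existing) {
        New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
}

$storeOU = New-StoreOuTree -Name $Store
New-StoreSite -Name $Store -Cidr $Subnet -LinkTo $HeadOffice

# Move the store's DC into its site; until this is done it sits in the site it
# was promoted in and store PCs may authenticate over the VPN instead of locally.
$dc = Get-ADDomainController -Identity $StoreDC
if ($dc.Site -ne $Store) { Move-ADDirectoryServer -Identity $StoreDC -Site $Store }

Set-StoreGpoLink -TargetOU $storeOU -GpoName $BaselineGpo

# Summary for the change record: site membership and subnet mapping of the new store.
Get-ADDomainController -Identity $StoreDC | Select-Object Name, Site, IPv4Address
Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'" | Select-Object Name, Site
```

Running the script twice is safe; every step checks before it creates. Where the thread talks about trusting someone at a branch with their own subdomain, the OU model gives the same effect with less exposure: rights are delegated on the store's OU (Delegation of Control in ADUC) rather than by making anyone an admin of a whole domain.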
Author Comment

by:intellie_ex
ID: 16284244
Let me recap.

HEAD OFFICE
MAIN DOMAIN WITH SITES

STORES

1 DOMAIN WITHIN MY FOREST
 - main domain will replicate the ADUC to it?

If so, then will my DNS also be local, or will they point to my main DC? And if they do, and my VPN goes down, then what?
LVL 1

Expert Comment

by:benutne
ID: 16284432
Yup. I think you're getting it. One big domain using OUs and sites to separate the branch offices (stores). You'll set up a server in each office to handle the login requests (among other things) from users and PCs locally. Those servers will all talk to each other to make sure that changes on one domain controller (Sally needs her password reset, or needs access to a share) get replicated to all the others. Sites just tell each domain controller where each other one lives so they don't eat up WAN bandwidth replicating.

Each DC in each store will also be a DNS server and will replicate (although not in the exact same way as AD does) to your other DNS servers in your domain. Change one record, and all of them will sooner or later get wind of that change and update their records. If your VPN goes down, the store will be all right for a little while. The local DNS/DC will handle all the requests it needs to. Just don't expect a change made at the head office to take effect at the store with the broken VPN till it's back up again.
Author Comment

by:intellie_ex
ID: 16284489
The dark cloud in my head is evaporating... just a few things I need to clear up re: DNS in stores.

I will install the domain in the existing forest, and then install DNS. But will the DNS auto-configure itself?
LVL 1

Expert Comment

by:benutne
ID: 16284630
Yes. Each DC in each of the stores will also be a DNS server. DNS doesn't "auto configure" itself, and DNS is one of the biggest headaches for a newbie Windows net admin. A very thorough understanding of DNS is a must. AD _WILL NOT WORK_ without DNS. And an incorrectly configured DNS network will make you want to hurt small furry woodland creatures.

But after that nightmare-inspiring paragraph, once DNS is set up, it pretty much takes care of itself. I would recommend picking up a book on Windows 2003. I like Mark Minasi's book, but just about any of the good ones cover DNS well enough.
Author Comment

by:intellie_ex
ID: 16284673
So basically, the only thing in this case which will have to be configured is the DNS, once I set up the DC at a remote site.

And is this the book you're talking about?
http://www.amazon.com/gp/product/0782141307/qid=1143237432/sr=1-1/ref=sr_1_1/102-4174799-7830507?s=books&v=glance&n=283155
Author Comment

by:intellie_ex
ID: 16284826
Tell me if this scenario will work...

Let's say my VPN goes down. The domain can't replicate for that time. If I do not install a DNS server at a remote site, but I use my firewall IP as the secondary server so people can have access to the internet, will that work? I guess it will, but they just won't be able to resolve name->IP. Is that the case?
LVL 1

Expert Comment

by:benutne
ID: 16285724
Yes, that is the book, and yes, that is the case. DNS tells AD where everything is, including services like LDAP, SIP, and Kerberos. Without a local DNS server at each branch, you're just asking for trouble. They don't have to be supercomputers. A P3 700 with 256MB of RAM will do just fine. And you've got it backwards. Get DNS up and running, then set up the DC at the stores.
Author Comment

by:intellie_ex
ID: 16285843
So DNS first, and that I will have to do manually, I assume. So for me to do this, I have to go through that book?
LVL 1

Expert Comment

by:benutne
ID: 16286263
You don't HAVE to use that book, but it's got a very clear and complete chapter on setting up DNS for Windows 2003. You should know that if you did just run DCPROMO on a member server at one of your stores, it will try and set up DNS for you. NEVER MAKE THAT MISTAKE. DNS isn't a terribly difficult topic once you get the basics down. Set up DNS on the member server. Once you're sure the new DNS server is set up properly (using NSLOOKUP and checking some A records to see if they got updated from the home office) then you can run DCPROMO. If DCPROMO still bitches that DNS isn't set up right, stop right there and get it working before you go any further. I'm not trying to sound negative, but DNS is a big thing to wrap your head around, and if you don't have a good grip on it, you're in for a world of hurt.

Trust me when I say this. If you were to try and set up subdomains instead of using OUs and sites, not knowing DNS would be even more of a hindrance and you'd be even more screwed.

I'd be happy to help you set up DNS, but that's another topic entirely.
 
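The pre-flight check benutne describes above (query the new store DNS server with NSLOOKUP and confirm the head-office records have arrived before running DCPROMO), scripted as an added example; it is not code from the thread or from any of its participants. It goes a little beyond the A-record check in the post: it also verifies the SOA for the zone and the SRV records that domain-join, logon and DCPROMO itself rely on, and that the box's own DNS client points at the new server first. The same SRV lookups answer the earlier VPN-down question: if the local server returns them on its own, store PCs can still find their local DC while the tunnel is down. It assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later; on Windows 2003 the same queries are typed into nslookup), and corp.example and HQ-DC1 are placeholders for your AD domain and head-office DC.

```powershell
# Added example: verify the store's new DNS server before promoting the box to a DC.
# Run on the member server at the store; it queries its own DNS service (127.0.0.1).
$Domain   = 'corp.example'   # placeholder AD DNS domain name
$HeadDc   = 'HQ-DC1'         # placeholder head-office DC host name
$StoreDns = '127.0.0.1'      # the new DNS server is this machine

function Test-StoreDnsReadiness {
    param([string]$Domain, [string]$HeadDc, [string]$Server)
    $failures = @()

    # 1. The zone must be answered here, not forwarded: an SOA record means this
    #    server actually holds a copy of the zone.
    try {
        $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $Server -DnsOnly -ErrorAction Stop
        if (-not ($soa | Where-Object { $_.Type -eq 'SOA' })) { $failures += "no SOA for $Domain" }
    } catch { $failures += "SOA lookup for $Domain failed: $($_.Exception.Message)" }

    # 2. The head-office DC's A record must have arrived (zone transfer or AD replication).
    $hqFqdn = "$HeadDc.$Domain"
    try {
        $a = Resolve-DnsName -Name $hqFqdn -Type A -Server $Server -DnsOnly -ErrorAction Stop
        if (-not ($a | Where-Object { $_.Type -eq 'A' })) { $failures += "no A record for $hqFqdn" }
    } catch { $failures += "A lookup for $hqFqdn failed: $($_.Exception.Message)" }

    # 3. The SRV records that locate LDAP and Kerberos for the domain must resolve;
    #    DCPROMO, domain joins and logons all look these up.
    $srvNames = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain", "_ldap._tcp.$Domain"
    foreach ($srv in $srvNames) {
        try {
            $r = Resolve-DnsName -Name $srv -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
            if (-not ($r | Where-Object { $_.Type -eq 'SRV' })) { $failures += "no SRV records for $srv" }
        } catch { $failures += "SRV lookup for $srv failed: $($_.Exception.Message)" }
    }

    # 4. The machine's own DNS client must list this server first; an ISP or firewall
    #    resolver cannot answer the _msdcs queries and DCPROMO would go the wrong way.
    $localIps = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress) + '127.0.0.1'
    $primary  = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                 Where-Object { $_.ServerAddresses.Count -gt 0 } |
                 Select-Object -First 1).ServerAddresses[0]
    if (-not $primary) {
        $failures += 'no DNS server configured on any IPv4 interface'
    } elseif ($localIps -notcontains $primary) {
        $failures += "primary DNS client address $primary is not this server"
    }

    return [pscustomobject]@{ Ready = ($failures.Count -eq 0); Failures = $failures }
}

$result = Test-StoreDnsReadiness -Domain $Domain -HeadDc $HeadDc -Server $StoreDns
if ($result.Ready) {
    'DNS answers every check; DCPROMO can go ahead.'
} else {
    'Fix these before running DCPROMO:'
    $result.Failures
}
```

Each failure line names the record that is missing, which maps directly onto the zone or forwarder setting to correct; rerun the check until it reports ready, then promote.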
LVL 1

Accepted Solution

by:benutne (earned 2000 total points)
ID: 16286276
Also, I just reread your first post. Please, for the love of everything holy, do not set up your Exchange server on the same machine as your DC. Microsoft STRONGLY recommends against it. Your DC doesn't need to be all that fast. Hand-me-down hardware is completely acceptable for a DC role.
Author Comment

by:intellie_ex
ID: 16291415
OK, got you. Thanks for the tip with Exchange; I'll post something for that another time. And the DNS: I will get the book and take a look, but if I have any questions I will post them and maybe you can help me with them.

Thanks
LVL 1

Expert Comment

by:benutne
ID: 16291602
Cool man. Again, let me know if you need help with DNS. I realize you spent all your points getting this answer. If you need any DNS help beyond this, you're more than welcome to send something to my junk account at benutne at yahoo dot com. Just put ExEx in the subject line.
Author Comment

by:intellie_ex
ID: 16292370
Hmmm, all my points? I thought I had unlimited... that's interesting.