Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Windows 2003 AD - Adding branch office w/ Win2K Server

Posted on 2006-11-06
Medium Priority
Last Modified: 2010-08-05
Main office has Windows Server 2003 R2 PDC.  It is the only DC, so it's filling all the roles right now.  The domain functional level is Server 2003.  The Forest functional level is Windows 2000.

We are adding a branch office which will connect to the main office using a hardware VPN solution (Cisco IPSec tunnel).  Main office has a T1 and the branch office has a 512K/128K DSL connection.  So bandwidth will not be huge, but it should be sufficient.

The only server I have available to install in the branch office has a Windows 2000 Server license.  I cannot purchase any new licenses in this scenario.

Exchange 2003 is running in the main office, and we want to allow the branch office to access exchange mailboxes with their primary login, if possible.

What is the best solution to configure Active Directory in this setting?

Since the domain functional level is already set to Server 2003, I don't believe I can add the Windows 2000 server as a DC in that domain.  Correct me if I'm wrong, please.
Should I create a child domain and make the branch office Win2K server the DC of that domain?  I'm just not sure what the best practice in this scenario would be.

I appreciate your assistance in advance.
Question by:ThePerfectK
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2

Expert Comment

ID: 17887687
Once you have raised the forest & domasin fuctional level to Windows 2003, there is no way you can make windows 2000 domain. You need to plan for windows 2003 migration.

Expert Comment

ID: 17887724
How many users are availble in branch office? If the count is less, why not you make use of outlook 2003 cached mode. Have this windows 2000 as file & print, DHCP, DNS server.

Expert Comment

ID: 17888160

Depending on the number of users in the branch office, I would not advise to put a DC in there. DC means replication, and would also mean Global Catalog for bandwidth optimization purposes. Replication over slow links does work, but imho it's not worth the effort. In any case, no way you can add a 2K DC when you have domain fuctional level set to 2K3.

So that would mean creating another domain, with would imply more administration...

cjtraman ' s suggestions look good to me. 2K3 cached mode proves to be quite efficient, and adding your 2K server to the domain as a member server, and making it DHCP / DNS / Print / File server would be imho the best compromise.

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.


Author Comment

ID: 17891452
Branch office has about 10 users.  I planned on using Outlook cached mode either way, yes.

My thought was that it would be better to deal with replication issues rather than having workstations authenticate to a DC across a WAN link.
Just to be sure I am clear, you feel that it would be better to let the workstations authenticate across the WAN link and only have the single DC in the main office?

Let me clarify further - currently in the branch office, there is no security or user administration in place at all.  That makes it desirable to implement something to handle user and file security - I actually believe that adding a new domain would be worthwhile, as long as I can create a trust between the two domains to allow for user authentication to the exchange server.  Perhaps that's not possible.

So either I put a DC in the branch office, or I join the workstations to the domain in the main office, I think.  Let me know if that changes anything for anyone.

Accepted Solution

vsg375 earned 1000 total points
ID: 17900671
OK, I should me a little more accurate in my comments, mea maxima culpa :)

There will be good and bad points in each scenario...

1.You create a new domain @ the branch office :

No authentication over WAN links problems, so it gives more bandwidth for Exchange access. As regards to trusts, your domain will be part of the same forest, which means trusts are established automatically and are transitive (well, actually, in your case, trusts would be commutative, since transitivity with only two elements hasn't been invented yet... ;)) On the other hand, it also means more administrative overhead, and I'll never insist enough on that one... Active Directory is a great invention, it might work flawlessly (matter'o'fact, it even sometimes DOES ;o))  but it surely doesn't work by itself... What's more, working in mixed mode works fine, but also means some preliminary work.

If you want your DC configuration to be optimal @ the branch office, you have to make it a global catalog. Just a reminder : even with sites properly configured, a client always seeks the nearest GLOBAL CATALOG, not the nearest DC... The direct consequence of that is AD replication over WAN links, and considering your link speed, I wouldn't really rely on RPC... Which would mean more configuration, hence more administrative overhead...

2. You add your clients to the existing domain, and make your 2K server a file / print / DHCP / DNS server

No administrative overhead, and you have the same security possibilities (GPO, OU's etc...). Should the WAN link fail, they would of course be in trouble, but on the other hand, even if you choose to setup a new domain, they wouldn't be able to access Exchange either...

So, to sum up :

  - New domain : more independence for the branch office, but also more administration
  - No new domain : less work, and most likely more bandwidth for Exchange (cached mode would be a good idea anyway).

I trust my fellow experts on the fact that they will indeed correct me if I'm wrong and / or if I forgot anything.


Author Comment

ID: 17901992
Excellent commentary - I appreciate your 'specificity and verbosity,' indeed.  I would still appreciate any commentary from other folks, in case anyone has anything useful to throw in, of course.

Assisted Solution

cjtraman earned 1000 total points
ID: 17904191
I do not recommend seperate domain for mere 10 users and even if it grows to 30 to 40 users. There wont be any dc related replication traffic. No domain administration overhead. Even if the link fails, you will be able to login to your desktop using cached profile. Even you will have access to your exchange server folders as they are locally cached. the only downside is you cannot send/receive mails till the link is up.


Featured Post

New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
Learn about cloud computing and its benefits for small business owners.
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question