Solved

Windows 2003 AD - Adding branch office w/ Win2K Server

Posted on 2006-11-06
7
461 Views
Last Modified: 2010-08-05
Main office has Windows Server 2003 R2 PDC.  It is the only DC, so it's filling all the roles right now.  The domain functional level is Server 2003.  The Forest functional level is Windows 2000.

We are adding a branch office which will connect to the main office using a hardware VPN solution (Cisco IPSec tunnel).  Main office has a T1 and the branch office has a 512K/128K DSL connection.  So bandwidth will not be huge, but it should be sufficient.

The only server I have available to install in the branch office has a Windows 2000 Server license.  I cannot purchase any new licenses in this scenario.

Exchange 2003 is running in the main office, and we want to allow the branch office to access exchange mailboxes with their primary login, if possible.

What is the best solution to configure Active Directory in this setting?

Since the domain functional level is already set to Server 2003, I don't believe I can add the Windows 2000 server as a DC in that domain.  Correct me if I'm wrong, please.
Should I create a child domain and make the branch office Win2K server the DC of that domain?  I'm just not sure what the best practice in this scenario would be.

I appreciate your assistance in advance.
0
Comment
Question by:ThePerfectK
  • 3
  • 2
  • 2
7 Comments
 
LVL 5

Expert Comment

by:cjtraman
Comment Utility
Once you have raised the forest & domasin fuctional level to Windows 2003, there is no way you can make windows 2000 domain. You need to plan for windows 2003 migration.
0
 
LVL 5

Expert Comment

by:cjtraman
Comment Utility
How many users are availble in branch office? If the count is less, why not you make use of outlook 2003 cached mode. Have this windows 2000 as file & print, DHCP, DNS server.
0
 
LVL 9

Expert Comment

by:vsg375
Comment Utility
Hi

Depending on the number of users in the branch office, I would not advise to put a DC in there. DC means replication, and would also mean Global Catalog for bandwidth optimization purposes. Replication over slow links does work, but imho it's not worth the effort. In any case, no way you can add a 2K DC when you have domain fuctional level set to 2K3.

So that would mean creating another domain, with would imply more administration...

cjtraman ' s suggestions look good to me. 2K3 cached mode proves to be quite efficient, and adding your 2K server to the domain as a member server, and making it DHCP / DNS / Print / File server would be imho the best compromise.

HTH
Cheers
0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 
LVL 2

Author Comment

by:ThePerfectK
Comment Utility
Branch office has about 10 users.  I planned on using Outlook cached mode either way, yes.

My thought was that it would be better to deal with replication issues rather than having workstations authenticate to a DC across a WAN link.
Just to be sure I am clear, you feel that it would be better to let the workstations authenticate across the WAN link and only have the single DC in the main office?

Let me clarify further - currently in the branch office, there is no security or user administration in place at all.  That makes it desirable to implement something to handle user and file security - I actually believe that adding a new domain would be worthwhile, as long as I can create a trust between the two domains to allow for user authentication to the exchange server.  Perhaps that's not possible.

So either I put a DC in the branch office, or I join the workstations to the domain in the main office, I think.  Let me know if that changes anything for anyone.
0
 
LVL 9

Accepted Solution

by:
vsg375 earned 250 total points
Comment Utility
OK, I should me a little more accurate in my comments, mea maxima culpa :)

There will be good and bad points in each scenario...

1.You create a new domain @ the branch office :

No authentication over WAN links problems, so it gives more bandwidth for Exchange access. As regards to trusts, your domain will be part of the same forest, which means trusts are established automatically and are transitive (well, actually, in your case, trusts would be commutative, since transitivity with only two elements hasn't been invented yet... ;)) On the other hand, it also means more administrative overhead, and I'll never insist enough on that one... Active Directory is a great invention, it might work flawlessly (matter'o'fact, it even sometimes DOES ;o))  but it surely doesn't work by itself... What's more, working in mixed mode works fine, but also means some preliminary work.

If you want your DC configuration to be optimal @ the branch office, you have to make it a global catalog. Just a reminder : even with sites properly configured, a client always seeks the nearest GLOBAL CATALOG, not the nearest DC... The direct consequence of that is AD replication over WAN links, and considering your link speed, I wouldn't really rely on RPC... Which would mean more configuration, hence more administrative overhead...

2. You add your clients to the existing domain, and make your 2K server a file / print / DHCP / DNS server

No administrative overhead, and you have the same security possibilities (GPO, OU's etc...). Should the WAN link fail, they would of course be in trouble, but on the other hand, even if you choose to setup a new domain, they wouldn't be able to access Exchange either...


So, to sum up :

  - New domain : more independence for the branch office, but also more administration
  - No new domain : less work, and most likely more bandwidth for Exchange (cached mode would be a good idea anyway).

I trust my fellow experts on the fact that they will indeed correct me if I'm wrong and / or if I forgot anything.

HTH
Cheers
0
 
LVL 2

Author Comment

by:ThePerfectK
Comment Utility
Excellent commentary - I appreciate your 'specificity and verbosity,' indeed.  I would still appreciate any commentary from other folks, in case anyone has anything useful to throw in, of course.
0
 
LVL 5

Assisted Solution

by:cjtraman
cjtraman earned 250 total points
Comment Utility
I do not recommend seperate domain for mere 10 users and even if it grows to 30 to 40 users. There wont be any dc related replication traffic. No domain administration overhead. Even if the link fails, you will be able to login to your desktop using cached profile. Even you will have access to your exchange server folders as they are locally cached. the only downside is you cannot send/receive mails till the link is up.



0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now