Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 470
  • Last Modified:

Windows 2003 AD - Adding branch office w/ Win2K Server

Main office has Windows Server 2003 R2 PDC.  It is the only DC, so it's filling all the roles right now.  The domain functional level is Server 2003.  The Forest functional level is Windows 2000.

We are adding a branch office which will connect to the main office using a hardware VPN solution (Cisco IPSec tunnel).  Main office has a T1 and the branch office has a 512K/128K DSL connection.  So bandwidth will not be huge, but it should be sufficient.

The only server I have available to install in the branch office has a Windows 2000 Server license.  I cannot purchase any new licenses in this scenario.

Exchange 2003 is running in the main office, and we want to allow the branch office to access exchange mailboxes with their primary login, if possible.

What is the best solution to configure Active Directory in this setting?

Since the domain functional level is already set to Server 2003, I don't believe I can add the Windows 2000 server as a DC in that domain.  Correct me if I'm wrong, please.
Should I create a child domain and make the branch office Win2K server the DC of that domain?  I'm just not sure what the best practice in this scenario would be.

I appreciate your assistance in advance.
0
ThePerfectK
Asked:
ThePerfectK
  • 3
  • 2
  • 2
2 Solutions
 
cjtramanCommented:
Once you have raised the forest & domasin fuctional level to Windows 2003, there is no way you can make windows 2000 domain. You need to plan for windows 2003 migration.
0
 
cjtramanCommented:
How many users are availble in branch office? If the count is less, why not you make use of outlook 2003 cached mode. Have this windows 2000 as file & print, DHCP, DNS server.
0
 
vsg375Commented:
Hi

Depending on the number of users in the branch office, I would not advise to put a DC in there. DC means replication, and would also mean Global Catalog for bandwidth optimization purposes. Replication over slow links does work, but imho it's not worth the effort. In any case, no way you can add a 2K DC when you have domain fuctional level set to 2K3.

So that would mean creating another domain, with would imply more administration...

cjtraman ' s suggestions look good to me. 2K3 cached mode proves to be quite efficient, and adding your 2K server to the domain as a member server, and making it DHCP / DNS / Print / File server would be imho the best compromise.

HTH
Cheers
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
ThePerfectKAuthor Commented:
Branch office has about 10 users.  I planned on using Outlook cached mode either way, yes.

My thought was that it would be better to deal with replication issues rather than having workstations authenticate to a DC across a WAN link.
Just to be sure I am clear, you feel that it would be better to let the workstations authenticate across the WAN link and only have the single DC in the main office?

Let me clarify further - currently in the branch office, there is no security or user administration in place at all.  That makes it desirable to implement something to handle user and file security - I actually believe that adding a new domain would be worthwhile, as long as I can create a trust between the two domains to allow for user authentication to the exchange server.  Perhaps that's not possible.

So either I put a DC in the branch office, or I join the workstations to the domain in the main office, I think.  Let me know if that changes anything for anyone.
0
 
vsg375Commented:
OK, I should me a little more accurate in my comments, mea maxima culpa :)

There will be good and bad points in each scenario...

1.You create a new domain @ the branch office :

No authentication over WAN links problems, so it gives more bandwidth for Exchange access. As regards to trusts, your domain will be part of the same forest, which means trusts are established automatically and are transitive (well, actually, in your case, trusts would be commutative, since transitivity with only two elements hasn't been invented yet... ;)) On the other hand, it also means more administrative overhead, and I'll never insist enough on that one... Active Directory is a great invention, it might work flawlessly (matter'o'fact, it even sometimes DOES ;o))  but it surely doesn't work by itself... What's more, working in mixed mode works fine, but also means some preliminary work.

If you want your DC configuration to be optimal @ the branch office, you have to make it a global catalog. Just a reminder : even with sites properly configured, a client always seeks the nearest GLOBAL CATALOG, not the nearest DC... The direct consequence of that is AD replication over WAN links, and considering your link speed, I wouldn't really rely on RPC... Which would mean more configuration, hence more administrative overhead...

2. You add your clients to the existing domain, and make your 2K server a file / print / DHCP / DNS server

No administrative overhead, and you have the same security possibilities (GPO, OU's etc...). Should the WAN link fail, they would of course be in trouble, but on the other hand, even if you choose to setup a new domain, they wouldn't be able to access Exchange either...


So, to sum up :

  - New domain : more independence for the branch office, but also more administration
  - No new domain : less work, and most likely more bandwidth for Exchange (cached mode would be a good idea anyway).

I trust my fellow experts on the fact that they will indeed correct me if I'm wrong and / or if I forgot anything.

HTH
Cheers
0
 
ThePerfectKAuthor Commented:
Excellent commentary - I appreciate your 'specificity and verbosity,' indeed.  I would still appreciate any commentary from other folks, in case anyone has anything useful to throw in, of course.
0
 
cjtramanCommented:
I do not recommend seperate domain for mere 10 users and even if it grows to 30 to 40 users. There wont be any dc related replication traffic. No domain administration overhead. Even if the link fails, you will be able to login to your desktop using cached profile. Even you will have access to your exchange server folders as they are locally cached. the only downside is you cannot send/receive mails till the link is up.



0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now