Solved

Active Directory + replication + exchange 2003 + site-to-site VPN Tunnel Scenario

Posted on 2007-10-16
Last Modified: 2008-05-31
Hi Experts,

I need some advice on properly configuring the proposed Active Directory site:

CA Office (existing):
Currently:
1x Windows 2003 Server as Domain Controller & DNS Server for the fictiousCA.com domain
1x Windows 2003 Server with Exchange 2003 Server, Member Server
1x Windows 2003 Server with Citrix, Member Server
network = 20 users
Firewall = Cisco ASA 5505


Houston Office (Proposed):
4 users from CA moving to TX to expand operations
CA and TX offices will be connected via site-to-site VPN connection
full access between both sites is preferred.

1x Windows 2003 server, Domain Controller & DNS server, part of the fictiousCA.com domain
1x Windows 2003 server, Exchange 2003 Server
Both servers are installed on a VMware ESX server as VMs.
1x Cisco PIX 501

My purpose:
I want to extend the existing fictiousCA.com domain to Houston instead of creating another domain for Houston, and administer everything based on OUs.

Also, I wanted the 4 users who are local to Houston to also have their mailboxes reside on the same Exchange server in Houston to limit traffic passing through the VPN tunnel. Therefore I'll have 1 Exchange server in CA that hosts 16 mailboxes and 1 Exchange server in Houston that hosts 4 mailboxes.

* Now my questions/concerns: is there a better way to configure this scenario?

* Regarding Active Directory, what is the preferred method to add/configure the additional DC for the fictiousCA.com domain?

* Will the time difference between CA and TX affect replication or any other Active Directory functions between the 2 DCs?

* Lastly, what is the preferred method for AD replication, i.e. RPC, IP, SMTP?


Thanks for the help in advance!
Question by:jetli87
Accepted Solution by: Jay_Jay70 (LVL 48, earned 2000 total points), ID: 20090147
1. You will need a VPN link between the PIX and the ASA...this is the first point
2. Additional DC is easy as, you have no problems doing this. Basically, as long as you have name resolution across the VPN (server points to central DNS servers) when you run dcpromo, you will have the option to make an additional DC, easy as - just follow the wizards
you will also need to configure Sites and Services to control replication and authentication, not hard, but essential
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx
You will also need to make sure that the new DC in the TX site is a Global Catalog
Once configured and AD is replicated, make the clients in TX look at the TX server for DNS....AD-replicated zones will be stored on all DCs
3. The time difference will be fine, basically, with the situation you have proposed, you will barely need to touch replication schedules as AD traffic is tiny and time is all controlled via server
4. RPC/IP is the preferred method, SMTP is for when you don't have a static pipe between the two, not very often is it used these days, leave as defaults
5. Personally, for the sake of 4 mailboxes, I really don't see the need for an extra Exchange box, I would just let the mail pass straight through the VPN to your end users, big cost difference

let me know if you need clarification on anything
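An added post-installation check (not part of the thread and not the expert's own script) for the points the accepted answer lists: SRV name resolution across the VPN, the site and subnet in Sites and Services, the Global Catalog flag on the new DC, and the dcdiag replication and SYSVOL tests that the follow-up comment ran into. It assumes the RSAT ActiveDirectory and DnsClient PowerShell modules (2008 R2/2012+ tooling rather than the 2003-era GUI); HOU-DC01, the site name Houston and the 10.20.0.0/24 subnet are placeholders.

```powershell
# Added example (not from the original thread): post-dcpromo health check for a
# second-site DC. The ActiveDirectory and DnsClient modules are assumed; the DC,
# site and subnet names are placeholders (constructed), not values from the page.
#Requires -Modules ActiveDirectory
param(
    [string]$Domain    = 'fictiousCA.com',   # domain named in the question
    [string]$NewDc     = 'HOU-DC01',         # placeholder name for the Houston DC
    [string]$NewSite   = 'Houston',          # placeholder AD site name
    [string]$NewSubnet = '10.20.0.0/24'      # constructed subnet for the TX LAN
)
$problems = @()

# 1. Name resolution across the VPN: dcpromo and logons need the domain's
#    LDAP/Kerberos SRV records, so resolve them from the new site's DNS.
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    if (-not (Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue)) {
        $problems += "SRV record $srv did not resolve"
    }
}

# 2. Sites and Services: the TX subnet must belong to the TX site, otherwise the
#    Houston clients will authenticate across the VPN instead of locally.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$NewSite'")) {
    $problems += "Site $NewSite does not exist"
}
$subnet = Get-ADReplicationSubnet -Filter "Name -eq '$NewSubnet'"
if (-not $subnet -or $subnet.Site -notlike "CN=$NewSite,*") {
    $problems += "Subnet $NewSubnet is not mapped to site $NewSite"
}

# 3. The remote DC should be a Global Catalog and sit in the new site.
$dc = Get-ADDomainController -Identity $NewDc
if (-not $dc.IsGlobalCatalog) { $problems += "$NewDc is not a Global Catalog" }
if ($dc.Site -ne $NewSite)    { $problems += "$NewDc is in site $($dc.Site), not $NewSite" }

# 4. dcdiag replication, SYSVOL and advertising tests (the follow-up comment's
#    SYSVOL replication problem shows up here as a failed SysVolCheck).
$dcdiag = dcdiag /s:$NewDc /test:Replications /test:SysVolCheck /test:Advertising 2>&1
foreach ($m in ($dcdiag | Select-String -Pattern 'failed test (\w+)').Matches) {
    $problems += "dcdiag test $($m.Groups[1].Value) failed on $NewDc"
}

# 5. repadmin /replsummary: a non-zero value in the fails/total column means a
#    replication partner has not replicated successfully.
$repl = repadmin /replsummary $NewDc 2>&1
if ($repl -match '\s[1-9]\d*\s*/\s*\d+\s+\d+') { $problems += "repadmin reports failed replication attempts for $NewDc" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All checks passed for $NewDc in site $NewSite"
```

Run it on the new DC after dcpromo and initial replication; a non-zero exit code with warnings lists exactly which of the answer's prerequisites is still missing.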
Author Comment by: jetli87 (LVL 1), ID: 20090203
thanks for the quick response Jay_Jay...

yeah I actually didn't think it was too difficult...I actually already configured the additional DC and Exchange box locally, so that when I fly out next week to Houston, I just need to ensure the VPN tunnel is up and that DNS entries are correct, then everything should work. As for GC and DNS pointing to the TX server, got that checked as well. As for the additional Exchange box, we had an extra Exchange server license to use.

I just wanted validation from an expert...thanks again!

Expert Comment by: Jay_Jay70 (LVL 48), ID: 20090210
wow, you have everything covered already :) nice work!

your best friend when installing this will be dcdiag as it will play a huge part in confirming replication etc

good luck and let me know if you need any help

James
Author Comment by: jetli87 (LVL 1), ID: 20090360
thanks again!

yeah the only issue I'm having right now is the new DC is having issues with SYSVOL replication per dcdiag...trying to troubleshoot...if I can't figure it out within the hour, I'll post a new question...
Expert Comment by: Jay_Jay70 (LVL 48), ID: 20090365
no problems, I'll keep an eye out