andre_st asked:
Need advice on many aspects of implementation of AD and other network aspects

(Okay, I realize that this question involves MANY questions, and perhaps should be asked in many different posts. But I felt that it would be easier for you guys to give a qualified answer with a good overview of the situation. So I would be VERY grateful if you could take the time and help me out!)

My company is about to completely reorganize its network environment and I am hoping to get some expert opinions about what a good setup would look like. At the moment these two offices are not connected in any way, except that the main office hosts both public websites. We are about to join these two offices in an integrated Active Directory environment.

As I work in the "smaller" office I actually have very little knowledge at the present moment about their setup - so my concern is mostly about how the setup will be at the small office.

I am still a newbie at servers and networking, but my idea of the setup is something like this:

Both offices in a single "forest" (sharing a global catalog)
Question 1 = As the two offices are not especially dependent on each other, is it perhaps better to have two different forests, and set up a cross-forest trust? I don't know how this works, but won't that lower the need for replication traffic between the two?

Two different "sites".
Question 2 = Would we benefit in just having one site for the two domains?

Question 3 = Do we gain something by having central email management (using Exchange Server) only at the main office, except for perhaps a little less administration work at the small office? By that I mean that perhaps it is better to try to keep the number of "roles" to a minimum on the only server at the small office - because there are only ten people working there.

Question 4 = The follow-up question then becomes: is it advisable to configure the small office server as a domain controller, file server, mail server, DNS and DHCP? Or should we invest in more servers to lower the burden?

As the small office is in need of extended storage capacity, we are considering either buying a simple NAS, or perhaps using some of the storage in the upcoming SAN, which supposedly will happen in the near future.
Question 5 = As the network connection at the smaller office is only about 1.7 Mbit/s (up) and 9 Mbit/s (down) - is it a bad option for us to use the SAN at the main office for our day to day storage needs?

Question 6 = Let's say we decide upon a single forest, with two sites. What is the best way of accessing shared assets between the two offices? Is it advisable that we set up a VPN connection? Or is it perhaps enough just to authenticate via AD's Kerberos? We do not have any extremely top secret industrial information that we send across...

Question 7 = At the moment, the small office has a dedicated Windows 2000 server, acting as the network firewall. Isn't it more advisable to use dedicated hardware firewalls, for example from Cisco?


Some specifications for the present situation:

Main office:

Located in Denmark
AD domain: company1.dk
70 People
Webserver for both offices, public websites
Dedicated Exchange mailserver
Fileservers
(Thinking about investing in a SAN)

Small office:
Located in Sweden
AD domain: company2.se
10 People

One Small Business Server 2003 which has the following roles:
Active Directory : domain controller
Fileserver (almost no space left)
Microsoft Exchange 2003 (only for local email traffic)
DHCP-server
DNS-server

A dedicated Windows 2000 server, acting solely as the network firewall

ISP-Speed of internet connection = Up (1.7 Mbit/s), down (9 Mbit/s)
ASKER CERTIFIED SOLUTION
Robin Human, South Africa
This solution is only available to members of Experts Exchange.

SOLUTION (three further solutions, available to members only)
andre_st (asker) replied:
Thanks for all the replies! I really appreciate it! I've been reading all of them with great interest and investigating the options you suggested. Most of you seem to agree upon having a:

Centralized mailserver
Using a hardware firewall
Using DFS
Using VPN (or a dedicated line)

DFS seems like a good idea. What I don't understand is how the replication takes place without the risk of some data being lost. If for example the replication is set to occur during the night - and let's say that an employee in the small office edits an existing file in a shared folder in the DFS, and later on an employee in the main office edits the same file, located in the same folder on the DFS (but which hasn't been synchronized yet with the small office). What will happen in this scenario? When the synchronization takes place during the night, won't the changes that the employee at the small office made be deleted as the newest version found will be synchronized?

"Americom" = I thought you had an interesting idea of just using one domain for both locations. Both offices used to be independent companies, but some years ago they were merged into one company group. That is the reason why both offices have different domains and DCs. In the near future we will migrate to a totally new company name for both offices. But as the AD domain name has nothing to do with the two different public web pages we have at the moment, perhaps it would be simplest for the small office to be included in the domain of the main office. And when we finally agree upon a new name for the company "group"...I guess it's simple to just rename the AD domain?

Regarding VPN in general, I have almost no experience with that so bear with me. But can the VPN connection be set up so that the employees (in the small office) won't notice that they are actually connected through VPN? Or do they have to log in locally to their computers, and then open up a VPN connection to be able to log in to the domain (if no DC at the small office)? And let's say that we set up a DFS with file servers on both locations for redundancy - and the file servers at the main office go down, will the employees of the main office have to manually open up a VPN connection to be able to access the file servers at the small office location? Simply speaking, can VPN connections be set to run automatically, in parallel with the regular internet connection?
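The conflict scenario the asker describes above (the same file edited in both offices between two replication runs) is worth seeing as a concrete model. The following is an added example, not from any post on this page and not Microsoft's code: a small Python model of how DFS Replication (DFS-R, available from Windows Server 2003 R2 onwards) resolves such a conflict. DFS-R uses last-writer-wins on the file's modification time, and the losing version is not silently discarded but moved to a ConflictAndDeleted folder on the member whose copy lost. The member names, file path, contents and timestamps are constructed sample values; the tie-break rule on equal timestamps is a simplification of DFS-R's actual rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of two DFS-R members (the asker's small-office and
# main-office file servers). Each member holds path -> FileVersion and a
# ConflictAndDeleted list for versions that lost a conflict.


@dataclass(frozen=True)
class FileVersion:
    content: str
    mtime: int     # modification time, seconds since epoch (constructed)
    origin: str    # member that wrote this version


@dataclass
class Member:
    name: str
    files: Dict[str, FileVersion] = field(default_factory=dict)
    conflict_and_deleted: List[Tuple[str, FileVersion]] = field(default_factory=list)

    def edit(self, path: str, content: str, mtime: int) -> None:
        """A local user saves a new version of the file on this member."""
        self.files[path] = FileVersion(content, mtime, self.name)


def newer(a: FileVersion, b: FileVersion) -> FileVersion:
    """Last-writer-wins on mtime. On an exact tie fall back to a stable
    comparison of the origin name so both members pick the same winner
    (simplified stand-in for DFS-R's real tie-break)."""
    if a.mtime != b.mtime:
        return a if a.mtime > b.mtime else b
    return a if a.origin < b.origin else b


def replicate(a: Member, b: Member) -> None:
    """One bidirectional replication pass, e.g. the nightly schedule.
    Files present on one side only are simply copied; files that differ
    on both sides are resolved by newer(), and each member that held the
    losing version moves it to its own ConflictAndDeleted folder."""
    for path in set(a.files) | set(b.files):
        va, vb = a.files.get(path), b.files.get(path)
        if va is None:
            a.files[path] = vb
        elif vb is None:
            b.files[path] = va
        elif va != vb:
            winner = newer(va, vb)
            if winner is not va:
                a.conflict_and_deleted.append((path, va))
                a.files[path] = winner
            if winner is not vb:
                b.conflict_and_deleted.append((path, vb))
                b.files[path] = winner


def asker_scenario() -> Tuple[Member, Member]:
    """Both offices start in sync; Sweden edits first, Denmark edits later,
    then the nightly replication runs. Returns both members afterwards."""
    small = Member("small-office")
    main = Member("main-office")
    path = "shared/budget.xlsx"
    small.edit(path, "v1 original", mtime=1000)
    replicate(small, main)                      # initial sync, no conflict
    small.edit(path, "v2 edited in Sweden", mtime=2000)
    main.edit(path, "v3 edited in Denmark", mtime=3000)
    replicate(small, main)                      # the nightly run
    return small, main


if __name__ == "__main__":
    small, main = asker_scenario()
    print("live copy on both members:", small.files["shared/budget.xlsx"].content)
    for path, lost in small.conflict_and_deleted:
        print(f"{small.name} ConflictAndDeleted: {path} -> {lost.content!r}")
```

Running the scenario shows the outcome the asker was worried about: the Swedish edit (v2) is overwritten on the live share by the later Danish edit (v3), but it survives in the small office server's ConflictAndDeleted folder, where an administrator can recover it. That folder is quota-limited and old entries are purged, so it is a safety net, not a substitute for backups or shadow copies of the replicated shares.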