Connecting branch offices in other parts of the world to head office - VPN?

Hi all,

Our company has 10 branches located in other parts of the world. Each site has internet access, at least a 256 kb DSL connection. We want all users to be connected to our head office, so that we can manage security and Group Policies for all employees.

I am guessing that each site will need to have a child domain controller and that each site should be connected to head office via a VPN? Users are not expected to connect to head office; only the local domain controller for that site will replicate Active Directory across the WAN VPN link.

Does my proposed solution make sense? Is the 256 kb connection at remote sites in other parts of the world sufficient?
Approximately how many workstations are at each branch office?

Qlemo, Batchelor, Developer and EE Topic Advisor, commented:
The 256 kb should be sufficient if you have a domain controller at each branch. But you won't need subdomains; a replication scenario would be OK.
If the only traffic is AD replication and the other supporting traffic (DNS, WINS, etc.) then it's fine IMHO. The real problem with remote connections like this isn't really the bandwidth to the site, but the latency in the traffic. I would wager that a connection on the other side of the world would have very noticeable latency in communications. If user data traffic was being sent across the lines, then it would be unacceptable. But if it's only replication traffic, then does it really matter if the servers take 10 minutes, an hour, or 12 hours to fully replicate?

If you have the equipment handy, give it a test and see what kind of connection you end up with and what the performance looks like.


256kb should be fine for domain replication if that is the ONLY thing you need going over those lines. If you're moving any sort of file data I would say 256 would not cut it. However since we're talking about overseas like it sounds, you may run into some issues even if we're just talking replicated Active Directory stuff.

You wouldn't necessarily have to use child domains but these could be helpful for management.

With your current connectivity, site-to-site VPN would probably be your only solution as far as the network connectivity. There are a number of router devices that support site-to-site VPN and many are relatively inexpensive (SonicWall, for example).

However, the best solution would be to use something like an MPLS or Frame Relay connection between the sites. This will be far more reliable and you can scale your MPLS pipes according to your needs. These will be more expensive than a DSL line, however. I've never priced out overseas MPLS, however.
anarine (Author) commented:
I forgot to mention that we may need to run Remote Desktop (RDP) to resolve user issues. We may even create Exchange mailboxes at head office to host users' email. Will that cause too much traffic?

We plan to use Cisco PIX / ASA devices in each site for implementing the site-to-site VPN.

The purpose of the child domains is that I can assign a domain admin at each site, so that they only have rights over their child domain. Does that make sense?
RDP might be a stretch over 256k lines overseas with VPN overhead, but you could do it. Exchange would be pretty painful over a 256k line, especially considering the corporate culture of sending around huge attachments...

If you're planning on having local domain admins at each site then yes by all means a child domain for each site would work great and probably be the best solution.

Is some other connectivity an option? How many of the offices are on 256k and how many are on other connections? Are the 256k locations limited because that's all they can get, or could you upgrade these sites to a faster DSL line or other local internet connectivity options?

For the Exchange mailboxes, consider using OWA as the email client.
anarine (Author) commented:
If I use the Cisco ASA for site-to-site VPN, does NAT also need to be configured on the ASA? The ASA will be behind a DSL modem that has a static public IP and is also running NAT. I've heard that double NATting can cause problems?
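The site-to-site VPN recommended in the answers above, and the NAT question in this last comment, as an added configuration example; it is not from any poster in this thread and not a vendor-supplied config. It assumes ASA software using the pre-8.3 NAT syntax (the PIX/ASA generation discussed here), an HQ LAN of 10.1.0.0/24, a branch LAN of 10.2.0.0/24, a branch peer reachable at 198.51.100.20, and an HQ ASA whose outside interface holds a private address handed out by the DSL modem. Interface names, ACL names, addresses and the pre-shared key are placeholders.

```cisco
! HQ ASA, pre-8.3 NAT syntax. Addresses and names are placeholders (assumed, not from the thread).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.2 255.255.255.0     ! private address from the DSL modem: this is the "double NAT"
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0

! Interesting traffic: HQ LAN <-> branch LAN. The branch ASA needs the mirror image of this ACL.
access-list VPN_TO_BRANCH1 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! NAT exemption. Without this the ASA would PAT the LAN-to-LAN packets to its outside address,
! they would no longer match the crypto ACL, and the tunnel would never see them.
! "nat 0 access-list" is evaluated before every other nat statement.
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Everything else from the LAN is PAT'ed to the outside interface; the DSL modem then NATs it again,
! which is harmless for ordinary web traffic.
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.255.0

! IKE phase 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! NAT traversal is what makes the tunnel survive the modem's NAT: ESP is wrapped in UDP/4500
! once both peers detect a NAT in the path. 20 = keepalive interval in seconds.
crypto isakmp nat-traversal 20

! IPsec phase 2
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK

! Note: sysopt connection permit-vpn is on by default, so decrypted tunnel traffic bypasses the
! outside interface ACL. If the branch LAN should only reach the DC (replication, DNS, RDP),
! disable it and write explicit rules instead of trusting the whole remote subnet.
```

Two things on the modem side make the double NAT workable: it must forward UDP/500 and UDP/4500 to the ASA's outside address (192.168.0.2 here), and the branch ASA's `set peer` must point at the modem's static public IP, not at the ASA's private one. After bringing the tunnel up, `show crypto isakmp sa` should show the peer in MM_ACTIVE, and the encaps/decaps counters in `show crypto ipsec sa` should climb in both directions when a branch host pings the HQ DC; if only one direction counts, the usual cause is a missing NAT exemption or a mismatched crypto ACL on the other side.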