Berkson Wein asked:
Connect two physically separate locations (different co-location centers) to share Active Directory (replication) and file sharing

Hi all-

I've got a Windows 2003 Active Directory domain with 3 servers set up in a colocation server rack for a non-profit (charity) that I volunteer for.  I'm definitely not (as will become obvious from this post) a networking expert, but I know my way around Windows 2003.

All of the machines have two NICs.

NIC #1 has a public IP address, firewalled to only allow access to services like web, SMTP, and DNS using the built-in Routing and Remote Access.

NIC #2 in each server is connected to a physically separate switch that allows non-firewalled access from server to server, using a private ip in the 10.1.1.x subnet.

One of the servers is acting as a VPN server, and hands out IPs in the same 10.1.1.x subnet.

We're now interested in setting up a second colocation location (several states over) to give us more redundancy.  I'm looking for suggestions on how to best accomplish this, in terms of connectivity and AD replication.

Remember that this is for a charity, and the budget is TIGHT.  If I can get away without purchasing VPN routers, that would be great.  I would be interested in the right way to do this if budget was unlimited (as long as connectivity between the 2 locations still goes over the Internet and doesn't use a dedicated line) and also any alternative way that wouldn't involve any additional expenditure.

There will be 4 servers in the remote colocation rack.  I was thinking of having one of these run AD and replicate the information over the WAN (via a VPN).  How to accomplish that is one of the big questions I have.

I figured that the 4 servers would also be set with nic #1 on a public IP (different provider from the primary location, different subnet altogether) and having nic #2 on a private network, say 10.2.1.x.

What's the best way to have all 4 servers in the second location also have access to the 10.1.1.x subnet at the first location?  I assume if we can accomplish this, then the first location will be able to talk to the servers at the second location too.

Your ideas are appreciated!  
Thanks
SOLUTION (Datedman; solution text only available to Experts Exchange members)
Berkson Wein (asker):
Thanks for the reply!
There are 4 servers in each location, so you're suggesting that each have a connection to a vpn server at the other location?
It's all current static ip addresses, no DHCP for the servers.  The vpn connection that I use to remote in does hand out a dhcp address, though I could set this to be static on the servers.
Let's say that location one has public ip address 65.x.x.x.  Location two will be on 70.y.y.y.  The vpn servers will be 65.x.x.100 and 70.y.y.100.  The gateway to the net is the public address .1 at each location (65.x.x.1).
I didn't follow your routing example.  If there's a vpn connection already established, why bother with the route?  Wouldn't that be added automatically when the vpn connection is set?  
You didn't mention AD, but I assume that'll just plain old work once the two private lans are connected.
Datedman:

I think better to have a hub location and each location connects to the hub.  

The routing is to make sure your servers can communicate with the other site for AD replication, accessing shares/exchange/whatnot on another site etc.  Gateway to the net is for workstations to connect out, and is in the private address range.  The only place where you have to worry about public ips is for the vpn connections.  Unless I'm missing something--and on rereading your post, I see I am. :)

Where are the workstations??  I was erroneously thinking you had more than one physical location.  IMO if your colocation setup is a good one there's no need to complicate it with more of them.
Berkson Wein (asker):
Thanks again for posting.  I'll try to clarify a bit...
There happen not to be any workstations - these are just servers being used in a hosting setup for this charity.  (Web, SMTP, DNS, etc.)
There is currently only 1 physical location.  Soon to be two, which is where the questions come from.
Each of the 4 existing servers at location 1 has a public IP address in the 65.x.x.x range.  They use 65.x.x.1 as a gateway to the net.  The second NIC in each server is on 10.1.1.x and is connected via a separate switch for non-firewalled connectivity between servers.  2 servers here are running Active Directory.  One server is a VPN server.
The second location (1200 miles away) will be another 4 servers.  Same setup except on a 70.x.x.x network, with 70.x.x.1 as the gateway, and 10.1.2.x as the private IP on NIC 2.  Another server or two will run Active Directory here.  There will be another VPN server here.
I don't know what you mean by a "hub."
I want to:
  1. Have active directory stay in sync
  2. Have location 2 be able to talk to location 1, and vice versa, over the private IP range (so a VPN)
For the ad sync, I think that'll just happen automatically when the connectivity works, but there's surely some setup needed.
For the 2 location connectivity, I could setup a VPN from each server to the other location's vpn server.  That would give the machine an additional ip in the range of the other location.
I'm just looking for ideas on how else to accomplish this, things to look out for, etc.
I'm happy to set a permanent route, I just don't know what that would do for me as the route would be set when the vpn connection is established, wouldn't it?
Is there a way to have only 1 server in each location set up a VPN connection and then somehow route all of the other servers through that server when trying to access the other location?  Is that what you were trying to explain with your route example?

THANKS
Datedman:
Why do you even need AD?

The route is for a server on one network that is not the server with VPN to communicate with the other private network.  If there is only one server on the site, no routing necessary on that site beyond having the VPN work.  Personally I don't expose any domain controllers to the Net, I prefer to have a member server do VPN and keep the DC's on private networks.

Hub=1 location to which all others connect.

I think on any site where you have more than one server you will want to set routes on each server not connected to VPN to route to each other private subnet through the VPN connection.
Oops sorry if you have more than two locations I guess you do need to set up routing on the VPN-connected machine to go to any subnet it's not VPN-connected to. :)  But I'm hoping this will only be two locations anyway?  In that case hub concept is not relevant.  If you start connecting more than 2 sites it does get a lot more complicated...
Berkson Wein (asker):
There will only be 2 sites for the foreseeable future.
AD is needed for Exchange (using RPC over HTTPS) and some other services.  The AD servers are without public IPs, but I didn't want to complicate the question.
Talk more about the routing please.  Are you suggesting that I only need 1 server to have a vpn connection to the other location and then I could use routing on every other server to route packets for the other network through the server that has the vpn connection?
Location 1:
server 10.1.1.50 connects to 70.x.x.x vpn server and gets a 10.1.2.50 ip address.
all other servers, route all 10.1.2.x traffic to 10.1.1.50???
Location 2:
no need for vpn connection, since another exists FROM location 1.
all servers route all 10.1.1.x traffic to 10.1.2.50 (the ip of the machine at location 1 that has the vpn line open)????
I think we're getting there.
ASKER CERTIFIED SOLUTION (solution text only available to Experts Exchange members)
Berkson Wein (asker):
Hope you start feeling better soon.
What do you mean by "persistent VPN?"  Do you mean with VPN hardware, or through the basic MS networking?
SOLUTION (solution text only available to Experts Exchange members)
Berkson Wein (asker):
I'm out until Monday, but will give this a shot ASAP.  Happy 4th.
Datedman:
Happy weekend!  Oh man, what's a WEEKEND heh, my kids are coming in tonight tho so *I must learn to take a break.*
SOLUTION (solution text only available to Experts Exchange members)
Datedman:
Haven't done it that way wcllc.  I would think a VPN is more versatile and it's basically the way MS recommends for branch offices, but I'm sure there's more than one way to skin a cat.

Berkson Wein (asker):
I googled a bit more based on the information that you provided and found this:
http://technet.microsoft.com/en-us/library/dd835605(WS.10).aspx
only to discover that it's the same link that you provided.  It's great.
Thank you for all of your help.
I was able to very simply create a persistent VPN connection in RRAS on the new server from a temporary location and join it to the domain at the primary location.  Great stuff.
I haven't figured out how to get the other machines on the network to even be able to ping machines at the primary location, but I'll open another question on that.  Keep your eyes open please.
Much appreciated.

Thank you both for your help.  I'm going to give it a go with what I've learned.  I'll post back here if I open other related questions.  Take care and thanks for the time and input!
Datedman:
Use the DHCP option Classless Static Routes to route one network to the other.  And from the other back.

If a machine has a static IP and isn't using DHCP, you can use route -p:

route -p add 192.168.x.0 mask 255.255.255.0 192.168.y.z

Where x is the remote (to this machine) subnet, y is this subnet, z is the machine with the VPN connect.

Make both VPN servers LAN routers too.

And at a MINIMUM, use RRAS's incoming packet filter to firewall out all but the ports you need.  Which will include GRE (protocol 47) both ways, TCP port 1723 both ways, and any other ports needed if you are also using these machines to get to the Net?  (Like established TCP, and ports for DNS, and maybe NTP?)
Berkson Wein (asker):
Datedman-
Thanks for the followup even after I awarded the points and closed the question.
We're using static IPs.  I had already tried adding the permanent route, exactly how you suggested, but it didn't work.
Traceroute shows the machine going to the machine with the VPN connection, but then stalling out.  We'll chat in a new thread when I have more time to test and document what I've done.
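The routing design Datedman describes (one server per site holds the VPN, every other server routes the remote subnet through it with `route -p add`, and the VPN server is also made a LAN router) has two requirements that are easy to miss, and the final post's symptom (traceroute reaches the VPN machine and stops) is what you see when one of them is not met. The following model is an added example, not code from either participant or from Microsoft. Addresses follow the thread (10.1.1.0/24 at location 1, 10.1.2.0/24 at location 2, 10.1.1.50 holding the VPN and receiving 10.1.2.50 on the tunnel); the .20/.30 server addresses and the "vpn-1"/"srv-*" names are made up for the example, and it assumes the location-2 VPN server answers ARP for 10.1.2.50 on its LAN so that location-2 servers can use it as a gateway.

```python
"""Model of the two-site routing discussed in this thread (added example).

Addresses follow the posts above: 10.1.1.0/24 at location 1, 10.1.2.0/24 at
location 2, and 10.1.1.50 as the location-1 server that holds the VPN
connection and is handed 10.1.2.50 on the tunnel.  The other server
addresses (.20 and .30 at each site) and the host names are made up here.
"""
from ipaddress import ip_address, ip_network


class Host:
    """A server: interface addresses, a static route table, and whether it
    relays packets between interfaces (RRAS "LAN router" / IP routing)."""

    def __init__(self, name, addrs, routes, forwards=False):
        self.name = name
        self.addrs = [ip_address(a) for a in addrs]   # addrs[0] is the primary address
        # (destination network, gateway); gateway None means on-link
        self.routes = [(ip_network(n), ip_address(g) if g else None)
                       for n, g in routes]
        self.forwards = forwards

    def next_hop(self, dst):
        """Longest-prefix match.  Returns the gateway, dst itself for an
        on-link destination, or None when no route matches."""
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is None:
            return None
        return best[1] if best[1] is not None else dst


def trace(hosts, src, dst, max_hops=8):
    """Follow one packet from host src to address dst.
    Returns (delivered, path): the hosts reached, plus a marker saying why
    it stopped if it did not arrive."""
    by_addr = {a: h for h in hosts for a in h.addrs}
    dst = ip_address(dst)
    here, path = src, [src.name]
    for _ in range(max_hops):
        if dst in here.addrs:
            return True, path
        if here is not src and not here.forwards:
            # The VPN host received the packet but does not route it:
            # the "traceroute stops at the VPN machine" symptom.
            return False, path + ["<no forwarding>"]
        hop = here.next_hop(dst)
        if hop is None or hop not in by_addr:
            return False, path + ["<no route>"]
        here = by_addr[hop]
        path.append(here.name)
    return False, path + ["<too many hops>"]


def ping(hosts, a, b):
    """A reply needs both directions: the packet out and the echo back."""
    fwd_ok, fwd = trace(hosts, a, b.addrs[0])
    ret_ok, ret = trace(hosts, b, a.addrs[0])
    return fwd_ok and ret_ok, fwd, ret


def route_commands(host):
    """The persistent Windows routes a server needs, in 'route -p add' form."""
    return [f"route -p add {net.network_address} mask {net.netmask} {gw}"
            for net, gw in host.routes if gw is not None]


def build(vpn_host_forwards=True, site2_return_routes=True):
    """Two sites joined by one VPN connection held by 10.1.1.50.

    Assumption: the location-2 VPN server gives 10.1.1.50 the address
    10.1.2.50 and answers ARP for it on the 10.1.2.x LAN, so location-2
    servers can use 10.1.2.50 as a gateway as if it were on their own
    switch.  That is modelled by giving the VPN host both addresses."""
    vpn = Host("vpn-1", ["10.1.1.50", "10.1.2.50"],
               [("10.1.1.0/24", None), ("10.1.2.0/24", None)],
               forwards=vpn_host_forwards)
    # Every other location-1 server sends 10.1.2.x via the VPN host.
    site1 = [Host(f"srv-1-{i}", [f"10.1.1.{i}"],
                  [("10.1.1.0/24", None), ("10.1.2.0/24", "10.1.1.50")])
             for i in (20, 30)]
    # Location-2 servers need the mirror route, or replies never come back.
    site2_routes = [("10.1.2.0/24", None)]
    if site2_return_routes:
        site2_routes.append(("10.1.1.0/24", "10.1.2.50"))
    site2 = [Host(f"srv-2-{i}", [f"10.1.2.{i}"], site2_routes) for i in (20, 30)]
    return [vpn, *site1, *site2]


if __name__ == "__main__":
    for label, kw in [("routes + forwarding", {}),
                      ("VPN host not routing", {"vpn_host_forwards": False}),
                      ("no return route at site 2", {"site2_return_routes": False})]:
        hosts = build(**kw)
        by_name = {h.name: h for h in hosts}
        ok, fwd, ret = ping(hosts, by_name["srv-1-20"], by_name["srv-2-20"])
        print(f"{label}: {'reply' if ok else 'NO reply'}  out={fwd}  back={ret}")
    print(route_commands(by_name["srv-1-20"]))
```

Running it shows the three cases side by side: with both sites' routes in place and IP routing enabled on the VPN host, a ping from 10.1.1.20 to 10.1.2.20 completes in both directions; with IP routing off on the VPN host, the outbound packet stops at vpn-1 exactly as a traceroute would show; with the routes added only at location 1, the packet arrives but the reply has no route back, so the ping still times out. The same model applies if you later switch the member servers from static routes to the DHCP classless static route option Datedman mentions: the routes just arrive by a different means.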