Connect two physically separate locations (different co-location centers) to share Active Directory (replication) and file sharing

Hi all-

I've got a Windows 2003 Active Directory domain with 3 servers set up in a colocation server rack for a non-profit (charity) that I volunteer for.  I'm definitely not (as will become obvious from this post) a networking expert, but I know my way around Windows 2003.  

All of the machines have two NICs.

NIC #1 has a public IP address, firewalled to only allow access to services like web, SMTP, and DNS using the built-in Routing and Remote Access.

NIC #2 in each server is connected to a physically separate switch that allows non-firewalled access from server to server, using a private IP in the 10.1.1.x subnet.

One of the servers is acting as a VPN server, and hands out IPs in the same 10.1.1.x subnet.

We're now interested in setting up a second colocation location (several states over) to give us more redundancy.  I'm looking for suggestions on how to best accomplish this, in terms of connectivity and AD replication.

Remember that this is for a charity, and the budget is TIGHT.  If I can get away without purchasing VPN routers, that would be great.  I would be interested in the right way to do this if budget was unlimited (as long as connectivity between the 2 locations still goes over the Internet and doesn't use a dedicated line) and also any alternative way that wouldn't involve any additional expenditure.

There will be 4 servers in the remote colocation rack.  I was thinking of having one of these run AD and replicate the information over the WAN (via a VPN).  How to accomplish that is one of the big questions I have.

I figured that the 4 servers would also be set with nic #1 on a public IP (different provider from the primary location, different subnet altogether) and having nic #2 on a private network, say 10.2.1.x.

What's the best way to have all 4 servers in the second location also have access to the 10.1.1.x subnet at the first location?  I assume if we can accomplish this, then the first location will be able to talk to the servers at the second location too.

Your ideas are appreciated!  
Berkson Wein (Tech Freelancer) asked:

You can have two locations with a dedicated server-to-server VPN.  Actually I think 2003 R2 has some kind of a wizard for this...but it's not that difficult.  How do people connect to the Net now on the first site?  Basically they'd do the same, only with a different subnet.  Your DHCP servers can set routes between sites with the Classless Static Routes option.  In AD Sites and Services you set up another site and give it a subnet, then put the second server in that site.  You can do all this while they are physically close by just having two different addresses on the external NICs of the two servers.  Get it all working before you move the server. :)
You set up a persistent VPN in RRAS on both servers and set up a user account for both to use; they always "dial" each other when the connection drops.
For machines with static IP addresses that don't use DHCP (e.g. servers) you can use
route -p add <remote subnet> (I assume you put the 2 in the wrong place) mask <netmask> 10.1.1.x (address of VPN server)...this has to be done on both ends; in other words, you say always route packets from this subnet to the other subnet through the VPN connection you establish between servers.
Is any of this making sense? :)
Tell me more about how you have the first site set up?  Which machine(s) do(es) DNS/DHCP and where's the gateway to the Net?
Berkson Wein (Tech Freelancer), author, commented:
Thanks for the reply!
There are 4 servers in each location, so you're suggesting that each have a connection to a vpn server at the other location?
It's all static IP addresses currently, no DHCP for the servers.  The VPN connection that I use to remote in does hand out a DHCP address, though I could set this to be static on the servers.
Let's say that location one has public ip address 65.x.x.x.  Location two will be on 70.y.y.y.  The vpn servers will be 65.x.x.100 and 70.y.y.100.  The gateway to the net is the public address .1 at each location (65.x.x.1).
I didn't follow your routing example.  If there's a vpn connection already established, why bother with the route?  Wouldn't that be added automatically when the vpn connection is set?  
You didn't mention AD, but I assume that'll just plain old work once the two private lans are connected.
I think it's better to have a hub location, with each location connecting to the hub.  

The routing is to make sure your servers can communicate with the other site for AD replication, accessing shares/exchange/whatnot on another site etc.  Gateway to the net is for workstations to connect out, and is in the private address range.  The only place where you have to worry about public ips is for the vpn connections.  Unless I'm missing something--and on rereading your post, I see I am. :)

Where are the workstations??  I was erroneously thinking you had more than one physical location.  IMO if your colocation setup is a good one there's no need to complicate it with more of them.
Berkson Wein (Tech Freelancer), author, commented:
Thanks again for posting.  I'll try to clarify a bit...
There happen not to be any workstations - these are just servers being used in a hosting setup for this charity.  (Web, smtp, dns, etc).
There is currently only 1 phyical location.  Soon to be two, which is where the questions come from.
Each of the 4 existing servers at location 1 has a public IP address in the 65.x.x.x range.  They use 65.x.x.1 as a gateway to the net.  The second NIC in each server is on 10.1.1.x and is connected via a separate switch for non-firewalled connectivity between servers.  2 servers here are running Active Directory.  One server is a VPN server.
The second location (1200 miles away) will be another 4 servers.  Same setup except on a 70.x.x.x network, with 70.x.x.1 as the gateway, and 10.1.2.x as the private IP on NIC 2.  Another server or two will run Active Directory here.  There will be another VPN server here.
I don't know what you mean by a "hub."
I want to:
  1. Have active directory stay in sync
  2. Have location 2 be able to talk to location 1, and vice versa, over the private IP range (so a VPN)
For the ad sync, I think that'll just happen automatically when the connectivity works, but there's surely some setup needed.
For the 2 location connectivity, I could setup a VPN from each server to the other location's vpn server.  That would give the machine an additional ip in the range of the other location.
I'm just looking for ideas on how else to accomplish this, things to look out for, etc.
I'm happy to set a permanent route, I just don't know what that would do for me as the route would be set when the vpn connection is established, wouldn't it?
Is there a way to have only 1 server in each location set up a VPN connection and then somehow route all of the other servers through that server when trying to access the other location?  Is that what you were trying to explain with your route example?
Why do you even need AD?

The route is for a server on one network that is not the server with VPN to communicate with the other private network.  If there is only one server on the site, no routing necessary on that site beyond having the VPN work.  Personally I don't expose any domain controllers to the Net, I prefer to have a member server do VPN and keep the DC's on private networks.

Hub=1 location to which all others connect.

I think on any site where you have more than one server you will want to set routes on each server not connected to VPN to route to each other private subnet through the VPN connection.
Oops sorry if you have more than two locations I guess you do need to set up routing on the VPN-connected machine to go to any subnet it's not VPN-connected to. :)  But I'm hoping this will only be two locations anyway?  In that case hub concept is not relevant.  If you start connecting more than 2 sites it does get a lot more complicated...
Berkson Wein (Tech Freelancer), author, commented:
There will only be 2 sites for the foreseeable future.
AD is needed for Exchange (using RPC over HTTPS) and some other services.  The AD servers are without public IPs, but I didn't want to complicate the question.
Talk more about the routing please.  Are you suggesting that I only need 1 server to have a vpn connection to the other location and then I could use routing on every other server to route packets for the other network through the server that has the vpn connection?
Location 1:
server connects to 70.x.x.x vpn server and gets a ip address.
all other servers, route all 10.1.2.x traffic to
Location 2:
no need for vpn connection, since another exists FROM location 1.
all servers route all 10.1.1.x traffic to (the ip of the machine at location 1 that has the vpn line open)????
I think we're getting there.
No, at location 2 they'd route through the local address of the machine that has the VPN connection.  VPN servers should have Custom config with VPN Server and LAN Routing.  

Normally you set up a persistent VPN on both ends to connect to the other, I think.  It will work one-way, but I think there's an issue with setting up to use the same IP on each end unless it's a persistent connection on both ends--I forget at the moment and don't have one I set up that I can refer to right now.  The more static the IPs are, the better DNS/WINS works, as I recall; sorry, kind of under the weather today and not feeling very sharp. :)

Berkson Wein (Tech Freelancer), author, commented:
Hope you start feeling better soon.  
What do you mean by "persistent vpn?"  Do you mean with vpn hardware, or through the basic ms networking?
Sorry missed this for some reason...
Persistent VPN connection in RRAS.  Right-click on Network Interfaces and use the demand-dial interface wizard.  Might help?
Berkson Wein (Tech Freelancer), author, commented:
I'm out until Monday, but will give this a shot ASAP.  Happy 4th.
Happy weekend!  Oh man, what's a WEEKEND heh, my kids are coming in tonight tho so *I must learn to take a break.*
Adam Ray commented:
I wrestled with a similar situation a while back.  I had two sites at different ends of the country with one server at each site.  (It's a fairly low budget project so I had to make do with the domain controller being exposed to the Internet--though behind a firewall obviously.)

Anyway, I used IP Security Policies (configurable through a MMC snap-in) to create an encryption policy between the two servers.  So basically I'm using IPsec rather than a VPN to encrypt my traffic.

I'm not saying this would make more sense in your situation than a persistent VPN, since you already have multiple servers and private networks and such set up.  But it may be worth considering--if it'll even work in your situation.  (Disclaimer: I'm by no means an expert at multi-site setups--any others I've done in the past have had hardware (router) VPNs--so maybe this idea just needs to be thrown away.)

Perhaps Datedman can comment on this, from reading the posts he seems more proficient in this area than I.
Haven't done it that way wcllc.  I would think a VPN is more versatile and it's basically the way MS recommends for branch offices but I'm sure there's more than one way to skin a cat.
Berkson Wein (Tech Freelancer), author, commented:

I googled a bit more based on the information that you provided and found this:
only to discover that it's the same link that you provided.  It's great.
Thank you for all of your help.
I was able to very simply create a persistent VPN connection in RRAS on the new server from a temporary location and join it to the domain at the primary location.  Great stuff.
I haven't figured out how to get the other machines on the network to even be able to ping machines at the primary location, but I'll open another question on that.  Keep your eyes open please.
Much appreciated.
Berkson Wein (Tech Freelancer), author, commented:
Thank you both for your help.  I'm going to give it a go with what I've learned. I'll post back here if I open other related questions.  Take care and thanks for the time and input!
Use the DHCP option Classless Static Routes to route one network to the other.  And from the other back.

If a machine has a static IP and isn't using DHCP, you can use route -p:

route -p add 192.168.x.0 mask 255.255.255.0 192.168.y.z

Where x is the remote (to this machine) subnet, y is this subnet, z is the machine with the VPN connect.

Make both VPN servers LAN routers too.

And at a MINIMUM, use RRAS's incoming packet filter to firewall out all but the ports you need.  Which will include GRE (protocol 47) both ways, TCP port 1723 both ways, and any other ports needed if you are also using these machines to get to the Net?  (Like established TCP, and ports for DNS, and maybe NTP?)
Berkson Wein (Tech Freelancer), author, commented:
Thanks for the followup even after I awarded the points and closed the question.
We're using static IPs.  I had already tried adding the permanent route, exactly how you suggested, but it didn't work.  
Traceroute shows the machine going to the machine with the VPN connection, but then stalling out.  We'll chat in a new thread when I have more time to test and document what I've done.
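An added example, not code from the thread or from Microsoft: a small Python model of the routing Datedman describes (a persistent `route -p add` on every non-VPN server pointing at the local VPN server, and LAN routing enabled on both VPN servers). The host names (vpn1, web1, vpn2, dc2) and the .10/.20 host addresses are assumed; the subnets and VPN server addresses are the thread's own placeholders filled in. The model reproduces the two ways this setup fails: the far site's servers have no return route, and a VPN server that is not forwarding, which shows up exactly as a trace that reaches the VPN machine and then stops.

```python
"""Added example (not from the thread): model of the two-site RRAS routing.

Assumed layout, from the thread's placeholders:
  site 1: private 10.1.1.0/24, VPN server 10.1.1.100, other server 10.1.1.10 (assumed)
  site 2: private 10.1.2.0/24, VPN server 10.1.2.100, other server 10.1.2.20 (assumed)
The demand-dial tunnel joins the two VPN servers. Every other server needs a
persistent route to the far subnet via its local VPN server, and each VPN
server must forward (RRAS "LAN routing", i.e. IPEnableRouter=1).
"""
import ipaddress


class Host:
    def __init__(self, name, ip, forwards=False):
        self.name = name
        self.ip = ipaddress.ip_address(ip)
        self.forwards = forwards      # True only on the RRAS boxes with LAN routing on
        self.routes = []              # (network, gateway); gateway None means on-link
        self.peers = set()            # far end of a demand-dial tunnel

    def connect(self, network):
        self.routes.append((ipaddress.ip_network(network), None))

    def add_route(self, network, gateway):
        self.routes.append((ipaddress.ip_network(network), ipaddress.ip_address(gateway)))

    def tunnel(self, other):
        self.peers.add(other.ip)
        other.peers.add(self.ip)

    def next_hop(self, dst):
        """Longest-prefix match: (network, gateway) or None if no route."""
        matches = [(net, gw) for net, gw in self.routes if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    def on_link(self, addr):
        return addr in self.peers or any(addr in net for net, gw in self.routes if gw is None)


def route_commands(far_network, vpn_ip, hosts):
    """The persistent route each non-VPN server at a site needs (Windows syntax)."""
    far = ipaddress.ip_network(far_network)
    vpn = ipaddress.ip_address(vpn_ip)
    return [f"route -p add {far.network_address} mask {far.netmask} {vpn}"
            for h in hosts if h.ip != vpn]


def trace(hosts, src, dst, max_hops=8):
    """Follow one packet hop by hop; returns (list of hop IPs, outcome string)."""
    by_ip = {h.ip: h for h in hosts}
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    cur, path = by_ip[src], [str(src)]
    for _ in range(max_hops):
        if cur.ip == dst:
            return path, "delivered"
        if cur.ip != src and not cur.forwards:      # transit host without LAN routing
            return path, f"dropped: {cur.name} does not forward"
        match = cur.next_hop(dst)
        if match is None:
            return path, f"no route to {dst} on {cur.name}"
        nxt = dst if match[1] is None else match[1]
        if not cur.on_link(nxt) or nxt not in by_ip:
            return path, f"next hop {nxt} unreachable from {cur.name}"
        cur = by_ip[nxt]
        path.append(str(nxt))
    return path, "hop limit exceeded"


def build(site2_routes=True, vpn_forwarding=True):
    """The thread's layout; the two flags reproduce the mistakes discussed."""
    vpn1 = Host("vpn1", "10.1.1.100", forwards=vpn_forwarding)
    web1 = Host("web1", "10.1.1.10")
    vpn2 = Host("vpn2", "10.1.2.100", forwards=vpn_forwarding)
    dc2 = Host("dc2", "10.1.2.20")
    for h in (vpn1, web1):
        h.connect("10.1.1.0/24")
    for h in (vpn2, dc2):
        h.connect("10.1.2.0/24")
    vpn1.tunnel(vpn2)                                 # persistent demand-dial link, both ends
    vpn1.add_route("10.1.2.0/24", "10.1.2.100")       # far subnet over the tunnel
    vpn2.add_route("10.1.1.0/24", "10.1.1.100")
    web1.add_route("10.1.2.0/24", "10.1.1.100")       # route -p add on the non-VPN server
    if site2_routes:
        dc2.add_route("10.1.1.0/24", "10.1.2.100")    # ...and the matching one at site 2
    return [vpn1, web1, vpn2, dc2]


def reachable_both_ways(hosts, a, b):
    return trace(hosts, a, b)[1] == "delivered" and trace(hosts, b, a)[1] == "delivered"


if __name__ == "__main__":
    hosts = build()
    print("\n".join(route_commands("10.1.2.0/24", "10.1.1.100", hosts[:2])))
    print(trace(hosts, "10.1.1.10", "10.1.2.20"))
    print(trace(build(site2_routes=False), "10.1.2.20", "10.1.1.10"))
    print(trace(build(vpn_forwarding=False), "10.1.1.10", "10.1.2.20"))
```

The third trace is the case worth checking first when a ping stalls at the VPN machine: the packet arrives at vpn1 but vpn1 is not configured as a LAN router, so nothing goes out the tunnel. The second trace is the other common miss, the far site's servers having no route back, so the forward path works and replies never return.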
Windows Server 2003