SBS 2003 Active Directory over Cox Communications "Secure Private Network" (similar to MPLS)

Hi experts!  I'd really appreciate some advice/direction on best practices, if there are any, to deploying our SBS 2003 domain controller across a SPN network.  SPN is being piped in by our ISP, Cox Communications.  It is T1 via cable modem that connects to our main corporate office.  That cable modem is connected to a Cisco fast ethernet router.  That router is connected to identical routers at our two remote sites via cable modems on the 3mb synchronous loop called "SPN".  We currently have basic windows workgroups set up and are preparing to deploy our domain controller across all 3 sites.  My specific questions are:

1) SBS 2003 generally wants to be the DHCP server, but if I assigned static IPs to all of our clients, would I run into trouble?  Reason being, once this is deployed, if the server were to go down, I need the clients to be able to communicate both inside and outside our network.  DHCP and routing are currently handled by the location-specific Cisco routers.

2)  Is there a better way to handle IP assignments across multiple sites?  Users at all locations can currently interact and share files and resources and this needs to continue.

3)  Exchange:  We have 40 users and I'd like to deploy Exchange and Outlook Web as part of the SBS.  Are there any considerations or risks I need to weigh considering all of this is meant to run on a single box?  Again, the wizard-driven SBS 2003 likes to be the end-all be-all solution, but the absence of redundancy scares me to death.  We currently use 3rd party-hosted POP mail, so setting up a contingency plan in the event of SBS crash would be optimal.  I just have no idea where to start...

I've attached a screenshot of a whittled down topology to illustrate the SPN network.
SPN-Diagram.jpg
nikaotechAsked:

sunnyc7Commented:
Please see network services section in the following doc.
http://technet.microsoft.com/en-us/library/cc672103(v=ws.10).aspx

and routing overview
http://technet.microsoft.com/en-us/library/620a4940-df13-4dfb-8d1b-85c744ee5e0a

To answer your questions:


1) SBS 2003 generally wants to be the DHCP server, but if I assigned static IPs to all of our clients, would I run into trouble?  
>> I don't think so.
I have deployed SBS 2003, using the DHCP from the firewall (instead of Windows DHCP) and it works smoothly.

2)  Is there a better way to handle IP assignments across multiple sites?  Users at all locations can currently interact and share files and resources and this needs to continue.
>> For a 40 user network - why bother?
I don't think there should be an issue, if the users' IP is in a different subnet than SBS 2003

3)  Exchange:  We have 40 users and I'd like to deploy Exchange and Outlook Web as part of the SBS.  Are there any considerations or risks I need to weigh considering all of this is meant to run on a single box?  Again, the wizard-driven SBS 2003 likes to be the end-all be-all solution, but the absence of redundancy scares me to death.  We currently use 3rd party-hosted POP mail, so setting up a contingency plan in the event of SBS crash would be optimal.  I just have no idea where to start...

>> I'd rather go with SBS 2011, which is much much better than SBS 2003.
As a minimum - start with SBS 2007
main reason being RAM.
SBS 2003 can support max 4 GB RAM (32 bit)
SBS 2008/2011 can support 24/48/192 whatever
Ideally you'd like to load-up your server with more RAM - 24
http://www.microsoft.com/sbs/en/us/system-requirements.aspx

( I saw a sizing guide for SBS 2008 from a SBS MVP where it was recommended to use 12 GB or so for 30 user network - can't seem to find the link)

Ideal migration scenario:
> Export all mailboxes as PST from Ext. POP3 Host
> Setup SBS 2008/2011
> Import all mailboxes back from PST to Mailbox.
> Use a backup MX service like www.mxsave.com
Costs $10/month - if SBS goes down, all your mails are cached on the web and no mails are lost.
After you restart SBS - all mails will be relayed back to SBS from the backup MX

I think you will be able to wrap this up real quickly. If you buy OEM versions from Dell, SBS will come pre-installed on the box.
Major time block = Export/Import PST data.
Rest everything shouldn't take much time.

Let me know if you have any questions.

nikaotechAuthor Commented:
Thanks a ton sunny!  I'm going to read through these articles right now.  I'll keep you posted on progress.  Thanks again.
pwindellCommented:
Your diagram is detailed but does not clearly show the topology.  

The topology only needs to include L3 Routers, L2 Switches, NAT Devices, and links between them.  An L3 Switch should be represented by two or more devices (1 Router and a Switch off of each Logical Interface). Only show one Switch per subnet because it will be representative of all switches in the same subnet. It is OK to show WAPs or Wireless Bridges but keep it simple.

The Addressing should be accurately represented.

Things that are irrelevant, so don't include them:
1. Protocols (like VoIP)
2. Link types (SPN, Frame Relay, CableTV, DSL)
3. Medium (copper, fiber, radio-waves)
4. Brand Names & Model Numbers

So with this cleared up, figuring out the routing issue should be pretty easy.


pwindellCommented:
One problem I do see is that you're trying to run your Private WAN off the Untrusted External side of the ASA.  Since this operates like an MPLS (I believe you said it operates like an MPLS) I suppose you have Internet and Private traffic running over the Cox Service Link.  This setup demands that Cox is the one who actually truly controls (firewalls) your Internet connection, your ASA becomes just a "token gesture" because you do not have direct access to the Internet, you are going through someone else's Private System (Cox's Service) to get to the Internet, meaning that the Internet is at the edge of Cox's system and not yours, therefore the Edge Firewall protecting you belongs to Cox and is beyond your control.

What you are probably going to have to do is disable NAT on the ASA which basically turns it into a LAN Router (all Interfaces = Trusted) and it will have to have the ACLs opened up pretty wide and must also allow traffic in both directions equally.
nikaotechAuthor Commented:
Thanks pwindell.  I tried to strip the detailed network Visio down to be relevant to my question, but I know it's overkill in some aspects and vague in others.  Basically, the workstations at all 3 sites can see each other and share files/printers/etc...But I wanted to be sure that they'd still see each other once they're joined to the SBS.  They're on separate subnets, but the routes are handled by the routers at each site, all tied together on the SPN.  I guess a better way of wording the routing question is this, considering everything works in a workgroup environment already: will Active Directory or SBS have any inherent problems allowing data to pass from a client on the 10.10.16.0 network to a client on the 10.10.17.0 network?  Again, the routes are all in place and working now...I'm just trying to think of any SBS-specific issues before deploying to a small test group.  Thanks again.
pwindellCommented:
If they are communicating, then they are communicating.
Whether they join a Windows Domain, an SBS Domain, or a Linux Samba Domain is pretty much irrelevant.  Those things are all at the Application Level and really don't have anything to do with the Network's ability to communicate.

You will have to make sure that the Machines all use the SBS for DNS and never (ever, ever) anything else.  The SBS then should have the DNS Forwarder listing in the DNS Service's Config and be able to reach the Forwarder.  The other Sites cannot be using any other DNS local to their site, which they might be currently doing, so, if true, that has to change, so they will use the SBS for DNS.  There is really no compromise on this issue.

Also keep in mind that SBS is limited to 75 machines if I remember correctly.
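To make the "SBS for DNS, never anything else" rule above checkable across all three sites, here is an added example (not code from the thread or any participant) that audits the text of a client's `ipconfig /all` and flags every adapter using a DNS server other than the SBS. The SBS address 10.10.16.10 and the sample ipconfig output are constructed assumptions.

```python
"""Check a client's `ipconfig /all` output against the "SBS only" DNS rule.
Added example, not from the original thread; the SBS address and the sample
output are constructed for illustration."""
import re
from typing import Dict, List, Optional
SBS_DNS = "10.10.16.10"  # assumed SBS address; the thread does not give one

# Constructed sample: first adapter still uses the site router plus a
# public resolver (what pwindell warns against); second one is compliant.
SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.10.17.25
   DNS Servers . . . . . . . . . . . : 10.10.17.1
                                       8.8.8.8

Wireless LAN adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : 10.10.16.10
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*: (\S+)\s*$")
# ipconfig prints additional DNS servers on bare, indented continuation lines
CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Map adapter name -> ordered list of DNS servers it is using."""
    servers: Dict[str, List[str]] = {}
    adapter: Optional[str] = None
    in_dns = False  # True while continuation lines may still follow
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            adapter = m.group(1)
            servers[adapter] = []
            in_dns = False
        elif adapter and (m := DNS_RE.match(line)):
            servers[adapter].append(m.group(1))
            in_dns = True
        elif in_dns and adapter and (m := CONT_RE.match(line)):
            servers[adapter].append(m.group(1))
        else:
            in_dns = False
    return servers

def noncompliant_adapters(text: str, allowed=(SBS_DNS,)) -> Dict[str, List[str]]:
    """{adapter: offending servers}; an empty dict means the client is compliant."""
    bad: Dict[str, List[str]] = {}
    for adapter, dns in parse_dns_servers(text).items():
        if extra := [s for s in dns if s not in allowed]:
            bad[adapter] = extra
    return bad
```

Run it against the saved `ipconfig /all` output collected from each site's workstations; any adapter it reports still needs to be repointed at the SBS before joining the domain.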
nikaotechAuthor Commented:
Thanks guys.  Sunny's info on research to do helped a lot.  Also, pwindell, many thanks on the DNS rule, that will be crucial and I may have overlooked that.  Thanks again!