nikaotech

asked on

SBS 2003 Active Directory over Cox Communications "Secure Private Network" (similar to MPLS)

Hi experts!  I'd really appreciate some advice/direction on best practices, if there are any, for deploying our SBS 2003 domain controller across an SPN network.  SPN is being piped in by our ISP, Cox Communications.  It is a T1 via cable modem that connects to our main corporate office.  That cable modem is connected to a Cisco Fast Ethernet router.  That router is connected to identical routers at our two remote sites via cable modems on the 3 Mb synchronous loop called "SPN".  We currently have basic Windows workgroups set up and are preparing to deploy our domain controller across all 3 sites.  My specific questions are:

1) SBS 2003 generally wants to be the DHCP server, but if I assigned static IPs to all of our clients, would I run into trouble?  The reason being, once this is deployed, if the server were to go down, I need the clients to be able to communicate both inside and outside our network.  DHCP and routing are currently handled by the location-specific Cisco routers.

2)  Is there a better way to handle IP assignments across multiple sites?  Users at all locations can currently interact and share files and resources and this needs to continue.

3)  Exchange:  We have 40 users and I'd like to deploy exchange and outlook web as part of the SBS.  Are there any considerations or risks I need to weigh considering all of this is meant to run on a single box?  Again, the wizard-driven SBS 2003 likes to be the end-all be-all solution, but the absence of redundancy scares me to death.  We currently use 3rd party-hosted pop mail, so setting up a contingency plan in the event of SBS crash would be optimal.  I just have no idea where to start...

I've attached a screenshot of a whittled down topology to illustrate the SPN network.
SPN-Diagram.jpg
ASKER CERTIFIED SOLUTION
sunnyc7

This solution is only available to members.
SOLUTION
This solution is only available to members.

Your diagram is detailed but does not clearly show the topology.

The topology only needs to include L3 Routers, L2 Switches, NAT Devices, and the links between them.  An L3 Switch should be represented by two or more devices (one Router and a Switch off each Logical Interface).  Only show one Switch per subnet because it will be representative of all switches in the same subnet.  It is OK to show WAPs or Wireless Bridges, but keep it simple.

The Addressing should be accurately represented.

Things that are irrelevant, so don't include them:
1. Protocols (like VoIP)
2. Link types (SPN, Frame Relay, CableTV, DSL)
3. Medium (copper, fiber, radio-waves)
4. Brand Names & Model Numbers

So with this cleared up, figuring out the routing issue should be pretty easy.


One problem I do see is that you're trying to run your Private WAN off the Untrusted External side of the ASA.  Since this operates like an MPLS (I believe you said it operates like an MPLS), I suppose you have Internet and Private traffic running over the Cox Service Link.  This setup demands that Cox is the one who actually truly controls (firewalls) your Internet connection; your ASA becomes just a "token gesture" because you do not have direct access to the Internet.  You are going through someone else's Private System (Cox's Service) to get to the Internet, meaning that the Internet is at the edge of Cox's system and not yours; therefore the Edge Firewall protecting you belongs to Cox and is beyond your control.

What you are probably going to have to do is disable NAT on the ASA, which basically turns it into a LAN Router (all Interfaces = Trusted).  It will have to have the ACLs opened up pretty wide and must also allow traffic in both directions equally.
nikaotech

ASKER

Thanks pwindell.  I tried to strip the detailed network Visio down to be relevant to my question, but I know it's overkill in some aspects and vague in others.  Basically, the workstations at all 3 sites can see each other and share files/printers/etc., but I wanted to be sure that they'd still see each other once they're joined to the SBS.  They're on separate subnets, but the routes are handled by the routers at each site, all tied together on the SPN.  I guess a better way of wording the routing question is this, considering everything works in a workgroup environment already: will Active Directory or SBS have any inherent problems allowing data to pass from a client on the 10.10.16.0 network to a client on the 10.10.17.0 network?  Again, the routes are all in place and working now.  I'm just trying to think of any SBS-specific issues before deploying to a small test group.  Thanks again.
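A practical pre-flight check for the routing question above, added here as an example and not part of the thread or of any participant's answer: domain members locate their DC through the SRV records in the AD-integrated DNS zone, so the things to verify from a workstation on the remote 10.10.17.0 subnet before joining it are that its DNS servers (whether handed out by the site router's DHCP or set statically) include the SBS box, that the DC locator record resolves to it, and that the AD ports are reachable across the SPN routes. The domain name, DC name and DC address below are assumptions, not values from the thread. It uses only .NET and nslookup so it does not depend on the newer DNS or network cmdlets.

```powershell
<#
 Added example (not from the thread). Run on a workstation at a remote site
 before joining it to the SBS 2003 domain. Hypothetical values: the domain,
 DC name and DC address are assumptions and must be replaced with your own.
#>
param(
    [string]$Domain    = 'corp.local',        # assumed AD DNS domain name
    [string]$DcName    = 'sbs01.corp.local',  # assumed SBS 2003 DC FQDN
    [string]$DcAddress = '10.10.16.10'        # assumed DC address on the HQ subnet
)

# TCP ports a domain member needs on its DC: DNS, Kerberos, RPC endpoint mapper,
# LDAP, SMB, Kerberos password change, global catalog (the single SBS DC is the GC).
# Dynamic RPC high ports are not probed here.
$AdPorts = @(53, 88, 135, 389, 445, 464, 3268)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. DNS client configuration: every domain member must point at the AD DNS
#    server, regardless of whether its address is static or from the router's DHCP.
$dnsServers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    ForEach-Object { $_.DNSServerSearchOrder }
$dnsOk = $dnsServers -contains $DcAddress
"DNS servers configured: $($dnsServers -join ', ')  ->  DC listed: $dnsOk"

# 2. DC locator record: clients find the DC through this SRV record in the AD zone.
#    The query is sent to the DC itself so it does not depend on step 1 passing.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$srvOut  = & nslookup -type=SRV $srvName $DcAddress 2>&1 | Out-String
$srvOk   = $srvOut -match [regex]::Escape($DcName)
"SRV $srvName resolves to $($DcName): $srvOk"

# 3. Reachability of the AD ports across the routed WAN: the site routers already
#    pass traffic between 10.10.16.0/24 and 10.10.17.0/24; this confirms nothing
#    in between (ACLs on the routers or the ASA) filters the AD ports.
$portResults = foreach ($p in $AdPorts) {
    New-Object PSObject -Property @{ Port = $p; Open = (Test-TcpPort $DcAddress $p) }
}
$portResults | Format-Table Port, Open -AutoSize

if ($dnsOk -and $srvOk -and -not ($portResults | Where-Object { -not $_.Open })) {
    'Ready to join this client to the domain.'
} else {
    'Fix the failing items above first; otherwise the join and later logons will hang or fail.'
}
```

Run it from each remote subnet, not just HQ, since the routes and any ACLs differ per site. A failure in step 1 with steps 2 and 3 passing means the routing is fine and only the clients' DNS settings need changing; a failure in step 3 points at a router or ASA filter rather than at AD.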
SOLUTION
This solution is only available to members.

Thanks guys.  Sunny's info on research to do helped a lot.  Also, pwindell, many thanks on the DNS rule, that will be crucial and I may have overlooked that.  Thanks again!