Virtual DC over VPN for file storage - config options

Posted on 2013-12-17
Medium Priority
Last Modified: 2013-12-23
I currently have a server that needs to be replaced.  It is an old 2003 SBS server.  I have some plans but don't know the exact correct way to carry them out.

I plan on setting up a new Server 2008 R2 server on our main VMware host environment to be used for the remote location as the Primary Domain Controller and DNS server and file server mostly.  There will be no Exchange or SQL on this server.

My questions have to do with networking over the VPN.  Currently we are on a network at the main network and network on the remote network.  Once I set up the server on the main network, how do I associate the workstation at the remote network with the server here?  Do I need to match the IP addressing at the remote site with the server at the main site?  I know one way is to set up the default DNS server at the remote to be the server at the main office and a secondary public DNS in case the VPN goes down.  I just don't know what is the most efficient way to do this.

Most of the traffic back and forth will be simply file storage and then possibly a software package on RemoteApp or RDP.  That should be all that is run over the VPN.

Thanks for suggestions on this networking advancement situation.
Question by:alatham23
Accepted Solution

tsaico earned 2000 total points
ID: 39724657
In this case, it is fairly straightforward.  This is also assuming you have no stability issues or VPN/WAN issues (slow, intermittent; everything is working fine as it is).

The router routes requests for the other network's resources.  Your description is generally what will be needed if you use any AD functions, user log in, security, etc.  You will need to resolve addresses for non-public resources.  I do recommend, though, having a DNS server with separate DC/GC functions locally also, so if the WAN goes down, the local users can still log in.  This is assuming there are enough users to warrant this; it will also help keep infrastructure traffic off the VPN and keep it for day to day operations.

As for matching IPs, you do not need to do that.  Under the DHCP settings for the remote site, you will just have to make sure the DNS server is the AD server and the suffix is the same (otherwise you will always have to resolve using the FQDN style, servername != servername.domainname.local).
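
The accepted answer's two settings (DNS server option pointing at the AD server, DNS suffix option matching the domain) as a worked example, added here and not part of the thread. It assumes a Windows DHCP server role at the remote site (the thread does not say what serves DHCP there), and uses constructed values: AD/DNS server 10.0.1.10 at the main site, remote scope 10.0.2.0, domain suffix corp.local, file server name FS01. Part 1 uses netsh, which is present on both 2008 R2 and 2012; Part 2 is a client-side check written for Windows 7 Pro / PowerShell 2.0, which is why it uses WMI instead of the newer DnsClient cmdlets. Check 4 is the one a public resolver as "secondary DNS" can never pass: SRV records for the domain only exist on the AD DNS server, so a client that falls back to a public resolver loses domain logon and name resolution even while the VPN is up.

```powershell
# Added example, not from the thread. Constructed values; replace with your own.
$AdDnsServer = '10.0.1.10'    # main-site DC / DNS server (assumption)
$RemoteScope = '10.0.2.0'     # remote-site DHCP scope (assumption)
$DnsSuffix   = 'corp.local'   # AD domain suffix (assumption)

# --- Part 1: run on the remote-site Windows DHCP server ---
function Set-RemoteScopeDnsOptions {
    # Option 006 (DNS Servers): list only the AD DNS server. Adding a public
    # resolver here would let clients fall back to a server that cannot answer
    # AD queries (SRV records, servername.corp.local).
    netsh dhcp server scope $RemoteScope set optionvalue 006 IPADDRESS $AdDnsServer
    # Option 015 (DNS Domain Name): the suffix that makes "FS01" resolve as
    # FS01.corp.local without typing the FQDN.
    netsh dhcp server scope $RemoteScope set optionvalue 015 STRING $DnsSuffix
    # Display what the scope now hands out so the change can be eyeballed.
    netsh dhcp server scope $RemoteScope show optionvalue
}

# --- Part 2: run on a remote workstation after "ipconfig /renew" ---
function Test-RemoteClientDns {
    param([string]$ShortName = 'FS01')   # hypothetical file server name
    $ok = $true
    # WMI works on Windows 7; Get-DnsClientServerAddress needs Windows 8+.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DHCPEnabled }
    foreach ($a in $adapters) {
        # Check 1: DNS server list is exactly the AD DNS server (no public fallback).
        $dns = @($a.DNSServerSearchOrder)
        if (($dns -join ',') -ne $AdDnsServer) {
            Write-Warning "$($a.Description): DNS servers are '$($dns -join ', ')', expected $AdDnsServer"
            $ok = $false
        }
        # Check 2: DHCP-supplied connection-specific suffix matches the AD domain.
        if ($a.DNSDomain -ne $DnsSuffix) {
            Write-Warning "$($a.Description): DNS domain is '$($a.DNSDomain)', expected $DnsSuffix"
            $ok = $false
        }
    }
    # Check 3: the short name and the FQDN resolve to the same host.
    try {
        $short = [System.Net.Dns]::GetHostEntry($ShortName)
        $fqdn  = [System.Net.Dns]::GetHostEntry("$ShortName.$DnsSuffix")
        if ($short.HostName -ne $fqdn.HostName) {
            Write-Warning "'$ShortName' resolved to $($short.HostName), FQDN resolved to $($fqdn.HostName)"
            $ok = $false
        }
    } catch {
        Write-Warning "Name resolution failed for $ShortName : $($_.Exception.Message)"
        $ok = $false
    }
    # Check 4: AD SRV records are answered across the VPN by the AD DNS server.
    $srv = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DnsSuffix" $AdDnsServer 2>&1) | Out-String
    if ($srv -notmatch 'svr hostname') {
        Write-Warning "No LDAP SRV record for $DnsSuffix from $AdDnsServer; domain logon will fail over this link"
        $ok = $false
    }
    return $ok
}

# Usage: on the DHCP server run Set-RemoteScopeDnsOptions; on a workstation run
# "ipconfig /renew" then Test-RemoteClientDns, which returns $true when all four checks pass.
```

Because everything at the remote site depends on the VPN for name resolution, Test-RemoteClientDns is also a reasonable thing to run when users there report "cannot log in" or "cannot find the file server": a failure in Check 4 alone means the tunnel is down, while failures in Checks 1 or 2 mean the DHCP scope is still handing out the wrong options.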

Author Comment

ID: 39724694
There are actually only 2 users onsite.  This location has grown smaller as more users are remote and do not have a need to use a server anymore.

That is why managing a server from a remote office with 2 users is tough to accommodate when it could all be done over the VPN and we could manage it all locally instead.

The remote site has a 30/10 Internet pipe and the main site has an 80/10 Internet pipe so we should be good there.

I will make sure to setup the DHCP server locally with the correct DNS server IP and DNS suffix to make things go smoothly.

Expert Comment

ID: 39725229
If you have more remote people than actual office workers in this branch, it might also make sense to get a terminal server for them to use.  Then you would only care about printer traffic so the main campus can print to the other's printers, or you can just use the mapping of local resources for that and ditch the whole VPN thing entirely.

Everything else would be handled locally from the network perspective, since the terminal server is at the main office.  The workstations at that point will only need to have a valid internet connection.  It doesn't even matter if old or new, Mac or PC.

This would cover all workers that are not at the main location, and I found my break point on whether it is worth it is usually around 5-8 offsite employees vs. extra admin costs for VPN management, good equipment for desktop experience, and keeping software licensed, AV, Office, etc.

Author Comment

ID: 39726492
Yes, we do actually have a Terminal Server at the main office that we use for a lot of users offsite.  We will be adding some more of these users into this server as we go forward.

We use the VPN for printing using IP addresses to network printers.  The VPN hasn't been much maintenance in the last year so it has been working well.

Thanks for the suggestions though.

Expert Comment

ID: 39727153
Cool.  Myself, I would just train my two users at the remote site to use the terminal server, and just have the SOP for @ main office then another for everyone else.  You can keep VPN for VOIP and network printers.  Local printing can be handled by the TS in case they have a printer at their desk instead of a true network printer.  If it is a true network printer, you can add that to the TS, so they don't need to set it up themselves.

If you have the time, it would be a good time to check out the new changes in 2012 for remote desktop.  I just set one up, and will say I am impressed, using local resources like USB drives, cameras, etc are fairly easy, and mostly transparent to the end user.

But as for your original post, I think you already have a working plan that will work in a pinch too that is really just adding the primary DNS and domain suffix to the remote site DHCP.

Expert Comment

ID: 39730778
In the past I have used TS / RDS server for small remote sites. It is much easier to manage.

On another note, if your clients are all Windows 7 & 8 and you are running Windows 2008 R2 or 2012 you could set up DirectAccess???

On another note, I have never heard of the FQDN style, servername != servername.domainname.local syntax.

Author Comment

ID: 39731634
Thanks for the suggestions with Windows 7/8 using DirectAccess but we don't have enterprise versions of those operating systems.  We just have the Professional versions that came with the computers.

I will check into that down the road though.
