
Active Directory - VPN - Sites 2

Status
Not open for further replies.

kokakola (IS-IT--Management, US)
Jan 31, 2004
I'm trying to give a simple example to help me narrow in on my question.

I'm going to use a simple example of a water company to try to convey the question that I have.

The company has a total of 100 employees. The employees are separated into 5 different groups; for simplification, assume 20 people are in each group:
1) bookkeeping (BK)
2) sales (SA)
3) administration (AM)
4) developers (DV)
5) finance (FN)

The water company has four physical locations. Five employees from each department work at each location:
1) eastriver, TX - 25 employees total (5 BK, 5 SA, 5 AM, 5 DV, 5 FN)
2) westbank, TX - 25 employees total (5 BK, 5 SA, 5 AM, 5 DV, 5 FN)
3) southpark, TX - 25 employees total (5 BK, 5 SA, 5 AM, 5 DV, 5 FN)
4) northville, TX - 25 employees total (5 BK, 5 SA, 5 AM, 5 DV, 5 FN)

Assume you have the following domain set up with AD
water.org

Assume that management has decided to put all the servers for the whole company at the eastriver location.

The remaining 4 locations, westbank, southpark, and northville, will be connected with a static IP by cable modem and a Linksys router that uses VPN to connect to the servers in eastriver.

Assumptions:

Each employee has their own workstation at the location they work at.

Each group (BK, SA, AM, DV, FN) has its own application program, i.e. the bookkeeping group uses a bookkeeping program, etc.
All programs are stored on the same server in eastriver.

Each group stores files on its own group's networked drive, which is located on the same server in eastriver.


IF YOU'RE STILL WITH ME AT THIS POINT, THANK YOU.

What would your recommendation be for setting up ADS?

Would you do it like bk.water.org, sa.water.org ... fn.water.org
OR
Would you set it up like eastriver.water.org, southpark.water.org ...

How would you configure the DNS, subnets and DCs when you have multiple sites like this?

Thank you very much for taking your time to read this thread. If you have any comments or suggestions, they would be greatly appreciated.
 
Make one AD domain water.local. Server farm at East River. Have all client accounts in one place, on the ADC at East River.

Use a hardware-based site-to-site VPN (you said this already: static IP cable modem and Linksys/Netgear/SMC/DLink etc. routers, I'm just confirming... USE ONLY ONE BRAND AT ALL LOCATIONS, MAKE SURE THAT ONE BRAND HAS THE SAME SOFTWARE REV AT ALL LOCATIONS.) Check that the brand allows multiple simultaneous VPN connections, since East River will have four at once!

You should have a DHCP server at each location, so use the VPN device as the DHCP server. Give each site a different subnet. You can decide if you want the East River router to host DHCP or if you want the AD server to run DHCP... I suggest keeping the same setup, so make the routers all run DHCP. Limit the DHCP range to the number of clients plus one in all cases, and put servers outside this range in the same subnet at East River.

Set up AD DNS like normal, and set the "Register this connection in DNS" option for all workstations. When each person logs into AD, their workstation will pass its address to DNS automatically.

Do not use roaming profiles, home directory, etc. as this will cause too much traffic. Have login script map users to correct directories in case changes at East River are needed.

Traffic will look like this:

WS powers up - traffic to router for IP address, no server access yet
User logs in - traffic to AD server (routed automatically via VPN)
User access to shares (to run software) - traffic to server farm via VPN

There is a performance hit running software over the VPN; you may need to put the software on the local PC and just access data files via VPN if this is too slow. Else you can make a terminal server and run the software for each group this way.

Alex
 
Alex-

I thank you ten-fold for your insight into this sample company issue. On one of the satellite offices, the static IP address going to the router is 88.33.55.22 (made-up IP).

When you talk about subnets, are you referring to the groups within each site?
1)eastriver, TX - WAN STATIC IP IS 24.64.91.56
2)westbank, TX - WAN STATIC IP IS 24.64.20.133
3)southpark, TX - WAN STATIC IP IS 24.64.111.76
4)northville, TX - WAN STATIC IP IS 24.64.13.27

1) I'm going to go with the assumption that each satellite office has DHCP and NAT enabled.

When I do that, taking the southpark, TX location for example, the following objects have the following internal IPs:
Southpark Router 192.168.2.1
Southpark Client1 192.168.2.12
Southpark Client2 192.168.2.18
Southpark Client3 192.168.2.24 etc.

The DHCP range is 192.168.2.2 - 192.168.2.60.


When you say set up a subnet, are you suggesting that I do the following for the different locations?

1) eastriver, TX - LAN SUBNET RANGE 192.168.2.2 -> 192.168.2.22
2) westbank, TX - LAN SUBNET RANGE 192.168.2.23 -> 192.168.2.42
3) southpark, TX - LAN SUBNET RANGE 192.168.2.43 -> 192.168.2.62
4) northville, TX - LAN SUBNET RANGE 192.168.2.63 -> 192.168.2.83

Thanks
 
You usually have no ability to control the WAN-side IP interface; that is the ISP's area, and you may have a different ISP for each location (I have Germany, France, Taiwan, and a couple of USA locations interconnected.) So I expect that each site's WAN is going to be completely different:

1)eastriver, TX - WAN STATIC IP IS 204.12.91.56
2)westbank, TX - WAN STATIC IP IS 162.15.20.133
3)southpark, TX - WAN STATIC IP IS 99.66.111.76
4)northville, TX - WAN STATIC IP IS 87.31.13.27

You need a DHCP host at each location, so have the router supplying DHCP and performing NAT... note, the VPN tunnel will automatically route from subnet to subnet! So if I am connected via VPN to 192.168.100.1 from my internal 192.168.1.10, the router knows to send return traffic to .1.10 via the VPN tunnel. Because of this you must have a different IP subnet at each location, which you can do by splitting a single subnet (as you posted), or by using completely different ranges... which is what I do.

So the locations will have the following internal IPs:
Eastriver Router 192.168.1.1
Eastriver LAN DHCP SUBNET RANGE 192.168.1.10 - 192.168.1.16
Eastriver Clients 192.168.1.10-192.168.2.15
Server Farm is static IP in range 192.168.1.100-192.168.1.110

Southpark Router 192.168.2.1
Southpark LAN DHCP SUBNET RANGE 192.168.2.10 - 192.168.2.16
Southpark Clients 192.168.2.10-192.168.2.15

Westbank Router 192.168.3.1
Westbank LAN DHCP SUBNET RANGE 192.168.3.10 - 192.168.3.16
Westbank Clients 192.168.3.10-192.168.2.15

Northville Router 192.168.4.1
Northville LAN DHCP SUBNET RANGE 192.168.4.10 - 192.168.4.16
Northville Clients 192.168.4.10-192.168.2.15

Note that I only range the router DHCP to the number of clients plus one. If you have network printers, give them static IPs outside the DHCP range (like I show with the servers). This is done for security: there should not be a large block of free IP addresses via DHCP (if you ping the six and get a response from all of them, you know there is something going on!). Servers and printers should have static IPs to reduce traffic; since all these routers have switches instead of hubs by now, there will be no broadcast packets wasting time on the LAN.

Good luck,

Alex
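As an added example that is not code from this thread or from Alex, here is a small Python check of the addressing rules Alex lays out in his two replies above: one distinct, non-overlapping subnet per site so the VPN tunnels can route between them; a DHCP scope at each site sized to the client count plus one, so there is no large block of free leases; and routers, servers and printers on static addresses inside the site subnet but outside the scope. The site table is constructed for illustration (one /24 per location, five clients per site, three servers at eastriver); the site and host names are assumptions, not values from the thread.

```python
"""Check a multi-site LAN/DHCP plan against the rules in Alex's replies.

Added example, not code from the thread. The plan below is constructed:
one /24 per location, five clients per site, DHCP scope = clients + 1,
servers static at eastriver outside the scope.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List


@dataclass
class Site:
    name: str
    subnet: IPv4Network
    router: IPv4Address
    clients: int                      # workstations at this site
    dhcp_start: IPv4Address
    dhcp_end: IPv4Address
    static_hosts: Dict[str, IPv4Address] = field(default_factory=dict)

    def dhcp_size(self) -> int:
        return int(self.dhcp_end) - int(self.dhcp_start) + 1

    def in_scope(self, addr: IPv4Address) -> bool:
        return self.dhcp_start <= addr <= self.dhcp_end


def check_plan(sites: List[Site]) -> List[str]:
    """Return a list of findings; an empty list means the plan passes."""
    findings: List[str] = []

    # 1. Site subnets must not overlap, or the VPN routers cannot tell
    #    which tunnel return traffic belongs to.
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                findings.append(f"{a.name} and {b.name} share address space "
                                f"{a.subnet} / {b.subnet}")

    for s in sites:
        # 2. DHCP scope inside the site subnet and exactly clients + 1 long.
        if s.dhcp_start not in s.subnet or s.dhcp_end not in s.subnet:
            findings.append(f"{s.name}: DHCP scope {s.dhcp_start}-{s.dhcp_end} "
                            f"falls outside {s.subnet}")
        if s.dhcp_size() != s.clients + 1:
            findings.append(f"{s.name}: DHCP scope has {s.dhcp_size()} "
                            f"addresses, expected {s.clients + 1}")
        # 3. Router and every static host inside the subnet, outside the scope.
        for label, addr in {"router": s.router, **s.static_hosts}.items():
            if addr not in s.subnet:
                findings.append(f"{s.name}: {label} {addr} is not in {s.subnet}")
            elif s.in_scope(addr):
                findings.append(f"{s.name}: {label} {addr} collides with the DHCP scope")
    return findings


def sample_plan() -> List[Site]:
    """Constructed plan: 192.168.<n>.0/24 per site, scope .10-.15 for 5 clients."""
    def site(name: str, third_octet: int, extra=None) -> Site:
        base = f"192.168.{third_octet}."
        return Site(name, IPv4Network(base + "0/24"), IPv4Address(base + "1"), 5,
                    IPv4Address(base + "10"), IPv4Address(base + "15"), extra or {})

    servers = {f"server{n}": IPv4Address(f"192.168.1.{100 + n}") for n in range(3)}
    return [site("eastriver", 1, servers), site("westbank", 3),
            site("southpark", 2), site("northville", 4)]


def broken_plan() -> List[Site]:
    """Same sites, but northville reuses southpark's 192.168.2.0/24 and a
    westbank printer was given an address inside the DHCP scope."""
    plan = sample_plan()
    plan[3] = Site("northville", IPv4Network("192.168.2.0/24"), IPv4Address("192.168.2.1"),
                   5, IPv4Address("192.168.2.10"), IPv4Address("192.168.2.15"))
    plan[1].static_hosts["printer"] = IPv4Address("192.168.3.12")
    return plan


if __name__ == "__main__":
    for label, plan in (("good plan", sample_plan()), ("broken plan", broken_plan())):
        print(label, "->", check_plan(plan) or "OK")
```

Run it before the tunnels go up and again whenever a site adds a printer or a server; the overlap check is the one that matters most, because two sites sharing a subnet fails silently as misrouted return traffic rather than as an error on either router.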
