
more Domain Planning Questions


rogerpatel (Technical User, joined Jun 14, 2005, 120 messages)


Hi all,

Wondering if I can get some advice on a little WAN I am about to setup.

Here’s a rundown of the plan:
4 branch offices.

All sites to be connected together using box-to-box VPN (each site will have a 1Mb ADSL internet line, 1Mb download, 256k upload).

Each site will have its own Windows 2003 Domain Controller, which will be used for file and print. The bosses have decided all 4 domains must be separate (meaning they do not want one master domain).

The head office will have an Exchange 2003 mail server installed; the other three offices will use Outlook 2003 in cached mode, connecting to the head office over the VPN. As the PCs are not part of the head office domain, each user will have to enter their user name and password when opening Outlook; this is fine. If we find the links are too small, all the remote users will be forced to use either POP mail or Outlook Web Access.

Trusts will be set up at the head office to allow file access to certain folders for the 3 remote sites.

Head office will have 20 PCs.
The remote sites will have a max of 10 users each.

Head Office
IP range 192.168.110.x
Server IP 192.168.110.2
Mask 255.255.255.0
SonicWall f/w default g/w 192.168.110.1
Domain name London.local
NetBIOS domain name London

Remote Site One
IP range 192.168.210.x
Server IP 192.168.210.2
Mask 255.255.255.0
SonicWall f/w default g/w 192.168.210.1
Domain name Leeds.local
NetBIOS domain name Leeds

Remote Site Two
IP range 192.168.310.x
Server IP 192.168.310.2
Mask 255.255.255.0
SonicWall f/w default g/w 192.168.310.1
Domain name Birmingham.local
NetBIOS domain name Birmingham

Remote Site Three
IP range 192.168.410.x
Server IP 192.168.410.2
Mask 255.255.255.0
SonicWall f/w default g/w 192.168.410.1
Domain name stratford.local
NetBIOS domain name stratford

All the 2003 servers will have the following services:
DC, GC, DNS, DHCP & WINS
The DHCP scope will be something like (xxx depends upon the site):
Range 192.168.xxx.50 to 192.168.xxx.80
DG 192.168.xxx.1
DNS 192.168.xxx.2

All the PCs will log on to the domain in the office.

When a PC from any office opens My Network Places they must/should be able to see all 4 domains and all PCs.

I hope the above gives you an idea on what we are trying to do here.

I need some help on the IP address side. I’ve set up many networks before, however not any WAN-type networks. Using the above IP information, can you foresee any problems that may pop up, or do you think I am doing this totally wrong and there is a better IP structure I should be using?

Other than the above IP question, do you think this network using trusts will have any problems / work?

Thanks and sorry for the long read.

Cheers

Roger
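Before any firewall rule or DHCP scope is built from a plan like the one above, it is worth running the figures through a mechanical check. What follows is an added example, not code from the thread or from any of its posters: a small Python script using only the standard-library ipaddress module. It takes the four stated ranges, server and gateway addresses and the .50 to .80 DHCP scope as constructed input, and reports any range that is not valid IPv4, not RFC 1918 private space, any static address outside its own /24 or inside the DHCP hand-out range, and any pair of sites whose ranges overlap. Run against the ranges exactly as posted it flags the third and fourth sites, because an IPv4 octet cannot exceed 255.

```python
import ipaddress

# Site plan reconstructed from the opening post (constructed input; the 310 and 410
# third octets are reproduced exactly as written there).
SITE_PLAN = [
    ("London",     "192.168.110.0/24", "192.168.110.2", "192.168.110.1"),
    ("Leeds",      "192.168.210.0/24", "192.168.210.2", "192.168.210.1"),
    ("Birmingham", "192.168.310.0/24", "192.168.310.2", "192.168.310.1"),
    ("Stratford",  "192.168.410.0/24", "192.168.410.2", "192.168.410.1"),
]

# DHCP scope from the post: .50 to .80 inside every site's /24.
DHCP_FIRST, DHCP_LAST = 50, 80


def check_site(name, cidr, server, gateway):
    """Return a list of problem strings for one site (empty list = plan is sound)."""
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        # An octet above 255, or host bits set in the prefix, both land here.
        return [f"{name}: range {cidr} is not a valid IPv4 network ({exc})"]
    if not net.is_private:
        problems.append(f"{name}: {cidr} is not RFC 1918 private address space")
    for label, addr in (("server", server), ("gateway", gateway)):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{name}: {label} address {addr} is malformed")
            continue
        if ip.version != net.version or ip not in net:
            problems.append(f"{name}: {label} {addr} lies outside {cidr}")
            continue
        # Static server/gateway addresses must not sit inside the DHCP hand-out range.
        if DHCP_FIRST <= int(str(ip).rsplit(".", 1)[1]) <= DHCP_LAST:
            problems.append(f"{name}: {label} {addr} collides with the DHCP scope")
    return problems


def check_plan(plan):
    """Check every site, then check that the parseable ranges do not overlap."""
    problems = []
    parsed = []
    for name, cidr, server, gateway in plan:
        problems.extend(check_site(name, cidr, server, gateway))
        try:
            parsed.append((name, ipaddress.ip_network(cidr, strict=True)))
        except ValueError:
            pass  # already reported by check_site
    for i, (name_a, net_a) in enumerate(parsed):
        for name_b, net_b in parsed[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} and {name_b}: {net_a} overlaps {net_b}")
    return problems


if __name__ == "__main__":
    for line in check_plan(SITE_PLAN) or ["plan passes all checks"]:
        print(line)
```

The overlap check matters once the four sites are joined by site-to-site VPN: two offices sharing a range cannot route to each other, so a later plan that swaps the invalid octets for new values should be re-run through the same script.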
 
I don't see any reason for 4+1 domains; a single domain is quite good enough. If your boss wants to separate security completely, he/she should consider 4+1 forests, because a domain is not a security boundary.

In your case, 4+1 domains only add more admin effort.

------------------------------------
Directory Services/Exchange Consultant
 
benlu,

Cheers mate, thanks for the advice. I did try to tell my boss this, however the WAN must be separate networks; I think it's because one day he will be selling them off one by one.

Do you think the IP allocations will work fine along with this network using trusts etc.? The admin side is not a problem for any of the offices.

cheers
 
It looks like it'll work, but I think you'll have headaches. You're going to have to have the DNS/WINS servers all be reliant on the ones in the main office for resolving one another.
 
zeveck,

Each site will have its own DC, DNS and WINS server; they will not point to any other server except for itself. There will be no replication as there's only going to be one DC at each site.

Can you please explain what you mean by "You're going to have to have the DNS/WINS servers all be reliant on the ones in the main office for resolving one another"?

Or do you mean I will need to set up WINS/DNS replication to other domains? I am not aware this can be done as they are all different domains.

Cheers
 
zeveck's point is that DNS should be replicated at forest level, not domain level; even if you have configured local DC DNS, you still need to replicate the forest DNS partition to the other domains.

Your IP schema is no problem; you are only dealing with <100 users, er?

But the key is that 4+1 domains is not recommended. You have only one DC in each domain, which is a single point of failure: say that DC goes down, that branch's users won't log on and be authenticated to the network resources.

If you set up a single domain, as long as even one root DC survives, all users should be able to log on, just slowly.

------------------------------------
Directory Services/Exchange Consultant
 
OK guys, I get the message and understand that having 5 separate domains is not a good way to go. I have now explained the position to the boss, and he has given me full permission to set up the domain in the way I want to do it.

I have no idea of the process for creating this domain; out of the 5 servers for all the sites I currently have two in my office ready to be built.

Can you guys please give me some pointers on the methods to create this network now I have decided to go the route you suggest, and also, if possible, some good web sites explaining "creating branch networks"?

Thanks again for the support here.
 
lol. Now it's easier for you: just go ahead and set up 4 AD sites for those branch offices. It's a no-brainer; google "AD sites" for a how-to.

------------------------------------
Directory Services/Exchange Consultant
 
Cheers mate, will start searching now.

thanks again for all the help.

 
Hi all,

Back again for more assistance.

I have now been overruled once again and been TOLD/ORDERED to install 5 totally separate networks, meaning one simple DC at each office (head office having a mail server too).

This means I'm back to plan A (top of thread).

Using the info at the top of the post, can you please tell me if this WAN will cause any major problems? There will be no replication over the WAN; all the domains will be trusted to the head office only.

Admin work is not an issue here; I do understand that making so many separate domains will cause more administration.

My main goal here is to be able to view all the networks in Network Places from any of the offices, bearing in mind all the domains are totally different networks.
The only connection between the domains will be a simple two-way trust from each site to the head office.

The trust will be set up so users from the head office will be able to access a few shares on the remote sites, and users from the remote sites will be able to access a single share on the head office server.

I think there are a number of reasons why the bosses need to make sure they are separate networks. I don't know what they all are, but I have been told that one of them is because one day they will tell me to disconnect all connections to one of the offices; if it's a trust we will simply remove the VPN connection from the FW and then delete the trust setting for that site.

Sorry for the change-around once again, but I have to do as I'm told here.

 
Bear in mind, AD domain design is separate from network design; say, you can still use a single domain, but the network topology will cross WANs (AD sites). Why do you still want 4+1 domains?

Your IP schema is no problem as mentioned before, only a couple of users.

------------------------------------
Directory Services/Exchange Consultant
 
What I was saying above regarding WINS was partially that with completely separate domains you will not be able to see all of the computers in Network Places.

Network Places uses NetBIOS naming. NetBIOS works either using broadcast or WINS. Broadcast won't work for you because they are distinct networks with distinct IP ranges. Four independent WINS servers won't work because each computer will only register itself with its local WINS server and the local WINS server will only know about those computers.

You need a central WINS server if you want all computers to be able to see all other computers. Or, you might be able to have each WINS server fetch data from the other WINS servers, but either way the networks all have to know about one another.

The same basic problem applies with DNS. If each independent network has its own DNS and the computers in that network only update that DNS and the DNSes don't know about each other then there is no way to push that information where you want it.

I could be wrong on some of this...but I think these are some problems you are going to run into.
 
If he does ever want to sell off each office then you really need to have separate forests with single domains in each.

Moving a domain to another forest after the event is doable with W2003 I think but still a major headache.

 
I may be out of my depth here but why not start with one domain with a .local suffix. Then if the branch offices break away they can continue to use the same domain name albeit with no connections between the sites. Does it really matter if there are different offices using the same internal domain name?
 

You mention that using completely separate domains with their own WINS and DNS servers I won't be able to see other domains in Network Places.

We currently have another WAN with 3 domains (these are Windows 2000), each linked by the same firewall setup (SonicWall box-to-box VPN passing NetBIOS) and trusts for all sites.

From any site we can see the complete lists of all domains and everything contained within them; we can then also ping a computer by name at the other office and access shares etc. Each domain has its own WINS server and DNS server; no servers have any replication/entries at all for any DNS or WINS for any other sites.

None of the PCs / servers have any hosts file entries.

This network works like a dream.

Is it the firewalls / VPN that's letting us VIEW all the devices in Network Places? (The firewall has the option ENABLED for "Enable Windows networking (NetBIOS) broadcasts".)

I know the correct way to set up a domain like this is by using a single domain, but I need to set this network up with SEPARATE domains and then use TRUSTS.

Thanks once again.

 
Hmmm...not sure. I could be mistaken in what I said, but I am leaning towards that firewall setting you're referring to being the enabling factor.

Can anybody clarify?
 