Help - Changing from work group to Domain environment

Networking, Wireless Routers (802.11 a/b/g/n/ac/ax WiFi), NAT, LAN configuration, equipment, cabling, hubs, switches, and general network discussion
Post Reply
User avatar
TeddyTed
Regular Member
Posts: 224
Joined: Tue Mar 20, 2001 12:00 am
Location: Briarwood NY

Help - Changing from work group to Domain environment

Post by TeddyTed »

Hi all,
I'm looking for a bit of advice on changing a network from a workgroup setup to a domain environment.
We're a small and growing business with a total of four office locations ( one main office, and three satellite offices).
All satellite offices are connected into the main office via VPN tunnel using Sonicwall TZ appliances.
Network info

Main office
Network : 192.168.1.1
Location : NYC
# of users : 16



Satellite Offices

Location #1
Subnet : 192.168.2.1
Philadelphia
# of users : 6

Location #2
Subnet : 192.168.3.1
New York
# of users : 6

Location #3
Subnet : 192.168.4.1
Connecticut
# of users : 5


Problem:

In order to address some security concerns, and ultimately expansion in the near future, I would like to setup active directory to better manage the environment.
My concern is how do I properly deploy / provide active directory access across all locations, when obviously the satellite office are too small to set up a read only DC , as well as the issue of cost?

I know user authentication over WAN (through the tunnel) is possible.
The nodes on the main office work will obviously receive IP address from the DC / DHCP server locally.
However, I am not sure if the satellite locations should be set up to receive DHCP over VPN, and therefore I would have to disable disabling DHCP on the remote routers and allow ip address distribution from the main office. Does my assumption make sense ? If not , what is the proper way to handles this ? Forgive me if this sounds like nonsense. :confused:

Thanks
TB
Top
SamirD
Member
Posts: 31
Joined: Sat Jan 24, 2015 8:07 pm

Post by SamirD »

I don't have any experience in this, but have run into various discussion on the same topic of multi-subnet vpn active directory deployments. Do some searches and I'm sure you'll find TONS to read. Good luck!
Top
User avatar
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

Main office has your DC....say the DC has an IP address of 192.168.0.10
Satellite offices run their own DHCP (from the router is fine)...have the router hand out 192.168.0.10 as the primary DNS server.
This way workstations at the satellite offices are properly logging into active directory. Yeah...if the bandwidth is "light"...their logins can be a little slow as GPOs and scripts are processed...but..that's the way it is.

Some people add a secondary DNS server to hand out (in case the VPN tunnel goes down...so they can still surf the web), such as the ISPs or the router itself (which just does DNS forwarding to its WAN interface which is the ISP anyways)....BUT..you'll find that this responds quickly, the primary DNS server may take too long..so workstations will tend to turn to the secondary DNS...thus failing to log into the DC...thus breaking DNS too often.

It's better to leave the primary DNS as the DC..and that's it....until you get budget getting a local DC at each satellite office.
MORNING WOOD Lumber Company
Guinness for Strength!!!
Top
Post Reply

Return to “Networks and Wireless Routers”