I am planning to implement Win2k AD domain at work, hoping it would help me
manage accounts and security across widespread branch offices. I would
appreciate any comments/suggestions. The setup is as follows:
1. HQ with 6-10 users and 8 computers (Win98, Win2k) + 1 server
2. 4 branch offices each with 6-10 users, 3-6 computers (Win98, Win2k), 1
server
Currently HQ and BOs use workgroup networking with Win2k standalone file and
printer server. HQ uses private subnet 192.168.1.x, and BOs use 192.168.2.x,
192.168.3.x, etc. Also, one workstation at each branch office runs and
shares an Access db, with other workstations accessing the db over the
network. Internet connection is through 64k ISDN (shared by a router) at
each location, and HQ may be getting a slightly faster static connection in
the near future. Dialup access is fairly stable, but there are times when any
particular BO is without for a few hours due to ISP problems. Also, we will
be opening a new BO by the end of the year with one more coming up next year
(more or less the same setup as others). Due to existing equipment
limitations I am planning to use direct dialin for replication and
management, until I can set up a VPN connection from BOs to HQ (hopefully
two directional). I don't expect there to be many changes in the AD, mainly
passwords, and some network access permissions.
After doing some reading and research, I concluded that I should:
Use a single domain, with AD sites for each BO.
Each site/BO will have a DC (existing Win2k server upgraded) running AD and
AD integrated DNS for the site (which will use ISP DNS servers for external
resolution). From what I read I should set each DC to hold global catalog
information.
Instead of running WINS, I am planning to use lmhosts since there are
relatively few stations involved and I should be able to maintain lmhosts
files (workstations will not use DHCP).
I am planning to use OUs by branch office for permissions, etc.
My concern is that I will not have a backup DC at each site until I get the
VPN running (and will logon authentication work reliably through VPN tunnels
anyway), which would mean users cannot access network resources until the
DC is back up -- if anyone has suggestions how to work around this without a
second DC on site, I would appreciate hearing them.
Also, I am not able to work on branch DCs at the central offices, so I was
planning to create a Ghost image of a DC that is joined to an AD site,
restore the image on the server at the branch office, and then move it to a
different site while connected to the HQ through dialup.
Thank you for reading this, and again any comments/concerns/suggestions are
welcomed and appreciated.
Mer
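The lmhosts approach described in the post depends on every workstation carrying a correct static file, so a small validator is worth running before the files are pushed out. The following is an added example, not the poster's own configuration: it parses a constructed lmhosts file laid out like the post's network (HQ on 192.168.1.x, one DC per branch subnet) and flags the mistakes that silently break domain logon. The DC names and the domain name EXAMPLEDOM are placeholders.

```python
import ipaddress
import re

# Constructed sample lmhosts file: one DC per AD site, HQ on 192.168.1.x and
# each branch office on its own 192.168.N.x subnet. Host and domain names are
# placeholders, not taken from the post.
SAMPLE_LMHOSTS = """\
# lmhosts for branch workstations (constructed example)
192.168.1.10    HQDC1        #PRE #DOM:EXAMPLEDOM
192.168.2.10    BO1DC1       #PRE #DOM:EXAMPLEDOM
192.168.3.10    BO2DC1       #DOM:EXAMPLEDOM
192.168.4.10    BO3DC1-VERYLONGNAME   #PRE
192.168.5.300   BO4DC1       #PRE #DOM:EXAMPLEDOM
#INCLUDE \\\\HQDC1\\netlogon\\lmhosts
"""

# An entry is "<ip> <netbios-name> [#PRE] [#DOM:<domain>] ..."; lines starting
# with '#' are comments or directives (#INCLUDE, #BEGIN_ALTERNATE, ...).
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)(.*)$")


def parse_lmhosts(text):
    """Return (entries, problems).

    entries: one dict per host line with ip, name, pre and dom.
    problems: human-readable findings, each prefixed with its line number.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: cannot parse {line!r}")
            continue
        ip, name, rest = m.group(1), m.group(2), m.group(3)
        pre = "#PRE" in rest
        dom_m = re.search(r"#DOM:(\S+)", rest)
        dom = dom_m.group(1) if dom_m else None
        try:
            ipaddress.IPv4Address(ip)  # raises ValueError on e.g. an octet > 255
        except ValueError:
            problems.append(f"line {lineno}: invalid IPv4 address {ip!r}")
        if len(name) > 15:  # NetBIOS names are at most 15 characters
            problems.append(f"line {lineno}: NetBIOS name {name!r} exceeds 15 characters")
        if dom and not pre:  # without #PRE the file is only consulted after broadcast fails
            problems.append(f"line {lineno}: #DOM entry {name!r} lacks #PRE, so it is not preloaded")
        entries.append({"ip": ip, "name": name.upper(), "pre": pre, "dom": dom})
    return entries, problems
```

Running `parse_lmhosts(SAMPLE_LMHOSTS)` on the constructed file reports the three defective lines (unpreloaded #DOM entry, over-long name, bad address) while treating the #INCLUDE directive as a non-host line.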