 




<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Connect 2003 Small Bus. Server to 2 networks</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/</link>
	<description></description>
	<lastBuildDate>Wed, 22 May 2013 02:14:48 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>By: bigshybear</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/#comment-41072</link>
		<dc:creator>bigshybear</dc:creator>
		<pubDate>Wed, 19 Oct 2005 14:03:21 +0000</pubDate>
		<guid isPermaLink="false">#comment-41072</guid>
		<description><![CDATA[The Windows 2003 Small Business Server HAS to be the first domain controller, but according to Microsoft&#039;s documentation, you can have additional Windows 2003 server domain controllers.  I did not see anything about Windows 2000 Server domain controllers though.
http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx#EQHAC
Your first message said the second server was a Windows 2000 Server.  I missed that first time around.  If somebody KNOWS whether or not a Windows 2000 server can act as the second domain controller in the domain, please let us know.
Going with the idea that the Windows 2000 server is going to have to be a member server, the clients at the site remote from the Windows SBS 2003 server will need to log in across the internet.
See Microsoft article 
http://support.microsoft.com/default.aspx?scid=kb;en-us;314861
about the login procedure.  For pre-Windows XP clients the only way the remote clients can log in will be if there is a VPN tunnel between the two sites, and even that is questionable depending on round trip delay for the packets.  In the last 5 years EVERY ISP I have worked with has blocked some of the NetBIOS packets so direct connect is out.
The Windows XP clients at the remote site will have to have their DNS set to the Windows SBS 2003 server, though the Windows 2000 server there can provide DHCP.  
I want to jump up and shout about putting in a firewall at each site and setting up a VPN between the two sites.
Within 15 minutes of your servers coming up on the internet they were being probed.  If you are not absolutely obsessive about keeping the security patches installed on the computers visible to the internet, they WILL be hacked.  
http://www.avantgarde.com/xxxxttln.pdf
(8 hours until the Windows SBS server was hacked)
After all these years, one of the harshest lessons I have learned is to get a firewall in between ANY computer and the internet.  If you absolutely have no budget at all you can try a free Linux firewall on an older computer. I currently use IPCOP (www.ipcop.org) (on an old 933 MHz small form factor IBM computer) between my home network and the internet and I like it, but I have never done a VPN with it. The software is free and for the last 9 months it has done as well as a $2000 firewall for me.   I&#039;ve also heard good things about Smoothwall.

BigShyBear]]></description>
		<content:encoded><![CDATA[<p>The Windows 2003 Small Business Server HAS to be the first domain controller, but according to Microsoft&#8217;s documentation, you can have additional Windows 2003 server domain controllers.  I did not see anything about Windows 2000 Server domain controllers though.<br />
<a href="http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx#EQHAC" rel="nofollow">http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx#EQHAC</a><br />
Your first message said the second server was a Windows 2000 Server.  I missed that first time around.  If somebody KNOWS whether or not a Windows 2000 server can act as the second domain controller in the domain, please let us know.<br />
Going with the idea that the Windows 2000 server is going to have to be a member server, the clients at the site remote from the Windows SBS 2003 server will need to log in across the internet.<br />
See Microsoft article<br />
<a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;314861" rel="nofollow">http://support.microsoft.com/default.aspx?scid=kb;en-us;314861</a><br />
about the login procedure.  For pre-Windows XP clients the only way the remote clients can log in will be if there is a VPN tunnel between the two sites, and even that is questionable depending on round trip delay for the packets.  In the last 5 years EVERY ISP I have worked with has blocked some of the NetBIOS packets so direct connect is out.<br />
The Windows XP clients at the remote site will have to have their DNS set to the Windows SBS 2003 server, though the Windows 2000 server there can provide DHCP.<br />
I want to jump up and shout about putting in a firewall at each site and setting up a VPN between the two sites.<br />
Within 15 minutes of your servers coming up on the internet they were being probed.  If you are not absolutely obsessive about keeping the security patches installed on the computers visible to the internet, they WILL be hacked.<br />
<a href="http://www.avantgarde.com/xxxxttln.pdf" rel="nofollow">http://www.avantgarde.com/xxxxttln.pdf</a><br />
(8 hours until the Windows SBS server was hacked)<br />
After all these years, one of the harshest lessons I have learned is to get a firewall in between ANY computer and the internet.  If you absolutely have no budget at all you can try a free Linux firewall on an older computer. I currently use IPCOP (www.ipcop.org) (on an old 933 MHz small form factor IBM computer) between my home network and the internet and I like it, but I have never done a VPN with it. The software is free and for the last 9 months it has done as well as a $2000 firewall for me.   I&#8217;ve also heard good things about Smoothwall.</p>
<p>BigShyBear</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: jheadley</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/#comment-41073</link>
		<dc:creator>jheadley</dc:creator>
		<pubDate>Wed, 19 Oct 2005 10:28:50 +0000</pubDate>
		<guid isPermaLink="false">#comment-41073</guid>
		<description><![CDATA[I agree with Bigshybear.  Your best bet is to get a couple firewalls for each location.  I would recommend the Watchguard Edge product which starts around $350.  I understand that your client does not want to spend any more money on hardware but you need to factor in your time.  If you spend several hours trying to get these suggestions and it still does not work where is the savings?

From personal experience you could have both the Watchguards up and running in less than an hour.  Plus you will have a much more secure solution.  You DO NOT want your servers on the front line.]]></description>
		<content:encoded><![CDATA[<p>I agree with Bigshybear.  Your best bet is to get a couple firewalls for each location.  I would recommend the Watchguard Edge product which starts around $350.  I understand that your client does not want to spend any more money on hardware but you need to factor in your time.  If you spend several hours trying to get these suggestions and it still does not work where is the savings?</p>
<p>From personal experience you could have both the Watchguards up and running in less than an hour.  Plus you will have a much more secure solution.  You DO NOT want your servers on the front line.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: jhnyqst</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/#comment-41074</link>
		<dc:creator>jhnyqst</dc:creator>
		<pubDate>Tue, 18 Oct 2005 15:49:43 +0000</pubDate>
		<guid isPermaLink="false">#comment-41074</guid>
		<description><![CDATA[1st thing ... thanks everyone for the input so far.  Let me give you all a little more info.  The 2003 Small Business Server, I would like to use it as Domain Controller.  My client does not wish to spend any more money on what she has bought.  As far as new network equipment ... umm ... well ... a couple of hubs is all I am getting.  I will be trying the solutions that everyone gave me so far.  Thanks again everyone!]]></description>
		<content:encoded><![CDATA[<p>1st thing &#8230; thanks everyone for the input so far.  Let me give you all a little more info.  The 2003 Small Business Server, I would like to use it as Domain Controller.  My client does not wish to spend any more money on what she has bought.  As far as new network equipment &#8230; umm &#8230; well &#8230; a couple of hubs is all I am getting.  I will be trying the solutions that everyone gave me so far.  Thanks again everyone!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: keithd1967</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/#comment-41075</link>
		<dc:creator>keithd1967</dc:creator>
		<pubDate>Tue, 18 Oct 2005 14:37:51 +0000</pubDate>
		<guid isPermaLink="false">#comment-41075</guid>
		<description><![CDATA[Is the Win2k server office in its own domain?  If so, that may be your problem.  All SBS servers (5.0, 5.5, Win2k, and Win2k3) are their own Domain Controller, and no other DCs can connect to it.  You cannot connect the SBS server as part of a tree nor forest. Nor can you connect the two separate domains in any kind of trust: one-way or two-way; neither will work.

So, if your Win2k server is DomainA and your SBS server is DomainB, and you have a user in DomainA trying to connect to DomainB, you&#039;ll get authentication errors up the ying-yang.  Even if they have the same login ID/PW on both servers.]]></description>
		<content:encoded><![CDATA[<p>Is the Win2k server office in its own domain?  If so, that may be your problem.  All SBS servers (5.0, 5.5, Win2k, and Win2k3) are their own Domain Controller, and no other DCs can connect to it.  You cannot connect the SBS server as part of a tree nor forest. Nor can you connect the two separate domains in any kind of trust: one-way or two-way; neither will work.</p>
<p>So, if your Win2k server is DomainA and your SBS server is DomainB, and you have a user in DomainA trying to connect to DomainB, you&#8217;ll get authentication errors up the ying-yang.  Even if they have the same login ID/PW on both servers.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: bigshybear</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/#comment-41076</link>
		<dc:creator>bigshybear</dc:creator>
		<pubDate>Tue, 18 Oct 2005 12:47:38 +0000</pubDate>
		<guid isPermaLink="false">#comment-41076</guid>
		<description><![CDATA[On review of my previous post I mistyped something.
The Small Business Server HAS to be the first domain controller.  The remote Windows 2003 server will be added to the domain after the Small Business Server is up and running. ]]></description>
		<content:encoded><![CDATA[<p>On review of my previous post I mistyped something.<br />
The Small Business Server HAS to be the first domain controller.  The remote Windows 2003 server will be added to the domain after the Small Business Server is up and running. </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: bigshybear</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/#comment-41077</link>
		<dc:creator>bigshybear</dc:creator>
		<pubDate>Tue, 18 Oct 2005 12:25:55 +0000</pubDate>
		<guid isPermaLink="false">#comment-41077</guid>
		<description><![CDATA[I support a couple of small networks that do this.
From experience the way I always quote customers is:
1.  Get a fixed IP address at each end from your ISP.
2.  Have both sites on a different IP address scheme.  
One can be 192.168.1.x and the other 192.168.2.x, or 10.0.0.x, doesn&#039;t matter what they are as long as they are different.
3.  Set up a VPN between the two sites. I ALWAYS tell people to get this off the server and put in a VPN/Firewall hardware device at both ends.  For these two devices my experience has been that there is an inverse relationship between price and stability, the cheaper they are the more likely they need to be reset weekly, or monthly, and reprogrammed. Absolutely do NOT use the sub $100 firewall VPN boxes.   I&#039;ve used Fortigate 50a&#039;s successfully but at $500 each they may be beyond your budget. (As a side note, you ALWAYS want to put Windows based computers behind a firewall.)  You want both servers to have only one ethernet controller turned on, with the inside IP address as a fixed IP address.
4. Once the VPN is up, set up one server as a domain controller.  I&#039;d recommend that you start with the Windows 2003 server.   In Active Directory, create 2 sites, one for each IP address scheme.  Verify BOTH servers can ping each other on their INSIDE IP address.  
Now bring up the second server as a domain controller.   
I normally create 2 separate Organizational Units in Active Directory Users and Computers, one for each site, then create the user logins for each person in the OU that corresponds to the site they are going to be logging in from.  People will log in to their local server, and you can set them up to connect to the remote server if you want to.]]></description>
		<content:encoded><![CDATA[<p>I support a couple of small networks that do this.<br />
From experience the way I always quote customers is:<br />
1.  Get a fixed IP address at each end from your ISP.<br />
2.  Have both sites on a different IP address scheme.<br />
One can be 192.168.1.x and the other 192.168.2.x, or 10.0.0.x, doesn&#8217;t matter what they are as long as they are different.<br />
3.  Set up a VPN between the two sites. I ALWAYS tell people to get this off the server and put in a VPN/Firewall hardware device at both ends.  For these two devices my experience has been that there is an inverse relationship between price and stability, the cheaper they are the more likely they need to be reset weekly, or monthly, and reprogrammed. Absolutely do NOT use the sub $100 firewall VPN boxes.   I&#8217;ve used Fortigate 50a&#8217;s successfully but at $500 each they may be beyond your budget. (As a side note, you ALWAYS want to put Windows based computers behind a firewall.)  You want both servers to have only one ethernet controller turned on, with the inside IP address as a fixed IP address.<br />
4. Once the VPN is up, set up one server as a domain controller.  I&#8217;d recommend that you start with the Windows 2003 server.   In Active Directory, create 2 sites, one for each IP address scheme.  Verify BOTH servers can ping each other on their INSIDE IP address.<br />
Now bring up the second server as a domain controller.<br />
I normally create 2 separate Organizational Units in Active Directory Users and Computers, one for each site, then create the user logins for each person in the OU that corresponds to the site they are going to be logging in from.  People will log in to their local server, and you can set them up to connect to the remote server if you want to.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: spadasoe</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/#comment-41078</link>
		<dc:creator>spadasoe</dc:creator>
		<pubDate>Tue, 18 Oct 2005 11:54:49 +0000</pubDate>
		<guid isPermaLink="false">#comment-41078</guid>
		<description><![CDATA[Assuming you need to connect separate locations, 
SOHO routers on each end would make this easier also. Most of the off the shelf routers from Linksys, Dlink, Netgear, MS have capabilities to handle point to point connections as long as the ISP doesn&#039;t block the ports or limit traffic.
These devices also provide a small office switching fabric for multiple connections. ]]></description>
		<content:encoded><![CDATA[<p>Assuming you need to connect separate locations,<br />
SOHO routers on each end would make this easier also. Most of the off the shelf routers from Linksys, Dlink, Netgear, MS have capabilities to handle point to point connections as long as the ISP doesn&#8217;t block the ports or limit traffic.<br />
These devices also provide a small office switching fabric for multiple connections. </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: paul144hart</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/#comment-41079</link>
		<dc:creator>paul144hart</dc:creator>
		<pubDate>Tue, 18 Oct 2005 09:23:31 +0000</pubDate>
		<guid isPermaLink="false">#comment-41079</guid>
		<description><![CDATA[You&#039;ll need to check if the provider gave you fixed IPs. If not, when one of the modems gets reset the DHCP lease could be too short and you&#039;ll get a different IP. Especially true if one of the offices had a power failure.

Otherwise, use ipchicken.com to find the public IP of each server and try pinging from both sides first. If successful, use tracert or something to see if you see the machine&#039;s name.

If you don&#039;t have fixed IPs, your alternate is to create a VPN tunnel and rely on the local IP addressing schemes.]]></description>
		<content:encoded><![CDATA[<p>You&#8217;ll need to check if the provider gave you fixed IPs. If not, when one of the modems gets reset the DHCP lease could be too short and you&#8217;ll get a different IP. Especially true if one of the offices had a power failure.</p>
<p>Otherwise, use ipchicken.com to find the public IP of each server and try pinging from both sides first. If successful, use tracert or something to see if you see the machine&#8217;s name.</p>
<p>If you don&#8217;t have fixed IPs, your alternate is to create a VPN tunnel and rely on the local IP addressing schemes.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: baes64</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/connect-2003-small-bus-server-to-2-networks/#comment-41080</link>
		<dc:creator>baes64</dc:creator>
		<pubDate>Mon, 17 Oct 2005 15:33:38 +0000</pubDate>
		<guid isPermaLink="false">#comment-41080</guid>
		<description><![CDATA[Both Windows 2000 and 2003 support VPN site-to-site connection, allowing intradomain communications between two or more networks. A cost-effective and secure solution managed by RRAS component.
In that scenario, for instance, a user in network &quot;A&quot; could logon as authenticated user using a domain controller in network &quot;B&quot;, and computers and servers can be members of the same domain.]]></description>
		<content:encoded><![CDATA[<p>Both Windows 2000 and 2003 support VPN site-to-site connection, allowing intradomain communications between two or more networks. A cost-effective and secure solution managed by RRAS component.<br />
In that scenario, for instance, a user in network &#8220;A&#8221; could logon as authenticated user using a domain controller in network &#8220;B&#8221;, and computers and servers can be members of the same domain.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
