Creating a Domain from pieces

Tags:
Active Directory
DataCenter
Management
Microsoft Windows
Networking
OS
Security
Servers
SQL Server
I'm inheriting a client who has a small number of systems spread out over various sites. All of these systems are on static IPs from the various DSL providers. We now want to bring them all together and use Active Directory (mainly for Group Policy and permissions control). While I've created domains and set up AD for new systems, I've never tried to cobble one together from existing stand-alone computers. My real question is, do I need to look out for any particular pitfalls in doing this? The systems are all XP desktops, a W2K server, a W2K3 server, and 2 NT 4.0 servers that will soon be updated. Thanks much!

Answer Wiki

Dusty:
If there is no existing Windows domain, this should be fairly straightforward. You can have a single domain and configure the various sites as, well, sites in Active Directory. I recommend placing a domain controller at each site so that if connectivity goes down, the users can still log in.
Are you already running VPNs connecting the sites? If so, and the private ranges at each site don't overlap, then connectivity shouldn't be an issue. If you have overlapping IP ranges then either change this or use what Linux refers to as "twice NAT". Even if it is more work, I would recommend numbering the nets for no overlap.
Going to Active Directory from a Win2K or 2K3 server shouldn't be a problem. Get rid of the NT 4.0 box when you can. Don't even consider it as a domain controller.

Notice how I am assuming your systems are on private IPs behind NATing firewalls. I strongly recommend against placing Windows boxes directly on the Internet without firewall protection. I know Microsoft likes to say their systems are secure now, but my experience tells me it is only a matter of time before a Windows machine with a public IP and no firewall to protect it will be compromised. If your DSL gateways are firewalls with site-to-site VPN capability, you are set.

If some sites are too small to have a domain controller, then these systems should have local accounts to fall back on if connectivity to the domain controllers goes down.

Has this answered your concerns?
rt
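The two practical steps in the answer above, one AD site per location and non-overlapping private ranges behind the VPNs, can be scripted. The following is an added example, not code from the original thread or its participants; it uses the current ActiveDirectory PowerShell module (RSAT on a domain-joined admin workstation) rather than the Sites and Services console of the 2003 era. The site names, the 10.x.0.0/24 subnets and the hub name 'HQ' are constructed for illustration. The script first refuses to proceed if any two site subnets overlap (the case the answer says to fix by renumbering rather than by double NAT), then creates the sites, their subnets and a hub-and-spoke site link so the Knowledge Consistency Checker schedules replication over the VPN rather than treating every DC as local.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory
# module and rights to modify the Configuration partition (Enterprise Admins).
Import-Module ActiveDirectory

# One entry per physical location: constructed sample data, adjust to taste.
$sites = @(
    @{ Name = 'HQ';      Subnet = '10.1.0.0/24' }
    @{ Name = 'Branch1'; Subnet = '10.2.0.0/24' }
    @{ Name = 'Branch2'; Subnet = '10.3.0.0/24' }
)
$hub = 'HQ'   # site that holds the Internet gateway and the central DCs

# Turn "a.b.c.d/n" into an inclusive [Start, End] pair of 64-bit integers
# (64-bit so the arithmetic never overflows a signed 32-bit int).
function ConvertTo-Range([string]$Cidr) {
    $ip, $bits = $Cidr -split '/'
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()  # network byte order
    $addr = [int64]0
    foreach ($b in $bytes) { $addr = ($addr * 256) + $b }
    $size  = [int64]1 -shl (32 - [int]$bits)      # number of addresses in the block
    $start = $addr - ($addr % $size)              # clear the host bits
    return [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

# Pairwise overlap check. Two ranges overlap when each starts no later than the
# other ends. Returns $true when the plan is clean, $false after warning on clashes.
function Test-SubnetPlan($SiteList) {
    $ranges = $SiteList | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Subnet = $_.Subnet; Range = ConvertTo-Range $_.Subnet }
    }
    $clean = $true
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            if ($a.Range.Start -le $b.Range.End -and $b.Range.Start -le $a.Range.End) {
                Write-Warning ("{0} ({1}) overlaps {2} ({3}); renumber before linking the VPNs" -f
                    $a.Name, $a.Subnet, $b.Name, $b.Subnet)
                $clean = $false
            }
        }
    }
    return $clean
}

if (-not (Test-SubnetPlan $sites)) {
    throw 'Overlapping site subnets: fix the addressing plan first.'
}

# Create each site and attach its subnet so clients and DCs are matched to the
# right site (site-aware logon, local DC preference). Idempotent: skips existing objects.
foreach ($s in $sites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
        New-ADReplicationSite -Name $s.Name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($s.Subnet)'")) {
        New-ADReplicationSubnet -Name $s.Subnet -Site $s.Name
    }
}

# Hub-and-spoke site links over the VPN: replication every 15 minutes, one link
# per branch so an outage at one site does not stall the others.
foreach ($s in $sites | Where-Object Name -ne $hub) {
    $link = "$hub-$($s.Name)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded $hub, $s.Name `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Review the result: every DC should now sit in the site matching its subnet.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
```

A first DC promoted before any of this runs lands in Default-First-Site-Name; move it with Move-ADDirectoryServer (or rename that site to your hub) so the subnet-to-site mapping stays consistent. The overlap check is the part worth keeping around even after the build: rerun it whenever a new site's DSL gateway is configured, before the tunnel comes up.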

Discuss This Question: 4  Replies

  • Mortree
    Seems like a fair answer above. I will just add that if your static IPs above are public IPs on workstations, you might want to weigh deploying DHCP and private addresses at each site (not necessarily a separate machine). This increases workstation security and allows quicker updates of network changes in DC addresses, etc., for each local site. Remember to turn in any unused static IPs you'll never need again (allow for growth). And a firewall is imperative no matter how small the site... though you might scale the firewall cost and sophistication to the criticality and number of machines at the site. If some of those static IPs are on Internet servers you can still map addresses and forward the appropriate services through a firewall.
  • Mortree
    Oh, and DSL should be plenty fast for DC replication traffic if you are not using some bandwidth-eating application. Hmmm... The one issue I can see is if your company lets (doesn't fire) users play streaming video or music that sucks up all your bandwidth, you can have DC replication traffic delays. So account updates, GPO changes and such might be slow to propagate (worst case, completes after they go home). The same can be true if an application sometimes hogs all the bandwidth for extended times. So you might want to look at firewalls (even bottom-end NetGear stuff) that support traffic shaping or priority, etc. Or policies to block streaming traffic (by time?). Something that supports reserving bandwidth for DCs periodically.
  • Mortree
    What the heck. It probably isn't a bandwidth problem. And if you do have a problem you have two easy approaches. #1 Set things up to send all traffic down the VPN tunnel to your central site. There you have the only true Internet routing gateway and can easily administer allowed traffic. Some single point of failure issues here. #2 Set each problem site up with two DSL links. One devoted to internal company traffic and one for general Internet. #3 Set up Webtrends and start firing people based on excess Internet bandwidth to their workstation.