AD site planning

Hi,

I have been asked to set up a remote office in Dubai, as my company is expanding there.

There are going to be 4/5 users in a small office, which will need email, domain login, shares etc.

Basically I think I have two options:

A) Buy SBS 2008, and let them host their own mail, and be entirely independent from us, although part of the same AD forest.

However the ISP in Dubai is a bit backwards and won't let us have a fixed IP address, even though the DSL connection is about 5 grand a year. This will make it a pain to host mail, unless I subscribe their Hub Transport server back to our Exchange Edge server back in the UK over VPN.

B) Buy 2003, make them a separate domain, however part of the same AD forest. Collect email over VPN, Exchange stays hosted in the UK where we have a stable connection. Obviously this will make them entirely dependent on the VPN being up, so that Exchange can function correctly.

I plan to place Riverbed Steelhead WAN optimizers at both ends to make the connection really compressed and efficient.

Would it be best to make the remote office a child domain of the UK domain, or is a new top level domain but part of the same forest fine?

Would be preferable to us to make a new top level domain.

Also is this fine for Exchange licensing, as long as I buy the required amount of user CALs?

I take it Exchange is fine working cross domain, when the user objects are located in a domain that does not have any Exchange roles installed and just clients?


Cheers for any input :)
 
SBS for your needs is a no-no really. It doesn't support multiple domains or domain trusts and HAS to hold the FSMO and other core AD server roles.
 
Ah, OK, so I guess SBS is out of the question then.

I need to decide whether to install Exchange Hub/CAS on their server or let them come across the VPN for everything.
 
Is there any way to cache users logon credentials on the domain that's hosting Exchange?

The user objects will actually be in a different domain to Exchange, and if the domain controller is down because of the VPN link, Exchange won't be able to authenticate them.
 
Or use webmail (OWA) if you have Exchange 2007; even 2003 is pretty workable on IE (not on other browsers, where you only get OWA Lite).
 
Yes, was planning to use this. However one thing I'm worried about is if the VPN goes down, Exchange will not be able to contact their DC to authenticate them.
 
That all depends how you plan on setting up AD. If it's one domain with their office just being another site (simpler IMO, which is the way I like it), then you don't need to worry as Exchange will authenticate with its local DC. If you really want 2 domains, maybe set up a small DC for their domain at your end of the link for those times that the VPN is down.
 
Depends on the size of the domain, but I can't imagine a problem with another site in the same domain.

Single server running ESXi with a DC, file server and exchange server.

If they have a separate external domain you could look at using the DNS host's mail and either a POP connector for Exchange or using dynamic DNS.
 
Keep it simple. Unless you're faced with a compelling argument against doing so (which would more than likely be political and not technical), extend your current domain to them and install a DC on their site. Do the Steelhead boxes allow you to install an OS also and run a server? (Excuse the ignorance, I've not worked with them before.)
 
I agree. No need for another domain really. Keep them in your domain and add them as a separate AD site. Put a DC and FS onsite for local authentication and storage. Use Outlook in cached mode so if the VPN goes down they still have access to all their existing emails.
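
The "same domain, separate AD site" layout suggested in the replies above, sketched as an added example (not part of any poster's message). It assumes a current ActiveDirectory PowerShell module; the site name, subnet and site-link values are constructed placeholders, not values from the thread.

```powershell
# Added example: define a branch-office AD site in the existing domain so that
# branch clients locate the on-site DC and keep authenticating when the VPN drops.
# All names and addresses below are assumed placeholders.
Import-Module ActiveDirectory

$branchSite = 'Dubai'                     # assumed site name
$hubSite    = 'Default-First-Site-Name'   # assumed name of the existing UK site
$branchNet  = '10.50.0.0/24'              # assumed branch LAN subnet

# 1. Create the site object for the remote office.
New-ADReplicationSite -Name $branchSite -Description 'Remote office over VPN'

# 2. Map the branch subnet to the site; clients pick their site (and DC) from this.
New-ADReplicationSubnet -Name $branchNet -Site $branchSite -Location 'Dubai'

# 3. Link the branch to the hub with a higher cost and a relaxed schedule,
#    since replication crosses the VPN/DSL line.
New-ADReplicationSiteLink -Name 'UK-Dubai' `
    -SitesIncluded $hubSite, $branchSite `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# 4. After the branch DC has been promoted into the site, confirm it is
#    registered there and whether it is a global catalog.
Get-ADDomainController -Filter "Site -eq '$branchSite'" |
    Select-Object Name, Site, IsGlobalCatalog, IsReadOnly

# 5. On a branch workstation, confirm the client resolves to the branch site.
nltest /dsgetsite
```

If step 5 on a branch PC returns the UK site name, the subnet mapping is missing or wrong and logons will still cross the VPN.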
 
It may be the best solution then to keep them in our AD.

It just seems logically wrong to me because our domain is company.co.uk, which spans across two UK offices, and the DNS has been split-brained so that the website is just www.company.co.uk, emails are [email protected] etc.

The Dubai office is going to be using @company.ae for their email addresses, so I was planning to make their domain called company.ae, like I have done for the UK operations.

Guess this makes more sense structurally but technically it will be less reliable for them to do it this way and host their email from the .co.uk domain.
 
You can always register the .ae domain and use it for external emails - it doesn't matter that the internal domain is different.
 
As said above, external domain name and AD domain name have no relation. They can be the same or different. We have over 50 domain names in use in our Exchange system.
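
The separation of mail domain and AD domain described in the two replies above, as an added example (not part of any poster's message) for the Exchange Management Shell on Exchange 2007 or later. It assumes Dubai mailboxes are identified by the Office attribute being set to "Dubai"; the policy and accepted-domain names are constructed.

```powershell
# Added example: accept mail for company.ae on the UK Exchange organisation and
# stamp Dubai users with @company.ae addresses, while their accounts stay in the
# existing AD domain. Object names and the Office filter are assumptions.

# 1. Tell Exchange it is authoritative for the second SMTP namespace.
New-AcceptedDomain -Name 'Dubai mail domain' `
    -DomainName 'company.ae' `
    -DomainType Authoritative

# 2. Address policy that applies only to mailboxes whose Office is "Dubai".
#    %g = given name, %s = surname.
New-EmailAddressPolicy -Name 'Dubai users' `
    -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (Office -eq 'Dubai'))" `
    -EnabledPrimarySMTPAddressTemplate 'SMTP:%g.%s@company.ae'

# 3. Apply the policy to existing recipients.
Update-EmailAddressPolicy -Identity 'Dubai users'

# 4. Verify: the primary SMTP address is in company.ae while the logon name
#    (UPN) still belongs to the internal AD domain.
Get-Mailbox -Filter "Office -eq 'Dubai'" |
    Select-Object Name, PrimarySmtpAddress, UserPrincipalName

# 5. Review every namespace the organisation accepts mail for.
Get-AcceptedDomain | Select-Object Name, DomainName, DomainType
```

Public MX records for company.ae still have to point at the UK mail gateway for inbound delivery; that part is DNS, not Exchange.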
 
As someone else has said, give them Outlook Anywhere and host their mail at the main office.

The simplest option by far, and when it's thousands of miles away simple is what you really need.

So much so, I'd really look very carefully at their file serving requirements to assess if they even need a server there at all. I've seen more than 5 people authenticate over ADSL to a remote DC and it's really not that bad. Depends on how much you trust the connection.

If you do keep data out there, investigate replication of it back to head office too, and just incorporate it into your backup scheme. Often getting remote people to swap tapes etc is less reliable than foreign ISPs, and tape drives can and do go wrong.
 
Outlook Anywhere plus RDP into a TS server in the UK. If you set it up right using TS-2008 it looks just like everything is running locally (Excel can open up in its own window etc).
 
I would have thought terminal services would have been the best option for this, no need to have anything other than PCs/thin clients in the remote office. Either open up RDP connections through the firewall to let them connect or do it over the VPN connection you have been looking at setting up.
 