I recently started working as a network admin for a company that has 2 locations, and we use a VPN to connect them. We need to set up an Active Directory and Exchange Server at the second location to be fully integrated with the first. I already created and tested a new server with a new forest/domain. My question is, what is the best way to do this? Keeping in mind that we need to keep VPN traffic to a minimum, we need all AD actions to remain local, and only if we need to access information on the other domain, then we need to go through the VPN. So is it best to go with a single forest or 2 forests and set trusts between the domains? Keep in mind that we also need to fully integrate the 2 Exchange servers with each other and with both AD domains.

arazvan

2 Answers

8

I think you're thinking this through too much. As long as it's the same company in both locations and you don't have some other reason to create a second domain in the forest, why not just install a second DC, bound to the same domain?

In AD, you can create sites and, within each site, list which subnets are present and then also which domain controllers are in which site. That way, clients in each site will automatically try to contact the DC in their site first, and if that's not available, they'll fail over to the DC in the other site.

Additionally, you can easily control AD's replication behavior. If you only need the two DCs to sync nightly, then you can configure that. That said, replication traffic is typically very small and would likely comprise only a small portion of your VPN traffic.

EEAA
  • +1 We use this for a number of sites and traffic is low. It also means users will have a DC locally in case the VPN goes down – Dave M Feb 09 '12 at 15:29
0

Unless there were a second set of administrators at the second site, I would simply set the whole system up as one domain and create a site for each location. Assign the computers to the proper sites, and all authentication and related traffic should stay at the local site unless there are problems with the DC at the local site.

With Exchange, just have two different servers, one for each site, and assign users to the server at their site.

Glenn Sullivan
  • We have administrators at the other site, and we would like to keep administrative tasks split. So that's why I'm looking for a solution with 2 domains which keeps VPN traffic to a minimum and keeps the data separate. – arazvan Feb 09 '12 at 14:54
  • Also we need to keep the first system pretty much untouched. – arazvan Feb 09 '12 at 14:57
  • @arazvan, that doesn't seem like a valid reason to implement multiple domains to me. I remember from the AD training courses I did many years ago, that you should avoid creating multiple domains unless you absolutely must. You can use delegation to do what you are wanting to achieve with a single domain. – Bryan Feb 10 '12 at 08:40
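Both answers describe the same design: one domain, one site per location, subnets mapped to sites, a DC in each site, and a throttled site link over the VPN. The script below is an added example (not code from either answer or from the question) that builds exactly that with the ActiveDirectory PowerShell module (Windows Server 2012 and later; the 2012-era question predates these cmdlets). All site names, subnets and DC hostnames are constructed placeholders; substitute your own.

```powershell
# Added example: one domain, two AD sites, subnets mapped to sites, DCs placed
# per site, and a site link that limits inter-site replication to an
# overnight window over the VPN. Requires the RSAT ActiveDirectory module and
# Domain Admin / Enterprise Admin rights. All names below are constructed.
Import-Module ActiveDirectory -ErrorAction Stop

$HQSite      = 'HQ'              # assumed site name for location 1
$BranchSite  = 'Branch'          # assumed site name for location 2
$HQSubnets   = @('10.1.0.0/24')  # constructed: subnets at HQ
$BrSubnets   = @('10.2.0.0/24')  # constructed: subnets at the branch
$HQDC        = 'DC1'             # constructed: existing DC at HQ
$BranchDC    = 'DC2'             # constructed: new DC at the branch

# 1. Create the sites (the branch site is new; HQ may already exist as
#    Default-First-Site-Name, in which case rename or reuse it instead).
foreach ($site in $HQSite, $BranchSite) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. Map each location's subnets to its site. Clients pick their site by
#    matching their IP against these subnets, so a workstation at the branch
#    authenticates against the branch DC and only crosses the VPN if it is down.
foreach ($s in $HQSubnets) { New-ADReplicationSubnet -Name $s -Site $HQSite }
foreach ($s in $BrSubnets) { New-ADReplicationSubnet -Name $s -Site $BranchSite }

# 3. Put each DC in its own site. A DC is automatically placed in a site
#    during promotion only if its IP already matches a subnet; otherwise move it.
Move-ADDirectoryServer -Identity $HQDC     -Site $HQSite
Move-ADDirectoryServer -Identity $BranchDC -Site $BranchSite

# 4. Site link over the VPN: replicate every 3 hours, but only inside a
#    00:00-06:00 window so daytime VPN bandwidth is left for users.
$link = 'HQ-Branch'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
    New-ADReplicationSiteLink -Name $link `
        -SitesIncluded $HQSite, $BranchSite `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 180 `
        -InterSiteTransportProtocol IP
}
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Zero,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Six,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
Set-ADReplicationSiteLink -Identity $link -ReplicationSchedule $schedule

# 5. Checks a practitioner should run before trusting the design:
#    - the DC locator returns the branch DC for the branch site
Get-ADDomainController -Discover -SiteName $BranchSite | Select-Object HostName, Site
#    - replication partners and last-success times for the branch DC
repadmin /showrepl $BranchDC
#    - on a branch workstation: "nltest /dsgetsite" should print the branch site
#      and "nltest /dsgetdc:<domain>" should name the branch DC.
```

Two design notes. The site link schedule is what actually bounds VPN usage; `ReplicationFrequencyInMinutes` only sets the polling interval inside the allowed window, and urgent changes (account lockouts, password changes to the PDC emulator) still replicate outside it. Second, the concern raised in the comments about separate administrators is addressed in the same single-domain model by putting each location's users and computers in their own OU and delegating control of that OU with `Set-ACL` or the Delegation of Control wizard, rather than by a second domain.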