Domain Controller in remote Site to SBS 2003 Site Link

Domain Controller in remote Site to SBS 2003 Site Link - 12.Nov.2008 9:50:20 AM   
kyleheath

 

Posts: 35
Joined: 3.Aug.2005
From: UK
Status: offline
I need to have a domain controller in a branch office so that users can authenticate locally. I have an SBS 2003 with ISA 2004 at the main site and I have set up a PPTP VPN from a Draytek Vigor 2800 Router at the branch office in a site-to-site VPN to the main office.

The VPN works fine and branch clients can ping the SBS Server and a Terminal Server at the main site.

The clients and Terminal Server at the main site can ping the router and clients at the branch site.

The issue I have is that the SBS Server cannot communicate with the clients at the branch site, so I cannot replicate the domain controller to the branch site. If I ping from the SBS to the branch office server I have a request timed out; a pathping shows that the packet reaches the router at the branch office, but I can ping nothing behind it.

Is this because the VPN is from the internal network to the branch network and when I try to communicate from the SBS Server this uses the external IP of the SBS Server when trying to communicate over the VPN and this is not part of the VPN?

My thinking is that because ISA Server is part of SBS Server and I have my PDC Domain Controller on the end point of the VPN, I will not be able to terminate my VPN into the ISA Server and still be able to access the resources on it?

Thanks

kyle
Post #: 1
RE: Domain Controller in remote Site to SBS 2003 Site Link - 12.Nov.2008 10:59:08 AM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
Hi Kyle,

Do you have a persistent static route (using the route command) on the SBS/ISA defined to the Branch office network?

Make sure you have also defined and added the Branch network to the ISA's Internal network object networks IP definition.

quote:


My thinking is that because ISA Server is part of SBS Server and I have my PDC Domain Controller on the end point of the VPN, I will not be able to terminate my VPN into the ISA Server and still be able to access the resources on it?


If you're adding a Branch Office Domain Controller you do know that you have to define and add it as a new site in Active Directory Sites and Services? If not, you'll be authenticating across your VPN! Make sure you configure it as a GC as well. Subnets will also need to be defined.

HTH

RB


_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to kyleheath)
Post #: 2
RE: Domain Controller in remote Site to SBS 2003 Site Link - 12.Nov.2008 11:09:53 AM   
kyleheath

 

Posts: 35
Joined: 3.Aug.2005
From: UK
Status: offline
I have the branch office as a Remote Network in ISA Server so I cannot add its subnet to the Internal Network Range. If I added a persistent route on the ISA Server to the branch office what would I add as the gateway, the IP address used by the remote network when it connects in?

I have the AD S&S set up at the branch office with the correct subnets and sites. The reason for this domain controller is that users are authenticating over the VPN and this is causing speed issues and problems with DNS lookups. I want DNS and AD at the branch office so I can remove this issue.

Is the problem here not that SBS Server, because it has ISA Server on a Domain Controller, breaks with best practice and means I may not be able to do what I want without either a hardware endpoint at the main office or another Domain Controller at the main site that is "behind" the ISA Server?

(in reply to Rotorblade)
Post #: 3
RE: Domain Controller in remote Site to SBS 2003 Site Link - 12.Nov.2008 2:17:46 PM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
quote:


I have the branch office as a Remote Network in ISA Server


Please clarify remote network in ISA? You mean you have defined the Branch Office as a separate network object in ISA? How many NICs do you have installed and is the remote network (Branch Office) on a separate NIC? What other networks are defined in ISA?

quote:


if I added a persistent route on the ISA Server to the branch office what would I add as the gateway, the IP address used by the remote network when it connects in?


Well that would depend on a possible network object misconfiguration with ISA mentioned above. From your description you're using a VPN\Router so is the router behind ISA in parallel or in front of ISA; accessing through the ISA's external NIC?

quote:


Is the problem here not that SBS Server, because it has ISA Server on a Domain Controller, breaks with best practice and means I may not be able to do what I want without either a hardware endpoint at the main office or another Domain Controller at the main site that is "behind" the ISA Server?


Well I'm not a big fan of the SBS concept anyway and especially when it comes to ISA being installed on the same box. But technically speaking, your SBS DC is behind the ISA firewall not in front as you think. The ISA system policy has SBS specific rules for that purpose.

If the VPN router is in front of ISA then I bet the issue is that you have misconfigured the Networks in ISA; issue being 99.9% of the time the absence of a network interface card to bind the associated defined network object to.

quote:


I have the AD S&S set up at the branch office with the correct subnets and sites. The reason for this domain controller is that users are authenticating over the VPN and this is causing speed issues and problems with DNS lookups. I want DNS and AD at the branch office so I can remove this issue.


Yep, I would agree on that.

Yes, the best thing you could do security-wise is get the DC off the Firewall!


_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to kyleheath)
Post #: 4
