win 2008 branch office DC

Hello,

I want to set up a branch windows 2008 connection. Mainly as lab work though.

I have a test win 2008 at one lab, which is the main office
I want to set the second DC at my other lab just 20 mins down the road. This will be again another win 2008 DC

As far as I know this is the steps.

1. create VPN link first

- I checked on the router at the main site and it has a Netgear router, which allows you to create a VPN Policy.
- The other site has a cisco router which allows for an Ipsec policy.

2. Create new subnets and assign them to a the appropriate sites

- The main site has a static ip and is 192.168.1.36/24
- The branch site will be sitting on a lan that will probably be 192.168.1.52/24

3. make sure that needed ports for AD replication are opended

UDP 389
TCP 389

LDAP 389

636 (Secure Sockets Layer [SSL])

LDAP

3268 (global catalog)

Kerberos 88

DNS 53
SMB over IP 445

4. Set up the second DC, go to DNS and create reverse lookup zones
Point the first DNS on the second DC to itself and then alternative to the primary DC (labtest.com)
Install Remote desktop connection on the Second DC

- I was thinking would it be easier to configure the 2nd DC at the main office first, then ship it? I want it to be on the existing Domain, with the same domain name (peer domain or additional DC) e.g. labtest.com

- Or would it be best to set it as a member server, then ship to my other test lab and then remote to it and dcpromo?

5. Setup the new DC as a GC and wait for replication.

Am I missing anything? I could go for an RODC on the branch lab, but I am going to decomission the thing, so security is not going to be a problem, I am mainly just doing this for test purposes.

Also, do I need to set up any trusts?

Sorry for asking so many questions in one go. Hope someone out there can help.

Thanks in advance.

Your two sites, on either side of the IPSEC tunnel, appear to be on the same IP range. For ease of configuration I would probably change one of the ranges to a different subnet/ip range. It will just help you to avoid any strange routing issues or any further complex config work.

You can always configure your IPSEC policy to pass all traffic between the subnets or just the IP's of the two DC's. You then don't need to worry about restricting/opening ports so much... unless its of a particular security concern for you.

I would suggest running DCPROMO etc whilst the server is on site with you, that way you can make sure your replication is working correctly and concentrate on any potential routing issues once its on the remote site. You don't need trusts because your already on the same domain. Sounds like you have the basic idea of what needs to be done though, hope this helps a bit! Don't forget if you do configure it locally first, you would then need to change IP address once on the remote site and update any DNS/WINS addresses etc for this server.

Thanks very much for getting back to me.

I am going to try set up VPN on the routers and see how they perform. Was told that its easier to get sonicwall or XTM devices or even using CISCO SRP at both ends to negotiate site to site VPNs.

You have given a lot for me to go on. Lets see how things go.

Out of curiosity, is the router at the branch site an actual Cisco router, or is it a Cisco Small Business (aka Linksys) router? I have set up a VPN between a Netgear and a Cisco Small Business router and it was pretty simple.