From: Nippoo on 20 Feb 2010 20:49

We have a small (residential) business which runs an AD with three or so users, and a single Server 2008 R2 Exchange 2010 / AD server (say, 192.168.0.2/255.255.255.0, public IP 123.123.123.123/255.255.255.248) running onsite. We're often away from the office (sometimes we're all abroad at the same time with nobody at the address) so, in the interests of redundancy and always being able to access email, we have bought a second server hosted in a datacenter nearby (say, 124.124.124.124/255.255.255.0) which will also be an AD and Exchange server (both CAS and mailbox servers with the mailbox database in a Database Availability Group - hope this will work!).

What I'd like to do is figure out a way of joining the domain and keeping all traffic flowing between the two networks encrypted by VPN tunnel or similar. (I wouldn't mind it going over the public network, but it's probably too insecure.) How would I go about creating a VPN tunnel between the two in WS2008R2? What routing parameters would I use? Given that there's no similar private subnet on the colocated server (it only has a single IP allocated to it, though I don't mind routing the entire 124.124.124.* subnet through the VPN; it's so unlikely I'll ever need to contact any other server on the same subnet) - do I need to create a 'ghost private subnet' of 192.168.1.* or something?

I'm a little lost, and would love advice on what to do.

N

From: Ace Fekay [MVP-DS, MCT] on 21 Feb 2010 03:14

For something like this, you would want SCR.

Site Resilience Configurations: Exchange 2007, Oct 29, 2007
http://technet.microsoft.com/en-us/library/bb201662(EXCHG.80).aspx

SCR (Standby Continuous Replication)
http://www.n2networksolutions.com/blog/?p=477

You would have to establish a tunnel first to the colo. Then install and promote a machine to a DC/GC. Then install Exchange 2007 on a separate machine, then establish the SCR.

And I recommend to NOT install Exchange on a DC. It is not a recommended config, and each entity causes issues with the other. Read more on this issue:

==================================================================
Exchange on a DC and performance issues:

If Exchange is on a DC, no need telling you that if you search on it, you will find numerous topics by many engineers (including Microsoft) stating Exchange is not recommended to be installed on a domain controller. Exchange's database transactional logging system is different than AD's. Once a machine is promoted to a DC, it disables the write-behind cache function on the controller. Exchange needs this; however, it's done to allow AD's database system to work properly. A huge drawback of this scenario is that it can cause Exchange to lose emails during certain scenarios, and with the write-behind cache disabled, it drastically reduces performance on the machine.

Exchange, by default, will also consume all memory resources (for example, the store.exe process) and will drag down the OS it is installed on. If the OS is a DC, it will hinder DC processes, such as the DC's Lsass.exe process. This *may* result in other issues, possibly with replication.

Read more on it:
This Exchange server is also a domain controller, which is not a recommended configuration
http://technet.microsoft.com/en-us/library/aa997407.aspx
==================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

From: Ed Crowley [MVP] on 21 Feb 2010 12:01

Before deploying SCR, you will certainly want to spend the time reading up about it and understanding what it is and what it is not.

--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

From: Ace Fekay [MVP-DS, MCT] on 21 Feb 2010 13:15

"Ed Crowley [MVP]" <curspice(a)nospam.net> wrote in message news:ej4iEexsKHA.5940(a)TK2MSFTNGP02.phx.gbl...
> Before deploying SCR, you will certainly want to spend the time reading up
> about it and understanding what it is and what it is not.
> --
> Ed Crowley MVP
> "There are seldom good technological solutions to behavioral problems."

Good point. :-)

I believe it's worth adding: also study up on AD replication and its implications, as well.

Ace

From: Nippoo on 21 Feb 2010 18:02

What other options do I have apart from installing Exchange on a DC? Unless I buy two new servers...

Exchange 2010, by the way. I don't have any option for SCR, I don't think?

N