Planning Active Directory Integration
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Integrating a remote site connection into an Active Directory–based network requires decisions about the following tasks:
Put a domain controller at the branch office.
Use one domain to include geographically remote sites.
Use scheduled replication or reciprocal replication.
Join demand-dial routers to the Active Directory domain.
Putting a Domain Controller at the Branch Office
If you deploy a persistent site-to-site connection between a branch office and a main office, you might not need a domain controller at the branch office. Branch office users can access a domain controller in the main office when they log on to their computers or use other Active Directory services.
For an on-demand connection, install a domain controller at the branch office. Otherwise every logon, Group Policy refresh, and directory lookup from the branch either forces the link to dial or fails while the link is down.
Using One Domain to Include Geographically Remote Sites
You can include a main office and a branch office in one Active Directory domain. However, the two offices must use different IP address ranges and must belong to separate Active Directory sites. Create a separate site for the branch office, then create a subnet object (a child of the Subnets container in Active Directory Sites and Services) that carries the branch office's network ID and subnet mask, and associate that subnet with the branch site. The domain controller locator maps a client's IP address through this subnet-to-site association, which is how branch users are directed to a domain controller in their own site rather than across the site-to-site connection.
For more information about deploying Active Directory, see "Deploy Active Directory" later in this chapter.
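The following PowerShell script is an added example, not part of the original guide, showing the site and subnet work the preceding paragraph describes. It uses the System.DirectoryServices API (the `[ADSI]` accelerator) rather than the Active Directory module, so it can be run against a Windows Server 2003 domain from any domain-joined Windows host with PowerShell, by a member of Enterprise Admins (writes to the Configuration partition). Before creating anything it checks that the branch range does not overlap a subnet already defined for any site, which is the "must not share the same address space" requirement made concrete. The site name and address range are constructed values; replace them with your own.

```powershell
# Added example (not part of the original document): create a branch office site and
# its subnet object, refusing to proceed if the range overlaps an existing subnet.
# Constructed values; substitute your own site name and branch address range.
$SiteName   = "Branch-Office"
$BranchCidr = "10.2.0.0/16"

function ConvertTo-UInt32Address([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                       # network order -> host order for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-SubnetOverlap([string]$CidrA, [string]$CidrB) {
    # Two IPv4 prefixes overlap when they agree on all bits of the shorter prefix.
    $netA, $lenA = $CidrA.Split('/')
    $netB, $lenB = $CidrB.Split('/')
    $shorter  = [Math]::Min([int]$lenA, [int]$lenB)
    $hostBits = [Math]::Pow(2, 32 - $shorter) - 1    # e.g. /16 -> 65535
    $mask     = [uint32](4294967295 - $hostBits)     # e.g. /16 -> 0xFFFF0000
    return ((ConvertTo-UInt32Address $netA) -band $mask) -eq ((ConvertTo-UInt32Address $netB) -band $mask)
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.Properties["configurationNamingContext"].Value
$sitesDn  = "CN=Sites,$configNc"
$subnets  = [ADSI]"LDAP://CN=Subnets,$sitesDn"

# 1. The branch must not share address space with any subnet that is already defined.
foreach ($existing in $subnets.Children) {
    $cidr = $existing.Properties["cn"].Value
    if ($cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { continue }   # ignore non-IPv4 entries
    if (Test-SubnetOverlap $cidr $BranchCidr) {
        $owner = $existing.Properties["siteObject"].Value
        throw "Branch range $BranchCidr overlaps existing subnet $cidr (siteObject=$owner)"
    }
}

# 2. Create the site object plus the two child objects every site needs.
$sites = [ADSI]"LDAP://$sitesDn"
$site  = $sites.Children.Add("CN=$SiteName", "site")
$site.CommitChanges()
$site.Children.Add("CN=Servers", "serversContainer").CommitChanges()
$site.Children.Add("CN=NTDS Site Settings", "nTDSSiteSettings").CommitChanges()

# 3. Create the subnet object and associate it with the new site. The DC locator
#    maps a client's IP address through this object to its site, so branch users
#    find the branch domain controller instead of authenticating across the WAN.
$subnet = $subnets.Children.Add("CN=$BranchCidr", "subnet")
$subnet.Properties["siteObject"].Value = "CN=$SiteName,$sitesDn"
$subnet.CommitChanges()

# 4. Read the association back to confirm the subnet now points at the branch site.
$created = $subnets.Children | Where-Object { $_.Properties["cn"].Value -eq $BranchCidr }
"{0} -> {1}" -f $created.Properties["cn"].Value, $created.Properties["siteObject"].Value
```

Once the branch domain controller has been moved into the new site, `nltest /dsgetsite` on a branch workstation should report the branch site name; if it still reports the main office site, the workstation's address is not covered by the subnet object you created.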
Using Scheduled Replication or Reciprocal Replication
Typically, domain controllers have a constantly available connection so that all domain controllers obtain a steady flow of updated directory information. If you have domain controllers in sites that are connected by a site-to-site connection, you must ensure that replication across that connection still takes place. Directory updates can be exchanged through a site-to-site connection in one of two ways:
Scheduled replication. On a persistent site-to-site connection, you can schedule replication to take place at specified intervals, using the schedule and replication interval configured on the site link that joins the two sites.
Reciprocal replication. For a one-way initiated on-demand connection, in which no constantly available connection exists between domain controllers in the two sites, enable reciprocal replication (the two-way sync option). With reciprocal replication, both directions are served in a single session: after the domain controller that brought up the connection pulls changes from its partner, it prompts the partner to pull changes back, and the connection is closed when both have finished. This makes the most of each connection while minimizing connection time and eliminating the timeout errors that occur when the main site domain controller requests changes from the branch site domain controller while the connection is down. You can configure reciprocal replication on a site link or on a connection object.
For more information, see "Configure Replication for Active Directory" later in this chapter.
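The following PowerShell script is an added example, not part of the original guide, that shows both replication modes from the list above on a real site link object: it creates a site link between the main and branch sites, writes an explicit replication schedule and interval (scheduled replication), and sets the two-way sync bit in the link's `options` attribute when the link is a one-way initiated on-demand connection (reciprocal replication). The option bit values are the NTDSSITELINK_OPT_* flags documented by Microsoft for the `siteLink` class; the 188-byte layout of the `schedule` attribute follows the SCHEDULE structure (header, one interval schedule, 7 × 24 hour bytes whose low four bits are 15-minute slots, expressed in UTC). Link name, site names, interval and window are constructed values.

```powershell
# Added example (not part of the original document): create a site link with an explicit
# replication schedule and interval, and enable reciprocal replication for an on-demand link.
# Constructed values; substitute your own names and times.
$LinkName     = "Main-Branch"
$MainSite     = "Default-First-Site-Name"
$BranchSite   = "Branch-Office"
$IntervalMin  = 60       # replInterval: minutes between attempts inside the schedule window (default 180)
$OnDemandLink = $true    # one-way initiated dial-up link -> reciprocal replication

# Bits of the siteLink 'options' attribute (NTDSSITELINK_OPT_* in Microsoft's schema documentation).
$OPT_USE_NOTIFY  = 0x1   # change notification across the link
$OPT_TWOWAY_SYNC = 0x2   # reciprocal replication (two-way sync)

function New-ReplicationSchedule([int]$StartHourUtc, [int]$EndHourUtc) {
    # Builds the 188-byte SCHEDULE blob stored in the 'schedule' attribute: a 12-byte header,
    # one SCHEDULE_HEADER (type 0 = interval, data offset 20), then 168 bytes, one per hour
    # starting Sunday 00:00 UTC, whose low 4 bits are the four 15-minute slots of that hour
    # (0x0F = replication allowed during the whole hour). A missing attribute means "always".
    $blob = New-Object byte[] 188
    [BitConverter]::GetBytes([int]188).CopyTo($blob, 0)   # Size
    [BitConverter]::GetBytes([int]0).CopyTo($blob, 4)     # Bandwidth (unused)
    [BitConverter]::GetBytes([int]1).CopyTo($blob, 8)     # NumberOfSchedules
    [BitConverter]::GetBytes([int]0).CopyTo($blob, 12)    # Type = SCHEDULE_INTERVAL
    [BitConverter]::GetBytes([int]20).CopyTo($blob, 16)   # Offset of the interval data
    for ($day = 0; $day -lt 7; $day++) {
        for ($hour = 0; $hour -lt 24; $hour++) {
            if ($StartHourUtc -le $EndHourUtc) { $open = ($hour -ge $StartHourUtc -and $hour -lt $EndHourUtc) }
            else { $open = ($hour -ge $StartHourUtc -or $hour -lt $EndHourUtc) }   # window wraps midnight
            if ($open) { $blob[20 + $day * 24 + $hour] = 0x0F }
        }
    }
    return $blob
}

function Get-SiteLinkReplicationMode($Link) {
    # Decodes how an existing site link replicates; an 'options' attribute that was never set reads as 0.
    $opts   = [int]($Link.Properties["options"].Value)
    $mode   = if ($opts -band $OPT_TWOWAY_SYNC) { "reciprocal (two-way sync)" } else { "scheduled" }
    $notify = [bool]($opts -band $OPT_USE_NOTIFY)
    return ("{0}: {1}, replInterval={2} min, notify={3}" -f $Link.Properties["cn"].Value, $mode, $Link.Properties["replInterval"].Value, $notify)
}

$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.Properties["configurationNamingContext"].Value
$sitesDn   = "CN=Sites,$configNc"
$transport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,$sitesDn"

$link = $transport.Children.Add("CN=$LinkName", "siteLink")
[void]$link.Properties["siteList"].Add("CN=$MainSite,$sitesDn")
[void]$link.Properties["siteList"].Add("CN=$BranchSite,$sitesDn")
$link.Properties["cost"].Value         = 100
$link.Properties["replInterval"].Value = $IntervalMin
$link.Properties["schedule"].Value     = New-ReplicationSchedule 22 4   # 22:00-04:00 UTC, every day
if ($OnDemandLink) { $link.Properties["options"].Value = $OPT_TWOWAY_SYNC }
$link.CommitChanges()

# Review every link on the IP transport so the new one can be compared with the rest.
foreach ($l in $transport.Children) { Get-SiteLinkReplicationMode $l }
```

The KCC builds connection objects from this link on its next run; a connection object you create by hand instead carries the same two-way sync meaning in its own `options` attribute (NTDSCONN_OPT_TWOWAY_SYNC, also 0x2). Confirm the result on the branch domain controller with `repadmin /showrepl`, which lists the inbound partners and the time of the last successful replication over the link.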
Joining Demand-Dial Routers to the Active Directory Domain
In an Active Directory domain, whether to join a demand-dial router computer to the domain depends on the following factors:
If your answering router uses Active Directory user accounts to authenticate and authorize a calling router, you must join the answering and calling routers to the domain.
If you use EAP-TLS user authentication with Windows as the authentication provider, you must join the answering router (which is the authenticating server) to the Active Directory domain. If you use EAP-TLS user authentication with RADIUS as the authentication provider, you must join the IAS server (which is the authenticating server) to the Active Directory domain. With RADIUS authentication, the answering router does not need to be joined to the domain. (Use Windows authentication for a site-to-site only connection. You might use RADIUS authentication for a site-to-site connection if the answering router also supports remote access users.)
If you use L2TP/IPSec with computer certificates, the demand-dial routers are not required to join the Active Directory domain. However, the Windows Server 2003 PKI uses Active Directory, if it is installed, to store certificates, certificate revocation lists, and delta certificate revocation lists and to publish root CA certificates and cross-certificates. Using Active Directory makes this information easy to locate from anywhere on the network. (If you use L2TP/IPSec with preshared keys, you are likewise not required to join the VPN routers to the Active Directory domain. A preshared key is a single shared secret rather than a per-computer credential, however, so prefer computer certificates wherever a PKI is available.)
For more information about planning and deploying Active Directory for an organization with multiple branch office sites, see the Active Directory Branch Office Planning Guide link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
For more information about deploying Active Directory domains and sites and Active Directory replication between sites, see "Designing the Site Topology" in Designing and Deploying Directory and Security Services of this kit.