Plan Active Directory Integration

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

Integrating a remote site connection into an Active Directory–based network requires you to decide which choices you want to make about the following tasks:

If you deploy a persistent site-to-site connection between a branch office and a main office, you might not need a domain controller at the branch office. Branch office users can access a domain controller in the main office when they log on to their computers or use other Active Directory services.

For an on-demand connection, install a domain controller at the remote site.

You can include a main office and a branch office in a single Active Directory domain. However, geographically remote sites must not share the same IP address space and must have separately defined Active Directory sites. You must create a separate Active Directory site for the branch office and create a child object for the branch office, providing the appropriate network ID and subnet mask for the branch office site.

For more information about deploying Active Directory, see Deploy Active Directory in the RRAS Deployment Guide.

Typically, domain controllers have a constantly available connection so that all domain controllers obtain a steady flow of updated directory information. If you have domain controllers in sites that are connected by a site-to-site connection, you must ensure that replication takes place. Directory updates can be exchanged through a site-to-site connection in one of two ways:

  • Scheduled replication. On a persistent site-to-site connection, you can schedule replication to take place at specified intervals.

  • Reciprocal replication. For a one-way initiated on-demand connection in which no constantly available connection exists between domain controllers in the two sites, you must enable reciprocal replication. With reciprocal replication, all replication occurs simultaneously between the domain controllers in the two sites, and the connection is closed when replication is complete. Reciprocal replication maximizes the efficiency of directory information exchange while minimizing connection time, and eliminating timeout errors that can occur if the main site domain controller requests changes from the branch site domain controller when the connection is not available. You can configure reciprocal replication on a site link or on a connection.

For more information, see Configure Replication for Active Directory in the RRAS Deployment Guide.

In an Active Directory domain, you can choose either to join a demand-dial router computer to the domain or not, based on the following factors:

  • If your answering router uses Active Directory user accounts to authenticate and authorize a calling router, you must join the answering and calling routers to the domain.

  • If you use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) user authentication with Windows as the authentication provider, you must join the answering router (which is the authenticating server) to the Active Directory domain. If you use EAP-TLS user authentication with RADIUS as the authentication provider, you must join the authenticating Network Policy Server (NPS) server to the Active Directory domain. With RADIUS authentication, the answering router does not need to be joined to the domain.

    We recommend that you use Windows authentication for a site-to-site only connection. Consider RADIUS authentication for a site-to-site connection if the answering router also supports remote access users.

  • If you use L2TP/IPsec with computer certificates, the demand-dial routers are not required to join the Active Directory domain. However, a public key infrastructure (PKI) can use Active Directory Domain Services (AD DS) to store certificates and certificate revocation lists and to publish root CA certificates and cross-certificates. Using Active Directory makes this information easy to locate from anywhere on the network.

  • If you use L2TP/IPsec with preshared keys, you are not required to join the VPN routers to the Active Directory domain.

    securitySecurity Note
    Because preshared keys are not considered secure, we recommend that you do not use preshared keys in a production environment.

Community Additions