Saturday, June 30, 2012 8:00 PM
Hello,
I want to set up a branch windows 2008 connection. Mainly as lab work though.
I have a test win 2008 at one lab, which is the main office
I want to set the second DC at my other lab just 20 mins down the road. This will be again another win 2008 DC
As far as I know these are the steps.
1. create VPN link first
- I checked on the router at the main site and it has a Netgear router, which allows you to create a VPN Policy. It is an N300 Wireless ADSL2 modem router, Model: DGN2200.
- The other site has a cisco router which allows for an Ipsec policy.
- I was told I need a VPN server, can the role be on my primary DC? Or do I need a separate 2008 VPN server?
Here is the link of how I need to create one -> www.howtonetworking.com/windows/2008vpn3.htm
2. Create new subnets and assign them to the appropriate sites
- The main site has a static ip and is 192.168.1.0/24
- The branch site will be sitting on a lan that will probably be 192.168.2.0/24
So the main question is, when I create the VPN server, I configure this server to use the router's VPN policies? Plus how many VPN servers do I need? One at each site?
Thanks in advance
Saturday, June 30, 2012 11:34 PM
Yes, you need a RRAS router at each site. And no, you cannot use your DC as a router. And these RRAS routers need to be the default gateway for each site.
Setting up a site to site VPN is more complicated than just configuring a RRAS server to accept incoming VPN connections. You need to connect to a specific interface and you need to configure static routes linked to that interface so that the two sites can route between them.
The setup is pretty tedious but it does work. The setup is easier if you use ISA Server rather than RRAS.
Sunday, July 01, 2012 2:39 PM
If you are adhering to best practice in your LAB then you will need a VPN set up in one of the following ways:
1. A VPN appliance or hardware device which takes your internet connection as WAN and delivers to the switch as LAN
2. If you are using your windows server (which I recommend avoiding) you will need 2 NICs, of which one is for WAN and one for LAN
When using 2 NICs, your Server should connect direct to a modem in passive mode and authenticate using PPPOE or whatever relevant means, and the LAN port then can connect to the switch to feed the rest of the LAN.
If you find my information useful, please rate it. :-)
Sunday, July 01, 2012 4:58 PM
Thanks for getting back to me. I've been trawling the net most of the day going through VPN solutions and making the server a VPN is putting me right off. I feel the answer has to lie with the routers themselves. I have a CISCO SRP527W model which has some options for VPN. My question is, can the router act as the VPN server or do I have to configure a windows server to do all the VPN configuration?
On the CISCO router it has all the options of VPN passthrough enabled. These being PPTP, IPSEC and L2TP enabled. Although no site to site IPSEC policies are defined as yet.
So if creating a windows 2008 DC at the other site, do I need to configure VPN on the server or just the cisco router alone?
As far as I know, these are the steps.
1. Set RRAS server (scratch that..use the router?)
2. set up VPN policies on both routers
3. Set up primary DC at HQ
4. Set up an additional DC at HQ
5. Move additional DC to branch site
6. Ping primary DC over VPN
7. Change IP address of secondary DC and wait for replication
Thursday, July 05, 2012 2:03 AM
Moderator
For detailed information about setting up a VPN site-to-site connection, you may refer to the following articles.
Checklist: Implementing a Site-to-Site Connection Design
Deploying VPN Site-to-Site Access
TechNet Community Support
Marked as answer by Aiden_Cao (Microsoft Contingent Staff, Moderator), Wednesday, July 11, 2012 1:30 AM
Thursday, July 05, 2012 3:43 AM
A VPN site to site must be established between two routers which are the default gateway for their site and have a connection to the public Internet. Whether you use RRAS, ISA server or third party routers is up to you. Whatever method you use makes no difference to the way you plan to implement AD sites. They should all work the same way and be transparent to the AD software. All they provide is routing between the subnets so that the two sites appear to be connected by a (slow) IP router.
The rest of your question is AD related, and you would be best served by posting there (just as the VPN bit would have been better posted to a routing forum).
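Steps 2 and 5 to 7 of the poster's list, together with the point in the last reply that the VPN is only routing between the two subnets and is transparent to AD, as an added PowerShell example that is not from any poster in this thread. It assumes a management host with the ActiveDirectory module (RSAT on Windows 8 / Server 2012 or later) sitting on the HQ LAN and a DC reachable over AD Web Services; the site names, the DC name `DC02` and the address `192.168.2.10` are placeholders, while the two subnets are the ones given in the thread.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT on
# Windows 8 / Server 2012 or later) and a DC reachable over AD Web Services.
Import-Module ActiveDirectory

$HqSubnet     = '192.168.1.0/24'   # main site, from the thread
$BranchSubnet = '192.168.2.0/24'   # branch site, from the thread
$BranchDc     = 'DC02'             # placeholder: the extra DC that moves to the branch
$BranchDcIp   = '192.168.2.10'     # constructed: its address after the move

# Step 6: confirm the tunnel routes before touching AD. The VPN router must be the
# default gateway, so the path to the branch has to leave through it, not via the ISP.
function Test-BranchRoute {
    param([string]$RemoteIp)
    $gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object -First 1).NextHop
    Write-Host "Default gateway is $gw; pinging $RemoteIp through it"
    Test-Connection -ComputerName $RemoteIp -Count 2 -Quiet
}

# Steps 2 and 5: one site per subnet plus a site link, so the KCC schedules
# inter-site (compressed, scheduled) replication over the slow VPN instead of
# treating both DCs as if they shared a LAN.
function New-LabSiteTopology {
    $default = Get-ADReplicationSite -Identity 'Default-First-Site-Name' -ErrorAction SilentlyContinue
    if ($default) { Rename-ADObject -Identity $default.DistinguishedName -NewName 'HQ' }
    if (-not (Get-ADReplicationSite -Filter "Name -eq 'Branch'")) {
        New-ADReplicationSite -Name 'Branch'
    }
    # An unmapped subnet leaves DCs and clients in the wrong site, so map both explicitly.
    $map = @( @{ Net = $HqSubnet; Site = 'HQ' }, @{ Net = $BranchSubnet; Site = 'Branch' } )
    foreach ($m in $map) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($m.Net)'")) {
            New-ADReplicationSubnet -Name $m.Net -Site $m.Site
        }
    }
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'HQ-Branch'")) {
        New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ','Branch' -Cost 100 `
            -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Step 7: once the DC has its 192.168.2.x address (run ipconfig /registerdns on it),
# move its server object to the Branch site and check replication actually completes.
function Move-BranchDc {
    Move-ADDirectoryServer -Identity $BranchDc -Site 'Branch'
    repadmin /replsummary
}

if (Test-BranchRoute -RemoteIp $BranchDcIp) { New-LabSiteTopology; Move-BranchDc }
```

If the ping fails, fix the router policies and static routes first; nothing in AD will repair a tunnel that does not route.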