1. Can you have a reliable Internet connection for the VPN?
2. Since each office has over 50 computers, you should not use a workgroup network in each site.
3. I would make a domain network for each site. Create the same username and password for remote access.
For more and other information, go to
http://howtonetworking.com.
Don't send e-mail or reply to me unless you need consulting services. Posting on the MS newsgroup will benefit all readers and you may get more help.
Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on
http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
I recommend Brinkster for web hosting!
"Kevin0Tech" <(E-Mail Removed)> wrote in message news:1162D728-0330-48A3-BC60-(E-Mail Removed)...
I am in a quandary about a requirement to provide server access to mobile networks.

Site A: Our HQ... Static Internet IP, firewall, VPN capabilities. Two Win2k3 DCs on a private network, about a dozen other servers, etc... ~200 client PCs.

Site B: Our mobile unit consists of a satellite for Internet access that is unreliable for VPN traffic... basically it does not work for VPN (IPsec, PPTP). We currently bring the mobile unit (consisting of about 50 PCs and 1 server w/ AD) into our office every few weeks to replicate and sync data. This causes problems due to breaking off one of our DCs when they leave again. I have tried separating them into sites, but there are still problems with the design affecting HQ logon (single subnet), mobile logon, and password changes/workstation additions. SMTP replication may be an option, but would require multi-domain/single forest, and a static IP address on the mobile unit satellite (I think?).

Site C: This is a network that consists of a server and about 25 PCs that only communicates with Site B, never with Site A. Site C maintains a DC that replicates with Site B, then Site B replicates with Site A every few weeks. This also causes problems because this means our server DCs on the mobile networks rarely if ever communicate with the root server. There is no method of communicating Site C with A in the foreseeable future.

One thought I had was to have 2 forests, 2 domains, and no trust, as communication is a problem. Then, I would image my mobile laptops (these systems must communicate with all sites) to dual-boot Windows XP, with each OS joined to a different domain. At least this way authentication could take place without interfering with my HQ (hot item), and while mobile they would have access to the mobile site servers. Now my problem becomes replicating data from the Site B & C servers to the HQ...

Another solution that may work is to set the servers in Site B & C as stand-alone servers in a workgroup that matches our NetBIOS domain, and enable guest access. These systems never communicate with the Internet, and the wireless is 128-bit AES encryption. The likelihood of someone plugging into an Ethernet port is small, but still possible.

I thought there was some software available that would allow a PC to dynamically configure its domain membership. Maybe this is just an IT urban myth, but if it is available... anyone use it?

If anyone has some light to shed, please elaborate your expertise.