RE: AD replication over WAN

From: Tom Sutherland
Date: 01/16/03

    From: Tom Sutherland <>
    To: "''" <>
    Date: Thu, 16 Jan 2003 10:55:29 -0500

    Or you can wait till Windows Server 2003 which purportedly can create VPNs
    using IPSEC/L2TP that can traverse NAT. Or did I not read the MS sales
    literature closely enough?

    Tom Sutherland
    silver-lake resources

    -----Original Message-----
    From: Chris Weiscopf []
    Sent: Monday, January 13, 2003 12:06 PM
    To: 'Valentine M. Smith';
    Subject: RE: AD replication over WAN

    At the very least you can deploy a site to site VPN using Windows 2000
    Routing and Remote Access Service. Open your LAN routers to pass the VPN
    traffic, set up the site-to-site VPN in RRAS and set a static route in your
    router pointing back to the server to reach the remote network. VPN
    benefits with no additional hardware costs.

    Chris Weiscopf
    MCSE 2000, CCNA, Network+, A+
    Uni-Point, LLC

    -----Original Message-----
    From: Valentine M. Smith []
    Sent: Thursday, January 09, 2003 6:21 AM
    Subject: AD replication over WAN


    I'm looking for some feedback from the community regarding the transfer of
    traffic over a public WAN.

    The basic plan is this:

    Single Win 2000 domain spread over two sites in different cities. Each site
    has a perimeter NAT device and is obscuring internal subnets with IP
    provided by a single ISP. No internetwork VPN planned. DNS is AD-integrated
    at both sites. Both DCs are patched to SP3.

    The MS documentation I've consulted indicates that AD replication, and by
    extension, DNS zone information that is AD-integrated is automatically

    My question: if the data is already encrypted and is passing only across a
    single ISP's network, should one be bothering with a router-router VPN
    for this traffic? IOW, would setting up such a tunnel for this data be
    redundant/unnecessary or am I missing something important here? Would anyone
    care to comment on the relative safety of AD encryption out-of-the-box?

    Thanks in advance for any feedback,