Getting in a bit over my head here ...
We have a small office with a Windows 2003 AD domain controller. About to open a second small (remote) office, and would like both to share the same domain. They are across the Internet from each other, but an occasional VPN connection could be created.
My first thought is to set up the second office on a separate subnet. I planned to duplicate the PDC to the new office, but somehow demote it to a backup domain controller that would periodically connect to the PDC via VPN (domain changes are quite rare).
Is this just a disaster waiting to happen? Is there a better way to go about it? I've tried googling, but not quite sure what to call this mess I'm creating :)
Thanks for any suggestions.
I would suggest a VPN between the two offices using VPN routers if you can. You do not say what Windows version you are using, but there are various options for Domain Controllers depending on version. Win 2008 will permit a read-only Domain Controller, for example. PDC and BDC are not used with later versions of Windows.
As noted by others, there are many VPN devices to make the link. The router you have at the main site may have this feature. We use Cisco 800 series at secondary sites and Cisco 1800 at the main office. There are Cisco Small Business VPN units that work well. We have used these for clients and they are solid. Put them on a good UPS.
You also need to look at what will handle DNS, DHCP, etc at the second site and what happens if the link fails for some reason.
If you have a Domain Controller at each site, DNS will work if the VPN goes down. That works for us.
At the remote site the local server will be primary DNS and make the main site secondary. You can make remote site secondary DNS at main site as well.
We have a similar set up. Main office with a single domain and a remote office using the same domain. We have a SonicWall NSA 3500 at each site that has an 'always up' site-to-site VPN tunnel. The remote office is on their own subnet and the SonicWalls handle the routing between the two subnets. Works like a charm. There are a multitude of routers with site-to-site VPN capabilities. The SonicWalls have worked really well for us (we actually have a third remote location that's got site-to-site tunnels to the other two locations, so we have a 'triforce' VPN thing going on).
Install server at second site, but do not make it a domain member (much less a domain controller) yet. Use a network IP range different from your other office.
Set up "Routing and Remote Access" at both ends inside of Windows, and make the old site a VPN server.
Use RRAS to create a demand dial VPN connection from the new site to old. Set it to reconnect automatically if dropped.
Create a second "site" in Active Directory for the new office, with the appropriate subnet.
Start up VPN connection.
Set DNS client settings on the new server to point to the DNS servers on the old office network (over the VPN).
Join the new server to the domain over the VPN connection.
Install DNS services on the new server, but do not configure yet.
Run DCPROMO to promote the new server to a domain controller over the VPN.
Assuming AD-integrated DNS, all you have to do is change the new server's DNS client settings to point to itself as primary with the old site as secondary for DNS.
Make old site point to new site's domain controller as secondary for DNS.
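The steps above, written out as a PowerShell script for a newer Windows Server that ships the ActiveDirectory and ADDSDeployment modules (the answer itself uses the RRAS GUI and DCPROMO, which is what Windows 2003 has). This is an added example, not part of the original answer; the domain name, host names, IP ranges, site name and adapter alias are all assumed, and the site-to-site VPN is assumed to be up already.

```powershell
# Added example, not from the original answer. Assumed names: domain corp.example.local,
# existing DC OLD-DC1 at 10.10.0.10 (old office, 10.10.0.0/24), new server NEW-DC1 at
# 10.20.0.10 (new office, 10.20.0.0/24). The VPN tunnel is assumed to be connected.
$Domain    = 'corp.example.local'
$OldDcIp   = '10.10.0.10'
$NewDcIp   = '10.20.0.10'
$NewSite   = 'RemoteOffice'
$NewSubnet = '10.20.0.0/24'
$Nic       = 'Ethernet'          # adapter alias on the new server (assumed)
$Cred      = Get-Credential "$Domain\Administrator"

# --- On an existing DC: create the AD site and subnet *before* promoting, so the new
#     DC is placed in its own site instead of Default-First-Site-Name.
New-ADReplicationSite   -Name $NewSite
New-ADReplicationSubnet -Name $NewSubnet -Site $NewSite

# --- On the new server: DNS client points at the old office over the VPN. Confirm the
#     existing DC answers on LDAP (389) across the tunnel before attempting the join.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $OldDcIp
if (-not (Test-NetConnection -ComputerName $OldDcIp -Port 389).TcpTestSucceeded) {
    throw "Cannot reach $OldDcIp on TCP 389 over the VPN; fix the tunnel before joining."
}
Add-Computer -DomainName $Domain -Credential $Cred -Restart
# ...the server reboots here; continue after it comes back as a domain member:
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -SiteName $NewSite -InstallDns `
    -Credential $Cred `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# --- After promotion: new DC resolves via itself first, old office second, so local
#     logons and name resolution keep working when the VPN link drops.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $NewDcIp, $OldDcIp
# On OLD-DC1 do the mirror image: itself first, $NewDcIp as secondary.

# --- Checks: the new DC reports the intended site, and AD replication over the tunnel
#     completes without errors (any failure count here means the DCs are drifting apart).
nltest /dsgetsite
repadmin /replsummary
Get-ADReplicationConnection -Filter * | Format-Table Name, ReplicateFromDirectoryServer
```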