I've got 2 sites with independent W2k3 servers. We've got about 10 users, many of whom work at both sites. Site1 has Exchange installed, IIS for OWA, a few shares, and a printer; site2 is just a simple server with a few shares and a printer. Site1 is called my_real_domain.local, and site2 is called other_city.my_real_domain.local. (Even though they look like subdomains, they are unrelated; sorry about the obfuscation.)
I recently took over as admin, and I set up a site-to-site VPN (using BSD firewalls), and users can now log in to the other site's servers across the VPN.
I want to simplify this setup so there is just 1 AD tree between the two sites. (we are running into password issues with some of the non-technical users and I want to reduce the number of passwords they have to manage)
I am not much of a MS guy... mostly app development, and a decade of Unix/Linux admining.
At one time, I fumbled around in the admin tools and tried to set up a domain trust, but I don't know how well that is working.
I'm guessing I could just uninstall / remove the AD tree (somehow) from site2's server and join it to the site1 domain over the VPN as a regular computer (repeat for each of the workstations at site2). The only issue with that is what happens if the VPN is down for a bit... I would like site2 users to still be able to log in and access local resources. Is that a job for a backup/replicated AD? If so, is there a simple way of setting up site2's server to do that?
A related serverfault question: Active Directory Consolidation Strategy after Merger/Acquisition
The word "site" means something in Active Directory. It sounds to me like you're talking about merging two Active Directory forests.
With that small of a user base I wouldn't futz around with the Active Directory Migration Tool. I'd slash and burn.
This is a quick and dirty run-through of what you'd need to do. If you're uncomfortable with it, mock it up in virtual machines first until you're comfortable. If you're really wary, hire a professional. The server side of this process should only take a couple of hours. If you only have a handful of PCs in "site2", the disjoining / rejoining of the domain won't take very long either.
(Yes, yes, other Server Fault readers, this could be done a LOT more elegantly and without requiring a manual "touch" on the client computers by using some carefully deployed virtual machines, a startup script using the "NETDOM" tool, and some elbow grease, but I'm going to go the quick, dirty, and easy-to-understand route here...)
I'd get rid of the domain trust, disjoin the clients in "site2" from the "other_city.my_real_domain.local" domain (be sure to set a known "Administrator" on each client as you do this), get rid of the "other_city.my_real_domain.local" domain (by running "dcpromo" on the site 2 server and removing Active Directory), and promote the "site2" server as a domain controller in the "my_real_domain.local" domain.
Create a "Site" in the "Active Directory Sites and Services" tool to represent "site2". Associate it with the "DEFAULTIPSITELINK" site link object during the creation. Rename the "Default-First-Site-Name" site to a descriptive name that represents "site1".
Create IP subnet objects in the same tool for all the IP subnets used at the sites and associate each one with the right site.
Initially, you'll need to specify the server in site1 as the DNS server for the site2 server during the promotion. Make sure DNS works across the VPN before proceeding with the promotion of the site2 server as a replica domain controller. (You can test this from the "site2" server using the "nslookup" command and specifying the site1 server in "nslookup" via the "server" command. Verify you can resolve the domain's name using nslookup over the VPN before you proceed.)
After the promotion is complete on the site2 server, add the DNS Server component to it and configure it to refer to itself for DNS. Configure the DHCP server there to direct all the clients to the "site2" server for their DNS.
In the "Active Directory Sites and Services" tool, mark the "site2" server as a "Global Catalog Server" after the promotion is complete (in the "Properties" for the "NTDS Settings" node below the server).
With all of that done, clients in "site2" will need to be joined to the "my_real_domain.local" domain. They will authenticate to the "site2" server, which contains an equal readable / writable copy of the Active Directory for the "my_real_domain.local" domain. If the VPN fails clients will still be able to logon and access local resources.
Once you've gotten all this done you're well on your way to doing cool stuff like replicating folders between the sites using DFS-R and other such fun.
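The same procedure, scripted as an added example (this is not from the answer above or from Microsoft; it is mine). It covers the DNS-over-VPN check before dcpromo, an unattended dcpromo answer file for the replica promotion, and the Sites and Services work afterwards (rename the default site, create the site2 site and subnet, move the new DC into it, enable Global Catalog, point DNS/DHCP at the new DC) using plain ADSI calls and the command-line tools that ship with or are installable on Windows Server 2003. Assumptions, all placeholders not taken from the question: PowerShell 2.0 is installed on the site2 server (a separate download for Server 2003), the site1 DC is 10.1.0.10, the site2 server is 10.2.0.10 on 10.2.0.0/24, the NIC is named "Local Area Connection", and the script runs as a Domain Admin/Enterprise Admin (required to write to the Configuration partition).

```powershell
<#
  Added example, not part of the original answer.
  -Phase Prepare : run on the site2 server after its old AD has been removed
                   with dcpromo, before promoting it into my_real_domain.local.
  -Phase Finish  : run on the site2 server after the post-promotion reboot and
                   after adding the DNS Server component (Add/Remove Windows
                   Components), as a Domain/Enterprise Admin.
  All IPs, the NIC name and site names below are assumptions (placeholders).
#>
param(
    [ValidateSet('Prepare','Finish')] [string]$Phase = 'Prepare',
    [string]$Domain    = 'my_real_domain.local',
    [string]$Site1DcIp = '10.1.0.10',           # assumption: site1 DC
    [string]$Site2DcIp = '10.2.0.10',           # assumption: this server
    [string]$Site2Cidr = '10.2.0.0/24',         # assumption: site2 LAN
    [string]$Site1Name = 'Site1',
    [string]$Site2Name = 'Site2',
    [string]$Nic       = 'Local Area Connection'
)

function Test-DcDnsOverVpn([string]$Domain, [string]$DnsServer) {
    # Ask the site1 DNS server (across the VPN) for the DC locator SRV record.
    # nslookup prints "svr hostname = ..." only when the record resolved.
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $DnsServer 2>&1
    return [bool]($out | Select-String -SimpleMatch -Quiet 'svr hostname')
}

if ($Phase -eq 'Prepare') {
    # Use the site1 DC for DNS and prove the path works before dcpromo needs it.
    & netsh interface ip set dns $Nic static $Site1DcIp | Out-Null
    if (-not (Test-DcDnsOverVpn $Domain $Site1DcIp)) {
        throw "Cannot resolve the $Domain DC SRV record via $Site1DcIp; fix DNS/VPN before promoting."
    }
    $pw   = Read-Host "Password for Administrator@$Domain"
    $dsrm = Read-Host 'Directory Services Restore Mode password for this server'
    # Windows Server 2003 [DCINSTALL] keys for a replica DC in an existing domain.
    # The file holds plaintext passwords: delete it as soon as dcpromo has run.
    @"
[DCINSTALL]
UserName=Administrator
Password=$pw
UserDomain=$Domain
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$Domain
DatabasePath=C:\WINDOWS\NTDS
LogPath=C:\WINDOWS\NTDS
SYSVOLPath=C:\WINDOWS\SYSVOL
SafeModeAdminPassword=$dsrm
RebootOnSuccess=Yes
"@ | Set-Content 'C:\dcpromo-site2.txt'
    Write-Host 'Now run: dcpromo /answer:C:\dcpromo-site2.txt   (then del C:\dcpromo-site2.txt)'
}

if ($Phase -eq 'Finish') {
    $cfg   = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $sites = [ADSI]"LDAP://CN=Sites,$cfg"
    $me    = $env:COMPUTERNAME

    # Rename Default-First-Site-Name: a MoveHere within the same container is a rename.
    $sites.MoveHere("LDAP://CN=Default-First-Site-Name,CN=Sites,$cfg", "CN=$Site1Name") | Out-Null

    # Create the site2 site plus the two children the MMC creates silently,
    # then attach it to DEFAULTIPSITELINK so inter-site replication has a path.
    $site = $sites.Create('site', "CN=$Site2Name");                         $site.SetInfo()
    $srvs = $site.Create('serversContainer', 'CN=Servers');                 $srvs.SetInfo()
    $nss  = $site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings');      $nss.SetInfo()
    $link = [ADSI]"LDAP://CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg"
    $link.PutEx(3, 'siteList', @("CN=$Site2Name,CN=Sites,$cfg"))   # 3 = ADS_PROPERTY_APPEND
    $link.SetInfo()

    # Subnet -> site mapping, so site2 clients find this DC instead of the one over the VPN.
    $subnet = ([ADSI]"LDAP://CN=Subnets,CN=Sites,$cfg").Create('subnet', "CN=$Site2Cidr")
    $subnet.Put('siteObject', "CN=$Site2Name,CN=Sites,$cfg");               $subnet.SetInfo()

    # dcpromo placed this server in the default (now renamed) site; move it into site2.
    $dst = [ADSI]"LDAP://CN=Servers,CN=$Site2Name,CN=Sites,$cfg"
    $dst.MoveHere("LDAP://CN=$me,CN=Servers,CN=$Site1Name,CN=Sites,$cfg", "CN=$me") | Out-Null

    # Global Catalog: same flag as the checkbox on the NTDS Settings properties page.
    & repadmin /options $me +IS_GC

    # This DC now answers DNS for itself and hands itself out to site2 clients via DHCP option 6.
    & netsh interface ip set dns $Nic static $Site2DcIp | Out-Null
    & netsh dhcp server scope $Site2Cidr.Split('/')[0] set optionvalue 006 IPADDRESS $Site2DcIp

    # Verify: the DC should now report Site2 as its site and replicate cleanly with site1.
    & nltest /dsgetsite
    & repadmin /replsummary
}
```

Two practical notes: the Netlogon service caches the site name, so `nltest /dsgetsite` may still say the old site until Netlogon is restarted or the DC has been up a few minutes, and `repadmin /replsummary` is the thing to watch while the VPN is flapping, since a site2 DC that cannot reach site1 keeps authenticating local users but accumulates replication lag that shows up there first.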
ADMT (Active Directory Migration Tool) can help you accomplish this. I would google this tool, or just search the MS site for details.