AD GPO over the internet?
Hey guys, I was told to re-post my thread here. You can see the original here before continuing: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/853019bb-5e6d-4ad6-9e9e-85dfa19b50cf/ --- I have 2 locations (we'll say location 1 and location 2). Location 1, which is the main location, is being installed with an AD server on Server 2008 R2. We need to run GPOs from the AD server at this location onto the client computers at location 2. Location 2 does not have a branch office server at all. Right now, they are not connected to the AD server. Is it possible, using the internet, to connect the systems to AD using the internet, more specifically so we can distribute GPOs from the server at location 1 to the computers at location 2 without a branch office server? We do not have routers that provide VPN support, they can only do static routes. The only way for us to use VPN is for each client at location 2 to connect to the server at location 1 over VPN itself (which is an option for us, if we can find out how to do that).
Owner, Quilnet Solutions
August 17th, 2011 10:25am

No server is required at the branch office to be able to deliver GPOs. However, when you say the "internet", you are considering moving this traffic outside of a secure VPN tunnel? I wouldn't recommend that approach. I assume that this can be done using static routes as you have described, but your traffic is not secured. The best approach would be to create a VPN tunnel between the main and branch office so that you can securely transport this traffic.
Visit anITKB.com, an IT Knowledge Base. Follow me on Facebook.

No, right now there is no VPN tunnel at all. There is no connection between location 1 and location 2 right now. When I say over the internet, I'm referring to using the internet as the conduit used to connect them (versus directly connecting over a hardline). How the connection happens while using the internet (e.g. VPN tunnel) is fine, but I wanted to find out if this could be done without having a second server. I didn't think there was but I wanted to ask just to be sure. It took me 6 months to convince the small business owner of this company I'm contracted to, to get 1 server, I won't be able to quickly convince him for a second server for the other location so I'll have to do everything manually. Let me ask this, normally when I set up these types of networks, I have a primary server at one location and a second server at another location connected to each other over a VPN tunnel (generally using VPN through Server 2008 R2 and running a site to site trust). What does connecting clients from location 2 to the server at location 1 directly over VPN get me? What can I do (since I can't get GPOs)? I assume it gives me something. I've never really tried this because I've never had to, so...
Owner, Quilnet Solutions
August 17th, 2011 10:42am

Having a second server (I assume you are referring to a domain controller) at the second location buys you a performance gain. That second server at the remote office can authenticate user logons, store login scripts, distribute GPOs, resolve DNS queries (by installing DNS), and could be used for file and print services (although I absolutely do not recommend installing F/P on DCs, or other apps such as Exchange or SQL). The cost of a second server is obvious: actual monetary cost of licenses, maintenance, hardware. For most scenarios, the deciding factor deals with the number of users at the remote site and their dependence on networking services (AD, DNS, F/P, etc.). So let's say there are 3 users. If the network link fails, how long can these 3 users be down until the network link is back up (scenario where there is no additional DC at the remote site)? What if you had 20 users? You have to consider how much the business will rely on having that DC at the remote site for the reasons already discussed. It's really a business decision. From a technical approach, a remote office does not require a DC to be on site.
Visit anITKB.com, an IT Knowledge Base. Follow me on Facebook.
August 17th, 2011 1:42pm

Yup. I'm aware of all that. I've never had a business give me grief over getting 1 server like this, let alone 2. Heh, hard headed business owners are getting in the way. ;-) We have 2 primary users at the second location and 3 floaters (they float between the first and second location. They only need guaranteed access from location 1; at location 2 they can technically be without if they need to). There are 4 computers total at the second location. The only real services they require to do business at the second location is file services (an application they use is hosted on the file share service). The rest, AD and GPO, are just to ease management. Technically I can do the work at the second location without AD and GPO if I need to.
I'm just trying to find a way to make my job a little easier (and cheaper for my customer). But yeah, it is a business decision. Before I go to the owners, I want to be sure there are no other practical options. Because the first thing they are going to ask is, how can we do this without a server, and I want to be able to intelligently say, there is no other way. I've never had to handle this type of problem before since with most of my customers it is easy to sell them on getting at least 1 server per branch office. This is the first I've had that has come up and said no.
Owner, Quilnet Solutions
August 17th, 2011 2:15pm

So, it's going to be a tough sell because technically you can run without the server at the branch office, at least for domain authentication, GPOs, and other traffic that will need to go back to the main office. I hope they have a solid internet connection and some backup in the event that the connection goes down. They will tell you that they can run stand-alone, until there is no internet and then they will ask you whose idea it was to sacrifice a server at the remote office. If the business can afford it, it's probably worth it. If the files are large, going over the internet connection to a main office server is going to degrade performance.
Visit anITKB.com, an IT Knowledge Base. Follow me on Facebook.
August 17th, 2011 2:35pm

Yup! Then I'm gonna say, "You did". lol. Yeah, I understand the implications involved. In most cases the branch office is read-only, with few updates here and there. Most of the heavy lifting goes through the main office (location 1). We will be setting up BranchCache in distributed mode, which should help with the application a little bit. (I don't think the application payload is too taxing but I don't have benchmarks yet.) In the event of a connection failure (no, there is no backup), they will probably do most of the work using the phone, basically call the main office for the information. But I really wanna get a server at the branch office. Part of me hopes there is a failure somewhere in the internet connection, so I can justify the purchase of a second server, but that's probably the only way it's going to happen at this point. Yes, the business can afford it, but the owners are a bit cheap when it comes to technology (they hate it or something). Just curious, how does domain authentication happen without a branch office server running a trust? I've never had to do that before. Also, I've never run GPOs over a VPN without a branch server either, so is there any information on how that works too?
Owner, Quilnet Solutions
August 17th, 2011 2:57pm
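On the question of how logon and Group Policy work when the only DC is at the main office and each location-2 client reaches it over its own VPN connection: the script below is an added diagnostic written for this thread, not code from the thread or from Microsoft. Run on a domain-joined location-2 client after its VPN is up, it shows which DC the client locates, whether the AD traffic is actually leaving over the VPN adapter rather than the plain internet link, whether the ports Group Policy processing needs are reachable, and then refreshes and reports policy. The VPN adapter name is an assumed placeholder.

```powershell
# Added diagnostic for a remote client with no local DC (not from the thread).
# Run in an elevated PowerShell on a domain-joined client at location 2 after
# its VPN to location 1 is connected.

# Placeholder (assumed): the VPN adapter's name as listed by Get-NetAdapter.
$VpnAdapter = 'VPN to Location 1'

# TCP ports a client needs on a DC for logon and Group Policy processing.
# (DNS is normally UDP; the DC also listens on TCP 53, which is what is tested here.)
$Ports = [ordered]@{ DNS = 53; Kerberos = 88; LDAP = 389; 'SMB (SYSVOL)' = 445 }

# 1. Ask the DC locator which DC this client will use (works without RSAT).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$dc     = $domain.FindDomainController()
Write-Host "Domain      : $($domain.Name)"
Write-Host "Selected DC : $($dc.Name) ($($dc.IPAddress)), AD site $($dc.SiteName)"

# 2. Test each required port and record which local adapter carries the traffic.
$allOk = $true
foreach ($entry in $Ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $dc.IPAddress -Port $entry.Value -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { $state = 'open' } else { $state = 'BLOCKED'; $allOk = $false }
    Write-Host ("{0,-12} tcp/{1,-4} {2,-8} via '{3}'" -f $entry.Key, $entry.Value, $state, $r.InterfaceAlias)
    if ($r.InterfaceAlias -ne $VpnAdapter) {
        # AD traffic routed over another adapter means it is not inside the tunnel.
        Write-Warning "Traffic to the DC uses '$($r.InterfaceAlias)', not '$VpnAdapter'."
        $allOk = $false
    }
}

# 3. Only when everything is reachable through the tunnel, refresh policy and
#    report where it was applied from.
if ($allOk) {
    gpupdate /target:computer /force | Out-Null
    gpresult /r /scope:computer | Select-String 'applied from|Site Name|Last time'
} else {
    Write-Warning 'Fix VPN routing or firewall reachability before expecting GPOs to apply.'
}
```

If the client ever selects a DC while the VPN is down, the DC locator will simply fail and cached credentials are used for logon, which is the behaviour the thread's "no branch server" scenario implies.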

Thanks. I think that'll do it. Let's pray the internet fails so I can get a second server in here. Thanks for your help!
Owner, Quilnet Solutions
August 17th, 2011 3:38pm
