Dee Lowndes wrote:
> Sorry I should have said that only one Windows 2003 SBS server would be
> in use and that would be located in the main office. Indeed to figure
> out a way for both offices to be able to use that one server.
> Ideas on a postcard please ;)
> On Wed, 2006-02-01 at 07:04 -0600, MN wrote:
>>Your Windows 2003 servers will have DNS, you can use this for the domain
>>connectivity. Point your "fringe" office back at a DNS server at the "home"
>>office. As for DHCP, it may be more trouble than it is worth to get that
This should be possible. The key is using the hidden options in the
config.xml file so that m0n0wall providing DHCP services on the remote
network assigns the IP address of your SBS server as the primary DNS
server for the remote clients. This will allow the remote clients to
participate properly in Active Directory.
If this is properly set up in combination with the site-site VPN, then
there should be no need for WINS. If WINS is required (some legacy
software fusses without it) then the IP address of your SBS server can
be again assigned to the remote clients by DHCP and standard m0n0wall
DHCP configuration options. See
http://doc.m0n0.ch/handbook/faq-hiddenopts.html and the DHCP section on
http://doc.m0n0.ch/handbook/config-services.html for details.
A few observations.
1. You are going to need a small block of static IPs on each xDSL
connection between the router and m0n0wall. The m0n0wall-m0n0wall VPN
just won't work without the m0n0walls all having Internet IPs. A /30 is
ideal though if you have to use BT (avoid if at all possible) the
minimum they generally supply is a /29.
2. Assuming that you are using MS Windows on your client PCs, this is
all going to work much better and be easier to configure and
troubleshoot without fighting with MS Win9x or WinME clients. If you
have any of these left and were thinking about replacing them, now is
3. Your SBS server does not need to do DHCP for the remote networks. You
will cause yourself more work if you try, though it is possible using
DHCP relay in m0n0wall. The key is that all PCs on the network are using
your SBS server for DNS.
4. Minimise the amount of traffic that is passed between the server and
remote clients at login and logoff. If you are using Group Policy for
folder redirection on your main site then create Organisational Units
for each remote site which has a policy with either the folder
redirection disabled or pointing to a UNC path on the remote local
network. The clients at the remote sites then need adding to the
appropriate OU. This doesn't apply for MS Win9x clients.
5. MS Outlook as a client to MS Exchange does not play nicely across
firewalls and VPNs. In our experience the packets generated by the RPC
traffic between the client and server are just too big for anything
other than a LAN. The solution is to use a combination of MS Outlook
2003 (licensed with your SBS CALs), MS Windows XP Pro SP2 and configure
Outlook RPC over HTTP (or better HTTPS).
This works really well and in addition to giving everybody the full
functionality of MS Outlook and Exchange, avoids the hell of PSTs,
POP3/IMAP connections to Exchange mailboxes and other nastiness. If you
have Exchange SP2 installed then this is a matter of clicking a few
options in Exchange Administrator, manually configuring two registry
entries and changing a couple of options in IIS. I believe we have a
hint-sheet for this somewhere; email me if you want it. Traffic across
the WAN between Exchange and the Outlook clients can be minimised by
using the default Cached Exchange Mode in Outlook.
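An added example (not from this thread or from the m0n0wall project) of the check behind point 3: a small script that reads a m0n0wall-style config.xml and reports any enabled DHCP scope that does not hand remote clients the SBS server as primary DNS (and WINS, if you need it). The element names dhcpd/<interface>/dnsserver/winsserver and the sample config are assumptions, constructed to mirror the thread, not taken from a real config.

```python
# Added example: verify that each enabled DHCP scope in a m0n0wall-style
# config.xml points clients at the SBS server for DNS (and optionally WINS).
# The element names and the sample config are assumptions constructed for
# this example, not verified against a real m0n0wall config file.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<m0n0wall>
  <dhcpd>
    <lan>
      <enable/>
      <range><from>192.168.20.100</from><to>192.168.20.200</to></range>
      <dnsserver>192.168.10.5</dnsserver>
      <winsserver>192.168.10.5</winsserver>
    </lan>
    <opt1>
      <enable/>
      <range><from>192.168.30.100</from><to>192.168.30.200</to></range>
    </opt1>
  </dhcpd>
</m0n0wall>"""  # constructed sample: lan is correct, opt1 has no DNS/WINS set


def check_dhcp_scopes(config_xml, sbs_ip, want_wins=False):
    """Return {interface: [problems]} for every enabled DHCP scope."""
    root = ET.fromstring(config_xml)
    dhcpd = root.find("dhcpd")
    if dhcpd is None:
        return {"*": ["no <dhcpd> section found"]}
    findings = {}
    for scope in dhcpd:                       # one child per interface
        if scope.find("enable") is None:      # skip disabled scopes
            continue
        problems = []
        dns = [e.text.strip() for e in scope.findall("dnsserver") if e.text]
        if not dns:
            # With no dnsserver set, clients get m0n0wall's own forwarder
            # and cannot resolve the AD SRV records they need to log on.
            problems.append("no dnsserver set; clients will not find AD")
        elif dns[0] != sbs_ip:
            problems.append(f"primary DNS is {dns[0]}, not SBS {sbs_ip}")
        if want_wins:
            wins = [e.text.strip() for e in scope.findall("winsserver") if e.text]
            if sbs_ip not in wins:
                problems.append("WINS server not pointed at SBS")
        findings[scope.tag] = problems
    return findings


if __name__ == "__main__":
    for iface, probs in check_dhcp_scopes(SAMPLE_CONFIG, "192.168.10.5", True).items():
        print(iface, "OK" if not probs else "; ".join(probs))
```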