I am after a bit of advice and to double check I am going along the correct lines.
I have two sites running as two different domains. I want to get the two domains talking to each other so users in domain 1 can FTP, log into SQL and RDP into servers on domain two. I want to set it up so that users only have to use their details from domain 1.
I am initially looking at setting up an IPsec tunnel between the two firewalls on each site. This is the first stage I am looking to complete. I think I need to get the VPN up and running and possibly set some rules on the firewalls to direct traffic to each of the sites.
Once I am able to ping each of the sites I am looking to set up some kind of trust relationship between the sites so that domain 1 users can be used on domain 2.
I need to look at the groups on domain 1 and set them up securely, and then with a bit of luck we can look at setting things up so that in order to FTP/connect to SQL/RDP into servers they can use their domain 1 details. I know things like FTP will probably need to be configured to integrate with Active Directory, but I am prepared for that!
Sounds about right. If you don't need people to access domain 1 from domain 2 then the easiest way is to set up a one-way trust between the two. If I remember correctly (and I may not, the language gets a bit confusing) you'll want a one-way outgoing trust from domain 1 to domain 2.
Then just set up a few universal groups, sort out memberships and permissions, and that should be everything.
Just an update: I have managed to get the site-to-site VPNs up and running between our two routers at each site. I am now able to ping the local subnet from the second site. All seems to be working fine.
I eventually managed to get the additional subnets to go over the VPN by creating additional VPN tunnels for each subnet, as the DrayTek router was not able to get the additional subnets over the one VPN tunnel.
I am still looking to get the trust relationship up and running. The next issue I am looking at (I'm guessing) is the DNS setup. I need to be able to get users to resolve servers from the remote site.
How do I go about doing this? Do I simply add the remote DNS server as a third server on each of the hosts (and through the DHCP options)?
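As an added worked example (not posted by anyone in this thread), here is the whole sequence in PowerShell, covering both the one-way trust and universal groups from the reply above and the DNS question just asked: a check that the tunnel passes the ports a trust needs, DNS conditional forwarders in each direction (each domain's DNS keeps answering for itself and forwards only the other zone over the VPN, which avoids pushing a third DNS server to every host), the trust with domain 2 as the trusting side so that domain 1 accounts can be granted rights on domain 2 servers, and groups in domain 1 that are then granted RDP and SQL access on the domain 2 side. Every name and address in it is assumed (domain1.local / domain2.local, the DC addresses, the OU, the user, the SQL instance); the steps are a runbook, each one run on the DC or server named in its comment, and they need the DnsServer, ActiveDirectory and (for the last step) SqlServer modules.

```powershell
# Added example, not from the original thread. Assumed names: domain1.local is the
# account domain whose users log in; domain2.local is the resource domain holding the
# FTP, SQL and RDP servers. Assumed DC addresses: dc1.domain1.local = 10.1.0.10,
# dc1.domain2.local = 10.2.0.10. Run each step from an elevated session on the host
# named in its comment (Windows Server 2012 or later cmdlets).

$AccountDomain  = 'domain1.local'; $AccountDC  = '10.1.0.10'
$ResourceDomain = 'domain2.local'; $ResourceDC = '10.2.0.10'

# --- 1. Confirm the VPN passes what a trust needs (run from dc1.domain1.local).
# Test-NetConnection is TCP only: UDP 53/88/389 and the RPC dynamic range
# (TCP 49152-65535) still have to be open on both firewalls.
$TrustPorts = 53, 88, 135, 389, 445, 464, 636, 3268
foreach ($port in $TrustPorts) {
    $ok = (Test-NetConnection -ComputerName $ResourceDC -Port $port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5} TCP -> {1}' -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# --- 2. DNS: a conditional forwarder for the other domain's zone on each side.
# On dc1.domain1.local:
Add-DnsServerConditionalForwarderZone -Name $ResourceDomain -MasterServers $ResourceDC -ReplicationScope 'Forest'
# On dc1.domain2.local:
Add-DnsServerConditionalForwarderZone -Name $AccountDomain  -MasterServers $AccountDC  -ReplicationScope 'Forest'
# Before creating the trust, the DC locator record of the *remote* domain must
# resolve from each side (this one is run on dc1.domain1.local).
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ResourceDomain" -Type SRV

# --- 3. One-way trust: domain2 (resource) TRUSTS domain1 (account), so domain1
# accounts can be given rights on domain2 servers but not the reverse.
# Run on dc1.domain2.local; netdom prompts for both admin passwords (the * below).
netdom trust $ResourceDomain /Domain:$AccountDomain /Add `
    /UserO:$ResourceDomain\Administrator /PasswordO:* `
    /UserD:$AccountDomain\Administrator  /PasswordD:*
netdom trust $ResourceDomain /Domain:$AccountDomain /Verify
# Seen from domain2's DC the trust shows Direction = Outbound (domain2 is the
# trusting side); the same trust appears as Inbound on domain1's DC.
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive

# --- 4. Groups live in the account domain (run on dc1.domain1.local), one per job.
$GroupOU = 'OU=Groups,DC=domain1,DC=local'   # assumed OU
foreach ($name in 'Domain2-RDP-Users', 'Domain2-SQL-Readers', 'Domain2-FTP-Users') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Universal -GroupCategory Security -Path $GroupOU
    }
}
Add-ADGroupMember -Identity 'Domain2-RDP-Users' -Members 'jsmith'   # assumed user

# --- 5. Grant the domain1 groups rights on the domain2 side.
# RDP (run on each domain2 server users should reach):
net localgroup "Remote Desktop Users" "DOMAIN1\Domain2-RDP-Users" /add
# SQL Server (run where the SqlServer module is installed; assumed instance name):
Invoke-Sqlcmd -ServerInstance 'sql1.domain2.local' -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN1\Domain2-SQL-Readers')
    CREATE LOGIN [DOMAIN1\Domain2-SQL-Readers] FROM WINDOWS;
"@
```

If step 1 reports any port BLOCKED, fix the firewall rules before attempting step 3; netdom failures after a working ping are almost always DNS (step 2) or a closed Kerberos/RPC port rather than the trust itself.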