On Sun, Sep 9, 2018 at 1:27 PM Reindl Harald via samba <samba at lists.samba.org> wrote:
> On 09.09.18 at 17:16 Sonic via samba wrote:
> > Currently using Samba 4 as AD at the main site and would like the main site
> > AD to authenticate users at a remote site (about 3 systems). As I use my
> > domain management system from a remote location via VPN I know this works,
> > but the VPN may not be the lowest cost in terms of overhead.
>
> why?

Encryption overhead.

> > What other options are available?
> >
> > I'm thinking that port forwarding between the sites may incur the least
> > overhead (which ports?). What are the common (and maybe not so common)
> > practices in place for this scenario?
>
> frankly you even need bridged VPN instead of routed - so how should this
> work with port forwarding and what problem do you try to solve before
> coming up with solutions?

From my office here I just use a site-to-site VPN when I need to
manage the AD via RSAT.
Normally my site-to-site VPN is down, but in the case of the small
remote site contact with the AD would need to be full time. If it can
be done easily with port forwarding it may be the least expensive way
in terms of processing and also provide the best performance.

Chris
On Sun, 9 Sep 2018 15:52:38 -0400 Sonic via samba <samba at lists.samba.org> wrote:
> On Sun, Sep 9, 2018 at 1:27 PM Reindl Harald via samba
> <samba at lists.samba.org> wrote:
> > On 09.09.18 at 17:16 Sonic via samba wrote:
> > > Currently using Samba 4 as AD at the main site and would like the
> > > main site AD to authenticate users at a remote site (about 3
> > > systems). As I use my domain management system from a remote
> > > location via VPN I know this works, but the VPN may not be the
> > > lowest cost in terms of overhead.
> >
> > why?
>
> Encryption overhead.
>
> > > What other options are available?
> > >
> > > I'm thinking that port forwarding between the sites may incur the
> > > least overhead (which ports?). What are the common (and maybe not
> > > so common) practices in place for this scenario?
> >
> > frankly you even need bridged VPN instead of routed - so how should
> > this work with port forwarding and what problem do you try to solve
> > before coming up with solutions?
>
> From my office here I just use a site-to-site VPN when I need to
> manage the AD via RSAT.
> Normally my site-to-site VPN is down, but in the case of the small
> remote site contact with the AD would need to be full time. If it can
> be done easily with port forwarding it may be the least expensive way
> in terms of processing and also provide the best performance.
>
> Chris

You have said it yourself: sites. Create a site in AD for the remote site. Create a new DC at the site and point the clients at that. All you will then have to cope with down the VPN is replication traffic, and it will also allow the remote clients to keep working if the VPN goes down.

Rowland
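The site-plus-second-DC approach Rowland describes, written out as an added shell script (not from the thread or from the Samba project); the site name, subnet, realm and admin account are placeholders, and DRY_RUN=1 prints the samba-tool commands instead of running them so the sequence can be reviewed first.

```shell
#!/bin/sh
# Added example: stand up a Samba DC in its own AD site so that only
# directory replication has to cross the site-to-site VPN, while the
# remote clients authenticate against the DC on their own LAN.
# Assumed placeholders: RemoteSite, 192.168.2.0/24, example.com, administrator.
set -eu

# DRY_RUN=1 echoes each samba-tool command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1, on the existing DC at the main site: create the remote site and
# attach its subnet, so the DC locator (DNS SRV lookups) sends clients on
# that subnet to a DC in their own site instead of across the VPN.
define_remote_site() {
    site=$1; subnet=$2
    run samba-tool sites create "$site"
    run samba-tool sites subnet create "$subnet" "$site"
}

# Step 2, on the new machine at the remote site: join it as a DC directly
# into that site. Replication to the main site is the only traffic that
# still needs the VPN, and the remote LAN keeps working if the link drops.
join_remote_dc() {
    realm=$1; site=$2; admin=$3
    run samba-tool domain join "$realm" DC -U "$admin" --site="$site" \
        --dns-backend=SAMBA_INTERNAL
}

# Step 3, after the join: confirm the new DC replicates with the main site
# (the output should show inbound/outbound neighbours with no errors).
check_replication() {
    run samba-tool drs showrepl
}

# Apply only when explicitly requested; sourcing the file just defines the
# functions above.
if [ "${SAMBA_SITE_APPLY:-0}" = "1" ]; then
    define_remote_site RemoteSite 192.168.2.0/24
fi
```

Run `define_remote_site` on the main-site DC and `join_remote_dc` on the new remote machine; a DNS forwarder or conditional forwarding for the AD zone still has to be reachable from the remote subnet for the locator lookups to work.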
On 09.09.18 at 21:52 Sonic wrote:
> On Sun, Sep 9, 2018 at 1:27 PM Reindl Harald via samba
> <samba at lists.samba.org> wrote:
>> On 09.09.18 at 17:16 Sonic via samba wrote:
>>> Currently using Samba 4 as AD at the main site and would like the main site
>>> AD to authenticate users at a remote site (about 3 systems). As I use my
>>> domain management system from a remote location via VPN I know this works,
>>> but the VPN may not be the lowest cost in terms of overhead.
>>
>> why?
>
> Encryption overhead

irrelevant, completely irrelevant

i drive a forest of 365/24 openvpn instances terminating on the same
virtual machine where each endpoint connects a complete network which
runs most of the day below 100 MHz

sorry, but encryption doesn't matter these days unless you have stone-old
hardware with no AES support, and even then i doubt that you could measure
something relevant
For 3 remote systems, it seems that adding a remote DC will be more work than it is worth.

SonicWall UTMs make it pretty easy to set up site-to-site VPN connections even if only one end has a static public IP. I believe that the remote PCs would locate the domain controllers via DNS, so you shouldn't have to worry about NBT or WINS. The SonicWalls also include various IP helpers (e.g. for relaying DHCP requests to a central DHCP server). I am sure that Cisco and other SOHO solutions offer similar functionality.

The hardware VPN approach is probably simpler than trying to build your own VPN server with OpenVPN.

Assuming the client PCs are caching logins, even if the VPN link goes down the remote users will still be able to log in to their computers.

On 09/09/18 16:28, Reindl Harald via samba wrote:
> On 09.09.18 at 21:52 Sonic wrote:
>> On Sun, Sep 9, 2018 at 1:27 PM Reindl Harald via samba
>> <samba at lists.samba.org> wrote:
>>> On 09.09.18 at 17:16 Sonic via samba wrote:
>>>> Currently using Samba 4 as AD at the main site and would like the main site
>>>> AD to authenticate users at a remote site (about 3 systems). As I use my
>>>> domain management system from a remote location via VPN I know this works,
>>>> but the VPN may not be the lowest cost in terms of overhead.
>>> why?
>> Encryption overhead
> irrelevant, completely irrelevant
>
> i drive a forest of 365/24 openvpn instances terminating on the same
> virtual machine where each endpoint connects a complete network which
> runs most of the day below 100 MHz
>
> sorry, but encryption doesn't matter these days unless you have stone-old
> hardware with no AES support, and even then i doubt that you could measure
> something relevant