Windows Vista Tips

VPN tunnel between AD and offsite backup?

 
 
Nippoo
02-21-2010
We have a small (residential) business which runs an AD with three or so
users, and a single Server 2008 R2 Exchange 2010 / AD server (say,
192.168.0.2/255.255.255.0, public IP 123.123.123.123/255.255.255.248) running
onsite. We're often away from the office (sometimes we're all abroad at the
same time with nobody at the address) so, in the interests of redundancy and
always being able to access email, we have bought a second server hosted in a
datacenter nearby (say, 124.124.124.124/255.255.255.0) which will also be an
AD and Exchange server, (both CAS and mailbox servers with the mailbox
database in a Database Availability Group - hope this will work!).

What I'd like to do is figure out a way of joining the domain and keeping
all traffic flowing between the two networks encrypted by VPN tunnel or
similar. (I wouldn't mind it going over the public network, but it's probably
too insecure). How would I go around creating a VPN tunnel between the two in
WS2008R2? What routing parameters would I use? Given that there's no similar
private subnet on the colocated server (it only has a single IP allocated to
it, though I don't mind routing the entire 124.124.124.* subnet through the
VPN; it's so unlikely I'll ever need to contact any other server on the same
subnet) - do I need to create a 'ghost private subnet' of 192.168.1.* or
something?

I'm a little lost, and would love advice on what to do.

N
 
Ace Fekay [MVP-DS, MCT]
02-21-2010

For something like this, you would want SCR.

Site Resilience Configurations: Exchange 2007, Oct 29, 2007
http://technet.microsoft.com/en-us/l...EXCHG.80).aspx

SCR (Standby Continuous Replication)
http://www.n2networksolutions.com/blog/?p=477

You would have to establish a tunnel first to the colo. Then install and
promote a machine to a DC/GC. Then install Exchange 2007 on a separate
machine, then establish the SCR.

And I recommend NOT installing Exchange on a DC. It is not a recommended
config, and each entity causes issues with the other. Read more on this
issue:

==================================================================
Exchange on a DC and performance issues:

If Exchange is on a DC, no need telling you that if you search on it, you
will find numerous topics by many engineers (including Microsoft) stating
Exchange is not recommended to be installed on a domain controller.
Exchange's database transactional logging system is different than AD's.
Once a machine is promoted to a DC, it disables the write-behind cache
function on the controller. Exchange needs this; however, it's done to allow
AD's database system to work properly. A huge drawback of this scenario is
that it can cause Exchange to lose emails in certain scenarios, and with the
write-behind cache disabled, it drastically reduces performance on the
machine.

Exchange, by default, will also consume all memory resources (for example,
the store.exe process) and will drag down the OS it is installed on. If the
OS is a DC, it will hinder DC processes, such as the DC's lsass.exe process.
This *may* result in other issues, possibly with replication.

Read more on it:
This Exchange server is also a domain controller, which is not a recommended
configuration
http://technet.microsoft.com/en-us/l.../aa997407.aspx
==================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.


 
Ed Crowley [MVP]
02-21-2010
Before deploying SCR, you will certainly want to spend the time reading up
about it and understanding what it is and what it is not.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

 
Ace Fekay [MVP-DS, MCT]
02-21-2010

"Ed Crowley [MVP]" <> wrote in message
news:...
> Before deploying SCR, you will certainly want to spend the time reading up
> about it and understanding what it is and what it is not.
> --
> Ed Crowley MVP
> "There are seldom good technological solutions to behavioral problems."



Good point. :-)

I would add: study up on AD replication and its implications as well.

Ace


 
Nippoo
02-21-2010
What other options do I have apart from installing Exchange on a DC? Unless I
buy two new servers...

Exchange 2010, by the way. I don't have any option for SCR I don't think?

N
 
Ace Fekay [MVP-DS, MCT]
02-21-2010
"Nippoo" <> wrote in message
news:F3DCBF1B-0194-4060-BEFB-...
> What other options do I have apart from installing Exchange on a DC?
> Unless I
> buy two new servers...
>
> Exchange 2010, by the way. I don't have any option for SCR I don't think?
>
> N
>



Sorry, I misread you are using Ex2010. Either way, Exchange should not be on
a DC.

Here are some options with Ex2010:

You Had Me At EHLO... : Should You Virtualize Your Exchange 2007 ...Figure
2 - Possible Warm Site Disaster Recovery Configuration using Hyper-V .....
Exchange Server 2010...
http://msexchangeteam.com/archive/20...19/450463.aspx

Ace


 
Phillip Windell
02-22-2010
"Nippoo" <> wrote in message
news:F3DCBF1B-0194-4060-BEFB-...
> What other options do I have apart from installing Exchange on a DC?
> Unless I
> buy two new servers...


You're running 2008R2!! That means you have Hyper-V! It is already
there,...and it is free.

You just have to buy one more Server License to cover the OS in the VM for
Exchange, but then 2008R2 might already cover having *one* copy in a
VM,...but you'll have to verify that.

Run Exchange in a VM under Hyper-V,...so it will still be on the same
"physical" box,...but will not be on the same "logical" machine as the DC.
Since the DC is on the Parent Machine, and since a DC should always be
already running *before* Exchange is started up or shutdown,...it should be
fine.

In the end your weak link would be if the hardware is not powerful enough
to run two OSs efficiently.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
Russ Kaufmann
02-22-2010
Three or so users? Why not go to BPOS?


 
Ace Fekay [MVP-DS, MCT]
02-22-2010

Hi Phillip,

FYI, IMHO, I usually shy away from running Exchange or SQL in a VM due to
heavy processing and I/Os. DCs, etc, are fine.

Ace


 
Phillip Windell
02-23-2010
"Ace Fekay [MVP-DS, MCT]" <> wrote in message
news:...
> Hi Phillip,
>
> FYI, IMHO, I usually shy away from running Exchange or SQL in a VM due to
> heavy processing and I/Os. DCs, etc, are fine.
>
> Ace


That's true. MS used to be really "down" on doing that, but it was mainly
when everyone was using Virtual Server on 2003. They used to say the same
about ISA Server as a VM, but now they don't have a problem with it.
Hyper-V on 2008 should be providing better performance than Virtual Server
anyway. With VMware virtualization I've actually had a VM outperform the
previous physical machine it was on, just because the hardware on the
parent machine was so much more powerful than the original machine that was
being used,...of course it was not an I/O intensive machine.

But I still think it is better than running those things directly on the DC
itself. Looking back at the original post he said there were only "three or
so" users,...so the Exchange and the SQL are not going to be hit hard.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 