VPN tunnel between AD and offsite backup?

Discussion in 'Server Setup' started by Nippoo, Feb 21, 2010.

  1. Nippoo

    Nippoo Guest

    We have a small (residential) business which runs an AD with three or so
    users, and a single Server 2008 R2 Exchange 2010 / AD server (say,
    192.168.0.2/255.255.255.0, public IP 123.123.123.123/255.255.255.248) running
    onsite. We're often away from the office (sometimes we're all abroad at the
    same time with nobody at the address) so, in the interests of redundancy and
    always being able to access email, we have bought a second server hosted in a
    datacenter nearby (say, 124.124.124.124/255.255.255.0) which will also be an
    AD and Exchange server, (both CAS and maibox servers with the mailbox
    database in a Database Availability Group - hope this will work!).

    What I'd like to do is figure out a way of joining the domain and keeping
    all traffic flowing between the two networks encrypted by VPN tunnel or
    similar. (I wouldn't mind it going over the public network, but it's probably
    too insecure). How would I go around creating a VPN tunnel between the two in
    WS2008R2? What routing parameters would I use? Given that there's no similar
    private subnet on the colocated server (it only has a single IP allocated to
    it, though I don't mind routing the entire 124.124.124.* subnet through the
    VPN; it's so unlikely I'll ever need to contact any other server on the same
    subnet) - do I need to create a 'ghost private subnet' of 192.168.1.* or
    something?

    I'm a little lost, and would love advice on what to do.

    N
     
    Nippoo, Feb 21, 2010
    #1
    1. Advertisements


  2. For something like this, you would want SCR.

    Site Resilience Configurations: Exchange 2007, Oct 29, 2007
    http://technet.microsoft.com/en-us/library/bb201662(EXCHG.80).aspx

    SCR (Standby Continous Replication)
    http://www.n2networksolutions.com/blog/?p=477

    You would have to establish a tunnel first to the colo. Then install and
    promote a machine to a DC/GC. Then install Exchange 2007 on a separate
    machine., then establish the SCR.

    And I recommend to NOT install Exchange on a DC. It is not a recommended
    config, and each entity causes issues with the other. Read more on this
    issue:

    ==================================================================
    Exchange on a DC and performance issues:

    If Exchange is on a DC, no need telling you that if you search on it, you
    will find numerous topics by many engineers (including Microsoft) stating
    Exchange is not recommended to be installed on a domain controller.
    Exchange's database transactional logging system is different than AD's.
    Once a machine is promoted to a DC, it disabled the write-behind cache
    function on the controller. Exchange needs this, however it's done to allow
    AD's database system properly work. A huge drawback of this scenario is that
    it can cause Exchange to lose emails during certain scenarios, as well as
    with the write-behind cache disabled, it drastically reduces performance on
    the machine.

    Exchange by default, will also consume all memory resources, for example,
    the store.exe process and will drag down the OS it is installed on. If the
    OS is a DC, it will hinder DC processes, such as the DC's Lsas.exe process.
    This *may* result in other issues, possibly with replication.

    Read more on it:
    This Exchange server is also a domain controller, which is not a recommended
    configuration
    http://technet.microsoft.com/en-us/library/aa997407.aspx
    ==================================================================

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check http://support.microsoft.com
    for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Feb 21, 2010
    #2
    1. Advertisements

  3. Before deploying SCR, you will certainly want to spend the time reading up
    about it and understanding what it is and what it is not.
     
    Ed Crowley [MVP], Feb 21, 2010
    #3

  4. Good point. :)

    I believe adding to also study up on AD replication and implications, as
    well.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 21, 2010
    #4
  5. Nippoo

    Nippoo Guest

    What other options do I have apart from installing Exchange on a DC? Unless I
    buy two new servers...

    Exchange 2010, by the way. I don't have any option for SCR I don't think?

    N
     
    Nippoo, Feb 21, 2010
    #5

  6. Sorry, I misread you are using Ex2010. Either way, Exchange should not be on
    a DC.

    Here are some options with Ex2010:

    You Had Me At EHLO... : Should You Virtualize Your Exchange 2007 ...Figure
    2 - Possible Warm Site Disaster Recovery Configuration using Hyper-V .....
    Exchange Server 2010...
    http://msexchangeteam.com/archive/2009/01/19/450463.aspx

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 21, 2010
    #6
  7. You're running 2008R2!! That means you have Hyper-V! It is already
    there,...and it is free.

    You just have to buy one more Server License to cover the OS in the VM for
    Exchange. but then 2008R2 might already cover having *one* copy in a
    VM,...but you'll have to verify that.

    Run Exchange in a VM under Hyper-V,...so it will still be on the same
    "physical" box,...but will not be on the same "logical" machine as the DC.
    Since the DC is on the Parent Machine, and since a DC should always be
    already running *before* Exchange is started up or shutdown,...it should be
    fine.

    In the end your weak link would be if the hardware is not powerfull enough
    to run two OSs efficiently.


    --
    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Feb 22, 2010
    #7
  8. Three or so users? Why not go to BPOS?
     
    Russ Kaufmann, Feb 22, 2010
    #8

  9. Hi Phillip,

    FYI, IMHO, I usually shy away from running Exchange or SQL in a VM due to
    heavy processing and I/Os. DCs, etc, are fine.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 23, 2010
    #9
  10. That's true. MS used to be really "down" on doing that, but it was mainly
    when everyone was using Virtual Server on 2003. They used to say the same
    about ISA Server as a VM, but now they don't have a problem with it.
    Hyper-V on 2008 should be providing better performance than Virtual Server
    anyway. With VMware virutalization I've actually had a VM outperform the
    previous physical machine they were on just because the hardware on the
    parent machine was so much more powerful than the original machine that was
    being used,..of course it was not an I/O intensive machine.

    But I still think it is better than running those things directly on the DC
    itself. Looking back at the original post he said there were only "three or
    so" users,...so the Exchange and the SQL are not going to be hit hard.


    --
    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Feb 23, 2010
    #10

  11. True, for that minimal number of users, it seems negligent and should be ok
    virtualizing it. I had one customer 2 years ago running Exchange 2003 using
    MS Virtual Server, and he told me there were numerous complaints about
    Outlook performance. After suggesting to move it out of the VM and make it
    physical, performance increased 10 fold. That was a 125 user shop in a child
    domain, with Exchange also installed at the corp location with 300 users.
    There were also DSAccess issues that also disappeared after making it
    physical.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 23, 2010
    #11
  12. Virtualization is the trend and more and more are virtualizing Exchange,
    even mailbox servers. I don't see any problem with virtualizing anything as
    long as one knows what one is doing.
     
    Ed Crowley [MVP], Feb 27, 2010
    #12

  13. I guess one of the ingredients is the horsepower, which that customer I
    mentioned, lacked. That was a couple of years ago, come to think of it, it
    was in Nov, 2006. I think hardware has changed to support virtualization
    better than the past. I haven't virtualized Exchange 2007 yet, but I may
    give it a shot on my own private system to evaluate it.

    Thanks, Ed.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 27, 2010
    #13
  14. Everything has changed since 2006.
     
    Ed Crowley [MVP], Feb 27, 2010
    #14
  15. Apparently. Server hardware power has dramatically increased, especially
    with the 6-core cpus. Along with 15k spindles, and 1GB interfaces, I guess
    that should be plenty to virtualize just about anything.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 27, 2010
    #15
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.