PIX VPN , Win2K, Active Directory---Where to start?

moconnor
Level 1

Hi Everyone.

I am awaiting the arrival of a PIX 515 and 501 for firewalling and creating a VPN between my main site and a remote location. The remote location is having a LAN installed but will not have an actual Win2k domain, while the main site is a full Win2k domain with Exchange and AD. Both sites will connect to the INet w/ cable modems.

Here is the question:

Is it possible to have that remote site become part of my main site domain over the VPN? Can I set up a server at the remote site to replicate AD to, in case the VPN is shut down for any reason? Do I need to open any ports on the firewall, or not, because it will be over a VPN?

Is this an easy thing to do? Is a newbie in over his head?

Thanks in advance for any advice.

Marc


mostiguy
Level 6

1. Yes, it is possible to have that remote site become part of your main site domain.

2. Yes, you can have an AD DC at the remote site - in fact it is recommended.

3. No ports to open - when you set up the point to point tunnel, there should be unfettered access via the encrypted tunnel between the two networks.

4. It is not too painful.

5. Nah.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Should walk you through it. You will want to use isakmp, and use pre-shared keys.

Thanks mostiguy, that article is great. That will definitely get me on the right path. What do I need to do to set up the DC at the remote site? Just a DC normally joined to the domain? Once I set that up, how do I get the replication going? Do the two LANs have to be addressed the same? Can I use the DHCP server in my main site to address the LAN at the remote site?

This is one area where I have no experience, thanks again for your advice!!

Basically, you could create the DC at your main site, and drive it over. Or, on any win2k server that is a member of the domain, you could run DCPROMO to make it a DC. There is nothing exotic about it - you will want to read up on AD sites however - sites are a replication construct. I believe AD replication will be setup automagically for you.

The sites will not be addressed the same - they will effectively act as separate subnets with a router between them. For setting up the point to point tunnel, it is pretty much imperative that you properly address the sites separately.

So, you will want the remote site to be, say, 192.168.1.0/24, and the main site to be 192.168.0.0/24. This way, routing will work properly - effectively, when your hosts on the 192.168.0.0 network send packets to their default gateway (probably the pix in your scenario), the pix knows that to forward them, they need to be sent through the ipsec tunnel.

AD sites are based on IP netblocks too - when they are properly set up, your clients on 192.168.1.0/24 (remote site) will know that remote.AD.DC.servernamehere is their local DC, and will authenticate against that, before trying to authenticate against a DC across the VPN (wasting bandwidth).

I would set up the remote DC, or the PIX, as the DHCP server. I would strongly recommend using the remote DC so you can properly implement dynamic DNS. I would also set up WINS, and replication between the two DCs for it, to ensure that Network Neighborhood is properly populated for all hosts.

Mostiguy,

Looks like I have my work cut out for me then. This is exactly the direction I am looking for.

I think I will start by re-addressing my network, as it was addressed with 128.100.0.0 class B for some reason before I got here. As I just started my CCNA studying, I am still weak in subnetting and addressing but this will give me some good practice.

One question though, do I need a router on each network or can I get away with the PIX doing the 'routing' on each network? Thanks again for all the help!

Marc

No routers needed - basically, everything will be static routed - your clients, regardless of site, will have the pix as their default gateway. Each pix will have a default gateway configured too, by you, by a "route" statement. Each pix's crypto ACLs will also act as a static route through the tunnel to the other pix.
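To make the pieces of this thread concrete (the "route" statement, the crypto ACL that selects inter-site traffic for the tunnel, isakmp with a pre-shared key, and no ports "opened"), here is an added PIX 6.x-style configuration fragment for the main-site PIX; it is not from the thread or from the linked Cisco document. The outside addresses, next hop, peer address, ACL and map names, and the key placeholder are all assumptions; the remote PIX gets the mirror image (inside 192.168.1.0/24, source and destination swapped in the ACL, and the main site's outside address as peer).

```text
: Main-site PIX, inside network 192.168.0.0/24. Public addresses below are
: constructed placeholders, not real peers.
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
: The "route" statement: default gateway toward the cable modem's next hop.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: Crypto ACL: only traffic between the two site subnets is sent into the
: tunnel; the PIX also uses this match to "route" it to the other PIX.
access-list site2site permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
: Do not NAT inter-site traffic, so AD/DNS/WINS see the real inside addresses.
nat (inside) 0 access-list site2site
: Decrypted tunnel traffic bypasses the outside interface ACL, which is why
: no individual ports need to be opened for the VPN.
sysopt connection permit-ipsec
: Phase 2 (IPsec) parameters and the crypto map bound to the outside interface.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address site2site
crypto map vpnmap 10 set peer 198.51.100.20
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
: Phase 1 (ISAKMP) with a pre-shared key bound to exactly one peer address.
isakmp enable outside
isakmp identity address
isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 198.51.100.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The /32 netmask on the isakmp key line restricts the pre-shared key to that single peer, and the crypto ACL is what keeps everything other than the two site subnets out of the tunnel, so check both before trusting the "unfettered access" between sites.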

Thanks,

Well now I am mix of excited and scared sh*@less. I will just do one thing at a time, as I have no real way of testing this before deployment. I think I will get the PIXes up and running as firewalls, then configure the VPN then work on the AD part. I still hope I am not biting off more then I can chew ! LOL. Thanks again, marc
