Putting new Active Directory machine at remote office
"richhanew***@gmail.com" wrote:

I have a main headquarters location in Pittsburgh, PA, with 2 AD machines set up. I have a remote office with 15 users connected back to here over an IPSEC VPN tunnel (T1 to a T3).

I'd like to put a server at the remote site to allow users to log in/authenticate to that box, rather than over the VPN tunnel (which works), just for speed purposes/latency.

Does this make sense?

How do the computers at the remote site know to use the "closest" AD server instead of trying to authenticate over the VPN tunnel, which they do now?

On Nov 29, 3:12 am, Masterplan <masterp***@discussions.microsoft.com> wrote:

Yes, it does make sense, because in your topology, if the WAN link fails, the workstations in the branch office will be cut off from the main headquarters location in Pittsburgh and users won't even be able to log in (unless they use cached credentials) because there will be no domain controller available to them. Also DNS would be offline, so you would have to resolve any local servers via IP address or cached DNS information.

You have to place the domain controller at the branch office into a separate Active Directory site. Doing this, the computers at the remote site know to use the "closest" AD, and as you said, authentication is done locally at the site, and this will speed up login times and authentication requests.

Follow-up reply:

Perfect. Thanks for the response. I'll set up DNS & AD as a "new site" and post up after it's complete. Thanks for the help.
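The site setup the reply describes, as an added example that is not part of the original thread: clients pick the "closest" domain controller by matching their IP address to a subnet object mapped to a site, so the site alone is not enough without the subnet mapping. The site, subnet, link and server names below are assumed placeholders, and the new DC is assumed to be promoted already.

```powershell
# Assumed values, constructed for illustration; replace with your own.
$HqSite       = 'Default-First-Site-Name'  # assumed: the site holding the two HQ DCs
$BranchSite   = 'Branch-Office'            # assumed name for the new site
$BranchSubnet = '10.20.0.0/24'             # assumed subnet of the branch workstations
$BranchDC     = 'BRANCH-DC01'              # assumed name of the new branch DC

Import-Module ActiveDirectory

# 1. Create the branch site and map the branch subnet to it.
#    The subnet object is what lets a workstation work out which site it is in.
New-ADReplicationSite   -Name $BranchSite
New-ADReplicationSubnet -Name $BranchSubnet -Site $BranchSite

# 2. Link the branch site to HQ so replication crosses the VPN on a schedule
#    (15 minutes is the minimum interval for a site link).
New-ADReplicationSiteLink -Name 'HQ-Branch' `
    -SitesIncluded $HqSite, $BranchSite `
    -Cost 100 -ReplicationFrequencyInMinutes 15 `
    -InterSiteTransportProtocol IP

# 3. Move the new DC's server object into the branch site.
Move-ADDirectoryServer -Identity $BranchDC -Site $BranchSite

# 4. Audit the subnet-to-site mapping. A workstation subnet missing from this
#    list has no site, and its clients may keep authenticating across the VPN.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, Site |
    Sort-Object Name

# 5. Run these two on a branch workstation (not on the DC) to confirm the result:
#    the first should print the branch site name, the second should return the
#    branch DC with a matching "Our Site Name".
nltest /dsgetsite
nltest "/dsgetdc:$($env:USERDNSDOMAIN)"
```

If step 5 still returns a headquarters DC, check that the workstation's address falls inside the subnet created in step 1 and that the branch DC has registered its DNS records.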