Windows Server 2016 - Remote Access Solution

sansa

New Member
Hi! Good day,

We have a server running Windows Server 2016 Standard with the AD, DHCP and DNS roles installed in our main office, and it also acts as a file server. Our problem is how we can connect or link multiple branch offices and client workstations at remote locations to our main office network. (I have researched that it is possible using a site-to-site VPN, a RADIUS server or DirectAccess, but those require a public IP address.)

Based on my diagram below, is it possible to connect the branch office site to my main office site without using or owning a public IP address? Or can I use the public IP address of my router and port-forward it to my server? Do I need to register the domain name for the branch office and client workstations to be able to join my main domain? Any suggestion or recommendation is a big help for us. Thank you and more power.

MAPIO_FILE.SERVER_v1.6-forPrajwaldesai.jpg
 
You need a public static IP address for all remote locations participating in the Active Directory forest. This simplifies things greatly. If the Internet is already going over VPN, I would be surprised that you do not have it. You don't necessarily have to add the server at the branch office as a separate domain. As long as it passes on AD from the main office and the connection is uninterrupted, this should be fine. This is also where roaming profiles come in for when there needs to be an offline sync. Just adding the server to the domain over VPN gives you many options overall and can reduce overhead, unless you absolutely want the data there stored locally. If you absolutely, for whatever reason, cannot achieve a static IP address at the branch office or the main office (not recommended), what you can do is use a service like DynDNS.org. Most routers have configuration options for this. If not, you could also place their software on the Windows servers. Basically, I recommend having one domain controller. You would want and need to make sure the IP is updated for any clients pointing to the main domain controller already. This is especially true if the domain controller is also acting as the primary domain name server (DNS). Presumably this is the case if you are enforcing custom DNS using group policy to point to the DC. I hope this helps.

Note: If VPN connections are already established I would be quite surprised if you are not already using static IP addresses.

Thanks mate for your reply, you're a legend. By the way, based on the diagram only the 2 Windows servers are on the commercial VPN (ExpressVPN); the client workstations that are in remote locations are on the public internet with no VPN connections, and we are on a short budget to purchase a public IP address. Where can you recommend I buy a public IP? And how about the domain name, e.g. "mydomain.com", do I need to register it? And the DNS and DHCP that I set up on the main server are for the intranet only.
 
You don't need a domain name unless you are running IIS from the same server as the domain controller, which is not really recommended anyway. You should call the ISP for static IP options. Since you already have VPN established, if the internal IP of the main server never changes on the intranet, can you ping/reach that server from a workstation or server at the branch office? If so, you may still be able to run Active Directory over the pre-existing VPN by adding those machines to the domain controller. However, when you point to this machine, or domain, it needs to be reachable on the network.
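The reachability check Mike describes, written out as an added example (this is not code from the thread): run it on a branch-office machine that already sits on the existing VPN, and it tests the TCP ports a domain join and logon need against the main-office DC, then confirms the DC can be located through the DC's own DNS. The domain name, DC address and the assumption that the DC is also the DNS server are placeholders for this example.

```powershell
# Added example: verify from a branch-office machine that the main-office domain
# controller is reachable over the existing VPN on the ports a domain join needs.
# Domain name and DC address below are assumptions, not values from the thread.
$DomainName = 'mydomain.local'      # assumed AD DNS name
$DcAddress  = '192.168.10.5'        # assumed private IP of the main-office DC (also DNS)

# Core TCP ports for join/logon: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, Global Catalog
$Ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC'; 389 = 'LDAP'; 445 = 'SMB'; 3268 = 'Global Catalog' }

$results = foreach ($p in $Ports.GetEnumerator()) {
    $t = Test-NetConnection -ComputerName $DcAddress -Port $p.Key -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p.Key; Service = $p.Value; Reachable = $t.TcpTestSucceeded }
}
$results | Sort-Object Port | Format-Table -AutoSize

# A client must also be able to find the DC through DNS. Query the DC's DNS server for
# the SRV record the domain locator uses; this fails if the VPN does not carry port 53.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $DcAddress -ErrorAction Stop
    $targets = $srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique
    "DC(s) located via SRV record: $($targets -join ', ')"
} catch {
    "SRV lookup failed: $($_.Exception.Message)"
}

# Once every port shows Reachable = True and the SRV lookup succeeds, the branch machine
# can be joined (run elevated; prompts for a credential that may join computers):
# Add-Computer -DomainName $DomainName -Credential (Get-Credential) -Restart
```

The DNS step matters as much as the port checks: a machine that can reach LDAP and SMB but resolves names through its ISP's resolver will still fail the join, which is why Mike's point about clients pointing at the DC for DNS applies over the VPN too.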
 
@ Mike: The internal IPs on the intranet of the main network are in DHCP mode. I can't ping the workstation and the server from the branch office because they have not yet joined my main domain; that's my problem, how can I connect them? Is there any solution without using a public static IP? Our office is short on budget right now. Thanks for your help mate.
 
@ Mike: The internal IP on the intranet from the Main network are in DHCP mode,

Please ignore this message if you already know this!

In case it helps, you can use DHCP Reservation to provide static IP addresses on the Private network (static private IP address):
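As an added example of the DHCP reservation suggested above (not code from the thread), this converts the main-office server's current lease on the Windows Server 2016 DHCP role into a reservation, so its private address no longer changes, and then lists the scope's reservations to verify. The DHCP server name, scope and addresses are assumptions for the example.

```powershell
# Added example: turn the server's current DHCP lease into a reservation so its
# private address stays fixed, then verify. Server name, scope and addresses are
# assumptions about the lab, not values from the post. Requires the DHCP RSAT module.
$DhcpServer = 'MAINDC01'          # assumed DHCP server (here the same box as AD/DNS)
$ScopeId    = '192.168.10.0'      # assumed DHCP scope
$ServerIP   = '192.168.10.20'     # assumed address currently leased to the file server

# Look up the existing lease; the lease object carries the ClientId (MAC) the
# reservation needs, so it can be piped straight into Add-DhcpServerv4Reservation.
$lease = Get-DhcpServerv4Lease -ComputerName $DhcpServer -IPAddress $ServerIP
if (-not $lease) { throw "No active lease for $ServerIP on $DhcpServer" }
$lease | Add-DhcpServerv4Reservation -ComputerName $DhcpServer -Description 'Main-office file server'

# For a host that has not obtained a lease yet, reserve by MAC address instead
# (constructed MAC for illustration):
# Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
#     -IPAddress '192.168.10.21' -ClientId '00-15-5D-01-02-03' -Description 'Branch server'

# Verify: list every reservation in the scope
Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId |
    Select-Object IPAddress, ClientId, Name, Description | Format-Table -AutoSize
```

After the reservation exists, renewing the lease on the server (`ipconfig /renew`) keeps the same address, and the DC/DNS entry that branch machines are pointed at stays valid.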


Just to understand your question:
do you mean without a public IP address for the Server at the Branch Office or do you mean if it is possible to connect the Branch Office site to the Main Office without a public IP address at all?
 
Just to understand your question:
do you mean a single public IP address just for the Server at the Branch Office or a single public IP address for the whole Branch Office site? or do you mean if it is possible to connect the Branch Office site to the Main Office without a public IP address at all?

Yes, I mean if it is possible to connect the branch office site and the workstation from remote location to the main office without a public ip address designated to the server

It should work with Port Forwarding as long as you do the correct settings. You don't need a public IP address for each server on a private network. You can have one public IP address and several servers on that network, each having its own private static IP address. This is the reason I have asked you about DHCP reservation. I actually played one day in virtual mode, I did load balancing like this:

reverse-proxy.png

Reverse Proxy Guide - Apache HTTP Server Version 2.4
I don't intend to use the public IP for the private network or in my intranet. @Mike recommended in his post above that I use a public IP so that the branch office and remote workstations can join my domain using the different types of VPN solutions that Windows Server offers.
 
@Mike recommended in his post above that I use a public IP so that the branch office and remote workstations can join my domain using the different types of VPN solutions that Windows Server offers.

Of course having a static IP address for your server would give you more options. So, Mike is right. But you wrote this:

..Is there any solution without using public static ip?. our office are short in budget right now...