We used to have a domain controller in our local office network. Now we have moved the servers to data center and the dc is there, behind the forefront TMG firewall.
In order for my office computers to be able to authenticate to the domain, I have the following options that I know of:
-
I can VPN into a data center servers network (vpn gateway is set up inForefront TMG) and authenticate as if I am in the local network with the domain. Ho can I setup VPN clients in Windows 7 to connect via vpn automatically at login?
-
I can publish the DC's Active Directory integrated DNS server via Forefront Publishing rule. Set up my local network to use this DNS, so that the DC can be found. And allow LDAP traffic through Firewall.
Which one of these approaches is better?
Best Answer
The VPN option is better, since you won't be exposing LDAP to the outside world unnecessarily.
Side note, I'd want at least one domain controller at my local site. If your link to the data center goes down, you're screwed.