Originally posted by: Darksamie
I have a query about Active Directory and what you can and cannot do -
I have a VPN set up between a few of my offices and wanted to add another branch office in to the mix. From what I understand of AD, I would need to create tunnels from this office to every other office which has an AD server of the same domain.
Is there any way around this?
Nope. There are two AD replication protocols. They are discussed here:
http://www.microsoft.com/technet/prodte...edirectory/deploy/projplan/adarch.mspx
Replication Protocols
Directory information can be exchanged using the following network protocols:
- IP replication. IP replication uses remote procedure calls (RPC) for replication within a site (intra-site) and over site links (inter-site). By default, inter-site IP replication adheres to replication schedules. IP replication does not require a certification authority (CA).
- SMTP replication. If you have a site that has no physical connection to the rest of your network but that can be reached via Simple Mail Transfer Protocol (SMTP), that site has mail-based connectivity only. SMTP replication is used only for replication between sites. You cannot use SMTP replication to replicate between domain controllers in the same domain; only inter-domain replication is supported over SMTP (that is, SMTP can be used only for inter-site, inter-domain replication). SMTP replication can be used only for schema, configuration, and global catalog partial replica replication. SMTP replication observes the automatically generated replication schedule.
If you choose to use SMTP over site links, you must install and configure an enterprise certification authority (CA). The domain controllers obtain certificates from the CA, which the domain controllers then use to sign and encrypt the mail messages that contain directory replication information, ensuring the authenticity of directory updates. SMTP replication uses 56-bit encryption.
You could use SMTP synchronization over the Internet, but it is complicated, and it can't be used to synchronize domain controllers in the same domain.
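As an added example (not part of the original thread or of Microsoft's documentation), the PowerShell below lets an administrator verify which transport each site link actually uses and whether inter-site replication is succeeding, which is the first thing to check after adding a branch office DC. It assumes the ActiveDirectory RSAT module is installed, the session runs as an account that can read the Configuration partition, and the cmdlets and property names shown (Get-ADReplicationSiteLink, Get-ADReplicationPartnerMetadata, InterSiteTransportProtocol, IntersiteTransportType) are available, as they are on Windows Server 2012 and later. The function names and the SMTP warning are this example's own.

```powershell
# Added example, not code from the original post.
# Inventory site-link transports and check inter-site replication health.
Import-Module ActiveDirectory

function Get-SiteLinkTransportReport {
    # One row per site link: the transport it rides on (IP = RPC, SMTP = mail-based),
    # its cost, its replication interval and the sites it joins.
    $links = Get-ADReplicationSiteLink -Filter * -Properties InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes, SitesIncluded
    foreach ($link in $links) {
        # SitesIncluded holds full DNs (CN=Branch,CN=Sites,CN=Configuration,...); keep just the CN.
        $siteNames = ($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        $note = ''
        if ($link.InterSiteTransportProtocol -eq 'SMTP') {
            # SMTP links only carry schema, configuration and GC partial replicas,
            # never the domain partition, and they need an enterprise CA for signing/encryption.
            $note = 'SMTP: domain partition is NOT replicated over this link; enterprise CA required'
        }
        [pscustomobject]@{
            Link      = $link.Name
            Transport = $link.InterSiteTransportProtocol
            Cost      = $link.Cost
            Minutes   = $link.ReplicationFrequencyInMinutes
            Sites     = $siteNames
            Note      = $note
        }
    }
}

function Get-InboundReplicationHealth {
    param(
        # Flag a partner as stale when its last successful pull is older than this.
        [int]$StaleHours = 24
    )
    # For every DC, list inbound partners, the transport used and the last successful replication.
    $cutoff = (Get-Date).AddHours(-$StaleHours)
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $_.Server
                    Partner     = $_.Partner
                    Partition   = $_.Partition
                    Transport   = $_.IntersiteTransportType
                    LastSuccess = $_.LastReplicationSuccess
                    Failures    = $_.ConsecutiveReplicationFailures
                    Stale       = ($_.LastReplicationSuccess -lt $cutoff)
                }
            }
    }
}

# Usage: run both reports and surface anything that needs attention.
Get-SiteLinkTransportReport | Format-Table -AutoSize
Get-InboundReplicationHealth | Where-Object { $_.Stale -or $_.Failures -gt 0 } | Format-Table -AutoSize
```

A branch DC that belongs to the same domain as the other offices must appear with an IP (RPC) transport partner for the domain partition; if the only link to that site is SMTP, the domain partition will never replicate there, which is exactly the limitation the answer above describes. The health report only reads replication metadata, so it can be run routinely from a monitoring host without any change to the directory.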