TERMS

This document and what comes with it are provided as-is with blunt warning: Use at your own risk, buyer beware. You break your system; you own the resolution as well. We have no liability for what you do, or can't do, or fail to do with this information. Your entire protection is to start over again with a protected backup, or from a protected system. If you don't want to accept this idea, please don't use this document.

Hardware VPN from remote router to SBS router: This is a very stable connection and will always be up, so the remote server and its clients will be connecting to the domain from boot, but the SBS server should only have one network adapter and thus can't be running ISA.

Hardware VPN from remote router to a second SBS router that is directly connected to the internal SBS network: This is also very stable, but it can only be done if the SBS network has multiple public IPs and if the SBS internet device is capable of routing the several public IPs to different internal IPs. The SBS server can have two network adapters and can have ISA installed. Javier (SBS-MVP) has described the layout of this kind of VPN connection here: Javier's SBS Wonderland : Site to Site VPN while keeping ISA in the Mix: http://msmvps.com/blogs/javier/archive/2004/12/08/23045.aspx An article with the complete steps to create such a branch office connection will be published soon.

Software VPN from remote DC to SBS: On the remote DC we could create a VPN connection just as you would normally do on a remote client machine to connect to the SBS network. The disadvantage of this kind of connection is that the remote DC needs to be logged in to start up the VPN connection. Alternatively, we can use RAS on the remote DC to create a persistent VPN connection to the SBS server, which will start automatically when the remote DC is rebooted and doesn't need the remote DC to be logged in. This will only work when the SBS has two NICs and ISA 2004 installed.
A disadvantage of this kind of connection is that after a reboot it will take a little while before RAS connects automatically to the SBS with a dial-in on the remote DC, which will give some warnings in the event log. Another disadvantage is that although the remote network will see all machines in its Network Neighborhood, the remote machines will NOT be visible in the SBS internal Network Neighborhood. This means you will have to map a drive manually if that is needed, as browsing won’t show the remote machines.

I would like to thank Justin Crosby from Microsoft CSS for additional investigation he has done to help me write these articles.

The first article will describe the steps that need to be done on the SBS server to prepare for a remote additional domain controller. The second article will describe the steps that need to be done on the remote Windows 2003 server, up to and including joining and promoting this server to an additional DC. The third article (not yet available) has the steps that need to be done after the remote DC has successfully replicated and will include some fine tuning on the SBS server as well as on the remote DC.

Whichever kind of VPN connection you use to connect a remote office to the SBS network, you will have to do several steps on the SBS server as well as on the remote server to get them properly connected.

On the SBS server we will use Active Directory Sites and Services to create a new site for the remote office, and we will create the subnets of both locations. Then we will create a new Reverse Lookup Zone in the DNS server for the remote subnet. As we will be using RRAS on the remote server for the VPN connection, we will have to create a special user account. Because the SBS server has ISA installed, we will need to add the remote subnet to the network configuration, and we need to add the remote site VPN connection and some rules.
And finally we will need to enable the Intersite Messaging service and fix a DCOM 10016 error. Then the SBS server is ready and the new remote server can be joined to the SBS domain.

We will want the remote server to have DNS, DHCP and WINS installed. We don't need to configure these options yet; we will configure them after the joining. The DNS server will already be configured by dcpromo but will need some corrections later. All the preparation work and the actual joining and promoting of this remote server will be described in the second article of this series.

When the new remote server is successfully joined and replication has taken place, there are a few more things that need to be done on the SBS server to complete the new remote office connection. The remote DC will also need some fine tuning. Those steps will be published in the third article of this series.