Professional Documents
Culture Documents
Connecting Remote Sites
Connecting Remote Sites
Connecting Remote Sites
Connecting Remote
Sites
The Routing and Remote Access service in the Microsoft® Windows® Server 2003 operating system supports
remote site connectivity by using dial-up or virtual private network (VPN) connections. You can deploy either a
temporary or persistent site-to-site (also known as router-to-router) connectivity solution in your network to
achieve optimal scalability, security, and performance while reducing your connection costs.
In This Chapter
Overview of Remote Site Connectivity......................................... .......................220
Choosing the Remote Site Connection Type...................................... ..................225
Choosing Security Features...................................................................... ...........234
Integrating the Remote Site Connection into Your Network.................................251
Preparing for Server Configuration........................................................... ...........262
Deploying a Site-to-Site Connection............................................................ ........268
Additional Resources.............................................................................. .............299
Related Information
• For more information about name resolution, see “Deploying DNS” and “Deploying WINS” in
this book.
• For more information about IP address assignment, see “Deploying DHCP” in this book.
• For more information about the Active Directory® directory service replication between sites,
see “Designing the Site Topology” in Designing and Deploying Directory and Security Services
of this kit.
• For more information about creating hardware and software inventories and mapping your
existing network before deploying new features, see “Planning for Deployment” in Planning,
Testing, and Piloting Deployment Projects of this kit.
220 Chapter 10 Connecting Remote Sites
Note
The Routing and Remote Access service can support both site-to-site
connections between remote offices and remote access connections
for individual computers. This chapter focuses on site-to-site
connections.
Before you begin the design process to introduce a new site-to-site connection into your network, or modify an
existing connection, inventory your existing hardware and software, and create or update a map of your current
network. Updating your inventory and network configuration information facilitates both the design and the
deployment phases. For a guide to conducting inventories and creating a network map, see “Planning for
Deployment” in Planning, Testing, and Piloting Deployment Projects of this kit.
Additional Resources 221
Note
For a list of job aids that are available to assist you in deploying site-to-
site connection technology, see “Additional Resources” later in this
chapter.
The following sections describe three typical remote site connection solutions — a Point-to-Point Tunneling
Protocol (PPTP) VPN connection, a Layer Two Tunneling Protocol over Internet Protocol security
(L2TP/IPSec) VPN connection, and a dial-up connection. For detailed information about each connection type
and the range of available configuration and security options, see “Choosing the Remote Site Connection Type”
and “Choosing Security Features” later in this chapter.
Dial-up Solution
Organizations with moderate traffic between a branch and a main office might choose to replace an existing
leased WAN link with a dial-up WAN link or use a dial-up WAN link to create a new connection. Figure 10.4
shows an example of a site-to-site connection that uses an ISDN dial-up link. One common situation in which
you might deploy a dial-up link is as a backup solution when a VPN link provides your primary connection. For
more information about when to use a dial-up connection, see “Choosing a Dial-up or VPN Connection” later in
this chapter.
A one-way initiated on-demand dial-up connection disconnects when the connection is idle for a specified
period of time and thus provides efficient access for branch office users who need only intermittent access to the
main office. A dial-up connection typically uses MS-CHAP v2as the user authentication method to authenticate
the calling router together with Microsoft Point-to-Point Encryption (MPPE) for data encryption. Configuring
reciprocal replication enables replication between domain controllers in separate sites over a one-way initiated
on-demand connection. Figure 10.4 depicts this solution.
Figure 10.4 One-Way Initiated On-Demand Dial-up Solution
Additional Resources 225
Dial-up Connections
Routing and Remote Access connections that run over a physical device (such as an ISDN adapter or analog
modem) that is installed on both the calling and answering routers are known as dial-up connections. These
connections differ from traditional WAN links in that they use existing telephone lines instead of leased lines. A
dial-up connection differs from a VPN connection in that it does not cross the Internet.
Using existing phone lines can substantially reduce connection costs, especially where traffic volume between
sites is low. Instead of paying for a permanent WAN connection 24 hours a day, you can configure the link to
disconnect when no traffic crosses the connection for a specified period of time. For example, customers who
use ISDN typically pay by the minute or by the byte, so configuring the call to hang up when the connection is
idle reduces cost.
To keep data transmission secure, a dial-up connection uses private, dedicated lines or circuits across a carrier’s
network. In addition, the connection uses Point-to-Point Protocol (PPP) user authentication and MPPE for data
encryption.
An organization might choose to deploy a dial-up connection if it has a small branch office that needs an
occasional dial-up connection to a main office. For a dial-up link used as the main site-to-site connection, using
ISDN is a viable option.
A larger organization that uses a VPN connection might also deploy an ISDN dial-up connection as a backup
solution in case the Internet connection in either site is ever unavailable. You can use a Public Switched
Telephone Network (PSTN) dial-up link as the backup if the primary link is Frame Relay with a committed
information rate (CIR) of 56 Kbps. If the link for which you need a backup is faster than 56 Kbps CIR, using a
PSTN dial-up connection as the backup is not feasible, because users accustomed to a faster connection will
perceive the dial-up connection as too slow or inoperable. If the primary link is faster than 56 Kbps, instead use
a synchronous circuit solution, such as ISDN or a leased-line circuit, for the backup.
In either of these situations, a dial-up connection provides a solution that is easy to deploy and cost-effective.
Additional Resources 227
VPN Connections
Routing and Remote Access connections that cross the Internet (or other shared network) are known as virtual
private network (VPN) connections. A VPN connection typically uses a physical link to a local ISP. A
VPN-based answering router always uses a permanent WAN link to an ISP, such as a T-Carrier, Frame Relay,
DSL, or cable modem link. The answering router’s permanent link to the Internet ensures that the router is
available whenever a calling router attempts to establish a connection. This link requires a static IP address,
which is assigned by your local ISP (or by InterNIC), on the answering router’s Internet-connected interface.
However, a VPN-based calling router might use a permanent WAN link to an ISP, or it might use a temporary
link (such as a modem or adapter) to the ISP.
When traffic volume is high or permanent connectivity across long distances is required, using a VPN
connection to transport data across the Internet is more cost-effective than using a dedicated WAN line or a
dial-up connection.
To keep data transmission secure, a VPN connection uses PPP user authentication, routes packets encapsulated
in a secure tunnel across the Internet, and uses MPPE or IPSec encryption to protect the data portion of the
packet. This virtual point-to-point connection emulates a dedicated, private, physical point-to-point connection
but lets you replace long-distance WAN links with local WAN links to your nearby ISP. The ISP does not install
any VPN software on its equipment, nor is any VPN software installed on the intermediate routers that a VPN
data packet crosses.
If you choose a VPN connection in which the calling router uses a temporary link to connect to its local ISP, the
temporary link can be either a dial-up link or a PPP over Ethernet (PPPoE) link. The calling router first
establishes the dial-up or PPPoE link to the ISP and then establishes the VPN tunnel across the Internet to the
answering router. Many broadband ISPs use PPPoE. PPPoE links to the ISP are faster than dial-up links.
An example of an organization that might choose to deploy a VPN connection is a large enterprise with several
large satellite offices that each need secure connection for high-volume traffic across the Internet to a
headquarters office.
228 Chapter 10 Connecting Remote Sites
(continued)
Additional Resources 229
If you use both a PPTP and an L2TP/IPSec solution, you can create separate remote access policies that define
different connection parameters for each connection type. For example, if you have PPTP VPN connections to
two branch offices whose calling routers run Windows NT 4.0 with RRAS, you might want to create a more
restrictive remote access policy for those connections than the remote access policy that you create for an
L2TP/IPSec VPN connection to a branch office whose calling routers run Windows Server 2003 and use
computer-level authentication. For more information about creating remote access policies for a site-to-site
connection, see “Configure a Remote Access Policy” later in this chapter.
Additional Resources 231
Choosing an On-Demand or
Persistent Connection
You can configure the calling router for any of the connection types — dial-up, PPTP VPN, or L2TP/IPSec
VPN — with either an on-demand or a persistent connection. Table 10.3 describes and compares these
connection type options.
Table 10.3 Comparing On-Demand and Persistent Connections
Connection Type Description Use
On-demand Establishes a Use an on-demand connection if
connection connection when using the communications link
traffic is forwarded, incurs per-minute charges.
and it terminates the For an on-demand VPN
connection when the connection, the initiating router
link is not used for a can use either a permanent or a
specified period of dial-up link to the Internet. The
time. answering router must have a
permanent link to the Internet to
ensure that it is available when a
calling router attempts to
establish a connection.
Persistent Sustains a connection Use a persistent connection in
connection for 24 hours a day. the following circumstances:
• When the cost of the connection
is based on a flat fee, such as
for a link to a local ISP for each
site when sites are located in
separate cities or for a
connection between different
sites within the same city.
• When data traffic is time-
sensitive. For example, if you
support mainframe terminal
connectivity between sites,
if the terminals must wait for an
on-demand VPN connection to
be activated, the connection
attempt will time out before the
session can be launched.
For a persistent VPN connection,
both the calling and the
answering router must use
a permanent link to the Internet.
232 Chapter 10 Connecting Remote Sites
For on-demand connections, to prevent the calling router from establishing unnecessary connections, you can
use demand-dial filtering and dial-out hours:
• Demand-dial filters. To prevent a VPN calling router from initiating unnecessary connections,
you can configure demand-dial filters to specify the types of IP traffic for which the router will
or will not create a demand-dial connection. You can identify traffic to accept or reject based on
source and destination addresses of incoming traffic and the protocol in use. It is recommended
that you match the demand-dial filters to the IP packet filters configured on the demand-dial
interface. If there is specific traffic that is not allowed across the demand-dial interface when it
is connected, that same traffic should not be allowed to initiate a demand-dial connection using
that interface. For example, if you have a packet filter that prevents ICMP traffic from being
sent across the demand-dial interface, then you should configure a demand-dial filter to prevent
ICMP traffic from initiating the demand-dial connection. For more information about matching
demand-dial filters to IP packet filters, see “Integrate the VPN Server into a Perimeter
Network” and “Configure IP Packet Filters and Demand-Dial Filters” later in this chapter.
• Dial-out hours. To prevent a dial-up or VPN calling router from initiating unnecessary
connections, you can configure dial-out hours to specify the hours during which a calling router
is either permitted to make a site-to-site connection or denied the connection. You can also
configure remote access policies on the answering router to restrict the time periods when
incoming demand-dial connections are allowed.
Additional Resources 233
For both a one-way and a two-way initiated connection, use the properties of the router in the Routing and
Remote Access snap-in to configure both the calling and the answering router as a local area network (LAN)
router and as a demand-dial router.
234 Chapter 10 Connecting Remote Sites
If you have more than one answering router or other types of access servers (such as wireless access servers),
you can use a single RADIUS server to provide centralized authentication, authorization, and accounting for all
answering routers and access servers instead of administering each answering router and access server
separately. To simplify administration for a combined site-to-site and remote access connection, you can use
IAS to store both site-to-site and remote access information.
In an Active Directory domain, it is recommended that you use the Windows Server 2003 version of IAS as
your RADIUS server. The IAS RADIUS server is tightly integrated with Windows Server 2003, Active
Directory, and the Routing and Remote Access service. When you use RADIUS authentication, you configure
each of participating answering router as a RADIUS client. After you configure both the answering router and
the IAS server, the answering router uses remote access policies stored on the IAS server instead of those on the
answering router.
Although it is possible to use RADIUS as the authentication provider for a site-to-site only connection, you do
not need RADIUS. Deploying an IAS server is unnecessary administrative overhead for a demand-dial
connection that connects two sites but does not support remote access users.
The credentials that the calling router passes to the answering router for verification are those of a user account,
either in Active Directory or on the local computer. Authorization is granted based on the dial-in properties that
you specify in the user account and on remote access policies configured on the answering router (or on the
RADIUS server). For more information, see “Choosing Router User Accounts and Groups” and “Choosing a
Remote Access Policy Type” later in this chapter.
The authentication provider that you choose also functions as the authorization provider. However, the Routing
and Remote Access service does not require that you use the same provider for authentication and authorization
that you use for accounting. You can use Windows for authentication and RADIUS for accounting, or vice
versa. However, if you have multiple answering routers that support remote access users, consider using
RADIUS for integrated authentication, authorization, and accounting, and, if you use IAS, to manage remote
access policies.
For more information about RADIUS authentication, see “Checklist: Configuring IAS for dial-up and VPN
access” in Help and Support Center for Windows Server 2003. For more information about deploying IAS to
perform centralized authentication, authorization, and accounting, see “Deploying IAS” in this book.
238 Chapter 10 Connecting Remote Sites
Certificate-based EAP-TLS
EAP-TLS is a more secure protocol than MS-CHAP v2 for user-level authentication on a dial-up, PPTP VPN, or
L2TP/IPSec VPN connection. EAP-TLS requires a certificate infrastructure, because it uses a user certificate for
the calling router and a computer certificate for the authenticating server of the answering router. The identity of
the authenticating server depends on the authentication provider:
• If Windows provides authentication, as is the case for a site-to-site only connection, the
computer certificate is installed on the answering router. The answering router must be joined to
the Active Directory domain.
• If RADIUS provides authentication, as might be the case if your answering router also supports
remote access users, the computer certificate is installed on the RADIUS server. If the RADIUS
server is an IAS server, it must be joined to the Active Directory domain. In this case, the
answering router does not need to belong to the domain.
EAP-TLS is recommended for all connection types both because it is the strongest method for user
authentication and because it provides mutual user authentication between calling and answering routers. The
calling router submits a user certificate for authentication, and the answering router (or RADIUS server)
submits a computer certificate for authentication. With EAP-TLS, the user account that the answering router
uses to authenticate and authorize the calling router must be an Active Directory user account.
Additional Resources 239
If you plan to use certificate-based EAP-TLS, you can use a third-party CA if the conditions in Table 10.5 are
met.
Table 10.5 Requirements for Using a Third-Party CA
Certificates Installed on Authenticating
Server Certificates Installed on Calling Router
(Answering Router or RADIUS Server)
• Computer certificates must be • User certificates must have a
installed in the Local Computer corresponding private key.
certificate store. • User certificates must contain the
• Computer certificates must have a Client Authentication EKU (the
corresponding private key. 1.3.6.1.5.5.7.3.2 object identifier).
• The cryptographic service provider • User certificates must be installed in
for the certificates must support the Current User certificate store.
secure channel (Schannel). (If not, • User certificates must contain the
the authenticating server cannot use universal principal name (UPN) of the
the certificate and the certificate user account in the Subject
cannot be selected from the Alternative Name property.
properties of the Smart Card or Other
• The root CA certificates of the CAs
Certificate EAP type on the
that issued the authenticating server
Authentication tab in the properties of
computer certificates must be
a profile for a remote access policy.)
installed in the Trusted Root
• Computer certificates must contain Certification Authorities store.
the Server Authentication certificate
purpose (also known as an enhanced
key usage [EKU]). An EKU is
identified using an object identifier
(also known as an OID). The object
identifier 1.3.6.1.5.5.7.3.1 represents
Server Authentication.
• Computer certificates must contain
the fully qualified domain name
(FQDN) of the computer account of
the authenticating server computer in
the Subject Alternative Name
property.
• The root CA certificates of the CAs
that issued the calling router user
certificates must be installed in the
Trusted Root Certification Authorities
certificate store.
For examples of how to deploy EAP-TLS certificate-based user authentication for site-to-site connections, see
“Deploying certificate-based authentication for demand-dial routing” in Help and Support Center for Windows
Server 2003. For more information about certificate types and requirements, see “Certificate Services” in Help
and Support Center for Windows Server 2003, and see “Designing a Public Key Infrastructure” in Designing
and Deploying Directory and Security Services of this kit.
240 Chapter 10 Connecting Remote Sites
Password-based MS-CHAP v2
Like EAP-TLS, MS-CHAP v2 also provides mutual authentication between the calling router and the answering
router. MS-CHAP v2 is a password-based authentication method in which the answering router uses either an
Active Directory user account or a local user account to authenticate the calling router. MS-CHAP v2 is the
recommended method for user authentication if a certificate infrastructure is not available.
If you use a local user account for MS-CHAP v2 authentication, the demand-dial routers do not need to join the
Active Directory domain. Be sure to use strong passwords with MS-CHAP v2. In an Active Directory domain,
you can use Group Policy settings to enforce the use of strong passwords.
Understanding the following features can help you decide how you want to manage encryption:
• Link encryption versus end-to-end encryption. MPPE provides link encryption. Link
encryption encrypts data as it passes between the calling and answering routers. In addition to
providing computer-level authentication, IPSec provides end-to-end encryption for data that
passes between the sending and receiving nodes.
• Encryption method used if VPN connection type is Automatic. If you configure a VPN
connection for an Automatic server type (the default), the connection first tries to use PPTP
and its associated MPPE encryption, and then it tries to use L2TP and its associated IPSec
encryption. If you configure the VPN connection to connect to a PPTP server, only MPPE
encryption is used. If you configure the VPN connection to connect to an L2TP server, only
IPSec encryption is used.
• No encryption needed for link to ISP. For VPN connections, you do not need to use
encryption for the link between your site and the ISP, because no data is transmitted during the
process that establishes this connection. After the connection to the ISP is made, the data that
passes between the calling and answering routers is encrypted as it passes through the VPN
tunnel.
You configure MPPE and IPSec encryption strengths on the Encryption tab for the properties of a remote
access policy. For information about how to configure encryption in a remote access policy for a site-to-site
connection, see “Configure a Remote Access Policy” later in this chapter. For general information about
configuring encryption, see “Add a remote access policy” and “Remote access policy examples” in Help and
Support Center for Windows Server 2003.
Configure either MPPE or IPSec to use one of the encryption keys as shown in Table 10.7.
Table 10.7 Encryption Strength by Connection Type
Encryption Strength Dial-up or PPTP L2TP/IPSec
Basic 40-bit MPPE 56-bit DES
Strong 56-bit MPPE 56-bit DES
Strongest 128-bit MPPE 3DES (three 56-bit keys)
Additional Resources 243
Note
Windows NT 4.0 with the 128-bit version of Service Pack 4 (SP4) can
support 128-bit MPPE, but it does not support 56-bit MPPE. Therefore,
any Windows operating system earlier than Windows NT 4.0 SP4 is not
recommended, because security enhancements for MS-CHAP and
MPPE are not included.
Caution
If the user account name does not match the name of the demand-dial
interface, the answering router identifies the calling router as a remote
access client rather than as a demand-dial router. In this case, the
connection might not work correctly. For this reason, do not change the
user account name without also changing the corresponding demand-
dial interface name.
Table 10.8 shows an example configuration of the demand-dial interfaces and user accounts for a two-way
initiated VPN connection. The example in Table 10.8 uses Active Directory user accounts for the routers. In
some cases, you can alternatively use a local user account.
Table 10.8 Example Configuration of Demand-Dial Interfaces and User Accounts for a Two-
Way Initiated VPN Connection
User Account
Router Demand-Dial Interface
for Calling Router
Router located in Interface Name: VPN_NewYork VPN_NewYork
Seattle Destination IP Address: PasswordTwo
(Functions as both a 131.107.0.1
calling and an Credentials: VPN_Seattle
answering router)
Password: PasswordOne
Router located in New Interface Name: VPN_Seattle VPN_Seattle
York Destination IP Address: PasswordOne
(Functions as both a 157.54.0.1
calling and an Credentials: VPN_NewYork
answering router)
Password: PasswordTwo
For a two-way initiated VPN connection, such as the example in Table 10.8, the name of the demand-dial
interface for each router must match the user name in the remote router’s user credentials so that each router
knows that a requested connection is for a site-to-site connection rather than for a remote access connection. The
destination address of the remote router is configured on the demand-dial interface so that each router knows
what address to connect to for the site-to-site connection. Each router uses the user account (the credentials and
password of the remote router) to authenticate the remote router when it attempts to establish a connection.
Additional Resources 245
Table 10.9 shows an example configuration of the demand-dial interfaces and user accounts for a one-way
initiated dial-up connection in which two branch offices — Portland and Olympia — call the headquarters office
in Seattle. In this case, because the connection is a one-way initiated connection, no demand-dial interface is
required on the answering router. Therefore, the “rule” that the calling router’s user account name must match
the name of a demand-dial interface on the answering router does not apply. If you do not create a demand-dial
interface on the answering router, you use the calling router’s local or Active Directory user account to
configure static routes that identify the network IDs of the calling router’s site.
Table 10.9 Example Configuration for a Dial-up One-Way Initiated Connection
Calling Router User
Router Demand-Dial Interface
Accounts
Answering No demand-dial interface needed. DD_Olympia
router in If you do not configure a demand- PasswordOne
Seattle dial interface on the answering -and-
router, you must configure static
DD_Portland
routes specifying the network IDs
of the calling router’s site on the PasswordTwo
Dial-in tab of the calling router’s
user account.
Calling router Interface Name: DD_Seattle No user accounts needed,
in Olympia Modem or adapter: Modem on because the Seattle router
COM1 does not call the routers
in Olympia or Portland.
Phone number: 555-0111
Credentials: DD_Olympia /
PasswordOne
Calling router Interface Name: DD_Seattle No user accounts needed,
in Portland Modem or adapter: Modem on because the Seattle router
COM2 does not call the routers
in Olympia or Portland.
Phone number: 555-0111
Credentials: DD_Portland /
PasswordTwo
If you use a local account and password, you must use MS-CHAP v2 rather than EAP-TLS for user
authentication.
If you use RADIUS authentication, the RADIUS server can use a local user account to authenticate the calling
router. If you use a Windows Server 2003 IAS server as your RADIUS server, however, using Active Directory
accounts is recommended.
Note
If the user account is in a Windows Server 2003 or Windows 2000
mixed-mode domain, the Control access through Remote Access
Policy setting is not available, and you must set the remote access
permission in each calling router’s user account to Allow access.
Even when remote access permission is allowed, the connection attempt still can be denied on the basis of other
user account properties, such as callback options configured on the Dial-in tab, or it can be denied on the basis
of remote access policy conditions or profile settings. Authorization of the site-to-site connection is controlled
by a combination of the account dial-in properties (which includes the account remote access permission), the
policy remote access permission, and the profile constraints configured on the remote access policy.
248 Chapter 10 Connecting Remote Sites
You can configure the following settings on the user account Dial-in tab:
• Verify Caller ID (for dial-up router only). Typically, you use this option to increase security
when accepting dial-in connections from telecommuters, but you can also use it for a calling
router. Selecting this option requires that the calling router always call from the phone number
that you type. Windows Server 2003 uses the caller ID functionality of the modem and the
phone connection to verify that the dial-up router is in fact using the correct number; if the
number matches, the connection is allowed. This option is not available if the answering router
is in a Windows NT 4.0 domain or a Windows Server 2003 or Windows 2000 mixed-mode
domain.
Note
For caller ID verification to work, the calling router, the answering
router, and the phone system that connects them must all support
caller ID. In addition to supporting the caller ID feature, the calling and
answering routers must have the appropriate drivers to support the
transmission of caller ID information to the Routing and Remote Access
service.
• Callback Options. Typically, these options are used for managing individual dial-up remote
access users rather than demand-dial calling router user accounts. However, you can also
configure callback options for a dial-up demand-dial connection. For example, you can specify
that the main office router call the branch office router back if the main office has fixed or low-
cost long-distance rates and the branch office has higher long-distance rates.
• Assign a static IP address (for dial-up or VPN routers). Use this option to cause the remote
router to assign a static IP address to this router when a connection is made. For more
information about assigning IP addresses, see “IP Address Assignment for the Logical
Interface” later in this chapter. You can increase security by specifying which IP address the
router must use. This option is not available in a Windows NT 4.0 domain or a Windows
Server 2003 or Windows 2000 mixed-mode domain.
If the static IP address that you specify is not valid or is already in use by another calling router
or by a remote access user, the answering router assigns a dynamic IP address to the calling
router.
• Apply static routes (for dial-up or VPN routers). This option is designed for one-way
initiated site-to-site connections. You select Apply static routes to add static IP routes (network
IDs) for the calling router’s site to the routing table of the answering router when a connection
is made. This lets the answering router forward packets to all addresses on the calling router’s
intranet across the connection to the calling router. This option is not available if the answering
router is in a Windows NT 4.0 domain or a Windows 2000 mixed-mode domain.
Additional Resources 249
For more information about using Windows Server 2003 remote access policies, see “Remote access policies”
in Help and Support Center for Windows Server 2003. For more information about using remote access policies
with an Internet Authentication Service (IAS) server, see “Deploying IAS” in this book and see the Networking
Guide of the Microsoft® Windows® Server 2003 Resource Kit (or see the Networking Guide on the Web at
http://www.microsoft.com/reskit).
• Demand-dial interface for the local ISP. On the calling router — for a VPN connection in
which the branch office router uses a temporary link to a local ISP only — you must configure a
static host route on the demand-dial interface that connects to the local ISP. The destination that
you specify for this static host route is the IP address of the answering router’s Internet-
connected interface; this IP address is assigned to the answering router by its local ISP (or by
InterNIC).
• Router user account. For a one-way connection in which the answering router is a standalone
router or a member of a native-mode Active Directory domain, you can omit creating a
demand-dial interface on the answering router. In this case, you must configure a static route or
routes in the calling router’s user account that identify the network IDs of the calling router’s
site.
For information about how to configure these static routes, see “Configure Static Routes” later in this chapter.
For general information about the difference between using static routes or routing protocols, see the discussion
of developing routing strategies in “Designing a TCP/IP Network” in this book.
Auto-static Updates
You can add the static routes that correspond to the network IDs available across a demand-dial interface either
manually or by using auto-static updates. An auto-static update is a one-time, one-way transfer of routing
information. In contrast to the periodic announcements issued by routing protocols, an administrator must either
issue a command to initiate a manual auto-static update or must schedule auto-static updates by running the
update as a scheduled task.
When instructed, a demand-dial interface that is configured for auto-static updates sends a request across an
active connection to request all of the routes of the router on the other side of the connection. In response to the
request, all of the routes of the requested router are automatically entered as static routes in the routing table of
the requesting router.
Numbered Connection
A numbered IP address assignment can occur in one of the following ways:
• Dynamic IP addresses allocated by a DHCP server. The answering router obtains the IP
address to assign to a calling router from a DHCP server. This is the default method for IP
address assignment. If no DHCP server is available, the router uses an address from the
Automatic Private IP Addressing (APIPA) range 169.254.0.1–169.254.255.254. You must
install a DHCP server on each network that contains an answering router.
• Dynamic IP addresses allocated from a static address pool configured on the answering
router. The answering router obtains the IP address from a static pool of addresses. If you
configure a static address pool, be sure to use only IP addresses that are not in a range that your
DHCP server might assign to another computer and that are not already assigned to specific
computers. The pool can be ranges of addresses that are a subset of addresses from the IP
network to which the server is attached or from a separate subnet. As described earlier, if the
static IP address pool address ranges represent a different subnet, ensure that routes to the
address ranges exist on the routers of your intranet so that traffic to the logical interface of a
calling router is forwarded to the remote server.
• Static IP address specified in the calling router user account. You configure a static IP
address on the router user account Dial-in tab for both the calling and the answering router. In
this case, when a calling router initiates a connection, creates a temporary logical interface, and
requests that the answering router assign an IP address to this logical interface, the answering
router assigns the IP address specified in the calling router’s user account. The answering router
then creates a logical interface and requests an IP address for itself from the calling router. The
calling router assigns the IP address specified in the answering router’s user account.
Additional Resources 259
Unnumbered Connection
Site-to-site connections in Windows Server 2003 and Windows 2000 do not require a numbered connection
(Windows NT 4.0 RRAS connections do require a numbered connection). If one of the routers rejects the
request for an IP address during the connection establishment process between a calling and an answering router
(because no addresses are available to assign, probably due to a misconfiguration), a connection is still
established. In this case, the logical interface on the PPP connection does not have an assigned IP address. This
is known as an unnumbered connection.
The routing protocols provided with Routing and Remote Access cannot operate over unnumbered connections.
Therefore, you must use static routing if you use unnumbered connections.
A related problem is that if you configure packet filters on the answering router to allow only traffic over a VPN
connection, all other traffic is discarded. Attempts to connect to services running on the answering router fail in
this situation, because traffic attempting to connect to those services is not sent over the site-to-site VPN
connection.
If the site DNS and WINS servers do not contain a record mapping the name of the VPN router to its public IP
address, traffic to services running on the VPN router is always sent across the VPN connection. To ensure that
the name of the VPN router is always resolved to the private or site IP address of the VPN router, disable DNS
dynamic update and NetBIOS over TCP/IP (NetBT) on the Internet-connected interface (or interfaces) of the
VPN router from the properties of the Internet connection in Network Connections as follows:
• Prevent DNS name resolution. To prevent a VPN router from dynamically registering the
public IP address of its Internet interface on the site DNS servers, on the Internet interface of
the router, configure the properties of Internet Protocol (TCP/IP) by clicking the Advanced
button, selecting the DNS tab, and then clearing the Register this connection’s addresses in
DNS check box.
• Prevent WINS name resolution. To prevent a VPN router from dynamically registering the
public IP address of its Internet interface on the site WINS servers, on the Internet interface of
the router, configure the properties of Internet Protocol (TCP/IP) by clicking the Advanced
button, selecting the WINS tab, and then selecting the option Disable NetBIOS over TCP/IP.
Note
By default, the Routing and Remote Access Wizard clears Register
this connection’s addresses in DNS and selects Disable NetBIOS
over TCP/IP. Be sure not to change these defaults if you want users to
be able to access services such as file shares on the answering VPN
router.
For more information about name resolution, see “Deploying DNS” and “Deploying WINS” in this book.
For more information about creating hardware and software inventories, see “Planning for Deployment” in
Planning, Testing, and Piloting Deployment Projects of this kit. The flowchart in Figure 10.8 shows the tasks
required when preparing to configure the router server.
Figure 10.8 Preparing for Server Configuration
New Features
In Windows NT Server 4.0, routing and remote access are separate services. In Windows 2000 Server and
Windows Server 2003, these functions are combined in the single Routing and Remote Access service.
Table 10.10 lists new features available in Windows Server 2003 and Windows Server 2000.
Table 10.10 New Features for Dial-up or VPN Site-to-Site Connections Since Windows NT
Server 4.0 RRAS
Windows
New Features
Release
Windows 2000 • L2TP/IPSec. An L2TP/IPSec VPN tunnel provides stronger
Server security than a PPTP VPN tunnel.
• Remote access policies. This feature gives administrators
more flexibility in setting remote access permissions and
connection restraints.
• MS-CHAP v2. This type of password–based user
authentication provides a stronger alternative to MS-CHAP.
(MS-CHAP v2 is also available in Windows NT 4.0 SP4.)
• EAP. Support for EAP lets you use installable authentication
methods, such as EAP-TLS certificate-based user
authentication, which is stronger than password-based user
authentication.
Windows • Improved wizards and snap-in. The Routing and Remote
Server 2003 Access and Demand-Dial Interface wizards and the Routing
and Remote Access snap-in are easier to use.
• Intranet and Internet-connected interface improvements.
By default, the Routing and Remote Access service now
disables dynamic DNS on the intranet interface and disables
dynamic DNS and NetBIOS over TCP/IP on the Internet-
connected interface to ensure correct name resolution of the
router and to ensure access to services running on the router.
• Preshared keys. Support for configuring preshared keys using
the Routing and Remote Access snap-in provides an
alternative to computer certificates in L2TP/IPSec
authentication.
• NAT/Basic Firewall configuration. You can use Manage Your
Server to configure the NAT/Basic Firewall component of
Routing and Remote Access. NAT integration with static and
dynamic packet filtering lets you configure NAT interfaces to
work with Basic Firewall or with incoming or outgoing static
packet filters.
• NAT-T. IPSec NAT traversal (NAT-T) lets you create
L2TP/IPSec connections from a calling or answering router
that is located behind one or more NATs.
• PPPoE. Support for PPPoE lets a small business use
NAT/Basic Firewall and their broadband Internet connection to
connect a branch office to their local ISP. Using PPPoE for an
on-demand connection is faster than using a dial-up link to
connect to the ISP.
Additional Resources 265
Before you deploy a dial-up or VPN router, install and configure the required hardware and the appropriate
drivers, and test whether each one functions properly. To determine if the hardware in your organization is
certified and compatible, see the Windows Catalog link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.
The following is a list of services that you might be able to disable on a server that you plan to use as a demand-
dial router:
• Distributed File System (DFS)
• Distributed Transaction Coordinator
• Fax Services
• File Replication service (FRS)
• Indexing Service
• Internet Connection Sharing (ICS)
• Intersite Messaging
• Kerberos Key Distribution Center
• License Logging Service
• Print Spooler
• Task Scheduler
• Telnet
• Windows Installer
Important
Do not disable the remote registry service. If you disable it, the
demand-dial router cannot operate correctly.
Deploying a Site-to-Site
Connection
After you make all the necessary design decisions, you can deploy a remote site connection for your
organization. The flowchart in Figure 10.9 shows the tasks that can help you to successfully deploy a site-to-site
connection.
Figure 10.9 Deploying a Site-to-Site Connection
If you want to try a test deployment to prepare for your production deployment, see “Perform a Test
Deployment in Your Lab” later in this chapter. If you are ready to connect two sites in your production
environment now, see “Deploy a Remote Site Connection” later in this chapter.
When testing how to deploy a remote site connection, evaluate the following key issues in a lab setting before
deciding how to deploy the technology in your production environment:
• Whether to deploy a dial-up connection, a PPTP VPN, or an L2TP/IPSec VPN.
• Whether to deploy an on-demand connection or a persistent connection.
• Whether to deploy a one-way initiated connection or a two-way initiated connection.
• If you plan to deploy a VPN connection, what type of perimeter network you want to use.
• Whether to use certificate-based EAP-TLS or password-based MS-CHAP v2 for user-level
authentication.
• If you plan to deploy an L2TP/IPSec VPN connection (the only connection type that offers
computer-level authentication), whether to use computer certificates or preshared keys.
• Whether the encryption method, such as a dial-up or PPTP VPN connection using MPPE
encryption or an L2TP/IPSec VPN using IPSec for encryption, influences your decision about
which connection type to use.
• Whether to use an Active Directory account (and join your routers to the Active Directory
domain) or use a local account for your router user accounts.
• Which dial-up options to set in the router user account.
• Whether to use a default remote access policy, a common policy, or a custom policy.
• Which static IP addresses and which static routes are needed.
• Which routing protocol or protocols are needed.
• Whether your demand-dial routers will support Internet traffic.
• Whether to enable multicast connectivity between your sites.
• Whether to deploy a DHCP server in each site.
• Whether to deploy a domain controller in each site.
For a tool to assist you in evaluating some of the remote connectivity features presented in this list, see
“Example: Contoso Connects Remote Sites” (DNSREM_1.doc) on the Windows Server 2003 Deployment Kit
companion CD (or see “Example: Contoso Connects Remote Sites” on the Web at
http://www.microsoft.com/reskit). This job aid shows you how to deploy a PPTP VPN and a dial-up connection
in a lab environment.
For additional test lab deployment examples, including information about deployments that include certificates
and L2TP/VPN connections, see “Routing scenarios” and “Virtual private network implementation examples”
in Help and Support Center for Windows Server 2003.
270 Chapter 10 Connecting Remote Sites
For a copy of Figure 10.10 that you can use to record which deployment options you need for your site-to-site
deployment, see “Site-to-Site Connection Deployment Steps” (DNSREM_2.doc) on the Windows Server 2003
Deployment Kit companion CD (or see “Site-to-Site Connection Deployment Steps” at
http://www.microsoft.com/reskit). You can also use this worksheet as a guide for the sequence in which you
must perform the tasks.
Additional Resources 271
Note
This procedure assumes that both sites belong to the same Active
Directory domain.
1. Install the Windows Server 2003 operating system on a computer at the main office, promote it
to a domain controller, and then confirm that it successfully replicates with the existing domain
controllers.
2. Log on as a member of either the Domain Administrators or Enterprise Administrators security
group of the forest root domain, open Active Directory Sites and Services, right-click Sites,
select New Site, type a name for the new branch office site, and then, under Link Name, select
the appropriate site link (such as DEFAULTIPSITELINK).
3. Right-click the server object of the new branch office domain controller from its current
location (which might be under Default-First-Site-Name), click Move, and then, in the Move
Server dialog box, click the new site that you just created.
4. Right-click Subnets, click New, and then click Subnet to create a new child for the new remote
site, providing the appropriate network ID and subnet mask.
Note
If, until now, your domain has had only one site, you must create two
child objects under Subnets — one for the main office site and one for
the branch office site, each with its own network ID and subnet mask.
5. If necessary to optimize network performance, make the domain controller a global catalog.
6. Ship the new domain controller to the remote site.
7. Install a LAN adapter connected to the branch office intranet, and then, on the LAN adapter’s
Internet Protocol (TCP/IP) Properties page, configure an IP address, subnet mask, and
gateway appropriate for the branch office subnet.
The domain controllers in the main and branch offices cannot replicate yet, because the demand-dial connection
does not exist yet. For information about how to configure replication after a connection exists, see “Configure
Replication” later in this chapter.
272 Chapter 10 Connecting Remote Sites
Each calling router must have a user account, which the answering router uses to authenticate the calling router.
If you have more than one calling router and if you joined your routers to the Active Directory domain, you can
add each router user account to an Active Directory group to simplify administration.
Use the following procedures to accomplish these tasks:
• Create Active Directory user accounts for routers.
• Add router user accounts to an Active Directory group.
Note
If a router is positioned between the demand-dial router that you are
configuring and the intranet, the Routing and Remote Access Wizard
might not be able to add the demand-dial router to the list of valid
remote access servers in the Active Directory. One workaround to this
problem is to temporarily configure the default gateway on the LAN
adapter. To do this, enter a value for the default gateway, run the
Routing and Remote Access and Demand-Dial Interface wizards (as
described later), and then remove the default gateway from the LAN
adapter.
Do not configure the intranet interface of the router to be a DHCP client. However, an answering router can still
use DHCP to obtain IP addresses for calling routers, and vice versa.
276 Chapter 10 Connecting Remote Sites
Note
Alternatively, you can set up the routers to dial in once, install Active
Directory on the computer in the branch office that you want to use as
the domain controller, replicate, and then join the routers to the domain.
Note
It is also possible to use a preshared key to provide authentication for
IPSec security associations for an L2TP/IPSec connection. However,
using computer certificates is the recommended method.
For information about how to create a certificate infrastructure and install computer certificates, see “Certificate
Services” in Help and Support Center for Windows Server 2003, and see “Designing a Public Key
Infrastructure” in Designing and Deploying Directory and Security Services of this kit. For more information
about configuring a preshared key, see “Configure a pre-shared key for a demand-dial routing interface” in Help
and Support Center for Windows Server 2003.
For information about how to deploy certificates required by EAP-TLS see “Deploying certificate-based
authentication for demand-dial routing” in Help and Support Center for Windows Server 2003.
Note
You can skip step 1 if either of the following is true:
• If this server uses local authentication or authenticates against a
RADIUS server.
• If you have administrative rights to add the computer account of
the Routing and Remote Access server to the RAS and IAS
Servers security group. The wizard automatically adds the
computer to RAS and IAS Servers.
When the Routing and Remote Access Wizard completes, you might see the message
“Windows was unable to add this computer to the list of valid remote access servers in the
Active Directory. Before you can use this computer as a remote access server, the domain
administrator must complete this task.” If you see this message, click OK. Later, after you
complete the Demand-Dial Interface Wizard (described next), you will add the computer
account to the RAS and IAS Servers security group.
280 Chapter 10 Connecting Remote Sites
(continued)
Additional Resources 281
If the Routing and Remote Access Wizard (which ran before the Demand-Dial Interface Wizard) was unable to
add the computer to the list of valid remote access servers in Active Directory, you saw the error message
“Windows was unable to add this computer to the list of valid remote access servers in the Active Directory.
Before you can use this computer as a remote access server, the domain administrator must complete this task.”
To enable the computer to function as a remote access server, add the computer account for the router to the
RAS and IAS Servers security group. For information about how to add a computer account to a group, see
“Add a computer account to a group” in Help and Support Center for Windows Server 2003. If you did not see
the error message indicating that the computer had not been added to the valid remote access servers in Active
Directory, you do not need to perform this step.
After at least one demand-dial interface exists, you can run the Demand-Dial Interface Wizard at any time to
add additional demand-dial interfaces by right-clicking Network Interfaces in console tree, and then clicking
New Demand-dial Interface. You run the wizard again for the following reasons:
• To add other branch office sites, repeat the steps in this procedure for each additional demand-
dial interface you want to create.
• To establish a temporary link to the local ISP at the branch office in order to create a demand-
dial interface for that link, perform the steps as described in the next section.
Note
If you are deploying a non-VPN dial-up link, or a VPN connection
between two sites, each of which connects to its local ISP through a
dedicated link, do not perform these steps. Instead, perform the steps
in “Configure the Routing and Remote Access Service and Demand-
Dial Interfaces” earlier in this chapter.
Note
Do not perform these steps if you plan to create a common or custom
remote access policy, described next.
Note
Do not perform these steps if you plan to use the default policy,
described earlier.
• Router user account. For a one-way initiated connection in which the answering router is a
standalone router or a member of a native-mode Active Directory domain, you can omit
creating a demand-dial interface on the answering router, but, in this case only, you must create
one or more static routes on the calling router’s user account that identify the network IDs of
the calling router’s site.
Use the following procedures to accomplish these tasks:
• Create static routes on the LAN or demand-dial interfaces.
• Create static routes on the router user account.
Create static routes on the LAN or demand-dial interfaces
For each static route you create, fill out the Static Route dialog box as shown in Table 10.18. For information
about how to add static routes, see “Add a static route” in Help and Support Center for Windows Server 2003.
Table 10.18 Configuring the Static Route Dialog Box for a Site-to-Site Connection
Interface Action
LAN Specify values for the following fields:
interface • Interface. Select Local Area Connection.
(Calling and • Destination. Type the network ID of the local site.
answering
• Network mask. Type the subnet mask of the local site.
routers)
• Gateway. Do not specify a default gateway on the LAN interface.
• Metric. Select a number representing the appropriate metric.
(The check box Use this route to initiate demand-dial
connections is unavailable.)
Demand-dial Specify values for the following fields:
interface for • Interface. Select the demand-dial interface for the connection to
the remote the remote site.
site 1
• Destination. Type the network ID of the remote site.
(Calling (Alternatively, you can use the default route.)
router only)
• Network mask. Type the subnet mask of the remote site.
• Gateway. This field is unavailable.
• Metric. Select a number representing the appropriate metric. To
prevent this static route from causing problems with RIP or OSPF,
give it a higher cost than the cost of the static route configured on
the LAN interface.
Select the following check box:
• Use this route to initiate demand-dial connections.
(continued)
Additional Resources 289
Table 10.18 Configuring the Static Route Dialog Box for a Site-to-Site Connection (continued)
Interface Action
Demand-dial Specify values for the following fields:
interface for • Interface. Select the demand-dial interface for the link to the local
the local ISP ISP.
(if any) 1
• Destination. Type the IP address (static host route) of the
(Calling answering router’s Internet-connected interface.
router only)
• Network mask. 255.255.255.255
• Gateway. This field is unavailable.
• Metric. Select a number representing the appropriate metric. To
prevent this static route from causing problems with RIP or OSPF,
give it a higher cost than the cost of the static route configured on
the LAN interface.
Select the following check box:
• Use this route to initiate demand-dial connections.
1. You might have already created one or more static routes for one or both of these demand-dial
interfaces when you ran the Demand-Dial Interface Wizard.
Configure IP Multicasting
You can configure your site-to-site connection to support IP multicast applications.
To configure demand-dial routers for IP multicasting
1. For both the calling and the answering router, in the Routing and Remote Access snap-in,
expand IP Routing, right-click General, click New Routing Protocol, and then click IGMP
Router and Proxy.
2. Right-click IGMP, click New Interface, select the interface you want to enable, and then
configure the interface as follows:
a. Select Enable IGMP (the default), and then do the following:
If this is the demand-dial interface, select IGMP proxy.
If this is an intranet interface, select IGMP router.
b. Typically, for IGMP protocol version, you can accept Version 3 (the default).
3. If needed, modify the default IGMP router settings. In most cases, no changes are needed.
For more information about how to modify these settings, if analysis of your network indicates
that you do need to modify them, see “Configure IGMP router settings” in Help and Support
Center for Windows Server 2003.
Additional Resources 293
Configure Ports
If needed, you can change the default values for Ports in Routing and Remote Access.
To configure ports
• Fill out the Configure Device dialog box as shown in Table 10.19. For information about how
to configure ports for your site-to-site connection, see “Enable routing on ports” in Help and
Support Center for Windows Server 2003.
Table 10.19 Using the Configure Device Dialog Box to Configure Ports
Option Action
Remote access Select this option if you want to allow connections
connections (inbound from individual remote access users in addition to
only) connections from a remote router.
Demand-dial routing Select this option if you want to enable a site-to-site
connections (inbound demand-dial connection. This is the default.
and outbound)
Demand-dial routing This option is available only for a PPPoE
connections connection to the Internet. Select this option if you
(outbound only) want this router to function only as a calling router.
(continued)
Additional Resources 295
Table 10.19 Using the Configure Device Dialog Box to Configure Ports
(continued)
Option Action
Phone number for this If you configure a value for Called-Station-ID in the
device remote access policy associated with this
connection, you must manually type a value for this
field:
• If this is a dial-up connection, type the phone
number that was entered in the Called-Station-ID
remote access policy attribute.
• If this is a VPN connection, type the IP address of
the VPN server’s Internet-connected interface
(entered in the Called-Station-ID remote access
policy attribute).
Maximum ports For PPTP or L2TP/IPSec VPN routers only, change
the default number of ports. For optimal scalability,
use 10 or fewer ports.
Test Connectivity
Use the following procedures to test the remote site connection:
• Test network connectivity. To test network connectivity, ping a client computer at the main
office from a client computer in the branch office.
• Test application connectivity. To test application connectivity, map a network drive to a client
computer at the main office from a client computer in the branch office. For example, map a
drive to \\ClientComputerName\c$.
• Force replication between domain controllers in both sites. If you have a domain controller
in both sites, use the following procedure to test replication:
1. Open Active Directory Users and Computers, and create a new user account called, for
example, TestReplication.
2. Use the Active Directory Replicate Now option to test that replication takes place over
the site-to-site connection.
For information about how to force replication between the two sites, see “Force
replication over a connection” in Help and Support Center for Windows Server 2003.
3. Confirm that the new user account exists on domain controllers located in both sites.
Configure Replication
If you installed an Active Directory domain controller in the branch office, you must ensure that replication
takes place continually. How you do this depends on whether this is a persistent connection or an on-demand
connection.
Use the following procedures to accomplish these tasks:
• Configure a replication interval for a persistent connection
• Configure reciprocal replication for a one-way initiated on-demand connection
Caution
If you use the ADSI Edit snap-in and incorrectly modify the attributes of
Active Directory objects, you can cause serious problems that might
require you to reinstall Windows Server 2003. Microsoft cannot
guarantee that problems resulting from the incorrect modification of
Active Directory object attributes can be solved. Modify these attributes
at your own risk.
Additional Resources
These resources contain additional information related to this chapter.
Related Information
• “Planning for Deployment” in Planning, Testing, and Piloting Deployment Projects of this kit
for more information about creating hardware and software inventories and mapping your
existing network before deploying new features.
• “Deploying DNS” and “Deploying WINS” in this book for more information about name
resolution.
• “Deploying DHCP” in this book for more information about IP address assignment.
• “Deploying Dial-up and VPN Remote Access Servers” and “Deploying Remote Access Clients
Using Connection Manager” in this book for more information about using the Routing and
Remote Access service to connect individual computers (such as computers of users working
from home or mobile users) to a central office.
300 Chapter 10 Connecting Remote Sites
• “Deploying IAS” in this book for more information about deploying IAS.
• “Designing the Site Topology” in Designing and Deploying Directory and Security Services of
this kit for more information about Active Directory replication between sites.
• “Designing a Public Key Infrastructure” in Designing and Deploying Directory and Security
Services of this kit for more information about creating a certificate infrastructure.
• The Internetworking Guide of the Windows Server 2003 Resource Kit (or see the
Internetworking Guide on the Web at http://www.microsoft.com/reskit) for more information
about Routing and Remote Access, demand-dial routing, virtual private networking, unicast IP
routing, and Network Address Translation (NAT).
• The Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide
on the Web at http://www.microsoft.com/reskit) for more information about Internet
Authentication Service (IAS).
• The Virtual Private Networks link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information about virtual
private networking.
• The Windows Catalog link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information about hardware
compatibility.
• The Active Directory Branch Office Planning Guide link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information about planning
and deploying Active Directory for multiple branch office sites.
Related Help Topics
For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set
search options. Under Help Topics, select the Search in title only checkbox.
• “Setting up demand-dial routing” and “Deploying router-to-router VPNs” in Help and Support
Center for Windows Server 2003 for more information about deploying site-to-site connections.
• “Routing scenarios” and “Virtual private network implementation examples” in Help and
Support Center for Windows Server 2003 for more examples of test lab deployments for site-to-
site connections.
Related Job Aids
• “Example: Contoso Connects Remote Sites” (DNSREM_1.doc) on the Windows Server 2003
Deployment Kit companion CD (or see “Example: Contoso Connects Remote Sites” on the Web
at http://www.microsoft.com/reskit).
• “Site-to-Site Connection Deployment Steps” (DNSREM_2.doc) on the Windows Server 2003
Deployment Kit companion CD (or see “Site-to-Site Connection Deployment Steps” on the
Web at http://www.microsoft.com/reskit).