New Branch Office - High Security

Similar Messages

• Proper Configuration of DNS server for our new branch office

  Hi All,
  Our new office will setup a new branch office with a routed network link to our HO. In HO, we have 2 domain controllers configured as AD and DNS just for fail over scenarios.
  How will we configure the DNS server of our 3rd domain controller which we will placed in the new branch office. What would be the proper settings of DNS server integrated to AD to work well especially to have a successful replication and communication to
  the 2 DC's located in HO?

  Hi,
  If you have multiple DC's in that site i would recommend using any of the partner DC's IP addresses as preferred one and secondary DNS IP to pointing to itself. Dont use loopback addresses configure it with actual IP addresses.
  If you have only one server in branch office point itself as the primary DNS and HO DC as secondary and tertiary.
  Make sure that all clients in your branch site are pointing to the branch DC as primary DNS server.
  Regards,
  Rafic
  If you found this post helpful, please give it a "Helpful" vote.
  If it answered your question, remember to mark it as an "Answer".
  This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

• New Branch Office Opening. Active Directory Options

  Hello.
  Our company has a new branch site in Canada that's been in operation for some time now. the "admin" of that branch office is wanting to setup 2 new domain controllers, i was going to suggest that we could add a Canada site via Active directory
  sites and services and configure it that way.
  he suggested that he would like the to have a separate domain name, for instance if we're contoso.co.uk, they want to be contoso.ca
  is the best option in this situation to have them setup there own domain and then just federate between them?
  i have good experience with AD but as were a small company (geographically) so i have little knowledge of multi site / federation topology.
  any suggestions would be most welcome. 
  Many Thanks

  Hello
  If you decide to deploy new Domain this will lead to new administrative tasks to able to support users(creating trust to support access to resources in other domain, other suit of GPOs etc.). Instead if second site is added this will be more simple solution.
  semi -solution is to have child domain which back again will lead to other admin tasks. Also Recommendation by the vendor to have simple solution.

• To make a new site or not? (for branch office with small number of people)

  We have a main office, with our DC (DC01) and a single site (SiteHO), and we are about to open up a new branch office in another city.  This branch office is connected to the head office via a 5 Mbps MPLS network.  The branch office will have around
  5-7 domain joined workstations, and the people there will require access to the existing file and exchange servers in the head office. 
  I was thinking about not adding a RODC in the branch office and not creating another site in AD for the branch office either.  My thinking is that since the number of users is relatively low, it doesn't warrant having a new RODC and site.  The
  traffic generated by the 5-7 user logon activities will be minimal, and the local profiles are stored on the workstations (no roaming profiles), so there shouldn't be much WAN link impact.  Obviously I would have to add the subnet from the branch office
  to the SiteHO site. 
  Can anybody think of something wrong with my reasoning?

  I think the dedicated line has a little to do with AD since its used both to authenticate the users and move the data.
  I am not sure what bandwith you get from an internet provider in your location, but for example you might get a 100Mb internet connection from an ISP. A VPN tunnel over a 100Mb internet connection I am guessing is faster then a 5Mb guaranteed MPLS link.
  The advantage of MPLS is that you can have QoS policies for voice and video traffic.
  If users move 'very large files' perhaps a local file server might be an good option. DFS replication can save a lot of bandwidth in that case. And then you would have 'local resources' in the branch and in case of wan failure the users will not be able
  to access the local file server resource. So you would need a secondary DC in that location.
  And if they are moving the files think (and check) the impact on the MPLS, because authentication requests go through that link, Exchange traffic (RPC MAPI) goes through that link so these might be affected. For example, lets say you have 2GB mailboxes.
  All Outlook users use OST files. One user's profile gets corrupted and needs to be rebuilt. The Outlook client sets up a fresh OST copy of the mailbox so now its downloading a 2GB mailbox copy over a 5Mb MPLS while some other user is moving a 'large file'.
  By local resources I am referring to file servers, printers, applications in the branch location that require AD authentication. Authentication works with both VPN and MPLS and in case the wan/vpn is down users can even log in with
  cached credentials.
  Hope it helps.
  http://mariusene.wordpress.com/

• TMG 2010 to connect Branch Office

  We have TMG 2010 installed for proxy solution. Recently we opened new branch office but they are unable to internet through proxy. I have added the route add command in TMG Server.
  route add 10.24.84.0 mask 255.255.255.224 10.24.30.20 -p           - Branch 1
  route add 10.24.86.0 mask 255.255.255.224 10.24.30.20 -p                           - Branch 2
  10.24.30.20 is our core router IP...
  Is there any configuration required in core router and branch office router...Branch office users can access all server service except proxy solution.Please advice

  HI
  In your branch office,
  YOu need to ensure that internal Branch office subnet is able to reach TMG server. Need route to TMG networ from branch office on branch office Router,
  TMG should have route to reach Branch office network.
  Add branch office subnet as internal in TMG network range

• Help on set up branch office with 2921 H323 gateway

  I setup a new branch office with 2921 H323 gateway and cucm in HQ.  When I call a number in remote office, I get dead silence and busy tone.  However, user can hear ring at the remote location and able to answer the phone.  I was able to talk to him.  Any place I need to check? 
  Question #2, should cucm in HQ handle all calls between HQ and remote office?  I tried to call from my VoIP phone to remote office VoIP phone and monitored remote office GW running "debug voip ccapi inout".  I saw messages like gateway is handling calls.  Is this normal?  
  I'm fairly new to VoIP environment, still trying to learn.  Thanks. Let me know if you need anything to troubleshoot this. 

  I think that's where I'm confused.  I'd like to have CUCM to handle every calls for remote sites.  when I searched for the number I'm dialing for remote office, there is a route pattern that covers this number and it points to gateway.  This route pattern covers all of their local numbers including our remote office numbers.  For example, I have 9.1201456XXXX point to H323 GW.  That I got it.  However, I want the numbers belong to our office like 1111 don't go to GW for call processing.  Do I make sense?  I want only their local call to remote office go through GW not our internal call between our offices.  I'm sorry if I don't make much sense.  Thanks for your help. 

• Branch office setup with L3 switch and router with IOS security

  Hello,
  I am in the process of putting together a small branch office network and I am in need of some design advise. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
  I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to setup separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be setup with SVIs to perform routing between VLANs. The port between the router and switch would be setup as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead instead of doing router-on-a-stick.
  Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching all together and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
  I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
  If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
  Any input would be appreciated.
  Thanks,
  Austin

  Thanks for the input.
  1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
  2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3. 
  3. The reason a router was purchased over a firewall was that ASA's cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be setup in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing an upwards of 200 IPSec connections.
  Your point about moving the SVI's to a firewall to perform filtering between VLANs makes sense, however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.  

• How to extend wireless to Branch keeping it secure

  Hello everyone
  I would like to discuss an implementation scenario here.
  Let me define my current wireless network scenario at Head Office first.
  At Head Office
  Access points 3600 series
  WLC 5500 series
  Cisco ISE 3415 K9
  SSIDs = 2
  1. Company wireless
  2. BYOD wireless
  Company wireless only runs on company provided (Domain Joined) machines.
  Have implemented NAC 802.1X s that checks the devices and assigns the machine particular VLAN and IP address.
  BYOD wireless is for non company (Non Domain Joined) devices but (For Company Employees only)
  for that Cisco ISE is synced with Active Directory, user's credentials are checked then connected to the Internet (Not Company Network).
  BYOD SSID is just used to provide internet service, machines joined with this SSID are not on our company network they are bypassed to connect to the internet.
  THE QUESTION
  Now have to implement wireless at branch office with approx. 40 - 50 users.
  approx. 3 Access points will be used.
  have to make 2 SSIDs
  Company Wireless
  BYOD Wireless
  We don't have NAC 802.1X implemented there.
  How to keep the network secure so that everyone cannot connect to the "Company Wireless" ? Just company (Domain Joined) devices should connect.
  How and where the credentials be checked ?
  How to use BYOD there just like Head Office, so that users may not get on to the corporate network but be bypassed and use Internet services ?
  Highly thankful
  Regards
  Ali

  Hello,
  How and where the credentials be checked ?
  The credentials can continue being checked in the head office Cisco ISE and you can use local switching with vlan segmentations and VLAN-ACL in the AP in FlexConnect Mode or firewall to deny access to local networks comming from BYOD SSID.
  How to use BYOD there just like Head Office, so that users may not get on to the corporate network but be bypassed and use Internet services ?
  You can segment your SSIDs (BYOD and Corporate) in two differents networks (VLANs) using Local Switching and mapped it in the Access Point and apply the ACL in the firewall or gateway from these networks or directly in the Access Point using VLAN-ACL feature in FlexConnect Mode.
  I have some cases below with this same solicitation :
  Implementation 01 :
  Central Authentication and Central Switching
  If you have a MPLS Link to the branch office, you can work with central switching and central authentication using the Access Points in the remote office.
  In this situation you can show the SSIDs in the branch office and the users will connect and will receive the same policies and IP address from the Head office and the traffic will be tunneled from the AP in the branch office to the WLC in the Head office and the client who need to access only internet (SSID BYOD) and corporate network (SSID Corporate) transparently receiveing the same policies as if was in the central site.
  The Cisco ISE will apply the policies to both Corporate and BYOD transparently.
  However if you lost communication with head office, the clients will be disconnect and it will be a problem and if you are thinking about 40-50 users using the wireless network in a MPLS link it can be a problem too thinking about the traffic passing inside this link. You can use a bandwidht control in the SSID configuration to help in this situation.
  Implementation 02 :
  Central Authentication and Local Switching
  If you have a MPLS LINK, you can communicate AP in the branch office to the WLC in the head office and the AP will get the configurations and will make Local Switching and you need to have VLANs mappped and a network segmentation in the branch office to separate both SSIDs ( BYOD and Corporate ) and the Cisco ISE will authenticate the users and apply the policies to Local Switching APs.
  Your traffic will be locally and you will not  have a MPLS link passing all traffic (inclusive internet access) using only this link to communicate AP --> WLC --> Cisco ISE and your authentication will be centrally and in this situation if you lose communication with the central site you can't authenticate any new users.
  Implementation 03 :
  Local Switching and Local Authentication
  The APs will communicate with the head office WLC, but will direct the authentications to Cisco ISE in the branch office and the authentications will be direct to this one to authenticate and validate the users, similar to the head office scenario.
  If you lose WLC communication you will not have any problem because the AP is directing the authentication to the local ISE in the branch office.

• Recommended Design for WAAS in both Data center and Branch Offices

  Hi All,
  I need to purchase different appliances for WAAS, but before I decide what to purchase, I need to know exactly how I am going to put these devices so that I can know which one to purchase and how the designs will be.
  My environment is as follows:
  I have two core routers (ASR 1000 series) at Data center, two 6509 switches (expecting to insert the ACE module, and FW module) and the I have access switches which connects servers.
  At the branch offices, I am expecting to place ASR1000 series also.
  Now, I need to know the recommended designs for these WAAS appliances so that, I can know in advance what to purchase(i.e. how many WAAS CM, Core WAE, and Edge WAE).
  Any input will highly be appreciated.
  Thanks,

  If you purchase the Standard Edition, your license supports:
  One installation of Cisco Security Manager on one Windows-based server.
  The configuration or management of 5 devices (in the Standard-5 option) or 25 devices (in the Standard-25 option). This excludes Catalyst 6500 and 7600 Series devices and their associated service modules.
  If you purchase either the Standard-5 or Standard-25 license, you cannot purchase an incremental device license. Your license is fixed at either 5 or 25 devices.

• Branch Office VOIPs do not register.

  Hi:
  I've been breaking my head on this for a few weeks and nothing seems to be working.
  I have three PIX 515e, one at each office.
  ALL VOIPs are Polycom 300IP phones.
  We have a main office (called PB) with 15 VOIP phones.
  We have a branch office (called JAX) with 2 VOIP phones.
  We have a branch office (called JADE) with 2 VOIP phones.
  All site VOIPs must register with a hosted PBX outside of all three offices (called TN).
  All 15 VOIPs at PB are registering and working with TN.
  Only one of two VOIPs at JAX is registering with TN.
  No VOIPs at JADE are registering with TN.
  VPN Tunnels are up and functioning between PB and JAX and PB and JADE. Able to ping both ways and users in both branch sites are able to map folders to our servers.
  I have opened UDP 5060 (SIP) on all interfaces. It seems there is initial conversation between TN and JAX and JADE but receiving following errors at both branches.
  Pre-allocate SIP for secondary channel blah blah blah and followed immediately with a
  Teardown UDP connection blah blah blah
  I have attached configs for all three PIX 515e boxes (edited for security).
  Could somebody take a gander at this and help me out. I'm at a complete loss.
  Thank you so much in advance and have a great day!

  Thank you for the feedback and suggestion GTG! I went ahead and posted it on the "security" bb and I'm going to look into SIP inspection.
  Can you please MOVE this thread to the Security section and delete the duplicate post you've created?
  Here's the link to your duplicate post:  https://supportforums.cisco.com/thread/2260989

• Branch office WDS still pullinh image from main site

  Hi,
  I'm trying to configure a WDS on our branch site.
  what i did was open a new folder named DeployFilesFromMaster on the branch office server and replicate the DeploymentShare from main to branch office using DFS.
  then i installed WDS services on the branch office and add a Boot Image (taken from DeployFilesFromMaster)
  next i configured, under Scope Option on the DHCP server, options 66 (giving the ip address of the branch WDS), and option 67 (giving the path \Boot\x64\wdsnbp.com).
  now when I'm booting a computer into PXE it start working, but when pressing F8 and use the netstat command i see it has a session to my main office deploy server instead to the branch office.
  what do i need to change?
  when looking in the branch office server, there is ofcourse the DeployFilesFromMaster folder and there is another folder named DeploymentShare that was made while installiing the WDS server, and there is a wdsnbp.com file as well. how do I know, when DHCP
  direct me to the boot file name, that it direct me to the right file, or it doesnt matter.
  thanks for your help

  The variable WDSSERVER is a variable that is figured out by MDT when booting a machine using the boot image created by Microsoft Deployment Toolkit. Therefore it is not available in Windows.
  If you want different WSUS servers depending on location of the client you can use for instance this technique in CustomSettings.ini. This will point clients on a specific subnet to a specific WSUS server.
  [Settings]
  Priority=DefaultGateway,Default
  [DefaultGateway]
  10.0.0.1=HQ
  10.0.1.1=BranchOffice
  [HQ]
  WSUSServer=http://wsus-hq:8530
   [BranchOffice]
  WSUSServer=http://wsus-branch:8530
  Blogging about Windows for IT pros at
  www.theexperienceblog.com

• Branch office web-to-go is not starting

  Hi,
  I have downloaded and installed the Oracle Lite Branch Office setup from server's webtogo/setup. But the webtogo in branch office PC is not starting. The htttp://localhost/webtogo and listener are not started even after executing the executables manually.
  The PATH variable is set correctly. The branch office PC has Windows XP.
  Regards,
  Aneesh

  Hi,
  webtogo -d option is giving following error.
  E:\mobileclient\bin>webtogo -d
  log9: [LOADING wtgos.dll BOAdminToolNative]
  log9: [BOAdminToolNative wtgos Loaded Successfully]
  log9: MODE_BRANCH CONNECT_STRING =jdbc:polite@:1160:
  log1: Translated JDK:'Cp1252' to IANA: 'WINDOWS-1252'
  log1: Mount point jdbc:polite@:1160:WEBTOGO oracle.lite.web.ifs.OMFS@145d068
  log9: java.sql.SQLException: [ODBC 08001] unable to connect to data source
  log9: at oracle.lite.poljdbc.LiteEmbJDBCConnection.jniDriverConnect(Native Met
  hod)
  log9: at oracle.lite.poljdbc.LiteEmbJDBCConnection.connect(Unknown Source)
  log9: at oracle.lite.poljdbc.LiteType2JDBCFactory.createConnection(Unknown Sou
  rce)
  log9: at oracle.lite.poljdbc.POLJDBCConnection.<init>(Unknown Source)
  log9: at oracle.lite.poljdbc.OracleConnection.<init>(Unknown Source)
  log9: at oracle.lite.poljdbc.POLJDBCDriver.connect(Unknown Source)
  log9: at java.sql.DriverManager.getConnection(Unknown Source)
  log9: at java.sql.DriverManager.getConnection(Unknown Source)
  log9: at oracle.lite.web.JupConnection.<init>(Unknown Source)
  log9: at oracle.lite.web.JupConfig.createConnection(Unknown Source)
  log9: at oracle.lite.web.JupConfig.getConnection(Unknown Source)
  log9: at oracle.lite.web.JupConfig.getStatement(Unknown Source)
  log9: at oracle.lite.web.JupServer.loadMimes(Unknown Source)
  log9: at oracle.lite.web.JupConfig.reload(Unknown Source)
  log9: at oracle.lite.web.JupConfig.initializeRM(Unknown Source)
  log9: at oracle.lite.web.JupConfig.initializeRM(Unknown Source)
  log9: at oracle.lite.web.JupServer.initialize(Unknown Source)
  log9: at oracle.lite.web.JupServer.listen(Unknown Source)
  log9: at oracle.lite.web.JupServer.main(Unknown Source)
  log-1: ============== Server Exception - Begin ==================
  java.sql.SQLException: [ODBC 08001] unable to connect to data source
  at oracle.lite.poljdbc.LiteEmbJDBCConnection.jniDriverConnect(Native Met
  hod)
  at oracle.lite.poljdbc.LiteEmbJDBCConnection.connect(Unknown Source)
  at oracle.lite.poljdbc.LiteType2JDBCFactory.createConnection(Unknown Sou
  rce)
  at oracle.lite.poljdbc.POLJDBCConnection.<init>(Unknown Source)
  at oracle.lite.poljdbc.OracleConnection.<init>(Unknown Source)
  at oracle.lite.poljdbc.POLJDBCDriver.connect(Unknown Source)
  at java.sql.DriverManager.getConnection(Unknown Source)
  at java.sql.DriverManager.getConnection(Unknown Source)
  at oracle.lite.web.JupConnection.<init>(Unknown Source)
  at oracle.lite.web.JupConfig.createConnection(Unknown Source)
  at oracle.lite.web.JupConfig.getConnection(Unknown Source)
  at oracle.lite.web.FileHandlerUtil.<init>(Unknown Source)
  at oracle.mobile.job.Scheduler.<init>(Unknown Source)
  at oracle.lite.web.JupConfig.initializeRM(Unknown Source)
  at oracle.lite.web.JupConfig.initializeRM(Unknown Source)
  at oracle.lite.web.JupServer.initialize(Unknown Source)
  at oracle.lite.web.JupServer.listen(Unknown Source)
  at oracle.lite.web.JupServer.main(Unknown Source)
  ================== Server Exception - End ====================
  Noticed that listener is not getting started,
  E:\mobileclient\bin>olsv2040 /start
  OliteService reports the following error:
  OliteService failed, Error Code: (0x5), Message: Access is denied.
  Internal message: StartService failed in CmdStartService function.
  Forgot to mention earlier,
  During installation of branch office client, I recieved following Warnings,
  1. Operating system message: Password doesnot meet minimum security requirements. Check the password length, complexity and history.
  2. No mapping between accounts and security ID was done.
  Thanks,
  Regards,
  Aneesh

• Branch office Exchange 2010 Role base administration control for branch site administrator

  Dear sir,
       Customer has a Exchange 2010 Main and Branch office environment:
  - Main office Exchange 2010 CAS x2 +HTS & Mailbox x2  (Server1,2 & Server 3,4)
    (Main office administrator:domain1\administrator) - DAG1
  - Branch office Exchange 2010 CAS+HTS x2 & Mailbox with DAG x2 (Server5,6 & Server7,8
     (Branch Administrator: domain1\badmin) - DAG2
       Customer would like to know what is the role which permission should grant / delegate for ID: badmin in order to manage Exchange server 5,6,7,8 ?  (with manage user account and performance in DAG2 failover & branch exchange server)
  Regards,
  Joe Tam

  Dear Brian,
     I have try in my lab to scale down into 2 x Server in 1 AD Single Domain And Single Forest.  It still have many unexpected behaviour, can you please suggest whether it is a design or bug of Exchagne 2010 SP1?
  Procedure:
  ============================================================================
  Exchange 2010 Role Delegation Problem: (Single AD, Single Site)
  Environment:
  Server: Windows 2008 R2 AD x1 + (CAS+HTS+Mailbox) Server x1
  AD Server: AD1
  Exchange2010 Server : EX2010 (with SP1) – Member Server Joined to testdomain1.net
  Domain Name: testdomain1.net (NETBIOS: TESTDOMAIN1)
  In AD,
  Login as domain administrator: Testdomain1\administrator
  1. Create an Organization Unit OU1.
  2. Create User User1 under OU1
  3. Delegate User1 to allow create user in OU1
  Select all item in “Delegate the following common tasks:
  In Exchange 2010 Server,
  Login as domain administrator: Testdomain1\administrator
  1. Rename existing database name to HKDB1
  2. Create a new database AUDB1 in EX2010 Server:
  AUDB1 Create Done.
  Assign testdomain1\User1 as Exchange 2010 local administrators group.
  Logoff Testdomain1\administrator and Login Testdomain1\User1
  Open Exchange EMC: (Failed, because no user management roles is grant).
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  Open Exchange 2010 PowerShell:
  Delegate User1 to allow perform recipient management in HKDB1 only:
  ====================================================================
  New-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Eq 'HKDB*' }
  $RoleGroup = Get-RoleGroup "Recipient Management"
  New-RoleGroup "HKDBRecipientManagement" -Roles $RoleGroup.Roles -CustomConfigWriteScope "HKDBSCOPE"
  Add-RoleGroupMember “HKDBRecipientMANAGEMENT” -Member User1
  ====================================================================
  Result:
  In Exchange 2010 Server, logon as domain user: Testdomain1\User1
  Open Exchange Management Console: (User1 able to open EMC now)
  Perform Create User User2 in OU1 with Mailbox located in HKDB1
  Mailbox Creation Failed because it cannot match the Database name = HKDB*
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  In Exchange Management Shell, enter:
  Set-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Like 'HKDB*' }
  Logoff Testdomain1\administrator, Login Testdomain1\User1
  Open Exchange Mangement Shell and Create User2 again.
  Create user successfully.
  Perform create User User3 in OU1 with Mailbox located in AUDB1
  User3 Creation Failed because it is not meet the Database restriction of User1 – Like HKDB*
  Logoff Testdomain1\User1, Login Testdomain1\Administrator
  Open Exchange Management Console, create User3 in AUDB1
  Create User3 in Users Container, by administrator ID.
  Logoff Testdomain1\administrator, Login Testdomain1\User1
  Perform mailbox remove of User2
  User2 mailbox remove successfully.
  Perform deletion of User3
  Mailbox User3 Remove Successfully.
  Why User3 is allowed to deleted mailbox which is located in by using delegated of User1?
  Moreover, it found that User3 properties can also be changed by using User1. Why?
  Does it mean delegation cannot handle delete operation?
  In Active Directory User and Computer: User2 is deleted successfully by using User1 ID.
  In Active Directory User and Computer: User3 is also deleted successfully by using User1 ID.

• Branch Office CME design Verification

  Hi All,
  Please refer to the attached network diagram.
  I need to verify this can be implemented and would work.
  We have a branch office moving to a new location and they intend to keep their existing CME (for business reasons),  provided by their local service provider with ISDN line for calls to the PSTN. This is managed by the service provider and we have no access to it. However we would like to grant them connectivity to the existing corporate voice network via an IP VPN connection, which shall be put in place soon. This will enable  the branch make site to site calls within the corporate network
  With a SIP trunk between the internal and external CME, I intend to make all the phones register with the Call Manager, however on the call manager , set a route pattern for calls going out to the PSTN from this branch back to the internal CME and this will then be matched by a SIP dial peer  directing the call to the external CME out to the PSTN.
  My worry is with the delay  that might be introduced when making a PSTN call as the internal CME has to first contact the call manager in order to know where to send the call.
  So my questions are as follows,
  1. Is this solution feasible especially in terms of delay? If not,
  2. Are there any other ways to achieve the same scenario
  Thanks,
  Yomi

  Are the phones at the branch office going to register to the Internal CME? If so, all configuration for outbound dialing will be done on the Internal CME, not on UCM. ie. dial-peer on the Internal CME for outbound dialing. For phone connectivity back to UCM, you will have a SIP trunk between UCM and internal CME and that is perfectly acceptable. You "might" see some quality degradation but that is to be expected from Internet based WAN connectivity. If your RTT delay is greater than 150ms, then you might see some quality issues.

• Branch Office DC Demand Dial VPN connection keeps failing

  here is me issue
  Our Branch Office DC is connected to Main Office DC with a Demand Dial Connection in RRAS Everything is connected fine for a little bit then its like the connection just gives out, it stays connected but i cannot ping the branch office DC with the local
  IP from the Main Office or access any network shares on it. When this happens i have to disconnect the server at the remote office and wait for it to reconnect im currently baffled as there are no Error LOGS to help me along and there doesnt seem to be anything
  that would be causing the issue for now until i get some answers as to what is going on i opened a command prompt on the DC here at the main office and i typed "ping 10.141.70.25 -t100" to monitor the connection more or less and when i see it timeout
  i reconnect it, i also have the networking tab open in task manager to monitor the LAN and RAS (Dial-In) Interface  the LAN doesnt seem too active but the RAS Interface does its got a constant network utilization of 0.28% and the Demand Dial interface
  on the remote office DC has a Utilization of 0.38% (Server Just disconnected as i was typing this and the utilization on the VPN connections on both servers went through the roof) heres the troubleshooting i have tried so far
  1. Rebooted both office DC`s at the same time
  2. Rebooted the branch office DC alone (this helped a little because the connection is staying active longer without fail)
  3. looked through all RRAS configuration on both servers to see if theres any mistakes by any other administrators (None Were Found)
  4. Used wireshark to see if there was anything interfering or that would cause this to happen (Nothing found)
  5. manually connected to the server in multiple ways like accessing network shares and remote management via MMC and manually making the servers replicate to see if any of that was causing issues and it wasnt
  My thoughts: im starting to think it may be a switch or something causing the connection issue at the branch office because the main office has all new routers and switches and just recently got a 100.00MBPS connection but nothing was affected for a good
  month so im not thinking it is the new connection or anything at the main office if theres something im overlooking here please let me know if some ipconfig /all results are needed i can provide them
  Viper Technologies Computer Repair Putting The Venomus Bite Back In Your Computer We Are Located In Antigonish ,NS Canada Check Us Out HTTP://WWW.VIPERTECHNOLOGIES.TK

  Hi,
  Are there any error messages on the event log ?
  Meanwhile, it is more network issue, i think you may ask in network forums:
  http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverNIS
  Regards.
  Vivian Wang