Simulating small branch office in lab network

Hi,
I have to set up what seems to be a very basic configuration, but it doesn't work.
In our lab there is a cluster of switches with a 3550 that does all the routing for vlans.
I need to simulate a sort of a small branch office that has one connection
to the outside world (the lab network).
Here is my design:
Vlan 230 (the internet)
A port on 3550 is in vlan 230 and is connected to e0/0 (172.26.230.150) on 2611 router.
e0/1 interface on a 2611 is (192.168.1.1).
A PC is connected to e0/1 (192.168.1.12).
From the router I can ping any host on vlan 230 and other vlans,
I can also ping the pc connected to e0/1.
However, from the PC I can only ping 192.168.1.1 (e0/1) and 172.26.230.150 (e0/0).
Below is my configuration.
Thanks for your help.
R2611-1#sh run
Building configuration...
Current configuration:
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname R2611-1
ip subnet-zero
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp pool 192.168.1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
interface Ethernet0/0
 ip address 172.26.230.150 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no mop enabled
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
ip classless
ip route 0.0.0.0 0.0.0.0 172.26.230.1
ip http server
no scheduler allocate
end

You are not performing NAT on the router.
This is typically required on a box which provides internet connectivity.
Probably the other hosts on vlan 230 have no route back to the PC on 192.168.1.1.
Configuring NAT on the router will resolve this problem.
Regards,
Leo
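
The NAT configuration the reply above points to, as an added example that is not part of the original thread. It assumes the IOS image on the 2611 includes NAT; access-list number 1 is an arbitrary choice, and the commented alternative assumes the 3550 is the VLAN 230 gateway at 172.26.230.1.

```cisco
! --- On R2611-1: translate the branch LAN to the e0/0 address (PAT) ---
! Added example; assumes the IOS image supports NAT.
interface Ethernet0/0
 ! Side facing VLAN 230 (the simulated "internet")
 ip nat outside
!
interface Ethernet0/1
 ! Side facing the branch LAN 192.168.1.0/24
 ip nat inside
!
! Match only the branch LAN as NAT source (list number 1 is arbitrary)
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Overload = many inside hosts share the single e0/0 address.
! Lab hosts then see traffic from 172.26.230.150, which they can already reach.
ip nat inside source list 1 interface Ethernet0/0 overload
!
! --- Checks on R2611-1 while the PC pings a host beyond e0/0 ---
!   show ip nat translations     (expect an entry for 192.168.1.12)
!   show ip nat statistics       (hit counter should increase)
!
! --- Alternative without NAT, on the 3550 (assumed gateway 172.26.230.1) ---
! Gives the lab network a return path to the branch LAN instead of hiding it:
!   ip route 192.168.1.0 255.255.255.0 172.26.230.150
```

With NAT, hosts on the lab network cannot open connections to the PC unless a static translation is added; with the static route alone, the 192.168.1.0/24 hosts are directly reachable from every VLAN the 3550 routes.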

Similar Messages

  • Small branch office network

    We have a small branch office (7 users) that will be moving to a building that has a Wireless Residential Gateway (Model: DPC3829).  This device provides wifi for 2 other tenants on the same floor.  Can we connect another wireless router to this wireless residential gateway device and create our own SSID so that we don't have to use the wifi settings that the other 2 tenants connect to?  
    I've attached a picture of what the back of the DPC3829 currently looks like.  I am thinking I can plug that yellow network cable into another wireless router and create our own wireless network (obviously off of their internet connection) for our 7 users. 
    Thank you for your help.

    You may buy any plain wireless device and run it in bridge mode (should run by default, I believe). Then connect one of its LAN ports to any one of the LAN ports available on the DPC3829 thing.
    You are correct in what you want to do, and it can be done no problem.
    Regards
    Please mark answer as correct if it helps.

  • SPA8800 and SRST for small branch office?

    Hi All,
    Need some help. I have a central site that will be running Cisco BE 5000. I have a small branch office I would like to place IP phones in so we can just dial an extension to call each other. The branch will have its own connection to the PSTN with a couple of POTS lines from the phone company.
    So I am wondering how I can connect branch and HQ for intra-office calling and let the branch office use their PSTN connection for their local calls. I would think I could place a gateway such as the SPA8800 in the branch and connect the PSTN lines to it.
    My concern is, what happens if I lose the WAN connection between HQ and branch? Then the branch could not make any calls right? I know a little about SRST and how that solves the issue of losing WAN connection with the central Call Manager site, but I what I don't understand is SRST something that can run on a device like the SPA8800 or do I need an ISR router in the branch that can run SRST if I want the branch to be able to make phone calls without a connection to HQ?
    Thanks for any help!                  


  • Branch office setup with L3 switch and router with IOS security

    Hello,
    I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
    I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to setup separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be setup with SVIs to perform routing between VLANs. The port between the router and switch would be setup as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
    Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching all together and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
    I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
    If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
    Any input would be appreciated.
    Thanks,
    Austin

    Thanks for the input.
    1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
    2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3. 
    3. The reason a router was purchased over a firewall was that ASA's cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be setup in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing an upwards of 200 IPSec connections.
    Your point about moving the SVI's to a firewall to perform filtering between VLANs makes sense, however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.  

  • Branch office dial backup design

    I'm having more trouble with this than I think I should.
    I have 10 small branch offices connected to the home office via frame-relay -- it's purely hub-and-spoke, with no PVC's between branch offices, everything goes to the central office. I'm trying to set up a POTS dial scenario to replicate this. Each branch has a 26xx with a two-port serial card, two analog modems and two POTS lines. The central office has an ISDN PRI terminating in a 3725 with MICA modems.
    I can get a branch router to dial on one or both lines (multilink ppp), and the 3725 receives the call. CHAP negotiation works. Where I'm having trouble is in the IP routing. I've tried countless combinations of numbered and unnumbered interfaces, dialer-based ip pool on the 3725, EIGRP and/or floating static routes, etc., etc. Nevertheless, I can't get correct ip routes established, and I feel like I'm banging my head against the wall now. None of the design docs I can find on the Web site directly address my scenario in a way I can understand. Any suggestions?

    This is my config for our 3640.
    interface Group-Async1
    ip unnumbered Serial1/0:23
    encapsulation ppp
    no ip mroute-cache
    dialer in-band
    dialer idle-timeout 1200
    dialer map ip 170.1.1.16 name bri01rt01ec
    dialer-group 1
    async mode interactive
    peer default ip address pool default
    ppp authentication pap chap ca
    ip route 192.168.16.0 255.255.255.0 172.17.1.6-----our PIX
    ip route 192.168.16.0 255.255.255.0 170.1.1.16 200---Ip address of modem that dials in from 1750.
    This config looks fine to me..what does everyone think?

  • Windows 2008 R2 RODC + Branch Office

    I'm looking at utilising a new RODC in a small branch office but I have a couple of queries that hopefully someone can point in the right direction.
    Is it possible to move a RODC to a new Site / Subnet like you can with a normal DC. I plan to build the rodc and then move it to the new office once the sites / subnets have been created.
    I think I need to run ADPREP / rodcprep to install this server. I currently have 2 windows 2008 rc domain controllers and 1 windows 2003 (soon to be retired).
    Plan:
    Adprep the domain
    Build Windows server and promote to RODC
    Create new site and subnet
    Power down RODC
    Move RODC to the new site within AD and physically move to site
    Does this sound feasible?
    Many thanks

    Greetings!
    Promote your RODC and let it replicate the content from RWDC, after that move RODC within new site and then move the server to new location with yourself.
    Mahdi Tehrani
    www.mahditehrani.ir

  • Branch Office without network

    Hi!
    We have been trying to use a branch office install on a single computer for concurrent access from multiple (local) clients.
    This works like a charm as long as the computer is on a network (dial-up or LAN). When we disconnect from the network, new connections to the BO database tends to take several seconds.
    The BO machine OS is Windows NT or 2K
    I suspect this delay has something to do with the network connection. We have tried to install Microsoft Loopback Adapter to remedy this. The result is that it is a little bit faster than before, but the delay is still there.
    Is the Branch Office multiuser listener bound to a specific network interface? If so can it be changed? Or does anyone have any other ideas...

    It is possible that a PC responds slowly when connecting to the MU listener when the PC is not on the network. Check how the DSN is defined. Defining it as a localhost may speed up.
    MU Listener uses Windows sockets to open the connection.

  • ASA5505 I cannot reach to an outside network from a branch office

    My customer has a HQ office and many Branch offices. In the HQ there is an ASA5510 configured as a default gateway, From HQ customer must access to internet (everything works fine), from Inside LAN should reach to anyway including special services like Credit Card service provider and others (it works fine). From Branch offices must reach Inside LAN hosts (it works fine), from Branch Offices must reach DMZ (it works fine), from branch offices should reach CC Service provider and here's the point of this Q, From almost all branch offices they reach CCSP fine but branch offices where an ASA5505 is installed (Offices that reach CCSP have a RV042 installed or a TPlink ER6120 installed) but offices with ASA just can ping to LAN side of CCSP's router.
    I think ASA5505 conf is an opened door configuration. Here's the 5505 configuration and also attached the network diagram. Some one can help please

    Hi,
    Are the branch offices connected to the HQ through some ISP MPLS network since I do not see any L2L VPN configurations on the ASA5505?
    I presume this is the case. Since you say that the connections between Branch Office (with ASA5505) and HQ LAN work fine it should tell us that there should be no routing problems between those networks.
    The diagram possibly also suggests that all the Branch Office connections come to your HQ network through the same Router at the edge so if other Branch Offices connections CCSP work then there should be no routing problem between the Branch Offices and the CCSP (at least regarding your part of the network)
    Now, some questions.
    Does the ISR Router forward traffic destined to CCSP directly to the Router at 192.168.2.249 ?
    Does the Router with the connection to the CCSP use the Internet to reach the CCSP or is there some kind of dedicated connection between these networks?
    If the Router towards CCSP uses Internet then does it lack some NAT configurations for the source network 192.168.27.0/24? Does it perhaps lack a route towards the network 192.168.27.0/24? Or is there any possible errors in the configurations (wrong gateway IP or network mask somewhere?)
    Is there any ACLs configured on the Router that has the connection to the CCSP that might block traffic?
    Does the CCSP have all the required routing information to pass traffic towards the network 192.168.27.0/24? (If were talking about a dedicated connection and not traffic through the Internet) Have they allowed traffic from the mentioned network 192.168.27.0/24 to their servers/network?
    Have you taken "packet-tracer" output from the ASA5505 to confirm that the ASA configurations allow the traffic and dont drop it for some reason?
    For example
    packet-tracer input inside tcp 192.168.27.100 12345 193.168.1.100 80
    You can modify the IP addresses (source/destination) and the used destination port and protocol to match the connections that are actually attempted.
    Have you monitored the connections on the ASA when users attempt them? This should at least tell you why they are failing or give a hint. You could also configure traffic capture on the ASA5505 if you wanted to make sure if any traffic was coming from the CCSP towards this ASA (return traffic for connection attempt)
    Hope this helps :)
    Let me know if I misunderstood the situation somehow.
    - Jouni

  • To make a new site or not? (for branch office with small number of people)

    We have a main office, with our DC (DC01) and a single site (SiteHO), and we are about to open up a new branch office in another city.  This branch office is connected to the head office via a 5 Mbps MPLS network.  The branch office will have around 5-7 domain joined workstations, and the people there will require access to the existing file and exchange servers in the head office.
    I was thinking about not adding a RODC in the branch office and not creating another site in AD for the branch office either.  My thinking is that since the number of users is relatively low, it doesn't warrant having a new RODC and site.  The traffic generated by the 5-7 user logon activities will be minimal, and the local profiles are stored on the workstations (no roaming profiles), so there shouldn't be much WAN link impact.  Obviously I would have to add the subnet from the branch office to the SiteHO site.
    Can anybody think of something wrong with my reasoning?

    I think the dedicated line has a little to do with AD since it's used both to authenticate the users and move the data.
    I am not sure what bandwidth you get from an internet provider in your location, but for example you might get a 100Mb internet connection from an ISP. A VPN tunnel over a 100Mb internet connection I am guessing is faster than a 5Mb guaranteed MPLS link.
    The advantage of MPLS is that you can have QoS policies for voice and video traffic.
    If users move 'very large files' perhaps a local file server might be a good option. DFS replication can save a lot of bandwidth in that case. And then you would have 'local resources' in the branch and in case of wan failure the users will not be able to access the local file server resource. So you would need a secondary DC in that location.
    And if they are moving the files think (and check) the impact on the MPLS, because authentication requests go through that link, Exchange traffic (RPC MAPI) goes through that link so these might be affected. For example, let's say you have 2GB mailboxes. All Outlook users use OST files. One user's profile gets corrupted and needs to be rebuilt. The Outlook client sets up a fresh OST copy of the mailbox so now it's downloading a 2GB mailbox copy over a 5Mb MPLS while some other user is moving a 'large file'.
    By local resources I am referring to file servers, printers, applications in the branch location that require AD authentication. Authentication works with both VPN and MPLS and in case the wan/vpn is down users can even log in with cached credentials.
    Hope it helps.
    http://mariusene.wordpress.com/

  • Branch Office setup

    Hello All.
    I have a problem with a branch office setup, and I can't for the life of me think of what the problem is.
    I have a remote office setup, using an ASA 5505 that is set up to establish an easy vpn connection to the central network.  The connection at the branch office is a 20/5 cable modem, the central network has a 25/25 fiber connection.
    The issue I have is this.  Wired clients work fine at this branch office, at least 95% of the time.  I have a lightweight AP there that can come up and join the controllers at the central network, no problem.  I haven't done anything with H-REAP because there are really no resources locally they need that would allow them to do their work, so all traffic is tunneled back to the WLC.
    Wireless clients can authenticate to the AP, and I can get 15-20ms ping responses from them all day.  Latency never comes close to the 600ms proposed limit with CAPWAP.  Yet, for some reason the performance of the clients is problematic.  Webpages will frequently not load correctly, they experience some freezing, and with one application we use - it refuses to load completely.
    If we bring these same computers to an AP connected to our central network, on the same SSID, they work flawlessly.
    Something about this particular location is causing a lot of grief for our users.
    For what it's worth, we are running WCS 7.0.230.0 and the WLCs are on 7.0.116.0.  The ASA is running a pretty basic configuration, pretty much out of the box with the easy vpn configuration entered.
    Any help on this would be appreciated, I am at my wit's end with this setup.

    Yes, 20/5 Download/Upload. 
    So I did as you suggested, here are the results with a 1400 byte packet:
    Ping statistics for 172.16.253.50:
        Packets: Sent = 100, Received = 99, Lost = 1 (1% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 17ms, Maximum = 2208ms, Average = 42ms
    That 2208ms response was an anomaly.  I ran it again and got this:
    Ping statistics for 172.16.253.50:
        Packets: Sent = 100, Received = 100, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 16ms, Maximum = 93ms, Average = 21ms
    With this one specific application we're testing with - it stops loading at a predictable point, every time.  However, I can remain VNC'd to this machine the entire time, and do anything else on the machine, but the application will fail to load at the same point every time.  But like I said, if I bring that client back to our main network, it works just fine, so it's not the application itself causing the problem, and we have other, smaller issues with other applications we have.  It's really bizarre.
    It's really not acting like interference.  I just set up a new site with an identical configuration - but with a 3502i AP, and I can replicate the behavior at that location too.  Unfortunately at this time we don't have anything to study the traffic with - I actually have a call on a solution for that this afternoon.

  • Branch Office Access

    I use TMG as our company's Proxy as well as default gateway. I have recently installed 2 sonicwall tz105 devices, one located at our branch office and one located in our main office where the TMG server is located. The branch office uses this device for internet access and a vpn tunnel to our main office. (At one time I had a ISA server at the branch location and it was the vpn tunnel to our main but this is a small 2 man office and keeping the isa server up to date was becoming a pain.) The branch office has no problems accessing the main office. My problem is getting the main office to access the branch office. Right now if a client computer on the main network wants to access a server on the branch office the only way to accomplish this is to change the client computer's gateway from the tmg server ip to the sonicwall ip. This was not a problem in the past when I had 2 isa or tmg servers at both locations because the rules would pass the traffic to the branch office. I have tried putting rules in the TMG server for traffic bound to the branch office network but nothing seems to work.
    Should I be using tmg rules to accomplish this or do I need to go a different route such as dns or routing.
    Thanks,

    HI Gray,
    Below are my suggestions.
    Ensure all the client Default gateway is pointing to TMG, If you have any L3 Switch Devices before TMG Internal Interface then on L3 point Default gateway to TMG Internal Interface and on all client make Gateway as L3 Switch.
    Create a network Subnet Set of Branch Office in TMG
    In TMG Networking, You need to have a route relationship
    Go to Networking, Create a new network Rule, From Branch Office Subnet to Internal as Route ( Not NAT). As route is bidirectional it will automatically route Internal to Branch Office
    On Access Rule, Create Two Rules, Internal to Office Subnet and Office to Internal and allow all outbound Ports
    Ensure, Your SonicWALL is Routing Traffic to Internal network to TMG External interface.

  • Windows 8.1 laptop not connecting to domain in branch office

    We have a problem with a laptop. 
    It is installed in our Head office (The Netherlands), just like all other laptops by using an image.
    Tested and working on the domain.
    The user had to go to one of our branch offices (China) and when he connected there, the laptop just won't connect to the domain.
    When he plugged in the laptop, it keeps trying to connect its DirectAccess.
    Other laptops (same image) immediately recognize the domain network, but this laptop just won't.
    I am able to ping everything on the local network (MPLS connection), from HQ to all Branch offices but not access them.
    I've tried changing the DNS settings, but without any result.
    Any suggestions?

    Hi,
    According to this tool's description, I think it should be helpful to check system current environment, such as network, certificates, etc. problem. Actually according to your description, I doubt it probably network environment of ISP problem, but we should find a way to verify our suspect. Then this tool would be convenient, it also would generate a trace log and it would be helpful with troubleshooting.
    The DirectAccess Client Troubleshooting Tool is a graphical application, based on the .NET Framework, which checks the health of a DirectAccess client by running various tests.  Built-in health tests: The following tests are currently implemented:
    Network interfaces; Network location (NLS and NRPT DNS); IP connectivity (6to4, Teredo, IPHTTPS, entry point in a multisite setup, DNS); Windows Firewall (applied profile, Firewall outbound rules); Certificates (EKU Client Authentication, trust chain for AIA and CRL); IPsec infrastructure tunnel (Domain SysVol share); IPsec intranet tunnel (PING and HTTP probes). Additional features: Run post-check script (PowerShell, VBScript, BAT or CMD file)
    Roger Lu
    TechNet Community Support

  • Branch Office Connectivity

    hi
    we have firewall setup in our main office with following setup:
    we are running DC on Windows 2008 Servers with MS Exchange 2010, lync 2010 and ip phone as well.
    planning to setup AD replication to our branch offices for network drive access and group policy update; kindly advice on this.
    Best Regards,
    Ramesh TP

    Hi
    I think you mean about best practice topology.
    First of all, you will add Additional Domain Controllers on your branch offices. Also this ADC will have DNS, DHCP role based. And will deploy a File server.
    Important point is structure you want to build.
    This is a detailed article about domain topologies, So please check this article about your questions;
    https://msdn.microsoft.com/en-us/library/cc749945.aspx?=255&MSPPError=-2147217396

  • Branch Office Mail Server?

    I have Mac OS X providing mail services to about 100 users at a main office. We are opening a branch office with 20-30 users. I'm wondering if it is possible to setup another mail server for the branch office using the same domain. The users at the branch office are moderately heavy users who will often deal with lots of attachments. I would like them to have an IMAP server that is local to them for better performance and to reduce traffic on the main office network.
    I thought I'd give it a try. There's a field called "Mail Server" on the mail tab of WGM for each user. I put the address of the branch office server in that field. However, the main office server keeps the messages in its own mailstore. So, what's this field for? It doesn't seem to do anything.
    I see a way to accomplish this by editing the postfix alias file for each user and adding a line for each branch office user like branchofficeuser: [email protected] but that wouldn't be so nice if I ever have to turn over administration of these servers to someone else.
    Is there any way to distribute mail for users of the same domain across more than one IMAP server without resorting to entering aliases to subdomains for each user?


  • Branch office Exchange 2010 Role base administration control for branch site administrator

    Dear sir,
         Customer has an Exchange 2010 Main and Branch office environment:
    - Main office Exchange 2010 CAS x2 +HTS & Mailbox x2  (Server1,2 & Server 3,4)
      (Main office administrator:domain1\administrator) - DAG1
    - Branch office Exchange 2010 CAS+HTS x2 & Mailbox with DAG x2 (Server5,6 & Server7,8)
       (Branch Administrator: domain1\badmin) - DAG2
         Customer would like to know what is the role which permission should grant / delegate for ID: badmin in order to manage Exchange server 5,6,7,8 ?  (with manage user account and performance in DAG2 failover & branch exchange server)
    Regards,
    Joe Tam

    Dear Brian,
       I have tried in my lab to scale down into 2 x Server in 1 AD Single Domain And Single Forest.  It still have many unexpected behaviour, can you please suggest whether it is a design or bug of Exchange 2010 SP1?
    Procedure:
    ============================================================================
    Exchange 2010 Role Delegation Problem: (Single AD, Single Site)
    Environment:
    Server: Windows 2008 R2 AD x1 + (CAS+HTS+Mailbox) Server x1
    AD Server: AD1
    Exchange2010 Server : EX2010 (with SP1) – Member Server Joined to testdomain1.net
    Domain Name: testdomain1.net (NETBIOS: TESTDOMAIN1)
    In AD,
    Login as domain administrator: Testdomain1\administrator
    1. Create an Organization Unit OU1.
    2. Create User User1 under OU1
    3. Delegate User1 to allow create user in OU1
    Select all item in “Delegate the following common tasks:”
    In Exchange 2010 Server,
    Login as domain administrator: Testdomain1\administrator
    1. Rename existing database name to HKDB1
    2. Create a new database AUDB1 in EX2010 Server:
    AUDB1 Create Done.
    Assign testdomain1\User1 as Exchange 2010 local administrators group.
    Logoff Testdomain1\administrator and Login Testdomain1\User1
    Open Exchange EMC: (Failed, because no user management roles is grant).
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    Open Exchange 2010 PowerShell:
    Delegate User1 to allow perform recipient management in HKDB1 only:
    ====================================================================
    New-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Eq 'HKDB*' }
    $RoleGroup = Get-RoleGroup "Recipient Management"
    New-RoleGroup "HKDBRecipientManagement" -Roles $RoleGroup.Roles -CustomConfigWriteScope "HKDBSCOPE"
    Add-RoleGroupMember "HKDBRecipientMANAGEMENT" -Member User1
    ====================================================================
    Result:
    In Exchange 2010 Server, logon as domain user: Testdomain1\User1
    Open Exchange Management Console: (User1 able to open EMC now)
    Perform Create User User2 in OU1 with Mailbox located in HKDB1
    Mailbox Creation Failed because it cannot match the Database name = HKDB*
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    In Exchange Management Shell, enter:
    Set-ManagementScope "HKDBSCOPE" -DatabaseRestrictionFilter {Name -Like 'HKDB*' }
    Logoff Testdomain1\administrator, Login Testdomain1\User1
    Open Exchange Management Shell and Create User2 again.
    Create user successfully.
    Perform create User User3 in OU1 with Mailbox located in AUDB1
    User3 Creation Failed because it is not meet the Database restriction of User1 – Like HKDB*
    Logoff Testdomain1\User1, Login Testdomain1\Administrator
    Open Exchange Management Console, create User3 in AUDB1
    Create User3 in Users Container, by administrator ID.
    Logoff Testdomain1\administrator, Login Testdomain1\User1
    Perform mailbox remove of User2
    User2 mailbox remove successfully.
    Perform deletion of User3
    Mailbox User3 Remove Successfully.
    Why User3 is allowed to deleted mailbox which is located in by using delegated of User1?
    Moreover, it found that User3 properties can also be changed by using User1. Why?
    Does it mean delegation cannot handle delete operation?
    In Active Directory User and Computer: User2 is deleted successfully by using User1 ID.
    In Active Directory User and Computer: User3 is also deleted successfully by using User1 ID.
