2nd Server, Setup as Domain or Workgroup?

August 2, 2011 at 15:06:49
Specs: Windows 7
2 Different Companies, 2 Different Servers One Network Connection....

I have 2 separate companies in the same building with one network/internet/switch connection. Company 1 is running Server 2008 as Domain and has its own files and AD. Company 2 is a different company and I want to add Server 2003 to serve out our Access Database, file sharing and print sharing along with WAN. Both companies share the same network infrastructure.

I want to keep them separate....do I set up Company 2 Server 2003 as a Separate Domain or Workgroup? If I set it up as a workgroup, can I set up a separate WAN or VPN for working from home on Company 2 Server 2003? Do I need any additional hardware?

Can you guide in the best direction for setting up my Server 2003 machine in this scenario?




#1
August 3, 2011 at 07:25:17
Both companies share the same network infrastructure.

Very bad idea! This would make it all too easy for someone with a clue to access information they shouldn't have any access to. Which is to say, someone from company A could access the data from company B and vice versa.

I want to keep them separate

Then you should begin by putting them on completely different subnets. This would separate them and help a lot to prevent access to data from unauthorized people.

I would recommend each company have its own internet connection. If this isn't possible for some odd reason then you could achieve complete separation of the two networks using 3 SOHO Routers.

Example:

router1 (connected to internet)
LAN IP: 192.168.1.1
Subnet Mask: 255.255.255.0
DHCP Enabled = No

router2 (Company A)
WAN IP: 192.168.1.2
LAN IP: 192.168.2.1
SM: 255.255.255.0
DHCP Enabled = Yes

router3 (Company B)
WAN IP: 192.168.1.3
LAN IP: 192.168.3.1
SM: 255.255.255.0
DHCP Enabled = Yes

You would physically connect them as follows (using crossover cables):

router1 LAN ports to router2 & router3 WAN ports

Then you would need to configure static routes on 2 and 3 that go from their subnets to the 192.168.1.0/24 subnet on router1.

Done correctly the two subnets would not be able to access each other's networks but would still access the internet through the single connection (router1).

This is convoluted though and takes more setup and means more troubleshooting steps should something break. Logic says have each company have its own internet connection........this simplifies everything (KISS Principle).

Having said that,

do I set up Company 2 Server 2003 as a Separate Domain or Workgroup?

You set it up as a domain of course. An active directory (AD) domain has many advantages over a workgroup scenario.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#2
August 3, 2011 at 11:39:23
Thank you so much for the response....this is great...Regarding the Companies....they are 2 separate companies with the same owner and doesn't understand why we need 2 separate systems.

Should I set up a WAN for remote workers or VPN on Server 2003? I'm assuming VPN since we have an ACCESS Database we use for CRM, Inventory, Quoting, PO etc.

I have a long road ahead of me and lot of planning and documenting to say the least. Thanks again...



#3
August 3, 2011 at 12:07:53
Regarding the Companies....they are 2 separate companies with the same owner and doesn't understand why we need 2 separate systems.

I would sit the owner down and have a long discussion about this situation. You, as the technician, need to make the owner understand just how important this is.

Here are some reasons to go with a second, separate internet connection for the company that doesn't have one right now:
- Security - a separate internet connection keeps the two domains separated also. This would prevent anybody from one accessing information on the other.
- Cost - The cost of the second internet connection would be the same (more or less) as the first. This is not a great expense and being a business expense, is tax deductible. Also, going this route means not having to buy a third router.
- Complexity - When it comes to computing, always, always, always apply the KISS principle. I don't know if the owner is familiar with it but if not, just stick to one S (ie: keep it simple) so he isn't insulted. The point being, doing it the other way adds complexity to an otherwise simple thing. It requires more setup time, more time for management, and should something go wrong (and it always does) then you also spend more time troubleshooting the issue.

As for remote connectivity a VPN is always the best solution. A fully encrypted VPN prevents intrusion while allowing clients to remotely access necessary data. There are many VPN solutions available. I would go with one that suits your needs, budget and knowledge level.

Again, I would try VERY hard to convince him to go with a separate internet connection. It's in his own best interest as well as the best interest of the two companies he owns. Should someone (say a disgruntled employee with more computer skills than sense) from one company hack into the private client data on the other, it could lead to some very negative responses from clients.

It could also lead to a court case (or cases....plural) he'd be likely to lose since it's a simple enough thing for him to do to separate the two networks and render such hacking impossible. Clients have an expectation for privacy regarding their private info such as credit card numbers etc. If one doesn't take reasonable steps to ensure the privacy and security of said data, then you become liable in the case of that data being accessed and used for nefarious purpose.




#4
August 3, 2011 at 13:38:22
Domain=security
Workgroup = no security
So you would do a domain

I would suggest a different route for dividing the companies securely with only one wan link.

Keep a single subnet but divide it.
Company1 gets .51-150
Company2 gets .151-254
.1-50 are for network devices like the router/printers etc.

You then map mac address to ip address for each company's pcs. This way each device gets the same ip address each time.

Next you engage each company's set of pcs firewalls to NOT trust the other subnet. This ends any company to company connection.

But would allow for shared devices like printers to be used by both companies [they are in the range not blocked]

For the remote users you could either set up RDP connections to their workstations.
If you want to do it at the server level that is more expensive since you have to have TS/RDP licenses to remote to server.

You would only need the existing router. It would not do dhcp. The servers would.

You will need bandwidth to support this.

Though in retrospect, you may want to consider bringing both companies into the same fold so to speak.

Consider an Active Directory scheme of OwnersName [PR:-) as root domain and then two Child Domains for each company. Or consider just the ownersname and OUs for each company. Set sub OUs for the departments.

Either way you manage the whole thing from one place.

Certainly something to consider.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's
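
An added example, not part of the original thread: a sketch of the single-subnet split suggested in reply #4. It maps each address to its range, expands a range into CIDR blocks for host firewalls that lack range syntax, and flags cross-company flows in connection records. The 192.168.1.0/24 subnet, the function names and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the shared subnet is 192.168.1.0/24; reply #4 only gives the
# last-octet ranges (.1-50 shared devices, .51-150 Company1, .151-254 Company2).
NET = ipaddress.ip_network("192.168.1.0/24")
ZONES = {"shared": (1, 50), "company1": (51, 150), "company2": (151, 254)}

def zone_of(ip):
    """Return the zone name for an address, or None if outside the plan."""
    addr = ipaddress.ip_address(ip)
    if addr not in NET:
        return None
    host = int(addr) - int(NET.network_address)
    for name, (lo, hi) in ZONES.items():
        if lo <= host <= hi:
            return name
    return None  # .0 and .255 are not assignable

def block_list(zone):
    """CIDR blocks that exactly cover a zone's range (no more, no less)."""
    lo, hi = ZONES[zone]
    first, last = NET.network_address + lo, NET.network_address + hi
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def violations(flows):
    """Flows that cross from one company's range into the other's."""
    companies = {"company1", "company2"}
    bad = []
    for src, dst, port in flows:
        zs, zd = zone_of(src), zone_of(dst)
        if zs in companies and zd in companies and zs != zd:
            bad.append((src, dst, port))
    return bad

# Constructed sample flows (src, dst, dst_port), e.g. parsed from firewall logs.
SAMPLE_FLOWS = [
    ("192.168.1.60", "192.168.1.20", 9100),    # Company1 PC -> shared printer
    ("192.168.1.200", "192.168.1.20", 9100),   # Company2 PC -> shared printer
    ("192.168.1.60", "192.168.1.160", 445),    # Company1 PC -> Company2 host
    ("192.168.1.151", "192.168.1.150", 3389),  # range boundary, cross-company
]

if __name__ == "__main__":
    print("Company1 PCs block:", block_list("company2"))
    print("Cross-company flows:", violations(SAMPLE_FLOWS))
```

Because the ranges do not fall on CIDR boundaries, each one expands to several blocks; a block list that is rounded up to a single prefix would either leak into the other company's range or block the shared devices.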

