tgrizzel

asked on

Creating a new Active Directory Site

My question is this:
Do I need to create a new AD site or not?

My scenario:  
I have 2 DCs at our home office that are both GCs.  I also have an Exchange server which is in our office that is routed to send email in and out through our T1 that links to our data center.  Additionally I have a VPN server at the data center which uses AD for authentication.  I need to move our email server to the data center (other side of the T1) as the link has been somewhat unreliable and users can neither VPN in, nor send or receive email when the link goes down.  I have purchased and installed a new DC that I wish to place at the data center (behind the DMZ) so that our VPN server can authenticate to it, and in addition we plan to move the email server (Exchange 2007) out to the data center and have this authenticate to the new DC to be placed out there.  What is the best practice here?  These are different subnets, and they do have a few firewalls in between.... I can open the firewall to allow specific IPs and ports to redirect to our main office through the T1; however, I believe that I would still need to set up a new site to place the new DC in...is this correct?  Are there any other suggestions for this topology, or does this sound as though it will work?  Further, I have never added a new site to AD, and honestly do not know where to start...are there any suggested articles or a quick run-through that anyone can help with?

Thanks for your help, please let me know if you need more details.
Chris Dent


> need to setup a new site to place the new DC in...is this correct?  


Yes, that's right. Sites are used to control who can authenticate where as well as replication topology.

As you want to ensure that users connected to the data-centre authenticate there, and that users in the office authenticate locally you will have to ensure you have distinct sites for each.

Adding the site is pretty easy.

Add the new site, just as a name. Then select the main "Subnets" folder and create a new one (matching the network address and subnet mask of your remote site). On creation it'll ask you for a site to link it to, select the new site name.

Then you can move systems into that site with right click / Move with a DC selected.

That's about all there is to it. It's still a very basic setup, so you won't need to worry about replication topologies, only that it can happen. The firewall is perhaps the most problematic: it'll need to talk on a lot of ports, and while RPC can be limited, by default it selects any port greater than 1024 to make the connection.

Chris
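The steps in the answer above (create the site, add a subnet mapped to it, move the DC in, and make sure replication can reach it) scripted with the ActiveDirectory PowerShell module. This is an added example, not part of Chris Dent's post; it assumes the module that ships with RSAT / Windows Server 2012 or later, which is newer than the Exchange 2007-era environment in the question. The site name, subnet, DC hostname and site link name are placeholders.

```powershell
# Added example (not from the original answer): script the site creation
# described above. Requires the ActiveDirectory module (RSAT / Server 2012+).
# All names below are placeholders; substitute your own.
Import-Module ActiveDirectory

$siteName    = 'DataCenter'          # placeholder: new site name
$subnet      = '10.20.30.0/24'       # placeholder: the data-centre network
$dcToMove    = 'DC3'                 # placeholder: hostname of the new DC
$siteLink    = 'DEFAULTIPSITELINK'   # default site link created with the forest
$description = 'Data-centre site: VPN server and Exchange authenticate here'

# 1. Create the site. At this stage it is just a name, as the answer says.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName -Description $description
}

# 2. Create the subnet and associate it with the site. The subnet-to-site
#    mapping is what makes clients on that network (the VPN server, Exchange)
#    locate a DC in their own site instead of one across the T1.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
    New-ADReplicationSubnet -Name $subnet -Site $siteName
}

# 3. Add the site to a site link so replication to the office site can occur.
#    The GUI prompts for this when the site is created; in PowerShell it is a
#    separate step. A site in no site link will not replicate.
Set-ADReplicationSiteLink -Identity $siteLink -SitesIncluded @{ Add = $siteName }

# 4. Move the new DC into the site (the GUI equivalent is right-click / Move).
Move-ADDirectoryServer -Identity $dcToMove -Site $siteName

# 5. Verify: every DC's site and GC status, and which site each subnet resolves to.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
Get-ADReplicationSubnet -Filter *  | Select-Object Name, Site

# 6. Optional, for the firewall problem mentioned in the answer: pin the RPC
#    port that AD replication listens on so the firewall rule can be a single
#    port rather than the whole dynamic range above 1024. This is the documented
#    NTDS "TCP/IP Port" registry value; it must be set on the DC itself and the
#    DC restarted before it takes effect. 38901 is a placeholder port number.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
#     -Name 'TCP/IP Port' -Value 38901 -Type DWord
```

Run it from a machine with the RSAT tools as a user with Enterprise Admin rights (site and subnet objects live in the configuration partition). One caveat worth knowing before judging replication speed: changes cross a site link on that link's replication interval, which defaults to 180 minutes, so an apparently slow replication between the office and the data centre is often just the schedule rather than the link or the firewall.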
tgrizzel

ASKER

Thank you Chris.  I need to wait for the firewall changes before fully testing; however, I will move forward with creating a new site and moving this DC into the new site.  I have found this article that describes which ports to open:

http://www.pbbergs.com/windows/articles/FirewallReplication.html

When I move my Exchange server to the new site, what will I need to do with this to point it to use the DC at the new site?  Is this as simple as dropping the Exchange server into a new computer group that will be created when I create the new site?

Thanks again Chris.
ASKER CERTIFIED SOLUTION
Chris Dent

This solution is only available to members.
Excellent advice.  I have created my new site and just need to wait for firewall changes.  I'll update when this is done; however, I expect this to go very smoothly.

Thanks.
Thanks a lot for your help.  My only issue is that replication seems fairly slow... however, I'll look into this separately.