• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 156
  • Last Modified:

Router security between sites

Hi, quick question. We have a single root DC, with child DC at various sites all connected via a WAN. The Root DC can see down to the child, and the child and see "up" to the Root DC BUT child DCs cannot look "across" to other child DCs at other sites because of the router setup.

Will this cause issues? Does child DC need to be able to ping and access other sites?

Thanks.

James
0
m0bov
Asked:
m0bov
  • 10
  • 9
1 Solution
 
JamesDSCommented:
m0bov
Active Directory "generally prefers" all systems to be able to see each other freely - which is one of the reasons why firewalls never used to be supported between AD sites. However, so long as all machines can see the FSMO roles and Global Catalogs, there will not be a problem.

Make sure you check your site links are correct to your topology and the Replication Connection Objects (in AD Sites and Services, under each server) to ensure that the KCC has not tried to create connections between servers that cannot see each other.

If properly configured, this is a perfectly acceptable solution.

Cheers

JamesDS
0
 
m0bovAuthor Commented:
Hi, JamesDS, reason I asked is I am having lots of problems with going to 2003 on our Root DC. You may have seen my Q in 2003 topics about this.

I have just ghost back to 2000 to see what occures and everything seems to work as it did before so I don't think any of the child DCs ever "talked" to the new 2003 server.

Currrently all child DCs are displaying:

Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      (1)
Event ID:      1265
Date:            03/08/2004
Time:            13:30:02
User:            N/A
Computer:      GROVESCH
Description:
The attempt to establish a replication link with parameters
 
 Partition: CN=Schema,CN=Configuration,DC=swanad,DC=local
 Source DSA DN: CN=NTDS Settings,CN=3500C,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=swanad,DC=local
 Source DSA Address: a3013ad8-087e-4823-a355-bcd389f0cd11._msdcs.swanad.local
 Inter-site Transport (if any):
 
 failed with the following status:
 
 The RPC server is unavailable.
 
 The record data is the status code.  This operation will be retried.
Data:
0000: ba 06 00 00               º...    

This happends appears for each server it tries to link to. I havenever configured anything in Sites and Services.

What do I need to do? I have restarted DNS and netlogon and even zapped the various folders in Forward Look up zones

Any ideas??!!!
0
 
JamesDSCommented:
m0bov
If your other DCs are on different subnets then you should have configured each site and subnet in AD Sites and services - that's what it's for!

It sounds like you have some ports blocked between the hub and the outlying office subnets.


Cheers

JamesDS
0
New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

 
m0bovAuthor Commented:
Hi JamesDS, thanks for that, no, there are non setup. I have just tried it but the only site listed in Default first site name. Should I not be able to pick out a server from a list or something?

Sorry to be a pain!
0
 
m0bovAuthor Commented:
Hi, just created a site and done the subnet for it, also slected licening computer. I done this on the Root DC, should it appear on the console on the child DC? Should I have done the config for Sites and Services on the child DC in the first place or will it replicate?

Thanks.
0
 
JamesDSCommented:
m0bov
ok, staying in AD Sites and Services...

create a new site for each location that has it's own subnet - in the same place as "default first site name"

Create new subnets corresponding to your network and assign them to the sites

Create site links from the hub to each remote site (IP links NOT SMTP ones)

What you have just created is a Replication Topology. The KCC will use this to create replication connection objects and replicate your AD.


Cheers

JamesDS
0
 
JamesDSCommented:
m0bov
Create everthing on the root DC, it will replicate, if replication is functioning

Cheers

JamesDS
0
 
m0bovAuthor Commented:
Hi, I right clicked on Sites and done new site, it showes me a box with Link name and says DEFAULTIPSITELINK then transport is IP. Is that correct?
0
 
m0bovAuthor Commented:
Hi I now have two sites, DEFAULT First site and Groveprimary. Under Groveprimary I have moved my domain server to, added a subnet and selected the groveprimary dc as a licensing server. I also created a link under IP so I have the DEFAULT link and GROVESCHOOL link. Set rep to 15 minutes. Set the groveprimary server to a GC.

Does this sound correct?
0
 
m0bovAuthor Commented:
Hi JamesDS, I am increasing the points for you.

Regarding Bridging, I have Bridge all sites ticked, should I untick? Don't forget get the Child DCs can only see the Root DC.

Thanks
0
 
JamesDSCommented:
m0bov
ok, it all sounds pretty good.
You can delete default first site and default site ip link, if you are no longer using them

There should be a site link for each of the remote sites to the hub, IE HUB to Site 1, Hub to Site 2, etc

With this setup you will not need bridge all site links enabled

Thanks for the extra points :)

How are we doing now??

Cheers

JamesDS
0
 
m0bovAuthor Commented:
Hi, still getting the event log errors but it was useful to know about the Sites thing. The company that setup the server never configured them, even though our AD spans up to 50 sites. We also have problems with licening, servers at various sites "grab" CALs from other servers and they pick random servers as the "licensing server". Assume this is all linked to not having Site configued.

Also, the Site I created has not rep'ed to the child domain. :-( Think the AD is now broken.
0
 
JamesDSCommented:
m0bov
Getting random servers as licensing server is due to the lack of sites.

Not setting up sites is extremely bad practice and rather amateurish - it shows a lack of understanding about how AD works.

You mention child domains, can you tell me exactly what you have domain-wise?

Cheers

JamesDS
0
 
m0bovAuthor Commented:
Hi, agreed, not having any MS training I was'nt to know, annoyed tha the comany did'nt do this. All of my learning comes from on the job so if yor not aware of something you don't do it. Of course I know about it now! I have arranged for a consultant to visit us later this week to install a 2003 root DC with me. Should get it all done proper and I should learn a thing or two along the way.

Domain wise, each site (school) has a DC  which is a child domain, they ar'nt GCs and of course no sites are defined (until now!). I setup delegated DNS zone on the Root DC and after the child domain server is installed the server then looks to itself with a forwarder. NSlookup and that all seem to be fine and don't report problems.

Cheers.
0
 
JamesDSCommented:
m0bov
so you have a domain for each school? that makes for a large domain structure!

You should make each DC a GC, so that the WAN isn't hit each time a global or universal group is enumerated.

Make sure you really pick the brains of your consultant, to get the best out of them :)

Glad I was able to help

Cheers

JamesDS
0
 
m0bovAuthor Commented:
Hi James, its not too bad, we have swand.local as the root then oneinf.swanad.localm, anotherinf.swanad.local, someotherschool.swanad.local etc..

At some schools they want another server attached for admin use so we also have admin.someotherschool.swanad.loca !

Cheers.
0
 
JamesDSCommented:
m0bov

Gotcha, still, larger than the average and I've done some biggies!

Right then, is there anything I can help with?

Cheers

JamesDS
0
 
m0bovAuthor Commented:
Nope, I think thats everything, points on their way!
0
 
JamesDSCommented:
m0bov
Thanks for the points and good luck :)

Cheers

JamesDS
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 10
  • 9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now