Solved

Router security between sites

Posted on 2004-08-03
Last Modified: 2010-04-13
Hi, quick question. We have a single root DC, with child DCs at various sites all connected via a WAN. The root DC can see down to the children, and the children can see "up" to the root DC, BUT child DCs cannot look "across" to other child DCs at other sites because of the router setup.

Will this cause issues? Does child DC need to be able to ping and access other sites?

Thanks.

James
Question by:m0bov
19 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 11703601
m0bov
Active Directory "generally prefers" all systems to be able to see each other freely - which is one of the reasons why firewalls never used to be supported between AD sites. However, so long as all machines can see the FSMO roles and Global Catalogs, there will not be a problem.

Make sure you check your site links are correct to your topology and the Replication Connection Objects (in AD Sites and Services, under each server) to ensure that the KCC has not tried to create connections between servers that cannot see each other.

If properly configured, this is a perfectly acceptable solution.

Cheers

JamesDS
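The checks JamesDS describes above (every DC must reach the FSMO holders and Global Catalogs, and the KCC must not have paired servers that cannot see each other) can be scripted. The block below is an added example, not code from the original thread or from Experts Exchange; it assumes Windows Server 2012 or later with the ActiveDirectory and DnsClient PowerShell modules, run on a DC or on a management host with RSAT. The thread's own environment was Windows 2000/2003, where the equivalent checks are `repadmin /showrepl` and `dcdiag /test:connectivity`.

```powershell
# Added example (not from the original thread). Assumes Windows Server 2012+ with the
# ActiveDirectory and DnsClient modules; the port list and the _msdcs CNAME lookup
# model what event 1265 ("The RPC server is unavailable") is actually testing.
Import-Module ActiveDirectory

$forest = Get-ADForest
$msdcs  = "_msdcs." + $forest.RootDomain     # zone holding the <DSA objectGUID> CNAME records
$ports  = 135, 389, 88, 445                   # RPC endpoint mapper, LDAP, Kerberos, SMB (SYSVOL)

# 1. FSMO role holders and Global Catalogs: every DC must be able to reach these.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog,
        @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ',' } } |
    Format-Table -AutoSize

# 2. Site links: in a hub-and-spoke design each link should contain the hub and one spoke.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ',' } } |
    Format-Table -AutoSize

# 3. Inbound connection objects for this DC. The source DSA's objectGUID is what the
#    "<guid>._msdcs.<forest>" address in event 1265 refers to, so resolve it the way the
#    replication engine does, then probe the ports RPC-based replication needs.
$me = Get-ADDomainController
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateToDirectoryServer -eq $me.NTDSSettingsObjectDN } |
    ForEach-Object {
        $srcDn   = $_.ReplicateFromDirectoryServer                   # CN=NTDS Settings,CN=<server>,...
        $srcName = ($srcDn -split ',')[1] -replace '^CN=', ''
        $guid    = (Get-ADObject -Identity $srcDn).ObjectGUID
        $cname   = Resolve-DnsName -Name "$guid.$msdcs" -Type CNAME -ErrorAction SilentlyContinue
        $target  = if ($cname) { $cname.NameHost } else { $null }
        $result  = [ordered]@{ Source = $srcName; AutoGenerated = $_.AutoGenerated; CnameResolves = [bool]$target }
        foreach ($p in $ports) {
            $result["TCP$p"] = if ($target) {
                (Test-NetConnection -ComputerName $target -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
            } else { $false }
        }
        [pscustomobject]$result
    } | Format-Table -AutoSize
```

Reading the output: a connection whose CNAME does not resolve points at DNS (the child DC cannot see the forest `_msdcs` zone), while a resolving CNAME with TCP 135 closed points at the router ACLs, which is the symptom in this thread. On Windows Server 2008 and later the replication RPC endpoint is also allocated from the dynamic range 49152-65535, so that range (or a port pinned with the `TCP/IP Port` value under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`) must be open between hub and spoke as well.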
 

Author Comment

by:m0bov
ID: 11703727
Hi JamesDS, the reason I asked is I am having lots of problems with going to 2003 on our root DC. You may have seen my Q in the 2003 topics about this.

I have just ghosted back to 2000 to see what occurs and everything seems to work as it did before, so I don't think any of the child DCs ever "talked" to the new 2003 server.

Currently all child DCs are displaying:

Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      (1)
Event ID:      1265
Date:            03/08/2004
Time:            13:30:02
User:            N/A
Computer:      GROVESCH
Description:
The attempt to establish a replication link with parameters
 
 Partition: CN=Schema,CN=Configuration,DC=swanad,DC=local
 Source DSA DN: CN=NTDS Settings,CN=3500C,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=swanad,DC=local
 Source DSA Address: a3013ad8-087e-4823-a355-bcd389f0cd11._msdcs.swanad.local
 Inter-site Transport (if any):
 
 failed with the following status:
 
 The RPC server is unavailable.
 
 The record data is the status code.  This operation will be retried.
Data:
0000: ba 06 00 00               º...    

This appears for each server it tries to link to. I have never configured anything in Sites and Services.

What do I need to do? I have restarted DNS and Netlogon and even zapped the various folders in the Forward Lookup Zones.

Any ideas??!!!
 
LVL 16

Accepted Solution

by:
JamesDS earned 500 total points
ID: 11703807
m0bov
If your other DCs are on different subnets then you should have configured each site and subnet in AD Sites and Services - that's what it's for!

It sounds like you have some ports blocked between the hub and the outlying office subnets.


Cheers

JamesDS

Author Comment

by:m0bov
ID: 11703891
Hi JamesDS, thanks for that. No, there are none set up. I have just tried it but the only site listed is Default-First-Site-Name. Should I not be able to pick out a server from a list or something?

Sorry to be a pain!
 

Author Comment

by:m0bov
ID: 11703973
Hi, I have just created a site and done the subnet for it, and also selected the licensing computer. I did this on the root DC; should it appear in the console on the child DC? Should I have done the config for Sites and Services on the child DC in the first place, or will it replicate?

Thanks.
 
LVL 16

Expert Comment

by:JamesDS
ID: 11704003
m0bov
ok, staying in AD Sites and Services...

create a new site for each location that has its own subnet - in the same place as "Default-First-Site-Name"

Create new subnets corresponding to your network and assign them to the sites

Create site links from the hub to each remote site (IP links NOT SMTP ones)

What you have just created is a Replication Topology. The KCC will use this to create replication connection objects and replicate your AD.


Cheers

JamesDS
 
LVL 16

Expert Comment

by:JamesDS
ID: 11704024
m0bov
Create everything on the root DC; it will replicate, if replication is functioning.

Cheers

JamesDS
 

Author Comment

by:m0bov
ID: 11704101
Hi, I right-clicked on Sites and did New Site; it shows me a box with Link name and says DEFAULTIPSITELINK, then transport is IP. Is that correct?
 

Author Comment

by:m0bov
ID: 11704205
Hi, I now have two sites, Default-First-Site and Groveprimary. Under Groveprimary I have moved my domain server, added a subnet and selected the Groveprimary DC as a licensing server. I also created a link under IP, so I have the DEFAULT link and the GROVESCHOOL link. Set replication to 15 minutes. Set the Groveprimary server to be a GC.

Does this sound correct?
 

Author Comment

by:m0bov
ID: 11704411
Hi JamesDS, I am increasing the points for you.

Regarding bridging, I have "Bridge all site links" ticked; should I untick it? Don't forget the child DCs can only see the root DC.

Thanks
 
LVL 16

Expert Comment

by:JamesDS
ID: 11707504
m0bov
ok, it all sounds pretty good.
You can delete Default-First-Site-Name and the default IP site link, if you are no longer using them.

There should be a site link from each of the remote sites to the hub, i.e. Hub to Site 1, Hub to Site 2, etc.

With this setup you will not need "Bridge all site links" enabled.

Thanks for the extra points :)

How are we doing now??

Cheers

JamesDS
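The procedure JamesDS lays out across his replies (one site per location, subnets assigned to sites, one IP site link from each spoke to the hub, the spoke DCs made Global Catalogs, and "Bridge all site links" switched off) is shown below as an added example; it is not code from the original thread or from Experts Exchange. It assumes Windows Server 2012 or later with the ActiveDirectory module and Enterprise Admins rights, since sites, subnets and site links live in the forest-wide Configuration partition. The site names, subnets and DC names are placeholders loosely modelled on the thread, and `Default-First-Site-Name` is kept as the hub because that is where the root DC already sits.

```powershell
# Added example (not from the original thread). Assumes Windows Server 2012+ with the
# ActiveDirectory module and Enterprise Admins rights. All names and subnets below are
# placeholders; replace them with the real hub subnet, school sites and DC names.
Import-Module ActiveDirectory

$config = (Get-ADRootDSE).configurationNamingContext
$hub    = 'Default-First-Site-Name'          # site the root DC already lives in
$spokes = @{
    'Groveprimary' = @{ Subnets = @('10.10.0.0/24'); DCs = @('GROVESCH') }
    'Oneinf'       = @{ Subnets = @('10.11.0.0/24'); DCs = @('ONEINF-DC') }
}

# 1. Subnet for the hub so the root DC and hub clients are site-aware too.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '10.0.0.0/24'")) {
    New-ADReplicationSubnet -Name '10.0.0.0/24' -Site $hub
}

# 2. Per spoke: site, subnets, move its DC(s) in, make them GCs, one IP link to the hub.
foreach ($site in $spokes.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($net in $spokes[$site].Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$net'")) {
            New-ADReplicationSubnet -Name $net -Site $site
        }
    }
    foreach ($dc in $spokes[$site].DCs) {
        Move-ADDirectoryServer -Identity $dc -Site $site
        # Global Catalog is bit 0x1 (NTDSDSA_OPT_IS_GC) in options on the NTDS Settings object,
        # which now sits under the new site's CN=Servers container.
        $ntds = "CN=NTDS Settings,CN=$dc,CN=Servers,CN=$site,CN=Sites,$config"
        $opts = [int](Get-ADObject -Identity $ntds -Properties options).options
        Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 0x1) }
    }
    $link = "${hub}-${site}"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded $hub, $site `
            -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15
    }
}

# 3. Spokes must replicate only over their explicit hub link: take them out of
#    DEFAULTIPSITELINK if the GUI wizard put them there, then turn "Bridge all site links"
#    off (bit 0x2, NTDSTRANSPORT_OPT_BRIDGES_REQUIRED, on the IP transport container) so the
#    KCC never infers a spoke-to-spoke path the routers will not carry.
$default = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -ErrorAction SilentlyContinue
if ($default) {
    $stale = @($default.SitesIncluded | Where-Object { (($_ -split ',')[0] -replace '^CN=', '') -in $spokes.Keys })
    if ($stale.Count) { Set-ADReplicationSiteLink -Identity $default -SitesIncluded @{ Remove = $stale } }
}
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$config"
$tOpts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($tOpts -bor 0x2) }

# 4. Have the KCC rebuild connection objects now rather than on its next 15-minute pass.
repadmin /kcc
```

One caveat on turning bridging off: with bridging disabled, two sites replicate a given partition directly only if a site link joins them. That is fine here because each school is its own domain with a single DC, but a domain that had DCs in two spoke sites and none at the hub would need an explicit site link bridge (or the spoke-to-spoke route opened on the routers) before its own partition could replicate.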
 

Author Comment

by:m0bov
ID: 11712976
Hi, still getting the event log errors, but it was useful to know about the Sites thing. The company that set up the server never configured them, even though our AD spans up to 50 sites. We also have problems with licensing: servers at various sites "grab" CALs from other servers and they pick random servers as the "licensing server". I assume this is all linked to not having Sites configured.

Also, the site I created has not replicated to the child domain. :-( Think the AD is now broken.
 
LVL 16

Expert Comment

by:JamesDS
ID: 11713053
m0bov
Getting random servers as licensing server is due to the lack of sites.

Not setting up sites is extremely bad practice and rather amateurish - it shows a lack of understanding about how AD works.

You mention child domains, can you tell me exactly what you have domain-wise?

Cheers

JamesDS
 

Author Comment

by:m0bov
ID: 11713224
Hi, agreed. Not having any MS training I wasn't to know; annoyed that the company didn't do this. All of my learning comes from on the job, so if you're not aware of something you don't do it. Of course I know about it now! I have arranged for a consultant to visit us later this week to install a 2003 root DC with me. Should get it all done properly and I should learn a thing or two along the way.

Domain-wise, each site (school) has a DC which is a child domain; they aren't GCs and of course no sites are defined (until now!). I set up a delegated DNS zone on the root DC, and after the child domain server is installed the server then looks to itself with a forwarder. nslookup and all that seem to be fine and don't report problems.

Cheers.
 
LVL 16

Expert Comment

by:JamesDS
ID: 11714393
m0bov
So you have a domain for each school? That makes for a large domain structure!

You should make each DC a GC, so that the WAN isn't hit each time a global or universal group is enumerated.

Make sure you really pick the brains of your consultant, to get the best out of them :)

Glad I was able to help

Cheers

JamesDS
 

Author Comment

by:m0bov
ID: 11714764
Hi James, it's not too bad; we have swanad.local as the root, then oneinf.swanad.local, anotherinf.swanad.local, someotherschool.swanad.local etc.

At some schools they want another server attached for admin use, so we also have admin.someotherschool.swanad.local!

Cheers.
 
LVL 16

Expert Comment

by:JamesDS
ID: 11714862
m0bov

Gotcha; still, larger than the average, and I've done some biggies!

Right then, is there anything I can help with?

Cheers

JamesDS
 

Author Comment

by:m0bov
ID: 11715054
Nope, I think that's everything, points on their way!
 
LVL 16

Expert Comment

by:JamesDS
ID: 11717845
m0bov
Thanks for the points and good luck :)

Cheers

JamesDS