Router security between sites
m0bov asked:
Hi, quick question. We have a single root DC, with child DCs at various sites all connected via a WAN. The root DC can see down to the children, and the children can see "up" to the root DC, BUT child DCs cannot look "across" to other child DCs at other sites because of the router setup.
Will this cause issues? Does child DC need to be able to ping and access other sites?
Thanks.
James
ASKER
Hi, JamesDS, reason I asked is I am having lots of problems with going to 2003 on our Root DC. You may have seen my Q in 2003 topics about this.
I have just ghosted back to 2000 to see what occurs, and everything seems to work as it did before, so I don't think any of the child DCs ever "talked" to the new 2003 server.
Currently all child DCs are displaying:
Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1265
Date: 03/08/2004
Time: 13:30:02
User: N/A
Computer: GROVESCH
Description:
The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=swanad,DC=local
Source DSA DN: CN=NTDS Settings,CN=3500C,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=swanad,DC=local
Source DSA Address: a3013ad8-087e-4823-a355-bcd389f0cd11._msdcs.swanad.local
Inter-site Transport (if any):
failed with the following status:
The RPC server is unavailable.
The record data is the status code. This operation will be retried.
Data:
0000: ba 06 00 00 º...
This happens for each server it tries to link to. I have never configured anything in Sites and Services.
What do I need to do? I have restarted DNS and Netlogon and even zapped the various folders in the Forward Lookup zones.
Any ideas??!!!
ASKER
Hi JamesDS, thanks for that. No, there are none set up. I have just tried it, but the only site listed is Default First Site Name. Should I not be able to pick out a server from a list or something?
Sorry to be a pain!
ASKER
Hi, I have just created a site and set up the subnet for it, and also selected the licensing computer. I did this on the root DC; should it appear in the console on the child DC? Should I have done the config for Sites and Services on the child DC in the first place, or will it replicate?
Thanks.
m0bov
ok, staying in AD Sites and Services...
Create a new site for each location that has its own subnet, in the same place as "Default First Site Name".
Create new subnets corresponding to your network and assign them to the sites
Create site links from the hub to each remote site (IP links NOT SMTP ones)
What you have just created is a Replication Topology. The KCC will use this to create replication connection objects and replicate your AD.
Cheers
JamesDS
m0bov
Create everything on the root DC; it will replicate, if replication is functioning.
Cheers
JamesDS
ASKER
Hi, I right-clicked on Sites and chose New Site. It shows me a box with Link name and says DEFAULTIPSITELINK, then transport is IP. Is that correct?
ASKER
Hi, I now have two sites, Default First Site and Groveprimary. Under Groveprimary I have moved my domain server, added a subnet and selected the Groveprimary DC as a licensing server. I also created a link under IP, so I have the DEFAULT link and the GROVESCHOOL link. Set rep to 15 minutes. Set the Groveprimary server to be a GC.
Does this sound correct?
ASKER
Hi JamesDS, I am increasing the points for you.
Regarding Bridging, I have Bridge all sites ticked, should I untick? Don't forget get the Child DCs can only see the Root DC.
Thanks
m0bov
ok, it all sounds pretty good.
You can delete default first site and default site ip link, if you are no longer using them
There should be a site link for each of the remote sites to the hub, IE HUB to Site 1, Hub to Site 2, etc
With this setup you will not need bridge all site links enabled
Thanks for the extra points :)
How are we doing now??
Cheers
JamesDS
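The procedure JamesDS lays out above (one site per location, a subnet per site, an IP site link from the hub to each spoke, then dropping the default link and turning off "Bridge all site links") as a scripted version. This is an added example, not anything posted in the thread. It uses the ActiveDirectory module's replication cmdlets, which exist only on Windows Server 2012 and later; the MMC steps in the thread are the 2003-era equivalent. Default-First-Site-Name, DEFAULTIPSITELINK, 3500C and GROVESCH are taken from the thread; the subnet, link names and cost are placeholders.

```powershell
# Added example, not from the original thread: build the hub-and-spoke
# replication topology JamesDS describes. Requires the ActiveDirectory module
# (Windows Server 2012 or later). Subnet, link names and cost are assumed.
Import-Module ActiveDirectory

# Run as Enterprise Admin on the forest root DC (3500C): sites, subnets and
# site links live in the Configuration partition and replicate to every DC.
$configNC = (Get-ADRootDSE).configurationNamingContext
$hubSite  = 'Default-First-Site-Name'       # the hub; 3500C stays here

# One entry per location. The subnet is a placeholder for illustration.
$spokes = @(
    @{ Site = 'Groveprimary'; Subnet = '10.10.0.0/24'; Dc = 'GROVESCH' }
)

foreach ($s in $spokes) {
    # 1. the site, alongside Default-First-Site-Name
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Site)'")) {
        New-ADReplicationSite -Name $s.Site
    }
    # 2. the subnet that maps that location's addresses onto the site
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($s.Subnet)'")) {
        New-ADReplicationSubnet -Name $s.Subnet -Site $s.Site
    }
    # 3. an IP (not SMTP) site link containing only the hub and this spoke.
    #    No spoke-to-spoke links: the routers do not let remote DCs see each other.
    $link = "$hubSite-$($s.Site)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded $hubSite, $s.Site `
            -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15
    }
    # 4. move the location's DC into its site; its server object sits at
    #    CN=<dc>,CN=Servers,CN=<site>,CN=Sites,<config NC>
    $server = Get-ADObject -SearchBase "CN=Sites,$configNC" `
        -Filter "objectClass -eq 'server' -and Name -eq '$($s.Dc)'"
    if ($server -and $server.DistinguishedName -notlike "*,CN=Servers,CN=$($s.Site),*") {
        Move-ADDirectoryServer -Identity $s.Dc -Site $s.Site
    }
}

# 5. Turn off "Bridge all site links". With it on, the KCC assumes every site
#    can reach every other through the chain of links and will build
#    spoke-to-spoke connections that fail with "The RPC server is unavailable"
#    (event 1265). The checkbox is bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED)
#    in the options attribute of the IP inter-site transport object.
$ip   = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
$opts = [int]$ip.options
if (-not ($opts -band 2)) {
    Set-ADObject -Identity $ip -Replace @{ options = ($opts -bor 2) }
}

# 6. DEFAULTIPSITELINK is redundant once every spoke has its own hub link.
#    Remove it only after step 3 has run for every location, otherwise a site
#    with no hub link loses its only path.
if (Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'") {
    Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false
}

# Verify from any DC that the KCC rebuilt connections only along those links:
#   repadmin /kcc          (force a topology recalculation)
#   repadmin /showrepl     (inbound partners and last status per partition)
```

The hub keeps Default-First-Site-Name here, so only DEFAULTIPSITELINK is removed; if you want a meaningful hub name, rename the site with Rename-ADObject rather than deleting it while 3500C still lives in it. With bridging off, replication is no longer transitive, so every remote site must have a link that includes the hub, which is exactly what the loop builds. Run the loop for every location before steps 5 and 6, otherwise a site that has not yet got its hub link is cut off.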
ASKER
Hi, still getting the event log errors, but it was useful to know about the Sites thing. The company that set up the server never configured them, even though our AD spans up to 50 sites. We also have problems with licensing: servers at various sites "grab" CALs from other servers and they pick random servers as the "licensing server". I assume this is all linked to not having Sites configured.
Also, the Site I created has not rep'ed to the child domain. :-( Think the AD is now broken.
m0bov
Getting random servers as licensing server is due to the lack of sites.
Not setting up sites is extremely bad practice and rather amateurish - it shows a lack of understanding about how AD works.
You mention child domains, can you tell me exactly what you have domain-wise?
Cheers
JamesDS
ASKER
Hi, agreed; not having any MS training, I wasn't to know, and I'm annoyed that the company didn't do this. All of my learning comes from on the job, so if you're not aware of something you don't do it. Of course I know about it now! I have arranged for a consultant to visit us later this week to install a 2003 root DC with me. Should get it all done properly and I should learn a thing or two along the way.
Domain-wise, each site (school) has a DC which is a child domain; they aren't GCs and of course no sites are defined (until now!). I set up a delegated DNS zone on the root DC, and after the child domain server is installed the server then looks to itself with a forwarder. nslookup and all that seem to be fine and don't report problems.
Cheers.
m0bov
so you have a domain for each school? that makes for a large domain structure!
You should make each DC a GC, so that the WAN isn't hit each time a global or universal group is enumerated.
Make sure you really pick the brains of your consultant, to get the best out of them :)
Glad I was able to help
Cheers
JamesDS
ASKER
Hi James, it's not too bad: we have swanad.local as the root, then oneinf.swanad.local, anotherinf.swanad.local, someotherschool.swanad.local etc.
At some schools they want another server attached for admin use, so we also have admin.someotherschool.swanad.local!
Cheers.
m0bov
Gotcha, still, larger than the average and I've done some biggies!
Right then, is there anything I can help with?
Cheers
JamesDS
ASKER
Nope, I think thats everything, points on their way!
m0bov
Thanks for the points and good luck :)
Cheers
JamesDS
Active Directory "generally prefers" all systems to be able to see each other freely - which is one of the reasons why firewalls never used to be supported between AD sites. However, so long as all machines can see the FSMO roles and Global Catalogs, there will not be a problem.
Make sure you check your site links are correct to your topology and the Replication Connection Objects (in AD Sites and Services, under each server) to ensure that the KCC has not tried to create connections between servers that cannot see each other.
If properly configured, this is a perfectly acceptable solution.
Cheers
JamesDS
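To perform the check JamesDS recommends (look at the replication connection objects the KCC generated and make sure none of them joins two servers the routers keep apart), here is an added example, not from the thread, to run on a child DC that is logging event 1265. It walks that DC's inbound connection objects, resolves each source DSA's GUID CNAME in _msdcs (the same name the event quotes under "Source DSA Address"), tests the RPC endpoint mapper on TCP 135, and flags any spoke-to-spoke connection. Default-First-Site-Name as the hub site is taken from the thread; the cmdlets need the ActiveDirectory module and Test-NetConnection (Windows Server 2012 or later), so on the thread's 2003 DCs the equivalent is repadmin /showrepl plus a manual port test.

```powershell
# Added example, not from the original thread: audit this DC's inbound
# replication connections for the event 1265 pattern (a source the KCC
# chose that this DC cannot reach over RPC). Requires the ActiveDirectory
# module and Test-NetConnection (Windows Server 2012 or later).
Import-Module ActiveDirectory

$forestDns = (Get-ADForest).RootDomain          # swanad.local in the thread
$hubSite   = 'Default-First-Site-Name'          # site holding the root DC 3500C

# This DC as the KCC sees it: its site and its NTDS Settings DN.
$me = Get-ADDomainController -Identity $env:COMPUTERNAME

# Inbound connection objects live under our NTDS Settings; the Source DSA DN
# quoted in event 1265 is the ReplicateFromDirectoryServer of one of them.
$conns = Get-ADReplicationConnection -Filter "ReplicateToDirectoryServer -eq '$($me.NTDSSettingsObjectDN)'"

$report = foreach ($c in $conns) {
    $src = Get-ADObject -Identity $c.ReplicateFromDirectoryServer -Properties objectGUID
    # DN layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $parts   = $src.DistinguishedName -split ',(?=CN=)'
    $srcName = $parts[1] -replace '^CN='
    $srcSite = $parts[3] -replace '^CN='

    # 1. Replication locates the source via <DSA GUID>._msdcs.<forest>, the
    #    exact name the event shows under "Source DSA Address".
    $cname  = "$($src.objectGUID)._msdcs.$forestDns"
    $record = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object Type -eq 'CNAME' | Select-Object -First 1

    # 2. "The RPC server is unavailable" means the endpoint mapper (TCP 135)
    #    or the dynamic port behind it is unreachable; test the mapper from here.
    $rpcOpen = $false
    if ($record) {
        $rpcOpen = (Test-NetConnection -ComputerName $record.NameHost -Port 135 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # 3. A connection between two non-hub sites is one the routers will block.
    $crossSpoke = ($srcSite -ne $hubSite) -and ($me.Site -ne $hubSite) -and ($srcSite -ne $me.Site)

    [pscustomobject]@{
        Connection    = $c.Name
        AutoGenerated = $c.AutoGenerated      # True = KCC built it, False = admin did
        SourceDC      = $srcName
        SourceSite    = $srcSite
        CnameResolves = [bool]$record
        Rpc135Open    = $rpcOpen
        CrossSpoke    = $crossSpoke           # True = a link the network cannot carry
    }
}

$report | Format-Table -AutoSize
```

A row with CrossSpoke True and Rpc135Open False is the 1265 pattern: the KCC built a connection the network cannot carry. Fix the topology (sites, hub-to-spoke links, bridging off) and run repadmin /kcc rather than deleting the connection by hand, or the KCC simply recreates it. CnameResolves True with the port test failing means DNS is fine and the block is on the path; from the destination DC, replication needs TCP 135 to the source plus the dynamic RPC port the endpoint mapper hands back (or a fixed one if "TCP/IP Port" is set under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), so that is what the router ACL towards the hub must allow.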