

AD DNS Design Sanity check

Posted on 2004-08-16
Medium Priority
Last Modified: 2012-05-05
My company has 70 sites. 50 are small (up to 30 users) remote sites, connected via 256k to 1Mb links to the ISP cloud. All have ISDN backup and local file/print servers.
6 larger sites have 100 to 250 users with 1 to 3 local file/print servers and a 1 to 4Mb connection to the ISP cloud.
Several large London and Romford buildings with 4500 users on a gigabit LAN, connected to the ISP via a 34Mb link.
We also have two data centres which will house all application servers and are connected to the ISP via a 34Mb link.

We have worked hard to shrink everything to a single NT4 domain so far.  We are designing a single AD domain in a single AD forest to keep things single.  Currently all sites have an NT4 BDC in case of WAN loss.

In our AD design, we have considered London (3000 users) as the main site with 4 DCs. Romford has gigabit connectivity and 1500 users but is considered another site with one DC. The 6 larger sites have one DC each. The other 50 small sites are divided as follows: 20 have no DC and are grouped into one site with their DC in one data centre. Another 20 sites with no DC are grouped into the other data centre. The last 10 have no DC and are grouped together with London as their primary site, with 5 DCs to choose from for logon.

All DCs will be GCs and AD-integrated (secure update) DNS servers. There will be separate DHCP servers for security reasons. The London users will have two London DNS servers as primary and secondary. The 6 larger sites will have their own DC as primary DNS and London as secondary DNS. The remote small sites will have the data centre DC as primary and one London DC as secondary DNS, all to achieve logon and DNS load balancing.
To achieve further logon load balancing we will probably split the London site into 5 London sites to ensure certain buildings have a primary logon DC, even though there is a gigabit connection across London and Romford.

1) Is there anything else we need to consider in this design? i.e. did we miss anything?
2) Do we set up each DC as the Licensing server for that site?
3) Do we set up DDNS so client A records do not get replicated to other DNS servers, for reduced replication, or in our case does it not matter? So far we have set the DHCP server to register the client, and the lease time is 7 days, which matches DNS scavenging.

PS: The client is worried about remote sites with no DC. If the link and the backup ISDN link both die then no logon or connection to FAP is possible. Any way to work round Kerberos authentication??? MS articles have come up with bizarre ways of doing this like local accounts and ACLs or Terminal Services...

I really appreciate a second opinion on this design...  



Question by:mbecmba1
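
A worked configuration for item 3 above (DHCP registering client records, with the 7-day lease matched to DNS scavenging), as an added example that is not part of the original question or any answer in this thread. It assumes the DnsServer and DhcpServer PowerShell modules (Windows Server 2012 or later, so much newer than the 2003 servers discussed here), PowerShell remoting to the servers, and placeholder names for the zone, the DNS server and the DHCP server.

```powershell
# Added example, not from the original thread. Checks that DNS zone aging and the
# DHCP lease agree, then configures the DHCP server to own client A/PTR records.
# Assumptions: DnsServer + DhcpServer modules (Windows Server 2012+), the caller is
# a DNS/DHCP admin, and the names below are placeholders for the real servers.

$ZoneName   = 'corp.example'                # assumed AD-integrated forward zone
$DnsServer  = 'dc-london-01.corp.example'   # assumed DC hosting the zone (the one scavenging server)
$DhcpServer = 'dhcp-london-01.corp.example' # assumed separate DHCP server

function Test-ScavengingMatchesLease {
    param([string]$Zone, [string]$Dns, [string]$Dhcp)

    # Longest lease across all scopes. Clients renew at 50% of the lease and the
    # DHCP server refreshes the DNS record timestamp on every renewal.
    $maxLease = (Get-DhcpServerv4Scope -ComputerName $Dhcp |
                 Sort-Object LeaseDuration -Descending |
                 Select-Object -First 1).LeaseDuration

    $aging  = Get-DnsServerZoneAging -Name $Zone -ComputerName $Dns
    $window = $aging.NoRefreshInterval + $aging.RefreshInterval

    # A record becomes eligible for scavenging once its timestamp is older than
    # NoRefresh + Refresh. If that window is shorter than the lease, a client with
    # a still-valid lease can lose its A record between renewals.
    [pscustomobject]@{
        Zone         = $Zone
        AgingEnabled = $aging.AgingEnabled
        NoRefresh    = $aging.NoRefreshInterval
        Refresh      = $aging.RefreshInterval
        MaxDhcpLease = $maxLease
        Consistent   = $aging.AgingEnabled -and ($window -ge $maxLease)
    }
}

function Set-DhcpOwnsClientRecords {
    param([string]$Dhcp, [pscredential]$DnsUpdateAccount)

    # The DHCP server, not the client, performs the A/PTR update, so every client
    # record is owned by one account and can be removed when the lease expires.
    # $DnsUpdateAccount is assumed to be a dedicated low-privilege user that is a
    # member of DnsUpdateProxy (never a Domain Admin).
    Set-DhcpServerDnsCredential -ComputerName $Dhcp -Credential $DnsUpdateAccount
    Set-DhcpServerv4DnsSetting -ComputerName $Dhcp `
        -DynamicUpdates Always `
        -UpdateDnsRRForOlderClients $true `
        -DeleteDnsRROnLeaseExpiry $true
}

# Usage: report, then remediate if the intervals do not cover the lease.
$report = Test-ScavengingMatchesLease -Zone $ZoneName -Dns $DnsServer -Dhcp $DhcpServer
$report | Format-List

if (-not $report.Consistent) {
    # For a 7-day lease, NoRefresh = Refresh = 7 days (the Windows defaults) gives a
    # 14-day window, and scavenging runs on exactly one DNS server for the zone.
    Set-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer -Aging $true `
        -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
    Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
        -ScavengingInterval 7.00:00:00
}

Set-DhcpOwnsClientRecords -Dhcp $DhcpServer -DnsUpdateAccount (Get-Credential 'CORP\svc-dhcp-dns')
```

Two caveats worth keeping in mind with the design described in the question. With AD-integrated zones there is no per-record control over replication: a client A record accepted by any DC is stored in the directory partition and replicates to every DNS server that hosts it, so the "does the record get replicated" question answers itself. And scavenging should be enabled on only one DNS server per zone; enabling it everywhere with different clocks and intervals is how valid records get deleted.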

Accepted Solution

dgroscost earned 600 total points
ID: 11816842
Note - don't make your infrastructure a GC.  

Also, if you are worried about not being able to log in due to not having a GC, see below:

Interactive logon: Number of previous logons to cache (in case domain controller is not available).

This policy setting is found under:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

It is set to 10 by default in the Local Security Policy of Windows 2000 or later machines. But security-conscious administrators will set it to 0 to prevent situations such as when you have to disable a user's account when they're suddenly fired from their job. In such a situation, if the user finds out and simply disconnects his laptop from the LAN before he tries to log on, he still has his cached credentials on his machine. This means that if he can sneak into the building later he may still be able to gain some limited access to the network's resources and do damage.

Or you could upgrade to 2003 and use Universal Group caching :)
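
A way to audit and enforce the cached-logon setting the answer describes across a fleet, as an added example that is not part of the accepted solution. The policy "Interactive logon: Number of previous logons to cache" is stored in the registry value CachedLogonsCount (a REG_SZ holding 0 to 50) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The example assumes PowerShell remoting (WinRM) to the targets and local administrator rights on them; the computer names are placeholders.

```powershell
# Added example, not from the original answer. Reads and sets the registry value
# behind "Interactive logon: Number of previous logons to cache".
# Assumptions: WinRM enabled on the targets, caller is a local admin there,
# and the computer names at the bottom are placeholders.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = (Get-ItemProperty -Path $using:WinlogonKey -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            # Windows treats an absent value as the default of 10.
            CachedLogonsCount = if ($null -eq $v) { 10 } else { [int]$v }
        }
    }
}

function Set-CachedLogonsCount {
    param(
        [string[]]$ComputerName,
        [ValidateRange(0, 50)][int]$Count
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # The value is REG_SZ, so write it as a string rather than a DWORD.
        Set-ItemProperty -Path $using:WinlogonKey -Name CachedLogonsCount `
            -Value ([string]$using:Count) -Type String
    }
}

# Usage (placeholder names). Shared desktops at DC-less sites get 0 as the answer
# suggests; roaming laptops keep a small cache so users can still log on offline.
$sharedDesktops = 'ws-remote-01', 'ws-remote-02'
$laptops        = 'lt-001', 'lt-002'

Get-CachedLogonsCount -ComputerName ($sharedDesktops + $laptops) | Format-Table -AutoSize
Set-CachedLogonsCount -ComputerName $sharedDesktops -Count 0
Set-CachedLogonsCount -ComputerName $laptops -Count 2
Get-CachedLogonsCount -ComputerName ($sharedDesktops + $laptops) | Format-Table -AutoSize
```

Note that if the setting is also delivered by Group Policy under the path the answer gives, the GPO value is re-applied at the next refresh and wins over a direct registry edit, so the registry write above is only a stopgap or a way to confirm what the policy actually left on the machine. The trade-off the answer raises is also the one the question is worried about: 0 removes the fired-employee window, but a site with no DC and a dead link then has no logon at all.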

Author Comment

ID: 11818043
Thanks for the info.  

I am hoping to run 2003-only mode and am trying to avoid Win2k & Win2k3 mixed. We are running Win2k PCs with a few old Win95 PCs that are being replaced now.

Are you saying that if the DC is not available then we can allow a number of cached logons in mixed mode?  
The logon seems to happen OK, but when we try to map to a Win2k file server we get access denied. The file server we mapped was still in the old NT4 domain and we tried to cross-map using SID history or by specifying credentials.

I have to add that we used Aelita Domain Migration Wizard to migrate the test user ID and workstation to the new AD domain. We also migrated with SID history and turned off SID filtering. We do get access denied.

If I go to Win2k3 mode ONLY (no turning back) then GC is not required, but I assume I will have the same problem.  

I am not sure if this will fix it, but I'll try anything once. I will test this today. I am sure the logon was OK but the mapping failed. I thought Kerberos authentication changed everything in AD. This works a dream in NT4 domains but not in AD domains.

Any other ideas???

