Same domain, different geographic location...Best practices setup of different subnets.

Hello all,
I have a question about sites and subnetting under a single domain (Windows 2003/Windows 2000). I am going to be bringing up a new DC on an existing network at a different physical location. The two locations will be connected through a Sonicwall VPN (already up and working). The existing location has two DCs and around 20 clients. The new location will eventually have two DCs and around 10 clients. The existing location is on the 192.168.0.x subnet, and the new location will be on the 192.168.1.x subnet. What are the steps necessary to get the new site up and working properly? I think I would like it all on the same domain, and have each location handle its own DHCP, DNS, and logon. How do I make sure the clients at the new location use the new DC and not the existing one? Will the two sites show up separately in My Network Places? Can I configure it so they do? Will all of the clients be able to use DCs on either end of the tunnel if for some reason there is no available DC at their location? Do I need to use Sites and Services to set this up, or is it done by bringing up the first DC in the new location with an IP address on the new subnet? Sorry, I know there are a lot of detail questions and a very broad original question, so I will make the points high for this. Thanks.

Dmitri Farafontov (Linux Systems Admin) commented:
You need to use Active Directory Sites and Services. To create:
1) Subnet links for each site
2) Move each DC to its respective site
3) Configure replication schedules/transport methods

DHCP will be fine as long as there are appropriate scopes to hand out. DNS is multi-master replicated if running in AD-integrated zones. Local logon will surely be possible provided DNS is configured properly and a global catalog is present in each site. However, it is a good idea to separate domains for delegation reasons later on in the deployment. Sites never show up in My Network Places. Those are physical entities configurable by you as a System Admin. If you have a tree of multiple domains, you can enable cross-forest trust in Windows 2003 Functional Level. If you are in multiple child domains (which are transitive), users will walk the trust path. That's why it is crucial to have a Global Catalog once per site plus enable Universal Group caching. It will help users to log on.

Cheers, let me know if you need further explanation
NewbieAdmin (Author) commented:
What is involved in creating the subnet links?  What is Universal Group caching and how do I enable it?  

Also, when I bring up the new DC I will be installing it at the old location and shipping the server to the new location. I will give it a static IP in the 192.168.1.x subnet. Is it then as simple as plugging it in to the new network, or is there something else to consider when bringing the server online at the new location? When all of the computers are added to the domain in the new location, how do they know to use the new server rather than the servers available over the VPN connection for DHCP? I guess I'm just a little confused as to how the separate subnet is defined. If the networks were separate domains, then I would understand the boundary that would keep them separate. But with a single domain, I don't quite understand where that separation is. Hopefully I am asking the question properly. How does each computer know which server to use for DHCP?

Dmitri Farafontov (Linux Systems Admin) commented:
Creating subnet links is a very easy process. You will need to go to AD Sites and Services. On the Subnets container, right-click and press New Subnet. Universal group caching allows logon without a Global Catalog being present. For that you will need to open Your Site >> Expand >> Find your Computer >> NTDS >> Properties (check "Enable Universal Group Caching" if not already enabled). Computers rely on an SRV record from your DNS server to find the nearest domain controller. I assume that the new DC is also a DNS server. What you will need to do is point your clients back to the new DNS server manually or via DHCP. Subnet links are the process of separating them. There should be a router present to route between subnets. When a subnet link is defined it separates the DCs physically or locally (when a site is created). The Inter-site Topology Generator, in conjunction with the Knowledge Consistency Checker, will dedicate a bridgehead server on each side. They will replicate together, then pass the changes along to the other DCs. You can configure replication traffic between sites. There is no way to configure a default DHCP server. When a client requests an IP address the network is flooded with a broadcast. A DHCP server then picks up the request and hands out the IP address from the appropriate scope. You will also need a relay agent if you don't have a DHCP server present on that subnet already.

NewbieAdmin (Author) commented:
The new DC will also be a DNS server. My thought is to run DHCP for each subnet on the server located on that subnet. So, the DC in each Site will be responsible for the DHCP, DNS, and logon responsibilities within that site. I'm assuming that in my setup, the subnets are separated by the boundaries created with the Sonicwalls that I use to create the VPN tunnel. So, a computer on this side of the VPN will check for a DHCP server on this side before trying to go through the tunnel to look for one. The Sonicwall (firewall appliance) will perform the routing (among other things) required for the subnetting, correct? Also, since I will have a DHCP server on both ends of the tunnel, I'm assuming that the relay agent will not be necessary.
Dmitri Farafontov (Linux Systems Admin) commented:
No relay agent is required since there is a DHCP server on each subnet. Just make sure you have proper subnet masks and scopes defined. Cheers, let me know if you need anything else.
NewbieAdmin (Author) commented:
So, bear with me for a moment to see if I understand all of this correctly...
The subnet will be physically separated by the two Sonicwalls that I have set up for the VPN between the two different geographic locations.  Logically, the subnet will be created by the individual DHCP servers behind either firewall.  Functionally within Windows 2003 Server/Windows 2000 Server, I will define a "Site" for each geographic location, then set up a "Site Link" to connect the two locations, and then move (within Sites and Services) the individual servers into the respective "Sites".  I should have a DHCP scope set up for each site/subnet; and a DNS server, global catalog, and Universal Group Caching should also run at each site.   Then I should set up replication between the two "Sites".   Is there anything that I am missing there?  What did you mean by "Transport methods" in your first post?  Also, how does one DNS server update the other one?  Are separate DNS zones set up for each "Site"?  

Thanks for all of your help!
Dmitri Farafontov (Linux Systems Admin) commented:
Transport methods are defined after you create the subnet links. Because they are on a different subnet the DCs will replicate via RPC over IP using intersite replication. You will need to create a global catalog on each site to facilitate logons as well. It is in the same place as Universal Group caching. Once that's done a bridgehead server will be dedicated by both the KCC and ISTG on each site. They will replicate between each other across the VPN, then sync the other remaining DCs with the new updates. If you are running AD-Integrated Zones the updates will be a part of the Active Directory replication process. It uses multi-master replication, which means any DC contains a writable copy, where changes can be made. No additional config is needed if that is the zone type you are using.
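The steps Dmitri walks through (one site per location, subnet objects mapped to sites, moving the DC, the site link with its IP transport and schedule, Universal Group caching) together with a check of how a client locates its site-local DC, as an added example that is not from this thread. It assumes the ActiveDirectory PowerShell module (Server 2008 R2 / RSAT or later; the thread's Windows 2003 environment would do the same in the Sites and Services MMC) and the placeholder names corp.example, Branch and BRANCH-DC1.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# (2008 R2 / RSAT or later) and placeholder names: domain corp.example,
# existing site Default-First-Site-Name, new site Branch, new DC BRANCH-DC1.
Import-Module ActiveDirectory

$Domain  = 'corp.example'
$HqSite  = 'Default-First-Site-Name'
$NewSite = 'Branch'
$NewDc   = 'BRANCH-DC1'

# 1) A site per location, and a subnet object mapping each IP range to a site.
#    This mapping is what the DC locator uses: a client whose address falls in
#    192.168.1.0/24 is told it belongs to 'Branch' and prefers that site's DCs.
#    A subnet left unmapped means branch clients may authenticate over the VPN.
New-ADReplicationSite   -Name $NewSite
New-ADReplicationSubnet -Name '192.168.0.0/24' -Site $HqSite
New-ADReplicationSubnet -Name '192.168.1.0/24' -Site $NewSite

# 2) Move the new DC into its site (a DC promoted at HQ ends up in the HQ site
#    unless its IP already matched a subnet object assigned to the new site).
Move-ADDirectoryServer -Identity $NewDc -Site $NewSite

# 3) Site link: the inter-site transport (RPC over IP) plus cost and schedule.
New-ADReplicationSiteLink -Name "$HqSite-$NewSite" `
    -SitesIncluded $HqSite, $NewSite `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15

# 4) Universal group membership caching, so branch logons keep working if the
#    site's global catalog is unreachable; the cache is refreshed from HQ.
Set-ADReplicationSite -Identity $NewSite -UniversalGroupCachingEnabled $true `
    -UniversalGroupCachingRefreshSite $HqSite

# Checks, run from a machine on 192.168.1.x: which site does the locator place
# us in, and which DC does it hand back? Both should name the branch.
nltest /dsgetsite
nltest "/dsgetdc:$Domain" "/site:$NewSite"
# The site-specific SRV record the locator queries. AD-integrated DNS registers
# it automatically once the DC sits in the site; nothing to create by hand.
Resolve-DnsName -Name "_ldap._tcp.$NewSite._sites.dc._msdcs.$Domain" -Type SRV
```

If `nltest /dsgetsite` reports the HQ site from a branch client, the client's address is not covered by a subnet object assigned to the branch site; that is the first thing to fix before looking at DNS or DHCP.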

NewbieAdmin (Author) commented:
Sorry, last follow-up on this question and then I will close it out. The question is in regard to the setup of DNS on the new server... The original server has an AD-Integrated zone. You state the following:

> If you are running AD-Integrated Zones the updates will be a part of the Active Directory replication process. It uses multi-master replication, which means any DC contains a writable copy, where changes can be made. No additional config is needed if that is the zone type you are using.

Does this mean that I should install DNS but not configure any zones? If not, how do I add the zones from the original server to the new one? Can I force the replication, and if so, how long should it take? At this point, I have brought up the server in the new location, started DHCP, set up the sites/site links, made the server a GC and enabled Universal Group caching. All that is left is the configuration of DNS. How do I install DNS so that it uses the AD-Integrated zone from the other server?

Thanks again.
Dmitri Farafontov (Linux Systems Admin) commented:

Please finalize your question or ask for more clarification :-)