Guy_Adams

asked on

Active Directory Replication over hardware VPN

We have 2 servers in two different sites. The sites are connected via a hardware VPN which is available all the time.

Both servers have two NICs, WAN and LAN.

I want to replicate Active Directory over this VPN but the problem is the servers will be communicating via their WAN NICs, i.e.:

SERVER 1
- WAN - 192.168.110.x
- LAN - 192.168.0.x

SERVER 2
- WAN - 192.168.120.x
- LAN - 192.168.0.x

Both servers are 2003 Standard and both have the basic firewall enabled. The WAN of each server is connected to a hardware firewall/VPN device which connects them to the internet. These devices also maintain the VPN.

Firstly, is it possible to replicate over such a network via the servers' WAN cards?
Secondly, any advice on configuration or documentation that relates to my situation would be much appreciated.

I have another question which relates to this subject which you also may be interested in answering. Both questions are worth 500 points each.

https://www.experts-exchange.com/questions/21795223/2-Sites-2-Servers-1-WAN-and-DNS.html

Thanks

Guy_Adams

itforall

First, multihomed DCs are never a good idea.

Here is something that may help you work around that:
Active Directory communication fails on multihomed domain controllers
http://support.microsoft.com/kb/272294/?sd=RMVP&fr=1

For SRV records:
How to enable or disable DNS updates in Windows 2000 and in Windows Server 2003
http://support.microsoft.com/kb/246804/EN-US/?FR=1
Guy_Adams

Thank you for the excellent documentation.

Given the configuration of our network, with hardware VPN/firewall devices, do you think it would be wise to remove the second network adaptor from each of the servers?

Would this aid the situation or would it just leave the network vulnerable to attack?

Regards

Guy_Adams
Just to add to my initial question,

my first thoughts were to simply forward the following ports in RRAS from WAN to LAN on each server:

LDAP
udp 389
tcp 389
 
LDAP (SSL)
udp 636
tcp 636
 
Kerberos
udp 88
tcp 88
 
DNS
udp 53
tcp 53
 
SMB over IP
udp 445
tcp 445
 
Global Catalog Server
tcp 3269
tcp 3268
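The port list above is the asker's; as an added example that is not part of the thread, the following Python checks a site-to-site firewall policy for those ports between the two WAN subnets from the question, and also includes the RPC endpoint mapper (TCP 135) and the Windows Server 2003 dynamic RPC range (1025-5000), which the replication engine (DRS over RPC) uses and which a port-forwarding list is easy to get wrong. The DC addresses (192.168.110.10, 192.168.120.10), the rule objects and the two policies are constructed for the example; `probe_tcp` is a live check for use once the tunnel is up.

```python
"""Check a site-to-site firewall policy for the ports one domain controller
needs to reach its replication partner across the VPN, then probe them live."""
import ipaddress
import socket

# TCP ports from the list in the post above plus the RPC endpoint mapper,
# which AD replication (DRS over RPC) also needs.
REQUIRED_TCP = {
    "LDAP": 389,
    "LDAP SSL": 636,
    "Kerberos": 88,
    "DNS": 53,
    "SMB": 445,
    "Global Catalog": 3268,
    "Global Catalog SSL": 3269,
    "RPC endpoint mapper": 135,
}
# UDP side: DNS, Kerberos and the LDAP "ping" the DC locator sends to port 389.
REQUIRED_UDP = {"DNS": 53, "Kerberos": 88, "LDAP ping": 389}
# After the endpoint mapper, replication RPC lands on a dynamic port; on
# Windows Server 2003 the default range is 1025-5000.
RPC_DYNAMIC = (1025, 5000)


class Rule:
    """One firewall rule: source/destination networks, protocol, port range."""

    def __init__(self, src, dst, proto, ports, action="allow"):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto  # "tcp", "udp" or "any"
        lo, hi = ports if isinstance(ports, tuple) else (ports, ports)
        self.ports = (lo, hi)  # inclusive
        self.action = action


def permits(rules, src_ip, dst_ip, proto, port):
    """First matching rule wins; no match means deny (typical SOHO firewall)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in r.src and d in r.dst and r.proto in (proto, "any")
                and r.ports[0] <= port <= r.ports[1]):
            return r.action == "allow"
    return False


def missing(rules, src_ip, dst_ip):
    """List (proto, port, service) entries the policy does not allow from src to dst."""
    gaps = []
    for service, port in REQUIRED_TCP.items():
        if not permits(rules, src_ip, dst_ip, "tcp", port):
            gaps.append(("tcp", port, service))
    for service, port in REQUIRED_UDP.items():
        if not permits(rules, src_ip, dst_ip, "udp", port):
            gaps.append(("udp", port, service))
    lo, hi = RPC_DYNAMIC
    if not all(permits(rules, src_ip, dst_ip, "tcp", p) for p in (lo, (lo + hi) // 2, hi)):
        gaps.append(("tcp", f"{lo}-{hi}", "RPC dynamic range"))
    return gaps


def probe_tcp(host, port, timeout=2.0):
    """Live check: can this host complete a TCP handshake to host:port through the tunnel?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed example: the two WAN subnets from the question; the DC addresses
# are assumptions. POSTED allows only the ports in the post, in both directions.
SITE1, SITE2 = "192.168.110.0/24", "192.168.120.0/24"
DC1, DC2 = "192.168.110.10", "192.168.120.10"


def _both_ways(proto, ports):
    return [Rule(SITE1, SITE2, proto, ports), Rule(SITE2, SITE1, proto, ports)]


POSTED = []
for p in (389, 636, 88, 53, 445, 3268, 3269):
    POSTED += _both_ways("tcp", p)
for p in (389, 636, 88, 53, 445):
    POSTED += _both_ways("udp", p)

# Corrected policy: the same, plus the endpoint mapper and the dynamic RPC range.
FIXED = POSTED + _both_ways("tcp", 135) + _both_ways("tcp", RPC_DYNAMIC)

if __name__ == "__main__":
    print("gaps in posted policy:", missing(POSTED, DC1, DC2))
    print("gaps in fixed policy: ", missing(FIXED, DC1, DC2))
    # Live probe (assumes you run this on DC1 with the tunnel up):
    # for service, port in REQUIRED_TCP.items(): print(service, probe_tcp(DC2, port))
```

If opening a whole dynamic range on the VPN devices is unwelcome, the replication RPC port can be pinned on each DC with the REG_DWORD value `TCP/IP Port` under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`, so the policy only needs TCP 135 plus that one port.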
Are you running RRAS on the DCs also? Not recommended on a DC.

You said hardware VPN, I'm thinking Cisco devices etc. How does RRAS play into this?
Well, originally it was an SBS 2003 server but we purchased the transition pack to convert it to standard Windows 2003. So it hosts everything: it's the DNS server and gateway for the network, Exchange server and WSUS server. There are only 35 users at any one time.

RRAS has never been disabled, I suppose; it was originally put in place to govern remote users and for an added layer of security against external attack.

I now realise the issue with replication and multihomed. The DNS address for OURSERVER.LOCAL is the internal network adaptor.

What do you suggest with only a hardware firewall/vpn device as protection? I'm open to all suggestions as this is still a young network.

Thank you so much for your help so far.

Kind Regards

Guy_Adams
A firewall on each side of the WAN that supports building a VPN tunnel between sites is an option.

Then configure the network routing/DNS so one DC can find the other and vice versa.

Once you can resolve DNS through the tunnel, replication should work; just disable the extra NICs you don't need.


Ok so single NIC either side of the VPN.

What firewall do you recommend? I fancy ISA but it's expensive; my company has a limited budget, hence only one DC per site.

In an ideal world what would you suggest for this setup:

Site 1, 35 WinXP clients, exchange, WSUS, file & application server.

Site 2, 5 WinXP clients, WSUS, file & application server.

To be honest I'm used to administering SBS servers, one server looks after all! But it is not great when trying to connect multiple sites.

We actually have 12 sites, all of which eventually will need to replicate.

Kind regards,

Guy_Adams
Like you said, it depends on your budget.

Cisco PIX firewalls would be good, but then you have to learn the IOS.

If the budget is really tight, look at Netgear; they make some that you can configure the ports you need to open for email,
and you can set up a VPN tunnel between the two devices at each site also,
and they are not too expensive.

Do you think a business class hardware firewall is enough protection?

We use all Netgear products for the hardware VPN.

FVS338 & FVS318's

http://www.netgear.co.uk/wired_vpn_router_fvs318.php?type=b

http://www.netgear.co.uk/wired_vpnfirewall_router_fvs338.php?type=b

So to summarise, ditch RRAS and the second NIC in both servers?

With the setup of Active Directory Sites and Services, do you have to set up both DCs in order to replicate?

Thank you again for your help so far.

Regards

Guy_Adams
ASKER CERTIFIED SOLUTION
itforall

This solution is only available to members.
OK I will try this on Tuesday.

One last question if you don't mind: is there any special DNS setup for either of the DCs?

I presume once ADSS have the sites setup with the subnets, DNS will be ok?

You've been a fantastic help itforall.

Thank you

Guy_Adams
Are these machines already domain controllers?

If so, point them both to the same DNS server, preferably one of these two machines running DNS and AD.
Run the following to re-register all SRV records:
net stop netlogon
ipconfig /flushdns
net start netlogon
ipconfig /registerdns

Go to ADSS and try to force a replication.
Well the current 2003 server is a DC, the new one going in will be too.

Will pointing the new DC to the current one for DNS over a slow WAN connection slow down DNS requests for the remote clients?

The WAN connection runs at a max 256 Kbps but the real world throughput figure is actually more like 128 Kbps.

You've actually answered another question I have here:

https://www.experts-exchange.com/questions/21795223/2-Sites-2-Servers-1-WAN-and-DNS.html

Post a response and I will accept your answer.

Regards

Guy_Adams
I would just like to say,

Thank you very much.

I disabled the WAN adaptor and RRAS, set up a 2000 server and pointed the DNS to the Global Catalog. Replication worked perfectly and fully automatically.

I configured the sites and moved the server into the site and replication is still working perfectly.

I have accepted your answer. If you would like the points from the other question please post a response as you have also answered that one too. If not I will request a delete and refund next week.

Thanks again.

Kind Regards

Guy_Adams
Guy,
I posted to the other question too.

Now that it is working correctly, point each DC to itself for DNS to avoid saturating the WAN.
Have each DC/DNS server handle the clients in each respective site. In ADSS configure subnets for each site.

Since these are both 2003, the DNS islanding issue is not a problem like it was with 2000.

If name resolution ever becomes an issue or replication stops, drop back to one DNS to troubleshoot,
and run the steps to re-register the SRV and A records:
ipconfig /flushdns
net stop netlogon
net start netlogon
ipconfig /registerdns


Good luck.
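The netlogon restart and `ipconfig /registerdns` steps given twice above by itforall exist to get the DC locator SRV records (`_ldap._tcp.dc._msdcs.<domain>` and the per-site `_ldap._tcp.<site>._sites.dc._msdcs.<domain>`) into DNS; the usual way to confirm they landed is `nslookup -type=SRV`. As an added example that is not from the thread, the Python below builds that SRV query and parses the answer with only the standard library, so it can be pointed at each DC's own DNS service once each DC is using itself for DNS. The domain name ourserver.local is taken from the thread; the site name `Site1`, the DC hostnames and the reply bytes are constructed test data, not a capture.

```python
"""Query the DC locator SRV records that Netlogon registers and parse the reply.
Standard library only, so it can run on the DC against its own DNS service."""
import random
import socket
import struct

SRV, IN = 33, 1


def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name, txid):
    """Standard query with RD set, one question of type SRV / class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, IN)


def read_name(msg, off):
    """Decode a name at msg[off], following compression pointers (0xC0xx).
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_srv_response(msg, txid):
    """Return SRV answers in the order a client should try them:
    lowest priority first, higher weight first within a priority."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0xF:
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append({"priority": prio, "weight": weight, "port": port,
                            "target": target, "ttl": ttl})
        off += rdlen
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))


def dc_locator_name(domain, site=None):
    """Domain-wide record, or the site-specific one clients in that site prefer."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def query_srv(dns_server, name, timeout=3.0):
    """Send the query over UDP to the given server and parse the answer (live)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name, txid), (dns_server, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data, txid)


def constructed_response(txid, name, answers):
    """Hand-built reply used as offline test data (not a capture). Answer owner
    names are compression pointers to the question name at offset 12."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", SRV, IN)
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", SRV, IN, 600, len(rdata)) + rdata
    return msg


# Domain from the thread; the site name and DC hostnames are assumptions.
SAMPLE_NAME = dc_locator_name("ourserver.local", site="Site1")
SAMPLE = constructed_response(0x1234, SAMPLE_NAME, [
    (10, 100, 389, "dc2.ourserver.local"),  # lower preference
    (0, 100, 389, "dc1.ourserver.local"),   # tried first
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py <dns-server-ip> <domain>
        records = query_srv(sys.argv[1], dc_locator_name(sys.argv[2]))
    else:
        records = parse_srv_response(SAMPLE, 0x1234)
    for r in records:
        print(r)
```

Run it against each DC in turn (the DC's own address as the DNS server) after the re-registration steps; an empty result or an rcode error from one DC but not the other means that DC's zone copy is missing the records, which is the moment to drop back to a single DNS server as itforall suggests.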
Fantastic, I will remember that.

You've been a massive help itforall.

When I first started investigating replication I thought it looked like a minefield; now I've been through a few things with you I have the confidence to administer a complex replica setup.

Thanks again, its much appreciated.

Regards

Guy_Adams