Solved

Active Directory Replication over hardware VPN

Posted on 2006-03-31
Medium Priority
469 Views
Last Modified: 2010-04-18
We have 2 servers in two different sites. The sites are connected via a hardware VPN which is available all the time.

Both servers have two NICs, WAN and LAN.

I want to replicate Active Directory over this VPN, but the problem is the servers will be communicating via their WAN NICs, i.e.:

SERVER 1
- WAN - 192.168.110.x
- LAN - 192.168.0.x

SERVER 2
- WAN - 192.168.120.x
- LAN - 192.168.0.x

Both servers are 2003 Standard and both have the basic firewall enabled. The WAN of each server is connected to a hardware firewall/VPN device which connects them to the internet. These devices also maintain the VPN.

Firstly, is it possible to replicate over such a network via the servers' WAN cards?
Secondly, any advice on configuration or documentation that relates to my situation would be much appreciated.

I have another question which relates to this subject which you also may be interested in answering. Both questions are worth 500 points each.

http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21795223.html

Thanks

Guy_Adams

Question by:Guy_Adams

16 Comments
 
LVL 4

Expert Comment

by:itforall
ID: 16343359
First multihomed DCs are never a good idea

Here is something that may help you work around that
Active Directory communication fails on multihomed domain controllers
http://support.microsoft.com/kb/272294/?sd=RMVP&fr=1

For SRV records
How to enable or disable DNS updates in Windows 2000 and in Windows Server 2003
http://support.microsoft.com/kb/246804/EN-US/?FR=1
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 16343488
Thank you for the excellent documentation.

Given the configuration of our network, with hardware VPN/firewall devices do you think it would be wise to remove the second network adaptor from each of the servers?

Would this aid the situation or would it just leave the network vulnerable to attack?

Regards

Guy_Adams
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 16343632
Just to add to my initial question,

my first thoughts were to simply forward the following ports in RRAS from WAN to LAN on each server:

LDAP
udp 389
tcp 389
 
LDAP (SSL)
udp 636
tcp 636
 
Kerberos
udp 88
tcp 88
 
DNS
udp 53
tcp 53
 
SMB over IP
udp 445
tcp 445
 
Global Catalog Server
tcp 3269
tcp 3268
0
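An added example, not code from the thread or from either participant: a PowerShell check, run from one DC, that each TCP port in the list above is reachable on the partner DC across the VPN, so firewall gaps show up before replication is attempted rather than as cryptic replication errors. The partner address is a placeholder. Test-NetConnection only probes TCP, so the UDP entries are not tested. TCP 135 is an addition to the list above: AD replication itself is RPC-based, so the RPC endpoint mapper and the dynamic RPC port range must also pass through the tunnel.

```powershell
# Added example (not from the thread): verify the AD ports listed above are
# reachable on the partner DC through the VPN. $PartnerDc is an assumed
# placeholder; use the LAN address of the DC at the other site.
$PartnerDc = '192.168.1.10'   # placeholder, assumed

# TCP ports from the thread's list, plus RPC endpoint mapper (135), which
# AD replication needs in addition to the dynamic RPC range.
$TcpPorts = [ordered]@{
    'LDAP'                 = 389
    'LDAP over SSL'        = 636
    'Kerberos'             = 88
    'DNS'                  = 53
    'SMB'                  = 445
    'Global Catalog'       = 3268
    'Global Catalog (SSL)' = 3269
    'RPC endpoint mapper'  = 135
}

# Probe each port; -InformationLevel Quiet makes Test-NetConnection return $true/$false.
$results = foreach ($entry in $TcpPorts.GetEnumerator()) {
    $ok = Test-NetConnection -ComputerName $PartnerDc -Port $entry.Value -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $entry.Key; Port = $entry.Value; Reachable = $ok }
}
$results | Format-Table -AutoSize

# Anything unreachable must be opened on the firewall/VPN devices, not on the DC.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning 'These ports are blocked between the DCs; replication will fail until they pass the tunnel:'
    $blocked | ForEach-Object { Write-Warning ('  {0} (TCP {1})' -f $_.Service, $_.Port) }
} else {
    Write-Host "All listed TCP ports are reachable on $PartnerDc."
}
```

Run it on each DC against the other so both directions of the tunnel are checked; a one-way result usually means an asymmetric firewall rule on one of the VPN devices.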
 
LVL 4

Expert Comment

by:itforall
ID: 16343789
Are you running RRAS on the DCs also? Not recommended on a DC.

You said hardware VPN, I'm thinking Cisco devices etc. How does RRAS play into this?
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 16344414
Well, originally it was a SBS 2003 server but we purchased the transition pack to convert it to standard Windows 2003. So it hosts everything: it's the DNS server and gateway for the network, Exchange server and WSUS server. There are only 35 users at any one time.

RRAS has never been disabled I suppose, it was originally put in place to govern remote users and for an added layer of security against external attack.

I now realise the issue with replication and multihomed. The DNS address for OURSERVER.LOCAL is the internal network adaptor.

What do you suggest with only a hardware firewall/vpn device as protection? I'm open to all suggestions as this is still a young network.

Thank you so much for your help so far.

Kind Regards

Guy_Adams
0
 
LVL 4

Expert Comment

by:itforall
ID: 16345673
A firewall on each side of the WAN that supports building a VPN tunnel between sites is an option.

Then configure the network routing/DNS so one DC can find the other and vice versa.

Once you can resolve DNS through the tunnel, replication should work; just disable the extra NICs you don't need.

0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 16346321
Ok so single NIC either side of the VPN.

What firewall do you recommend? I fancy ISA but it's expensive, my company has a limited budget hence only one DC per site.

In an ideal world what would you suggest for this setup:

Site 1, 35 WinXP clients, Exchange, WSUS, file & application server.

Site 2, 5 WinXP clients, WSUS, file & application server.

To be honest I'm used to administering SBS servers, one server looks after all, but it is not great when trying to connect multiple sites.

We actually have 12 sites, all of which eventually will need to replicate.

Kind regards,

Guy_Adams
0
 
LVL 4

Expert Comment

by:itforall
ID: 16348291
Like you said, it depends on your budget.

Cisco PIX firewalls would be good, but then you have to learn the IOS.

If the budget is really tight, look at Netgear; they make some that you can configure the ports you need to open for email,
and you can set up a VPN tunnel between the two devices at each site also,
and they are not too expensive.

0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 16348706
Do you think a business class hardware firewall is enough protection?

We use all Netgear products for the hardware VPN.

FVS338 & FVS318's

http://www.netgear.co.uk/wired_vpn_router_fvs318.php?type=b

http://www.netgear.co.uk/wired_vpnfirewall_router_fvs338.php?type=b

So to summarise, ditch RRAS and the second NIC in both servers?

With the setup of Active Directory Sites and Services, do you have to set up both DCs in order to replicate?

Thank you again for your help so far.

Regards

Guy_Adams
0
 
LVL 4

Accepted Solution

by:
itforall earned 2000 total points
ID: 16350006
If you want to avoid replication issues brought on by
multiple NICs and RRAS, yes, ditch them.

If both DCs are in the same site it will replicate based on time or changes.
5 minutes is the default time--DON'T change it.
Example:
In ADSS create two sites, A and B.
Put a DC in each site and create a site link between them.
Set the replication interval to a value that matches your bandwidth.
0
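The ADSS procedure in the accepted answer, as an added example that is not itforall's own steps: it uses the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later; on the 2003 servers in this thread the same objects are created in the Sites and Services MMC). Site names, subnet ranges and the branch DC name are assumed placeholders. Note that AD subnet objects must be unique across sites, so the two LANs need distinct ranges; the question above lists 192.168.0.x for both sites, which would have to change before the subnets can be defined.

```powershell
# Added example (not from the thread): create two sites, their subnets and a
# site link, then move the branch DC into its site. All names and ranges below
# are assumed placeholders.
Import-Module ActiveDirectory

$SiteA   = 'SiteA-HeadOffice'   # placeholder
$SiteB   = 'SiteB-Branch'       # placeholder
$SubnetA = '192.168.0.0/24'     # placeholder: site A's LAN
$SubnetB = '192.168.1.0/24'     # placeholder: site B's LAN, must not overlap site A's
$DcB     = 'DC2'                # placeholder: the DC physically located at site B

# 1. Create the two sites (skip any that already exist). Default-First-Site-Name
#    could be renamed instead of creating site A; creating both keeps it explicit.
foreach ($site in $SiteA, $SiteB) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. Associate each LAN subnet with its site. This is what lets clients and DCs
#    locate the nearest DC instead of crossing the slow WAN.
New-ADReplicationSubnet -Name $SubnetA -Site $SiteA
New-ADReplicationSubnet -Name $SubnetB -Site $SiteB

# 3. Create the site link. ReplicationFrequencyInMinutes is the INTER-site
#    interval (180 is the default); size it for the 128-256 Kbps link. The
#    5-minute intra-site default from the answer is left alone.
New-ADReplicationSiteLink -Name "$SiteA-$SiteB" -SitesIncluded $SiteA, $SiteB `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 180

# 4. Move the branch DC into its site (new DCs otherwise land in
#    Default-First-Site-Name), then check topology and replication health.
Move-ADDirectoryServer -Identity $DcB -Site $SiteB
Get-ADReplicationSiteLink -Filter * | Format-Table Name, Cost, ReplicationFrequencyInMinutes -AutoSize
repadmin /replsummary
```

Once the KCC has run (it rebuilds the connection objects within about 15 minutes), repadmin /replsummary should show both DCs with zero failures; a persistent failure at this point is nearly always a DNS or firewall problem rather than a sites configuration problem.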
 
LVL 2

Author Comment

by:Guy_Adams
ID: 16350421
OK I will try this on Tuesday.

One last question if you don't mind, is there any special DNS setup for either of the DCs?

I presume once ADSS has the sites set up with the subnets, DNS will be ok?

You've been a fantastic help itforall.

Thank you

Guy_Adams
0
 
LVL 4

Expert Comment

by:itforall
ID: 16351530
Are these machines already domain controllers?

If so, point them both to the same DNS server, preferably one of these two machines running DNS and AD.
Run the following to re-register all SRV records:
net stop netlogon
ipconfig /flushdns
net start netlogon
ipconfig /registerdns

Go to ADSS and try to force a replication.
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 16355224
Well the current 2003 server is a DC, the new one going in will be too.

Will pointing the new DC to the current one for DNS over a slow WAN connection slow down DNS requests for the remote clients?

The WAN connection runs at a max 256 Kbps but the real world throughput figure is actually more like 128 Kbps.

You've actually answered another question I have here:

http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21795223.html

Post a response and I will accept your answer.

Regards

Guy_Adams
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 16370349
I would just like to say,

Thank you very much.

I disabled the WAN adaptor and RRAS, set up a 2000 server and pointed the DNS to the Global Catalog. Replication worked perfectly and fully automatically.

I configured the sites and moved the server into the site and still replication is working perfectly.

I have accepted your answer. If you would like the points from the other question please post a response as you have also answered that one too. If not I will request a delete and refund next week.

Thanks again.

Kind Regards

Guy_Adams
0
 
LVL 4

Expert Comment

by:itforall
ID: 16370941
Guy,
I posted to the other question too.

Now that it is working correctly, point each DC to itself for DNS to avoid saturating the WAN.
Have each DC/DNS server handle the clients in each respective site. In ADSS configure subnets for each site.

Since these are both 2003, the DNS islanding issue is not a problem like it was with 2000.

If name resolution ever becomes an issue or replication stops, drop back to one DNS to troubleshoot,
and run the steps to re-register the SRV and A records:
ipconfig /flushdns
net stop netlogon
net start netlogon
ipconfig /registerdns

Good luck
0
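The finishing steps from this thread combined into one script, as an added example that is not itforall's or Guy_Adams' own commands: single-home the DC (WAN adapter off, RRAS disabled), point its DNS client at itself as advised above, re-register the SRV and A records with the four commands itforall gives twice in the thread, and then verify that the records resolve and that no WAN address is still registered. Adapter aliases, the domain name and the partner DC address are assumed placeholders; listing the partner DC as secondary DNS is an addition to the advice above. Disable-NetAdapter and Set-DnsClientServerAddress need Windows Server 2012 or later (on the 2003 boxes in the thread these two steps are done in the adapter properties dialog).

```powershell
# Added example (not from the thread): single-home the DC, set its DNS client,
# re-register its records and verify. Names and addresses are assumed placeholders.
$Domain    = 'ourserver.local'   # placeholder, modelled on OURSERVER.LOCAL above
$WanAlias  = 'WAN'               # placeholder adapter name
$LanAlias  = 'LAN'               # placeholder adapter name
$PartnerDc = '192.168.1.10'      # placeholder: the other site's DC (LAN address)
$WanPrefix = '192.168.110.'      # WAN range from the question; no DC record should point here

# 1. Single-home the DC: disable the WAN adapter and stop/disable RRAS so the DC
#    neither registers a WAN address in DNS nor routes between the two networks.
Disable-NetAdapter -Name $WanAlias -Confirm:$false
Stop-Service -Name RemoteAccess -ErrorAction SilentlyContinue
Set-Service  -Name RemoteAccess -StartupType Disabled

# 2. DNS client: this DC's own LAN address first (itforall's advice), the partner
#    DC second so resolution survives a local DNS service restart (the secondary
#    entry is an addition to the thread's advice).
$SelfIp = (Get-NetIPAddress -InterfaceAlias $LanAlias -AddressFamily IPv4).IPAddress
Set-DnsClientServerAddress -InterfaceAlias $LanAlias -ServerAddresses $SelfIp, $PartnerDc

# 3. Re-register this DC's SRV and A records (the steps given in the thread).
ipconfig /flushdns
net stop netlogon
net start netlogon
ipconfig /registerdns

# 4. Verify. Replication partners and clients locate DCs through these SRV
#    records, so they must resolve and their targets must be LAN addresses.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize

# A stale A record for the disabled WAN adapter is the classic multihomed-DC
# symptom; flag it if it is still present after re-registration.
$leaked = Resolve-DnsName -Name "$env:COMPUTERNAME.$Domain" -Type A |
    Where-Object { $_.Type -eq 'A' -and $_.IPAddress -like "$WanPrefix*" }
if ($leaked) {
    Write-Warning "WAN address still registered for this DC: $($leaked.IPAddress -join ', ')"
} else {
    Write-Host 'Only LAN addresses are registered for this DC.'
}

# dcdiag's DNS test covers forwarders, delegation and record registration in one pass.
dcdiag /test:DNS
```

If the WAN address does survive re-registration, delete the stale A record in the DNS console and run ipconfig /registerdns again; until it is gone, the partner DC can pick that address from DNS and fail to reach it through the tunnel.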
 
LVL 2

Author Comment

by:Guy_Adams
ID: 16371219
Fantastic, I will remember that.

You've been a massive help itforall.

When I first started investigating replication I thought it looked like a minefield, now I've been through a few things with you I have the confidence to administer a complex replica setup.

Thanks again, it's much appreciated.

Regards

Guy_Adams
0
