

Data center hosted domain

Posted on 2006-05-03
Medium Priority
Last Modified: 2011-04-14
I have two systems in a data center. Both are running 2003 Server. I have no Active Directory set up yet and an Exchange server waiting to be installed.

GOAL = domain AD replication across both boxes and domain logon for 5 remote offices. The problem is that I always set these servers up on site and VPN between the offices. All is fine in that config, but this is different.

[What is the suggested order of installing Active Directory and Exchange in a public IP environment without hardware VPNs?]

[Does a .local domain still work as it is on a public IP (do I need a FQDN, i.e. somecompany.com & box1.somecompany.com & box2.somecompany.com)?]

[To create a SDC what do I have to do above just joining to the domain... join and then promote?]

[How do the offices log onto the domain?]

thank you for all the help...

Question by: edmallory

Accepted Solution

SkUllbloCk earned 1000 total points
ID: 16607032
This is not a good idea. If the only domains are sitting in an off-site datacenter, and no local domain controller is at each site, the amount of traffic over the WAN (VPN) will be extremely high; every request for a local resource (printers, file servers) is sent over the WAN.

If you need to have the primary domain controllers located off site, then you should at least have a local domain controller to process all logon and authentication requests. Then the only traffic outbound over the WAN will be replication, and that can be scheduled to run at a time when network traffic will be the least.

Author Comment

ID: 16611740
So, obviously not a good idea if we only had one DC, but in the case of having SDCs in large offices (at least where there are ~10+ personnel in each office),

is that the gist of it.


Expert Comment

ID: 16655920
Yes, that is the foundation principle.

What I suggest you do is create a tree structure in Active Directory so that each office's authentication requests can be done locally.
A suggested way to do this would be to use your datacenter as the primary (or top level) domain controller.
Then create secondary domain controllers for sub trees (sometimes referred to as leaf servers).

primary domain controller:    domainname.com
secondary domain controller:  office1.domainname.com

The question regarding the .local domain I am not sure about; I think I read somewhere that the .local domain won't be routed properly. Anyway, it is not a good idea to assign a "live" (public IP) system to a .local domain. Rather, register your domain name and use it throughout your directory structure.

Establish VPN connections (software is fine) and allow only replication to occur at scheduled intervals, usually when the traffic over the LAN would be at its lowest.

In this setup, join the clients (office workstations) to the SDC domain (office1.domainname.com). This way the SDC will process the authentication (logon) requests and all requests for access on the office1 domain. During replication, only the global catalog and other changes (DNS).


Author Comment

ID: 16656512
primary domain controller: datacenter.domainname.com
secondary domain controller: office1.domainname.com

What is the significance of leaving the computer name off the primary domain controller in the example...?

Expert Comment

ID: 16657034
office1 was not intended to be the computer name; it is the sub domain name.

if you want the FQDN it would be

office1 refers to the first office in your organization.
server1 refers to the SDC in that office.
datacenter refers to the datacenter PDC.

The reason for sub domains is to keep authentication on the office LAN, and not use up bandwidth on the WAN link (which is slower than the LAN link, and more cost effective).
If a request comes from office2.domainname.com to access a resource on office1.domainname.com, then the authentication is passed to the PDC (domainname.com) and then pushed back down to office1.domainname.com.

Author Comment

ID: 16657156
Alright... makes sense... you don't just want member servers... you want sub domains (leafs... child domain in an existing tree) for the on-site domain controllers and then to do the replication off-peak....

How would you set up a server to be a leaf server...

join domain
promote to DC, create "child domain in an existing domain tree"
? When would you create a new domain tree as opposed to a new leaf?

Thank you for all the help... how much do you know about RAS on 2003 (new question thread)
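The two-step procedure above (join the server to the domain, then promote it as a child domain of the existing tree) can be scripted with a dcpromo answer file on Windows Server 2003 (`dcpromo /answer:childdc.txt`). The file below is an added example for this thread, not something posted by either participant; the key names follow the Windows Server 2003 dcpromo unattended-install format as I recall it and should be checked against the dcpromo documentation for your service-pack level, and `domainname.com`, `office1`, the site name and the account names are placeholders taken from the naming in this thread.

```ini
; childdc.txt - added example answer file for promoting the office1 leaf server
; (server1.office1.domainname.com) to the first DC of a new child domain under
; the existing tree rooted at domainname.com. Placeholders: domainname.com,
; office1, OFFICE1, Datacenter-Site, the join account and both passwords.
[DCInstall]
; New domain, not a replica of an existing one
ReplicaOrNewDomain=Domain
; Child domain (leaf) rather than a new tree in the forest
TreeOrChild=Child
CreateOrJoin=Join
; Parent domain that the child hangs off, and the child's own label
ParentDomainDNSName=domainname.com
ChildName=office1
DomainNetBiosName=OFFICE1
; Keep the new DC in its own AD site so replication to the datacenter can be
; scheduled on the site link instead of running all day over the WAN
SiteName=Office1-Site
; Let dcpromo register the child zone and the _msdcs SRV records it needs
AutoConfigDNS=Yes
AllowAnonymousAccess=No
DatabasePath=%systemroot%\NTDS
LogPath=%systemroot%\NTDS
SYSVOLPath=%systemroot%\SYSVOL
; Account in the parent domain with rights to create the child domain.
; "*" makes dcpromo prompt for the password at run time instead of
; leaving credentials in this file.
UserDomain=domainname.com
UserName=DomainPromoAccount
Password=*
; Directory Services Restore Mode password, also prompted for
SafeModeAdminPassword=*
RebootOnSuccess=Yes
```

After the reboot, confirm the child DC advertises itself before joining workstations to it: `nslookup -type=SRV _ldap._tcp.dc._msdcs.office1.domainname.com` should return the new server, and `repadmin /showrepl` on it should list the parent-domain replication partners. The site placement matters for the off-peak replication this thread recommends: intra-site replication cannot be scheduled, so the office DC needs its own site with a site link to the datacenter.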

Expert Comment

ID: 16657246
If you wanted to create a new tree, then you would select the option that says something like: new tree in existing forest.

The only time you would really need to create a new tree would be if you needed the catalog servers to be different. I have never personally used this option, but it might be needed in an environment where you need certain settings in the catalog to be different.

I know a bit about RAS. What's the question?
