Solved

Windows 2003 replication, sites and services, IP Changeover, etc!

Posted on 2006-06-19
237 Views
Last Modified: 2010-04-18
Hi folks,

Okay here's the deal... we have 4 geographic sites for our company. Let's say site A, B, C, and D. A is primary, where the master domain controller is. All sites will have IPSEC tunnels to location A. Site A is a datacenter and B,C,D are all office sites.

I have gotten this much done so far... I got the domain up and running at Site A. There are two domain controllers there, one primary, one backup.

I got Site B running (and I imagine it will be the same for C and D so I'll leave them out). I got the IPSEC tunnel working, the computer joined the domain, and that's it. Now... we are currently running a 192.168.0.x IP scheme in the internal domain that's up and running -- that's going to be migrated.

So, Site B has a domain on it already -- let's say it's domain OLD. The new domain will be domain NEW. What I did was configure multiple IPs on the NIC to have one on the network of the OLD domain, and one on the network of the NEW domain. I can ping the main DC (at site A), the OLD domain controller, and obviously the 'new' network isn't active yet.

Okay so here's my problem... I got the domain controller at site B to join the NEW domain at site A. There is connectivity via IPSEC on all the right ports, so the computer joined the domain without a problem. Now I rebooted the DC at Site B, and I can log in, and still can ping the Site A DC. Now I know I need to set up an internal DNS so we aren't routing DNS queries across the IPSEC tunnel every time somebody logs in -- it would take forever. So I installed DNS, have it listen on only the 192.168.30.x IP (I assigned this server 192.168.30.10). I have that DNS forwarding to the Site A DNS, in case there is a need for it.

Now when I go into Active Directory Users and Computers -- I can't connect to the domain. Even though I can still ping it!

This project is close to rolling out and I'm just in the 'testing' phase right now, but any help would be appreciated greatly. HUGE points for it too!

Realistically what I need to know is a FULL breakdown on what steps to take for the Sites and Services to work.. I followed the documentation online on MS's site but it's limited... I don't know about the site links, and how to set them up -- should I add all the sites into it? Just one site to the main site? Additionally, why would it be that I can't access AD Users and Computers on the new DC at site B, even though I can ping the DC at Site A? I am thinking to demote the DC again and try it again.... but I feel I'm missing something.

Please, would be a BIG help!

EDIT: Do I need to assign SUBNETS to IPs that are NATTED? I mean, Site B is going to have DHCP for itself, and Site A will have DHCP there... the external IP I don't know yet... Much obliged.

EDIT #2: Got the internal DNS working and now I can see ADU&C. However now I'm trying to create the trust, and I can't "see" the other domain. Any ideas on this? The IP address is in the same range... the OLD domain runs on 192.168.0.10 (that's the DC) and I made a secondary IP of the NEW domain 192.168.0.14 (temporarily).
0
Question by:overworkedops
14 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
OK - here goes nothing...

1)  Remove DNS from Site B.  
2)  Make sure all zones in Site A are AD Integrated.
3)  Wait about 30 minutes then reinstall DNS on Site B's DC.  Do nothing else.  If replication is working, your zones will create and populate themselves.
4)  Forwarding should be directly to the ISP from each DNS server.  Don't forward to each other - bad.
5)  In AD Sites and Services, Site A will be left alone as Default-First-Site-Name - rename that if you want, but do not take the original root server out of there.
6)  Create and associate Site A's subnet to that original site.
7)  Create new Sites for each remote location.
8)  Create and associate the proper subnets to these sites.
9)  Move the servers for each Site from the main site to the proper remote site.

Now, it is imperative that your IP addressing take into account that every site (physical) must be on a different, unique network.  If not, you will have topology issues.

Once a server is moved into a site, make it a Global Catalog.  It will take some time to build up over the link, but it's worth it.

KCC will do the rest.  No need to create any site links at all unless you have very specific needs.

Repeat this for each site.

Hope this helps.
NM
0
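Steps 6 through 9 of the accepted answer, and the warning that every physical site needs its own unique network, can be sanity-checked before any objects are created in AD Sites and Services. The following is an added example (not from the thread or from Microsoft); the site plan is constructed, with Site A on the 192.168.0.x range and Site B on 192.168.30.x as in the question, and sites C and D assumed. It flags sites with no subnet, a subnet assigned to two sites, and overlapping subnets across sites, and shows which site an address would be matched to using the longest-prefix match AD applies.

```python
import ipaddress

# Constructed sample plan: site name -> list of subnets (CIDR).
# Site A keeps the default site name as the answer recommends; C and D are assumed.
SITE_PLAN = {
    "Default-First-Site-Name": ["192.168.0.0/24"],   # Site A, the datacenter
    "SiteB": ["192.168.30.0/24"],
    "SiteC": ["192.168.40.0/24"],
    "SiteD": ["192.168.50.0/24"],
}


def check_site_plan(plan):
    """Return a list of problems with a site -> subnets plan.

    Problems reported: a site with no subnet (clients there cannot be matched
    to it), one subnet assigned to two sites, and two sites whose subnets
    overlap, which is what produces the topology issues the answer warns about.
    """
    problems = []
    seen = {}   # network -> site that first claimed it
    nets = []   # (network, site) for the pairwise overlap check
    for site, cidrs in plan.items():
        if not cidrs:
            problems.append(f"site {site} has no subnet")
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as err:
                problems.append(f"{site}: invalid subnet {cidr!r} ({err})")
                continue
            if net in seen:
                problems.append(f"subnet {net} assigned to both {seen[net]} and {site}")
                continue
            seen[net] = site
            nets.append((net, site))
    for i, (n1, s1) in enumerate(nets):
        for n2, s2 in nets[i + 1:]:
            if s1 != s2 and n1.overlaps(n2):
                problems.append(f"{s1} {n1} overlaps {s2} {n2}")
    return problems


def site_for_address(plan, address):
    """Return the site whose most specific subnet contains address, or None."""
    addr = ipaddress.ip_address(address)
    best = None   # (network, site) with the longest prefix seen so far
    for site, cidrs in plan.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, site)
    return best[1] if best else None
```

Run `check_site_plan` against the intended addressing for all four sites before step 8; an empty result means the subnets can be associated with their sites as-is.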
 

Author Comment

by:overworkedops
Is there any reason to add a forward to the DNS at Site A? I only ask because, if I want to ping a device name, I obviously can't do it... but I suppose you're right that it really doesn't make any sense to do it either.

I will do this tomorrow when I get back to work and give you a progress report.... seems like a lot of good information there.

Thanks!
0
 
LVL 51

Expert Comment

by:Netman66
You should have Forwarding in all DNS servers - to the ISP.  Otherwise, you'll have a hard time resolving Internet requests.

0
 

Author Comment

by:overworkedops
So there's no need for forwarding to the Site A DNS?

Thanks :)
0
 
LVL 51

Expert Comment

by:Netman66
Correct.  No need.

0
 

Author Comment

by:overworkedops
How about site links? Do I have to create new ones, or can I just go with the default one that's there?

Thanks!
0
 

Author Comment

by:overworkedops
Also, if the subnet is natted behind a firewall, should I still add it?

Thanks :)
0

 
LVL 51

Expert Comment

by:Netman66
Do you VPN between sites?  Does the tunnel terminate on the internal side of the firewall?

0
 

Author Comment

by:overworkedops
We have IPSEC set up between sites... the only ports that are open are the ones specified in the MS docs to enable replication.
0
 
LVL 51

Expert Comment

by:Netman66
Is the IPSEC terminated at the server, inside interface of the firewall or the outside interface of the firewall?

If it's the server or the inside interface of the firewall then you are good to go with using the proper subnets (private).

If the tunnel terminates at the outside interface, then you will need to setup a one-to-one NAT mapping to the inside interface so that the internal network range can be seen.  If this is the case, make sure to configure this so that the tunnel hides the mapping.

0
 

Author Comment

by:overworkedops
Never mind, we aren't natting :)

Thanks... I got my domain trust completed, but I can't raise the functional level of the old domain to 2003 -- ADMT won't function properly otherwise. I'm working on it now and will let you know... if you have any insight then I'd appreciate it.
0
 
LVL 51

Expert Comment

by:Netman66
What errors?

What functional level - domain or forest?

0
 

Author Comment

by:overworkedops
Never mind... got the trust built, and I'm migrating users! You've been a GREAT HELP!

Thanks!
0
 
LVL 51

Expert Comment

by:Netman66
No problem - thanks!

NM
0
