• Status: Solved

Windows 2003 replication, sites and services, IP Changeover, etc!

Hi folks,

Okay here's the deal... we have 4 geographic sites for our company. Let's say site A, B, C, and D. A is primary, where the master domain controller is. All sites will have IPSEC tunnels to location A. Site A is a datacenter and B, C, D are all office sites.

I have gotten this much done so far... I got the domain up and running at Site A. There are two domain controllers there, one primary, one backup.

I got Site B running (and I imagine it will be the same for C and D so I'll leave them out). I got the IPSEC tunnel working, the computer joined the domain, and that's it. Now... we are currently running a 192.168.0.x IP scheme in the internal domain that's up and running -- that's going to be migrated.

So, Site B has a domain on it already -- let's say it's domain OLD. The new domain will be domain NEW. What I did was configure multiple IPs on the NIC to have one on the network of the OLD domain, and one on the network of the NEW domain. I can ping the main DC (at site A), the OLD domain controller, and obviously the 'new' network isn't active yet.

Okay so here's my problem... I got the domain controller at site B to join the NEW domain at site A. There is connectivity via IPSEC on all the right ports, so the computer joined the domain without a problem. Now I rebooted the DC at Site B, and I can log in, and still can ping the Site A DC. Now I know I need to set up an internal DNS so we aren't routing DNS queries across the IPSEC tunnel every time somebody logs in -- it would take forever. So I installed DNS, have it listen on only the 192.168.30.x IP (I assigned this server 192.168.30.10). I have that DNS forwarding to the Site A DNS, in case there is a need for it.

Now when I go into Active Directory Users and Computers -- I can't connect to the domain. Even though I can still ping it!

This project is close to rolling out and I'm just in the 'testing' phase right now, but any help would be appreciated greatly. HUGE points for it too!

Realistically what I need to know is a FULL breakdown on what steps to take for the Sites and Services to work.. I followed the documentation online on MS's site but it's limited... I don't know about the site links, and how to set them up -- should I add all the sites into it? Just one site to the main site? Additionally, why would it be that I can't access AD Users and Computers on the new DC at site B, even though I can ping the DC at Site A? I am thinking to demote the DC again and try it again.... but I feel I'm missing something.

Please, would be a BIG help!

EDIT: Do I need to assign SUBNETS to IPs that are NATTED? I mean, Site B is going to have DHCP for itself, and Site A will have DHCP there... the external IP I don't know yet... Much obliged.

EDIT #2: Got the internal DNS working and now I can see ADU&C. However now I'm trying to create the trust, and I can't "see" the other domain. Any ideas on this? The IP address is in the same range... the OLD domain runs on 192.168.0.10 (that's the DC) and I made a secondary IP of the NEW domain 192.168.0.14 (temporarily).
1 Solution
 
Netman66 commented:
OK - here goes nothing...

1)  Remove DNS from Site B.  
2)  Make sure all zones in Site A are AD Integrated.
3)  Wait about 30 minutes then reinstall DNS on Site B's DC.  Do nothing else.  If replication is working, your zones will create and populate themselves.
4)  Forwarding should be directly to the ISP from each DNS server.  Don't forward to each other - bad.
5)  In AD Sites and Services, Site A will be left alone as Default-First-Site-Name - rename that if you want, but do not take the original root server out of there.
6)  Create and associate Site A's subnet to that original site.
7)  Create new Sites for each remote location.
8)  Create and associate the proper subnets to these sites.
9)  Move the servers for each Site from the main site to the proper remote site.

Now... it is imperative that your IP addressing take into account that every site (physical) must be on a different, unique network.  If not, you will have topology issues.

Once a server is moved into a site, make it a Global Catalog.  It will take some time to build up over the link, but it's worth it.

KCC will do the rest.  No need to create any site links at all unless you have very specific needs.

Repeat this for each site.

Hope this helps.
NM
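The Sites and Services steps (5 through 9, plus the Global Catalog step and the ISP-forwarder point in step 4) as a script, added here as an example and not part of Netman66's answer. It uses the ActiveDirectory PowerShell module plus repadmin and dnscmd, so it assumes a newer domain than Windows 2003 (there the same steps are done in the AD Sites and Services console); the site names, subnets, DC names and the forwarder address are assumptions.

```powershell
# Added example, not from the thread. Assumed layout: Site A (datacenter) keeps
# Default-First-Site-Name; each office gets its own site and a unique private
# subnet, as the answer requires. DC names and addresses are made up.
Import-Module ActiveDirectory

$Sites = @{
    'Default-First-Site-Name' = @{ Subnet = '192.168.0.0/24';  DCs = @('DC-A1','DC-A2') }
    'SiteB'                   = @{ Subnet = '192.168.30.0/24'; DCs = @('DC-B1') }
    'SiteC'                   = @{ Subnet = '192.168.40.0/24'; DCs = @('DC-C1') }
    'SiteD'                   = @{ Subnet = '192.168.50.0/24'; DCs = @('DC-D1') }
}

foreach ($SiteName in $Sites.Keys) {
    # Step 7: create the remote sites (the default site already exists, step 5).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
        New-ADReplicationSite -Name $SiteName
    }

    # Steps 6 and 8: create each subnet and associate it with its site.
    $Subnet = $Sites[$SiteName].Subnet
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
        New-ADReplicationSubnet -Name $Subnet -Site $SiteName
    }

    foreach ($Dc in $Sites[$SiteName].DCs) {
        # Step 9: move the DC's server object out of the default site.
        $DcObj = Get-ADDomainController -Identity $Dc
        if ($DcObj.Site -ne $SiteName) {
            Move-ADDirectoryServer -Identity $Dc -Site $SiteName
        }
        # Make the DC a Global Catalog: bit 0 of the NTDS Settings "options"
        # attribute, the same flag the MMC checkbox sets.
        Set-ADObject -Identity $DcObj.NTDSSettingsObjectDN -Replace @{ options = 1 }

        # Step 4: each DNS server forwards straight to the ISP resolver (assumed
        # address), never to another internal DNS server.
        dnscmd $Dc /ResetForwarders 203.0.113.53
    }
}

# No site links are created by hand; DEFAULTIPSITELINK carries the new sites
# and the KCC builds the connection objects. Check that replication is healthy.
repadmin /kcc
repadmin /replsummary
Get-ADReplicationSite -Filter * | Select-Object Name
```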
 
overworkedops (Author) commented:
Is there any reason to add a forward to the DNS at Site A? I only ask because, if I want to ping a device name, I obviously can't do it... but I suppose you're right that it really doesn't make any sense to do it either.

I will do this tomorrow when I get back to work and give you a progress report.... seems like a lot of good information there.

Thanks!
 
Netman66 commented:
You should have Forwarding in all DNS servers - to the ISP.  Otherwise, you'll have a hard time resolving Internet requests.

 
overworkedops (Author) commented:
So there's no need for forwarding to the Site A DNS?

Thanks :)
 
Netman66 commented:
Correct.  No need.

 
overworkedops (Author) commented:
How about site links? Do I have to create new ones, or can I just go with the default one that's there?

Thanks!
 
overworkedops (Author) commented:
Also, if the subnet is natted behind a firewall, should I still add it?

Thanks :)
 
Netman66 commented:
Do you VPN between sites?  Does the tunnel terminate on the internal side of the firewall?

 
overworkedops (Author) commented:
We have IPSEC set up between sites... the only ports that are open are the ones specified in the MS docs to enable replication.
 
Netman66 commented:
Is the IPSEC terminated at the server, inside interface of the firewall or the outside interface of the firewall?

If it's the server or the inside interface of the firewall then you are good to go with using the proper subnets (private).

If the tunnel terminates at the outside interface, then you will need to setup a one-to-one NAT mapping to the inside interface so that the internal network range can be seen.  If this is the case, make sure to configure this so that the tunnel hides the mapping.

 
overworkedops (Author) commented:
Never mind, we aren't natting :)

Thanks... I got my domain trust completed, but I can't raise the functional level of the old domain to 2003 -- ADMT won't function properly otherwise. I'm working on it now and will let you know... if you have any insight then I'd appreciate it.
 
Netman66 commented:
What errors?

What functional level - domain or forest?

 
overworkedops (Author) commented:
Never mind... got the trust built, and I'm migrating users! You've been a GREAT HELP!

Thanks!
 
Netman66 commented:
No problem - thanks!

NM
Question has a verified solution.