Solved

Windows 2003 replication, sites and services, IP Changeover, etc!

Posted on 2006-06-19
14
238 Views
Last Modified: 2010-04-18
Hi folks,

Okay here's the deal... we have 4 geographic sites for our company. Let's say site A, B, C, and D. A is primary, where the master domain controller is. All sites will have IPSEC tunnels to location A. Site A is a datacenter and B,C,D are all office sites.

I have gotten this much done so far... I got the domain up and running at Site A. There are two domain controllers there, one primary, one backup.

I got Site B running (and I imagine it will be the same for C and D so I'll leave them out). I got the IPSEC tunnel working, the computer joined the domain, and that's it. Now... we are currently running a 192.168.0.x IP scheme in the internal domain that's up and running -- that's going to be migrated.

So, Site B has a domain on it already -- let's say it's domain OLD. The new domain will be domain NEW. What I did was configure multiple IPs on the NIC to have one on the network of the OLD domain, and one on the network of the NEW domain. I can ping the main DC (at site A), the OLD domain controller, and obviously the 'new' network isn't active yet.

Okay so here's my problem... I got the domain controller at site B to join the NEW domain at site A. There is connectivity via IPSEC on all the right ports, so the computer joined the domain without a problem. Now I rebooted the DC at Site B, and I can log in, and still can ping the Site A DC. Now I know I need to set up an internal DNS so we aren't routing DNS queries across the IPSEC tunnel every time somebody logs in -- it would take forever. So I installed DNS, have it listen on only the 192.168.30.x IP (I assigned this server 192.168.30.10). I have that DNS forwarding to the Site A DNS, in case there is a need for it.

Now when I go into Active Directory Users and Computers -- I can't connect to the domain. Even though I can still ping it!

This project is close to rolling out and I'm just in the 'testing' phase right now, but any help would be appreciated greatly. HUGE points for it too!

Realistically what I need to know is a FULL breakdown on what steps to take for the Sites and Services to work.. I followed the documentation online on MS's site but it's limited... I don't know about the site links, and how to set them up -- should I add all the sites into it? Just one site to the main site? Additionally, why would it be that I can't access AD Users and Computers on the new DC at site B, even though I can ping the DC at Site A? I am thinking to demote the DC again and try it again.... but I feel I'm missing something.

Please, would be a BIG help!

EDIT: Do I need to assign SUBNETS to IPs that are NATTED? I mean, Site B is going to have DHCP for itself, and Site A will have DHCP there... the external IP I don't know yet... Much obliged.

EDIT #2: Got the internal DNS working and now I can see ADU&C. However now I'm trying to create the trust, and I can't "see" the other domain. Any ideas on this? The IP address is in the same range... the OLD domain runs on 192.168.0.10 (that's the DC) and I made a secondary IP of the NEW domain 192.168.0.14 (temporarily).
Question by:overworkedops
14 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 16938674
OK - here goes nothing...

1)  Remove DNS from Site B.  
2)  Make sure all zones in Site A are AD Integrated.
3)  Wait about 30 minutes then reinstall DNS on Site B's DC.  Do nothing else.  If replication is working, your zones will create and populate themselves.
4)  Forwarding should be directly to the ISP from each DNS server.  Don't forward to each other - bad..
5)  In AD Sites and Services, Site A will be left alone as Default-First-Site-Name - rename that if you want, but do not take the original root server out of there.
6)  Create and associate Site A's subnet to that original site.
7)  Create new Sites for each remote location.
8)  Create and associate the proper subnets to these sites.
9)  Move the servers for each Site from the main site to the proper remote site.

Now... it is imperative that your IP addressing take into account that every site (physical) must be on a different, unique network.  If not, you will have topology issues.

Once a server is moved into a site, make it a Global Catalog.  It will take some time to build up over the link, but it's worth it.

KCC will do the rest.  No need to create any site links at all unless you have very specific needs.

Repeat this for each site.

Hope this helps.
NM
0
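Steps 5 through 9 of the accepted answer, plus the Global Catalog step, expressed as an added PowerShell example (not the expert's own procedure, which was done in dssite.msc on Windows 2003). It assumes a DC with the ActiveDirectory module (Server 2012 or later); only the 192.168.30.0/24 range for Site B comes from the thread, and the site names, other subnets and DC names are placeholders you must replace.

```powershell
# Added example: build the AD site topology the accepted answer describes.
# Assumes the ActiveDirectory module (Server 2012+). Site names, DC names and
# all subnets except 192.168.30.0/24 are assumed placeholders.
Import-Module ActiveDirectory

# One entry per physical site. Each site needs its own unique, non-overlapping
# network (step 8 / the "topology issues" warning). Site A stays in the
# default site with the original root DC (step 5), so it lists no DCs to move.
$sites = [ordered]@{
    'Default-First-Site-Name' = @{ Subnets = @('192.168.10.0/24'); DCs = @() }
    'SiteB'                   = @{ Subnets = @('192.168.30.0/24'); DCs = @('SITEB-DC1') }
    'SiteC'                   = @{ Subnets = @('192.168.40.0/24'); DCs = @('SITEC-DC1') }
}

foreach ($name in $sites.Keys) {
    # Step 7: create the remote site if it is not there yet.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    # Steps 6 and 8: create each subnet and associate it with its site.
    foreach ($cidr in $sites[$name].Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $name
        }
    }
    # Step 9: move each remote DC out of the default site, then make it a GC
    # by setting bit 0x1 (IS_GC) in the options attribute of its NTDS Settings.
    foreach ($dc in $sites[$name].DCs) {
        Move-ADDirectoryServer -Identity $dc -Site $name
        $ntds = (Get-ADDomainController -Identity $dc).NTDSSettingsObjectDN
        Set-ADObject -Identity $ntds -Replace @{ options = 1 }
    }
}

# Verification: every DC should report its new site and the GC flag, and the
# KCC should build the inter-site connections itself without manual site links.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IPv4Address | Format-Table -AutoSize
repadmin /replsummary
nltest /dsgetsite
```

Run it once from a DC in Site A after the subnets are final; re-running is safe because existing sites and subnets are skipped.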
 

Author Comment

by:overworkedops
ID: 16939019
Is there any reason to add a forward to the DNS at Site A? I only ask because, if I want to ping a device name, I obviously can't do it... but I suppose you're right that it really doesn't make any sense to do it either.

I will do this tomorrow when I get back to work and give you a progress report.... seems like a lot of good information there.

Thanks!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16941152
You should have Forwarding in all DNS servers - to the ISP.  Otherwise, you'll have a hard time resolving Internet requests.

0
 

Author Comment

by:overworkedops
ID: 16941845
So there's no need for forwarding to the Site A DNS?

Thanks :)
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16942458
Correct.  No need.

0
 

Author Comment

by:overworkedops
ID: 16942695
How about site links? Do I have to create new ones, or can I just go with the default one that's there?

Thanks!
0
 

Author Comment

by:overworkedops
ID: 16942742
Also, if the subnet is natted behind a firewall, should I still add it?

Thanks :)
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16943046
Do you VPN between sites?  Does the tunnel terminate on the internal side of the firewall?

0
 

Author Comment

by:overworkedops
ID: 16943064
We have IPSEC set up between sites... the only ports that are open are the ones specified in the MS docs to enable replication.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16943828
Is the IPSEC terminated at the server, inside interface of the firewall or the outside interface of the firewall?

If it's the server or the inside interface of the firewall then you are good to go with using the proper subnets (private).

If the tunnel terminates at the outside interface, then you will need to setup a one-to-one NAT mapping to the inside interface so that the internal network range can be seen.  If this is the case, make sure to configure this so that the tunnel hides the mapping.

0
 

Author Comment

by:overworkedops
ID: 16944035
Never mind, we aren't natting :)

Thanks... I got my domain trust completed, but I can't raise the functional level of the old domain to 2003 -- ADMT won't function properly otherwise. I'm working on it now and will let you know... if you have any insight then I'd appreciate it.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16945294
What errors?

What functional level - domain or forest?

0
 

Author Comment

by:overworkedops
ID: 16945311
Never mind... got the trust built, and I'm migrating users! You've been a GREAT HELP!

Thanks!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16946684
No problem - thanks!

NM
0
