Solved

Windows 2003 replication, sites and services, IP Changeover, etc!

Posted on 2006-06-19
Last Modified: 2010-04-18
Hi folks,

Okay here's the deal... we have 4 geographic sites for our company. Let's say site A, B, C, and D. A is primary, where the master domain controller is. All sites will have IPSEC tunnels to location A. Site A is a datacenter and B, C, D are all office sites.

I have gotten this much done so far... I got the domain up and running at Site A. There are two domain controllers there, one primary, one backup.

I got Site B running (and I imagine it will be the same for C and D so I'll leave them out). I got the IPSEC tunnel working, the computer joined the domain, and that's it. Now... we are currently running a 192.168.0.x IP scheme in the internal domain that's up and running -- that's going to be migrated.

So, Site B has a domain on it already -- let's say it's domain OLD. The new domain will be domain NEW. What I did was configure multiple IPs on the NIC to have one on the network of the OLD domain, and one on the network of the NEW domain. I can ping the main DC (at site A), the OLD domain controller, and obviously the 'new' network isn't active yet.

Okay so here's my problem... I got the domain controller at site B to join the NEW domain at site A. There is connectivity via IPSEC on all the right ports, so the computer joined the domain without a problem. Now I rebooted the DC at Site B, and I can log in, and still can ping the Site A DC. Now I know I need to set up an internal DNS so we aren't routing DNS queries across the IPSEC tunnel every time somebody logs in -- it would take forever. So I installed DNS, have it listen on only the 192.168.30.x IP (I assigned this server 192.168.30.10). I have that DNS forwarding to the Site A DNS, in case there is a need for it.

Now when I go into Active Directory Users and Computers -- I can't connect to the domain. Even though I can still ping it!

This project is close to rolling out and I'm just in the 'testing' phase right now, but any help would be appreciated greatly. HUGE points for it too!

Realistically what I need to know is a FULL breakdown on what steps to take for the Sites and Services to work.. I followed the documentation online on MS's site but it's limited... I don't know about the site links, and how to set them up -- should I add all the sites into it? Just one site to the main site? Additionally, why would it be that I can't access AD Users and Computers on the new DC at site B, even though I can ping the DC at Site A? I am thinking to demote the DC again and try it again.... but I feel I'm missing something.

Please, would be a BIG help!

EDIT: Do I need to assign SUBNETS to IPs that are NATTED? I mean, Site B is going to have DHCP for itself, and Site A will have DHCP there... the external IP I don't know yet... Much obliged.

EDIT #2: Got the internal DNS working and now I can see ADU&C. However now I'm trying to create the trust, and I can't "see" the other domain. Any ideas on this? The IP address is in the same range... the OLD domain runs on 192.168.0.10 (that's the DC) and I made a secondary IP of the NEW domain 192.168.0.14 (temporarily).
Question by:overworkedops
14 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 16938674
OK - here goes nothing...

1)  Remove DNS from Site B.  
2)  Make sure all zones in Site A are AD Integrated.
3)  Wait about 30 minutes then reinstall DNS on Site B's DC.  Do nothing else.  If replication is working, your zones will create and populate themselves.
4)  Forwarding should be directly to the ISP from each DNS server.  Don't forward to each other - bad.
5)  In AD Sites and Services, Site A will be left alone as Default-First-Site-Name - rename that if you want, but do not take the original root server out of there.
6)  Create and associate Site A's subnet to that original site.
7)  Create new Sites for each remote location.
8)  Create and associate the proper subnets to these sites.
9)  Move the servers for each Site from the main site to the proper remote site.

Now..it is imperative that your IP addressing take into account that every site (physical) must be on a different, unique network.  If not, you will have topology issues.

Once a server is moved into a site, make it a Global Catalog.  It will take some time to build up over the link, but it's worth it.

KCC will do the rest.  No need to create any site links at all unless you have very specific needs.

Repeat this for each site.

Hope this helps.
NM

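The nine-step procedure above, as an added example that is not part of the original thread: a PowerShell script that applies the same steps with the ActiveDirectory and DnsServer modules (a Windows Server 2012 or later management host with RSAT; on the 2003-era servers in the question the identical changes are made in the Sites and Services and DNS MMC snap-ins). The domain name, site names, subnets, DC names and ISP resolver addresses are placeholders, not values from the thread. The checks at the end separate the question's "ping works but ADUC cannot connect" symptom, which is a DNS locator failure, from a replication problem.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example (not from the thread). All names and addresses below are assumptions.

$Domain = 'new.example.com'                      # assumed name of the NEW domain
$IspDns = @('198.51.100.1', '198.51.100.2')      # assumed ISP resolvers
$RootDc = 'SITEA-DC1'                            # assumed original root DC at Site A

# Steps 5-9 plus the caveat: one unique private network per physical site.
# Site A keeps the default site object (renaming is optional; do not move the root DC out).
$Sites = @{
    'Default-First-Site-Name' = @{ Subnet = '192.168.10.0/24'; DCs = @('SITEA-DC1', 'SITEA-DC2') }
    'SiteB'                   = @{ Subnet = '192.168.30.0/24'; DCs = @('SITEB-DC1') }
    'SiteC'                   = @{ Subnet = '192.168.40.0/24'; DCs = @('SITEC-DC1') }
    'SiteD'                   = @{ Subnet = '192.168.50.0/24'; DCs = @('SITED-DC1') }
}

# Step 2: every primary zone on Site A must be AD-integrated, otherwise a DNS role
# installed later on a remote DC (step 3) has nothing to receive through replication.
Get-DnsServerZone -ComputerName $RootDc |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsDsIntegrated } |
    ForEach-Object {
        ConvertTo-DnsServerPrimaryZone -ComputerName $RootDc -Name $_.ZoneName -ReplicationScope Domain -Force
    }

foreach ($siteName in $Sites.Keys) {
    $site = $Sites[$siteName]

    # Step 7: create the remote site if it does not exist yet.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }

    # Steps 6 and 8: one subnet object per site, bound to that site. Overlapping or
    # duplicated subnets across sites are exactly the topology issue the answer warns about.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($site.Subnet)'")) {
        New-ADReplicationSubnet -Name $site.Subnet -Site $siteName
    }

    foreach ($dc in $site.DCs) {
        $dcObj = Get-ADDomainController -Identity $dc

        # Step 9: move the DC out of the default site into the site it physically sits in.
        if ($dcObj.Site -ne $siteName) {
            Move-ADDirectoryServer -Identity $dc -Site $siteName
        }

        # Make the DC a global catalog: bit 0 of 'options' on its NTDS Settings object.
        if (-not $dcObj.IsGlobalCatalog) {
            $ntds = $dcObj.NTDSSettingsObjectDN
            $opts = (Get-ADObject -Identity $ntds -Properties options).options
            Set-ADObject -Identity $ntds -Replace @{ options = ([int]$opts -bor 1) }
        }

        # Step 4: every DNS server forwards straight to the ISP, never to the other site's DC.
        Set-DnsServerForwarder -ComputerName $dc -IPAddress $IspDns -UseRootHint $false
    }
}

# Step 10 is the KCC: no manual site links unless there is a specific need.
# Checks, run from a machine at Site B:
#   - the SRV record a client uses to locate a DC for its own site must resolve locally;
#     if ping works but this fails, the problem is DNS, not the tunnel or the trust;
#   - nltest shows which site the client was placed in and which DC the locator picks;
#   - repadmin shows whether the KCC-built topology is actually replicating.
Resolve-DnsName -Name "_ldap._tcp.SiteB._sites.dc._msdcs.$Domain" -Type SRV -Server '192.168.30.10'
nltest /dsgetsite
nltest "/dsgetdc:$Domain" /force
repadmin /replsummary
```

Run it once as a domain admin against the NEW domain after the Site B DC has been promoted; the zone conversion and the subnet/site creation are idempotent, so re-running after adding Sites C and D only touches what is missing.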
Author Comment

by:overworkedops
ID: 16939019
Is there any reason to add a forward to the DNS at Site A? I only ask because, if I want to ping a device name, I obviously can't do it... but I suppose you're right that it really doesn't make any sense to do it either.

I will do this tomorrow when I get back to work and give you a progress report.... seems like a lot of good information there.

Thanks!
LVL 51

Expert Comment

by:Netman66
ID: 16941152
You should have Forwarding in all DNS servers - to the ISP.  Otherwise, you'll have a hard time resolving Internet requests.


Author Comment

by:overworkedops
ID: 16941845
So there's no need for forwarding to the Site A DNS?

Thanks :)
LVL 51

Expert Comment

by:Netman66
ID: 16942458
Correct.  No need.


Author Comment

by:overworkedops
ID: 16942695
How about site links? Do I have to create new ones, or can I just go with the default one that's there?

Thanks!

Author Comment

by:overworkedops
ID: 16942742
Also, if the subnet is natted behind a firewall, should I still add it?

Thanks :)
LVL 51

Expert Comment

by:Netman66
ID: 16943046
Do you VPN between sites?  Does the tunnel terminate on the internal side of the firewall?


Author Comment

by:overworkedops
ID: 16943064
we have IPSEC set up between sites... the only ports that are open are the ones specified in the MS docs to enable replication.
LVL 51

Expert Comment

by:Netman66
ID: 16943828
Is the IPSEC terminated at the server, inside interface of the firewall or the outside interface of the firewall?

If it's the server or the inside interface of the firewall then you are good to go with using the proper subnets (private).

If the tunnel terminates at the outside interface, then you will need to setup a one-to-one NAT mapping to the inside interface so that the internal network range can be seen.  If this is the case, make sure to configure this so that the tunnel hides the mapping.


Author Comment

by:overworkedops
ID: 16944035
Never mind, we aren't natting :)

Thanks... I got my domain trust completed, but I can't raise the functional level of the old domain to 2003 -- ADMT won't function properly otherwise. I'm working on it now and will let you know... if you have any insight then I'd appreciate it.
LVL 51

Expert Comment

by:Netman66
ID: 16945294
What errors?

What functional level - domain or forest?


Author Comment

by:overworkedops
ID: 16945311
Never mind... got the trust built, and I'm migrating users! You've been a GREAT HELP!

Thanks!
LVL 51

Expert Comment

by:Netman66
ID: 16946684
No problem - thanks!

NM
