jmarenghi

Domain controllers in remote sites

I'm attempting to replace a DC running Windows 2000 Server in a remote site with Windows 2003. I am uncovering a bit of a mess in AD (orphaned child domains, directory service log messages, etc.) and I'm trying to get everything cleaned up before I add this new DC.

Using ntdsutil I have successfully done a thorough metadata cleanup of old child domains and servers.

Now here is the overview.

HQDC1 - Windows 2003 (currently holds all 5 FSMO roles & is a Global Catalog), DNS
HQDC2 - Windows 2000, Global Catalog
Site1DC - Windows 2003, Global Catalog, DNS, DHCP
Site2DC - Windows 2000, Global Catalog, DNS, DHCP
Site3DC - Windows 2000, Global Catalog, DNS, DHCP
Site4DC - Windows 2000, Global Catalog, DNS, DHCP (upgrading to 2003)

There are site-to-site VPN tunnels set up between Site1 through Site4 and HQ.
There is no connectivity between any of the remote sites (e.g. Site1 does not access Site4's subnet).

I went through AD Sites and Services, expanded all the NTDS Settings for each site and cleaned out all of the replication settings referencing DCs in sites that they can't reach.
Meaning, now HQDC1 and HQDC2 have replication settings between themselves and all the DCs in the remote sites, whereas the remote sites have only replication settings for the DCs at HQ.
I did this in hopes of getting rid of the myriad of KCC messages in the directory service event logs on all of the DCs.

After doing this I left the DCs for a while to allow them to do their thing.
When I returned I found that Site1DC (which is the only 2003 server in a remote site) auto-recreated the NTDS Settings for the DCs in the remote sites and the event logs are filling up again.

Before I add another 2003 DC in a site I would like to find out what I'm doing wrong.
I need each site's DC to be a GC in case the VPN to headquarters dies.
Do I need to configure my routers to allow access from remote site to remote site?
If it is not necessary to have inter-site connectivity, how do I set up AD?
How come the NTDS Settings keep auto-generating on Site4's DC?

Any help is much appreciated
JDM

jmarenghi (ASKER):

Under Inter-Site Transports in AD Sites and Services:

The properties of the IP container do not have "Bridge all site links" checked, but under SMTP it is.

Do I even need this protocol in here?

Thanks
JDM
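The two things being looked at in this thread, the "Bridge all site links" flag on the IP transport and connection objects that the KCC builds between two spoke sites that cannot reach each other, can be listed from a DC or RSAT host with the ActiveDirectory PowerShell module. This is an added example, not code from the original thread; the hub site name `HQ` is an assumption to be adjusted.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module
# and read access to the Configuration partition. $HubSite is an assumption.
Import-Module ActiveDirectory

$HubSite = 'HQ'
$cfg = (Get-ADRootDSE).configurationNamingContext

# 1. "Bridge all site links" on the IP transport.
#    options bit 0x2 set  => bridging is OFF (site links are not treated as transitive)
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg" -Properties options
$bridgeAll = -not (([int]$ipTransport.options) -band 2)
"Bridge all site links (IP transport): $bridgeAll"

# 2. Every site link, its cost/interval, and the sites it joins.
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost, ReplicationFrequencyInMinutes |
    ForEach-Object {
        $sites = ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        "{0,-20} cost={1,-4} every {2} min : {3}" -f $_.Name, $_.Cost, $_.ReplicationFrequencyInMinutes, $sites
    }

# 3. Connection objects whose two ends sit in different spoke sites (neither end is the hub).
#    With bridging on, the KCC can see HQ<->Site1 plus HQ<->Site4 as one transitive path and
#    generate such connections; with no spoke-to-spoke route they only produce KCC errors.
function Get-SiteFromDn([string]$dn) {
    # Both server DNs and NTDS Settings DNs contain CN=Servers,CN=<site>,CN=Sites
    if ($dn -match 'CN=Servers,CN=([^,]+),CN=Sites') { $Matches[1] } else { $null }
}

Get-ADReplicationConnection -Filter * |
    ForEach-Object {
        $from = Get-SiteFromDn $_.ReplicateFromDirectoryServer
        $to   = Get-SiteFromDn $_.ReplicateToDirectoryServer
        if ($from -and $to -and $from -ne $to -and $from -ne $HubSite -and $to -ne $HubSite) {
            "spoke-to-spoke: {0} -> {1}  ({2}, auto-generated: {3})" -f $from, $to, $_.Name, $_.AutoGenerated
        }
    }
```

Any line printed by step 3 is a connection the KCC expects to work without a route between those two sites, which is the situation the asker describes.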
ASKER CERTIFIED SOLUTION
Jay_Jay70