Solved

Setting up 2 domain controllers at sites linked over internet connection

Posted on 2008-06-22
Last Modified: 2011-10-19
I've got a setup with a Win 2k3 DC acting as the primary DC for our network. We've recently acquired another company, and I am in the process of building up a network infrastructure on their site. We have 2 Draytek 2800 VPN ADSL routers handling the VPN connection. This connection is on full time, and is connecting 2 different class C subnets together via the tunnel (192.168.1.x/24 and 192.168.2.x/24). I am able to ping the far end using the 192.168 addresses and can access resources on the far side by IP address as if they were sitting here on my LAN.

Now, the question is this:

I want to set up a server on the far end, and hopefully use it as a DC for our domain on their LAN with both DS's replicating. From what I've read, VPN should be transparent as far as the DCs go, but when it comes to configuring the new server, is there a specific way I need to set it up (Backup DC, Child DC, just promote it to another full-fledged DC, etc.), and do I need to wait until I'm actually sitting at the far site to do the promotion and DC configuration, or can it all be configured on the main site and get the services I want on it (DNS, etc.), and then once I know it's solid, move it to the far side, change the IP address for the local LAN on their end, and then go from there?

I'm a little hesitant about the best way to go about doing this, but due to the fact that it's a relatively small office (2 dozen users or so tops), it's both small enough that a VPN tunnel should handle the traffic between here and there, and yet large enough that they need some form of server presence to facilitate smooth operation on their end.

Any and all help/opinions would be appreciated.

Regards,
Question by: itslnet
Expert Comment by: Probity (LVL 5, ID: 21842391)
You can configure it in house; for the most part, it would be another full-fledged DC. Ensure replication is happening between the new server and your original server (most importantly DNS replication, since the server's IP is going to change). Install all your services, but make sure not to activate the DHCP server on the new DC until it's moved to the new office; you don't want IP conflicts.

Once it goes to the new office, change its IP address, activate DHCP, ensure that DNS has been updated with its new IP address, and double-check other services for the new IP address (DHCP scope comes to mind). After that it should be good to go.
Expert Comment by: Rob Williams (LVL 77, ID: 21843202)
Personally I always recommend setting up at the remote site. You can do it in house, but doing so requires quite a bit of tweaking, such as the disabling of DHCP mentioned above; you will want to add your second site and subnet in AD Sites and Services, which will not be correct; you will wind up with a lot of incorrect DNS entries that have to be flushed; and the real test is this: if you can promote it at the remote site and have it function and replicate properly, chances are you don't have any routing or DNS problems. Sometimes configuring in house it replicates properly, but when moved it may not, and you have trouble finding the problem because all steps are effectively done at once.
On the "full fledged DC" yes agreed, and when installing AD and DNS make it "integrated".

Author Comment by: itslnet (ID: 21848650)
Because the second site is currently peer-to-peer and I can only access our network via an IP address, how will the second server find our existing server over the VPN? Do I need to put an entry for the existing server in lmhosts?
Accepted Solution by: Rob Williams (LVL 77, earned 500 total points, ID: 21848929)
>>"Do I need to put an entry for the existing server in lmhosts?"
No.
It's very important that you point the server to the existing DNS server's LAN IP for DNS, and only that server. Just configure the NIC with that IP address for DNS. It's a good test that the network is properly configured.

Author Comment by: itslnet (ID: 21868333)
Thanks guys, I have set up the server on the remote site and it has joined the domain successfully. I have installed DNS as Active Directory-Integrated and the only error in the event logs is the following:

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

The link it gives is of no help; is this something I should be worried about? Active Directory seems to be OK and users have replicated OK.

Expert Comment by: Rob Williams (LVL 77, ID: 21871328)
>>"is this something I should be worried about"
"critical error" would imply yes :-)

Try running NetDiag on the machine with the error to see if it shows any connection or DNS errors. Might also be worth running DCDiag.
http://www.computerperformance.co.uk/w2k3/utilities/windows_netdiag.htm
http://www.computerperformance.co.uk/w2k3/utilities/windows_dcdiag.htm
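A check script, added here and not posted by anyone in the thread, that turns Rob Williams' accepted answer (the NIC must use only the existing DC's LAN IP for DNS) and his follow-up (run the Support Tools diagnostics) into something you can run on the remote-site server before and after dcpromo; the existing DC address 192.168.1.2 and the domain name corp.example are assumed placeholders, as is the "svr hostname" string matched in nslookup's SRV output.

```powershell
# Added example, not from the thread or its posters. Run on the remote-site
# server before (and again after) dcpromo. It checks the points Rob Williams
# makes: the NIC must use ONLY the existing DC's LAN IP for DNS, the domain
# locator (SRV) records must resolve through that DC across the tunnel, and
# afterwards the Support Tools diagnostics should come back clean.
# Assumed placeholder values: existing DC 192.168.1.2, domain corp.example.
$ExistingDc = "192.168.1.2"
$Domain     = "corp.example"
$failed     = 0

# 1. DNS client settings: exactly one DNS server, and it is the existing DC.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($nic in $nics) {
    $dns = @($nic.DNSServerSearchOrder)
    if ($dns.Count -eq 1 -and $dns[0] -eq $ExistingDc) {
        Write-Host ("OK   {0}: DNS = {1}" -f $nic.Description, $dns[0])
    } else {
        Write-Host ("FAIL {0}: DNS = [{1}], expected only {2}" -f $nic.Description, ($dns -join ", "), $ExistingDc)
        $failed++
    }
}

# 2. The existing DC must answer across the VPN (.NET Ping works on PS 1.0 too).
$reply = (New-Object System.Net.NetworkInformation.Ping).Send($ExistingDc, 2000)
if ($reply.Status -eq "Success") {
    Write-Host ("OK   {0} reachable in {1} ms" -f $ExistingDc, $reply.RoundtripTime)
} else {
    Write-Host ("FAIL {0} not reachable ({1})" -f $ExistingDc, $reply.Status); $failed++
}

# 3. Domain locator records, asked for directly from the existing DC.
$srv = @("_ldap._tcp.dc._msdcs.$Domain",
         "_kerberos._tcp.dc._msdcs.$Domain",
         "_ldap._tcp.pdc._msdcs.$Domain")
foreach ($name in $srv) {
    $out = & nslookup -type=SRV $name $ExistingDc 2>&1 | Out-String
    if ($out -match "svr hostname") { Write-Host "OK   $name" } else {
        Write-Host "FAIL $name (no SRV answer from $ExistingDc)"; $failed++
    }
}

# 4. After dcpromo: replication partners and locator registration (Support Tools).
if (Get-Command dcdiag -ErrorAction SilentlyContinue) {
    & dcdiag /test:replications /test:netlogons
    & repadmin /showrepl
}

Write-Host "$failed check(s) failed."
```

Any FAIL line in steps 1 to 3 is worth fixing before promoting, since a second DNS server or an unanswered SRV query is exactly the routing or DNS problem Rob describes as hard to untangle once the server has been moved.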

Author Comment by: itslnet (ID: 21873009)
I ran the tests on the new server; they seemed to pass OK. Below is the DNS part from netdiag.

I have attached the log files from both netdiag and dcdiag if they are any help.

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.2.2' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.2' and other DCs also have some of the names registered.
Attachments: dcdiag.log, NetDiag.log
Expert Comment by: Rob Williams (LVL 77, ID: 21944184)
Sorry itslnet. I somehow did not see this last post. Looks like everything is OK now?
Thanks & Cheers !
--Rob