Member_2_2473503 asked:

Deploying Windows domain controllers to remote locations

We have a rather large international domain that at the moment is a flat domain structure; everything is part of Globaldomain.net. We do have sites set up for each location with different subnets, and everything is connected via Cisco equipment. We are constantly adding new locations and closing old ones (closing old ones is not a problem).

Our current procedure for a new site is to set up the DC in our server room at HQ, allow full replication, and install other required software such as AV and mail server. We then ship the server to wherever it is going (drives shipped separately or hand carried later). And that is the problem. Often a server will get tied up in shipping or customs somewhere and may not make it to the final destination for up to two months, and then once it is there a tech has to go out and set up the VPN tunnel and connect the DC to the network, but by then replication will no longer work due to tombstone, expired Kerberos password, lingering objects, and anything else you want to throw out there.

Most of the techs know how to handle these problems, but it can cause significant delays in setting up a site, and in my case I got to a site that had a DC that was built and shipped before I was hired, so my account did not exist on it (no replication) and I could not fix any of the problems. We are looking at a few options to implement in the future, including: promoting the server to a DC once it is in the field using a backup copy of AD (to prevent massive replication over the WAN), and going to a parent/child domain structure. Unfortunately both options, while mine to research, document, and prepare, are at least a year down the line, so we need a solution for now.

Does anyone know of any steps that we can take to help prevent things like expired Kerberos passwords for a DC that has been offline for long periods of time, and the other problems I mentioned above?

ASKER CERTIFIED SOLUTION
craigothy

This solution is only available to members.

ASKER

Thanks, I will look into that, but the biggest concern is the Kerberos password.

eb
SOLUTION
kadadi_v

This solution is only available to members.

SOLUTION

This solution is only available to members.

Thanks kadadi and Rob for the comments. I agree with both of you about promoting in the field, and we are working towards that using replication from a backup. The problem is the method has to be approved before we can do anything, and that can take time where I work... so I'm looking for an interim solution for the 5 DCs that we currently have in the air or sitting in customs halfway around the world.

Rob, thanks for the docs on changing to a parent/child domain; I will review them when I have time.

I'm going to leave this open for a few more days to see if anyone else bites and then split the points.

eb

Thanks for the update ebjers. Good luck with the project.
--Rob

Thanks everyone for the support on this one, now all I need to do is get the company to implement the changes.

Thanks ebjers ....:)

Regards,
Vijay Kadadi