DrPcKen

I need to add a remote domain controller in our international office

We have our main office here in the US.  It's on a Windows Server 2003 active directory (also our DNS box).  I need to put a replicant (is that the correct term?) domain controller in our Colombia office so they are on our domain and replication happens between our DC here and the one there.  The LAN there will be connected to our LAN here via a site-to-site vpn, but they will use their own gateway there of course.

I've looked but I can't seem to find a step for step list on how I would need to set this up.  I'm thinking the DC there will need to be their DNS as well correct?

Any advice and a step in the right direction will be greatly appreciated!
Robin Human

DrPcKen

ASKER

Ok, that's very helpful, but would it be easier to configure the server here at the local office, or do it there after I configure the site-to-site VPN?
ASKER CERTIFIED SOLUTION
Mike Kline
DrPcKen

ASKER

Ok, I'm about to configure the DC today. Do I need to set up the site first, or set up the DC and then configure the site?
I'm assuming I configure the site first so it will replicate to the other DC after I set it up.
Set up the site first, then after you promote the box to a DC you move it into that site.
DrPcKen

ASKER

Ok, everything looks good I think; I see the sites and new subnet on both controllers. Is there anything else I need to check for?

Thanks everyone!
Did you move the new DC into your new site?
DrPcKen

ASKER

In Active Directory YES I did, but not the physical site yet. Will be shipping today.
Ok, then when your DC gets to the site and you verify connectivity, make sure replication is working OK; check the logs.
Then have a few clients log on and run "set L"; make sure they are using the new DC in their new site for authentication.
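Added example, not code from the original thread: a PowerShell version of the "set L" check above, run on a domain-joined client at the new site. It reports the DC the client logged on through and whether the DC locator places that client and DC in the same AD site; it assumes nltest.exe is present (in-box on Vista and later, via the Support Tools on XP/2003) and that the user is logged on with a domain account.

```powershell
# Added example (not from the original thread). Checks which DC a client at the
# new site is using and whether it is being served from its own AD site.
# Assumes nltest.exe is on the PATH and the session is a domain logon.

function Get-FirstMatch {
    # Return capture group 1 of the first line matching $Pattern, or $null.
    param([string[]]$Lines, [string]$Pattern)
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $Pattern)
        if ($m.Success) { return $m.Groups[1].Value }
    }
    return $null
}

function Test-ClientLogonSite {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # The same value "set L" prints, without the leading backslashes. This is
    # the DC used at logon time; the locator query below shows what a fresh
    # lookup returns right now.
    $logonServer = $env:LOGONSERVER -replace '^\\\\', ''

    # nltest prints the DC it located, that DC's site, and "Our Site Name" only
    # when the client's IP falls inside a subnet defined in AD Sites and Services.
    $out = & nltest "/dsgetdc:$Domain" 2>&1 | ForEach-Object { "$_" }
    $dcName     = Get-FirstMatch $out '^\s*DC:\s*\\\\(\S+)'
    $dcSite     = Get-FirstMatch $out 'Dc Site Name:\s*(\S+)'
    $clientSite = Get-FirstMatch $out 'Our Site Name:\s*(\S+)'

    $verdict = if (-not $clientSite) {
        'Client IP is not covered by any AD subnet; clients here may be sent to any DC'
    } elseif ($dcSite -ne $clientSite) {
        "Locator returned a DC in site '$dcSite' but the client is in '$clientSite'"
    } else {
        'OK: client is being served by a DC in its own site'
    }

    [pscustomobject]@{
        LogonServer = $logonServer
        LocatedDC   = $dcName
        DcSite      = $dcSite
        ClientSite  = $clientSite
        Verdict     = $verdict
    }
}

Test-ClientLogonSite | Format-List
```

A missing ClientSite is the case to look for when remote clients keep authenticating against the HQ DC: it means the remote LAN's subnet is not mapped to the new site.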
DrPcKen

ASKER

Great! I never knew about the set L command, very helpful!

Thank you!
DrPcKen

ASKER

FYI, I'll be travelling to set up this remote server next week. I'll keep you guys posted! Thanks!
Ok, good luck, let us know how it goes.
Thanks
Mike
DrPcKen

ASKER

Ok, I have everything configured! I have the new domain controller on location. I have the LAN-to-LAN VPN configured. The only thing I am not sure of now is DNS... Do I need to configure the remote DC as a DNS server as well? Or can I point my LAN-to-LAN VPN router to my DNS at headquarters?

Right now I can ping everything from my remote LAN to my host LAN via IP address, not by FQDN, which is what I need.

Are you currently using Active Directory Integrated DNS on your HQ box?

Nice work on getting everything setup!!
DrPcKen

ASKER

Wow, you are fast :) I'm not sure how to answer your question... what I have is this.

My primary domain controller at HQ is also my DNS server (same server).  Does that answer your question?

Also, is there a way to force replication? I ran dcdiag on the remote DC and got a lot of errors, mostly something about tombstone lifecycle? I'm guessing it is because I replicated them both on the same network, and the remote DC was off the network for about 2 months while it was going through customs to get delivered.
Ok, it should be AD-integrated, but just to check, right-click on your zone, go to Properties, then look at the General tab.
Look for Type -- it will tell you there.
Was it possible that the server has been off the network for more than 60 days?
Thanks
Mike
DrPcKen

ASKER

Yes, it's been way more than 30 days...

DrPcKen

ASKER

Yes, way more than 30 days, and YES it is AD-integrated.
DrPcKen

ASKER

Ok, I configured my DNS properly and both LANs can ping everything by FQDN on the other end. Now I seem to have some other errors though in the event log:

I'm having 1865, 1311, and 1566 back to back every 15 minutes.

I'm also seeing two warning events, 53258, last night at around 6pm. One is:
Event Type:      Warning
Event Source:      MSDTC
Event Category:      SVC
Event ID:      53258
Date:            3/26/2009
Time:            6:47:21 PM
User:            N/A
Computer:      DCHOSTNAME
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

The other is:

Event Type:      Warning
Event Source:      MSDTC
Event Category:      SVC
Event ID:      53258
Date:            3/26/2009
Time:            6:47:21 PM
User:            N/A
Computer:      DCHOSTNAME
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1600
No Callstack,
 CmdLine: C:\WINDOWS\system32\msdtc.exe

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00 07 80               ...€    
DrPcKen

ASKER

Ok, I'm also having another issue... all the machines on my remote domain are trying to authenticate with my PDC, not the DC server that is on the same network as them.

In fact, when I try to log on with my Vista laptop, it says "The trust relationship between this workstation and the primary domain failed."

I'm not sure if this is an issue with the laptop itself (long story) or if it is because I'm on the remote network.

Also, when one of the other laptops logs in, they log in just fine, can ping my PDC on my host LAN, but when they open Exchange it keeps asking for credentials, even when connected to the VPN. They can ping the mail server fine, and the PDC, and the remote DC on the same network. When I check the 'set l' command it shows them using the logon server on the host network, not the DC server on the site with them...
Any ideas?
DrPcKen

ASKER

Ok, I got most of these problems solved. I was able to get rid of all the error messages in Event Viewer and have a successful replication between domain controllers.

First of all, on each domain controller I stopped and disabled the Windows Firewall and IPSec services. Then I had to check my network adapters, and one of them had the Provider Order incorrect (had a Symantec provider above everything else). Once I fixed those I was able to replicate successfully! This also seemed to fix my Vista laptop with the trust relationship error.

I'm going to wait to see if any other event errors occur on the domain controllers.

Thanks for your help!