Active Directory Setup between 2 remote locations

Posted on 2009-04-26
Last Modified: 2012-05-06
I have two buildings that I want to connect together and use a single Active Directory Domain. I need to know whether I need to set up a PDC in the first building and a BDC at the second, or if I need to set up 2 domains and have a trust relationship set up between the two. And how would I go about doing this?

Thanks in Advance
Question by:kieran_stoney
    LVL 87

    Expert Comment

    AD doesn't use PDCs or BDCs. It is always good to have more than one DC in your domain, as your Active Directory is then redundant. Only set up one domain.
    LVL 27

    Expert Comment

    Yes, you only need one domain. In 2003, you do have a PDC emulator for backwards compatibility with NT4, but no BDCs. Domain controllers are multi-master in 2003.
    How are the two buildings linked? If you have a fast reliable connection then you could just configure the one domain with a single site. If the connection is slower then you should consider configuring two sites, one for each building, and have a DC in each building.
    Configuring separate sites controls replication between the two by conserving the bandwidth used on the link between them, and you can specify when and how often replication occurs. Normal replication between DCs in the same site is quick but more bandwidth hungry, and is event driven. By configuring the two buildings as separate sites you reduce the strain on the link. Configuring two sites also means that users in each site authenticate with their local DC, and not over the link.
    LVL 1

    Author Comment

    One building has a 4MB ADSL connection and the other has a 8MB ADSL.
    LVL 27

    Accepted Solution

    Right, if they're connecting over the internet, then I would configure two sites. You *could* configure them as separate domains in the same tree/forest, but bear in mind this doubles your admin duties as you have two separate domains to look after. The general rule is - keep it simple. Only create new domains when you really have to.
    In a nutshell -
    Install and promote the first server. Make it a DNS server as well (AD integrated).
    I'll assume you're using ADSL NAT routers connecting them to the internet. For connectivity between the two sites, you'll need to set up a VPN, and ensure that the two buildings use different IP subnets. For example, if building1 is using, make sure that the other building isn't. This can mess up the VPN connection. Once the VPN is up and you have comms between the two buildings through the VPN...
    Now, you can either promote the second server locally and ship it out to the second site, or you can run the promotion in the second site. As long as it's a brand new AD install the database size isn't going to be huge so it might be simpler for you to just run the promotion in the second site. Sometimes you wouldn't do this because a promotion requires the entire DB to be replicated across the WAN link.
    Again, make sure that the server is a DNS and GC, and that it's looking to itself for DNS (you'll have to point it at the first DC during the promotion, but afterwards you can point it to itself).
    Once you have both servers as DCs and sitting in their buildings...
    In AD Sites and Services:
    1. Create a new site to represent the other building (you can also rename the default first name site to something more descriptive). Move your second server so it sits under your new site.
    2. You then need to create subnet objects to represent the different IP subnets in each site. So, as above, if building1 is using then create a subnet object for this and link it to the appropriate site. Do this for all the physical subnets you have. The reason you do this is to ensure users log in to local domain controllers.
    3. AD will automatically create the appropriate connections between the servers to allow replication. It checks once every 15 mins so once you have configured the sites/subnets, leave it be for a while.
    You'll notice in 'Inter-site Transports\IP' there is a DEFAULTIPSITELINK. This is the default link that the two sites will be using to replicate. The site link is a representation of the physical link. You can configure the replication interval (how often, in minutes, replication occurs), and the cost (with two sites this is irrelevant). You can also define when the link is available or not (you can turn replication on/off for periods of time).
    This is a very brief overview but I think the major points are covered. Have a look here for more info:
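    The three AD Sites and Services steps in the accepted solution, scripted as an added example (this is not the expert's own code, and it was not part of the original thread). It assumes the ActiveDirectory PowerShell module from Windows Server 2012 or later, which the 2003-era answer did not have; the site names, subnets, DC name and replication interval are placeholders you would replace with your own.

```powershell
# Added example, not from the original answer: script the AD Sites and Services
# steps (rename/create sites, move the second DC, add subnets, tune the site link).
# Requires the ActiveDirectory module (Windows Server 2012+). All values below are
# assumptions for illustration.
Import-Module ActiveDirectory

$Site1       = 'Building1'        # assumed: new name for Default-First-Site-Name
$Site2       = 'Building2'        # assumed: site for the second building
$Subnet1     = '192.168.10.0/24'  # assumed: LAN subnet in building 1
$Subnet2     = '192.168.20.0/24'  # assumed: LAN subnet in building 2 (must differ, or the VPN breaks)
$SecondDC    = 'DC2'              # assumed: hostname of the DC placed in building 2
$ReplMinutes = 180                # assumed: replicate over the ADSL link every 3 hours

# 1. Rename the default site and create a site for the other building,
#    then move the second DC's server object under the new site.
$defaultSite = Get-ADReplicationSite -Identity 'Default-First-Site-Name' -ErrorAction SilentlyContinue
if ($defaultSite) {
    Rename-ADObject -Identity $defaultSite.DistinguishedName -NewName $Site1
}
if (-not (Get-ADReplicationSite -Filter "Name -eq '$Site2'")) {
    New-ADReplicationSite -Name $Site2
}
Move-ADDirectoryServer -Identity $SecondDC -Site $Site2

# 2. Subnet objects linked to each site, so clients in a building log on to
#    the DC in that building rather than across the VPN.
$subnetMap = @(
    @{ Prefix = $Subnet1; Site = $Site1 },
    @{ Prefix = $Subnet2; Site = $Site2 }
)
foreach ($entry in $subnetMap) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($entry.Prefix)'")) {
        New-ADReplicationSubnet -Name $entry.Prefix -Site $entry.Site
    }
}

# 3. DEFAULTIPSITELINK represents the physical link: make sure both sites are
#    members and set how often replication runs over it. Cost is left at the
#    default because, with only two sites, it has no effect.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Add = $Site1, $Site2 } `
    -ReplicationFrequencyInMinutes $ReplMinutes

# Verification: each DC should now report the site you expect. The KCC runs
# every 15 minutes and will create the connection objects on its own.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' |
    Select-Object Name, SitesIncluded, ReplicationFrequencyInMinutes, Cost
```

    Run it once from a domain admin session on either DC after both have been promoted and the VPN is up; the Get-* checks make it safe to re-run if a step fails part way through.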
    LVL 1

    Author Comment

    Can I host the VPN off the servers?
    LVL 27

    Expert Comment

    You can use RRAS to implement the VPN at either end. You just then need to configure your two routers to allow VPN passthrough.
    One thing you'll have to watch out for is that once a VPN connection is made, a virtual interface is created. Your DC will then register this interface's IP with DNS, causing duplicate host records for the DC. Have a look at this for preventative measures :
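    An added check for the duplicate-host-record problem described in that comment (example code, not from the expert or from the thread). It assumes the ActiveDirectory and DnsServer modules from Windows Server 2012 or later, and that you know the interface alias of the RRAS virtual adapter on the DC hosting the VPN; the zone name is taken from the domain and the alias is a placeholder.

```powershell
# Added example, not from the original comment: find DCs whose hostname has more
# than one A record (the symptom of the VPN interface registering itself), show
# the stray records, and stop the VPN adapter from registering in DNS.
# Assumes Windows Server 2012+ with the ActiveDirectory and DnsServer modules,
# run on a DNS server that holds the AD-integrated zone.
Import-Module ActiveDirectory
Import-Module DnsServer

$Zone              = (Get-ADDomain).DNSRoot   # the AD-integrated forward zone
$VpnInterfaceAlias = 'VPN'                    # assumed: alias of the RRAS virtual interface

# Detect: compare each DC's A records with the address AD itself reports for it.
foreach ($dc in Get-ADDomainController -Filter *) {
    $records = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name $dc.Name -ErrorAction SilentlyContinue
    $ips = @($records | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

    if ($ips.Count -gt 1) {
        Write-Warning ("{0} has {1} A records: {2} (AD reports {3})" -f `
            $dc.Name, $ips.Count, ($ips -join ', '), $dc.IPv4Address)

        # Records whose address is not the DC's LAN address are the VPN leftovers.
        # -WhatIf only reports what would be deleted; drop it once you have checked the list.
        $records |
            Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $dc.IPv4Address } |
            Remove-DnsServerResourceRecord -ZoneName $Zone -WhatIf
    }
    else {
        Write-Output ("{0}: single A record {1}" -f $dc.Name, ($ips -join ', '))
    }
}

# Prevent: on the DC that hosts RRAS, stop the virtual interface from registering
# its address so the duplicate does not come back at the next refresh.
if (Get-NetAdapter -Name $VpnInterfaceAlias -ErrorAction SilentlyContinue) {
    Set-DnsClient -InterfaceAlias $VpnInterfaceAlias -RegisterThisConnectionsAddress $false
    Write-Output "Disabled DNS registration on interface '$VpnInterfaceAlias'"
}
```

    The detection half is worth scheduling, because a second DC record pointing at a VPN address sends clients and replication partners to the wrong interface, and the failure shows up as intermittent logon and replication errors rather than an obvious DNS fault.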
