• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 222
  • Last Modified:

Active Directory Setup between 2 remote locations

I have two buildings that i want to connect together and use a single Active Directory Domain, I need to no weather i need to setup PDC in the first building and a BDC at the second or if i need to setup 2 domains and have a trust relationship setup between the two. And how would i go about doing this.

Thanks in Advance
  • 3
  • 2
1 Solution
AD doesn't use PDCs or BDCs. It is always good to have more than one DCs in your domain, as your Active Directory is then redundant. Only setup one Domain.
bluntTonyHead of ICTCommented:
Yes, you only need one domain. In 2003, you do have a PDC emulator for backwards compatibility with NT4, but no BDCs. Domain controllers are multi-master in 2003.
How are the two buildings linked? If you have a fast reliable connection then you could just configure the one domain with a single site. If the connection is slower then you should consider configuring two sites, one for each building, and have a DC in each building.
Configuring seperate sites controls replication between the two by conserving the bandwidth used on the link between them, and you can specify when and how often replication occurs. Normal replication between DCs in the same site is quick but more bandwidth hungry, and is event driven. By configuring the two buildings as seperate sites you reduce the strain on the link. Configuring two sites also means that users in each site authenticate with their local DC, and not over the link.
kieran_stoneyAuthor Commented:
One building has a 4MB ADSL connection and the other has a 8MB ADSL.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

bluntTonyHead of ICTCommented:
Right, if they're connecting over the internet, then I would configure two sites. You *could* configure them as seperate domains in the same tree/forest, but bear in mind this doubles your admin duties as you have two seperate domains to look after. The general rule is - keep it simple. Only create new domains when you really have to.
In a nutshell -
Install promote the first server. Make it a DNS server as well (AD integrated).
I'll assume you're using ADSL NAT routers connecting them to the internet. For connectivity between the two sites, you'll need to set up a VPN, and ensure that the two buildings use different IP subnets. For example, if building1 is using, make sure that the other building isn't. This can mess up the VPN connection. Once the VPN is up and you have comms between the two buildings through the VPN...
Now, you can either promote the second server locally and ship it out to the second site, or you can run the promotion in the second site. As long as it's a brand new AD install the database size isn't going to be huge so it might be simpler for you to just run the promotion in the second site. Sometimes you wouldn't do this because a promotion requires the entire DB to be replicated across the WAN link.
Again, make sure that the server is a DNS and GC, and that it's looking to itself for DNS (you'll have to point it at the first DC during the promotion, but afterwards you can point it to itself).
Once you have both servers as DCs and sitting in their buildings...
In AD Sites and Services:
1. Create a new site to represent the other building (you can also rename the default first name site to something more descriptive). Move your second server so it sits under your new site.
2. You then need to create subnet objects to represent the different IP subnets in each site. So, as above, if building1 is using then create a subnet object for this and link it to the appropriate site. Do this for all the physical subnets you have. The reason you do this is to ensure users log in to local domain controllers.
3. AD will automatically create the appropriate connections between the servers to allow replication. It checks once every 15 mins so once you have configured the sites/subnets, leave it be for a while.
You'll notice in 'Inter-site Transports\IP' there is a DEFAULTIPSITELINK. This is the deafult link that the two sites will be using to replicate. The site link is a representation of the physical link. You can configure the replication interval (how often, in minutes, replication occurs), and the cost (with two sites this is irrelevant). You can also define when the link is available or not (you can turn replication on/off for periods of time).
This is a very brief overview but I think the major points are covered. Have a look here for more info: http://technet.microsoft.com/en-us/library/bb727051.aspx#ENAA
kieran_stoneyAuthor Commented:
Can i host the VPN off the servers.
bluntTonyHead of ICTCommented:
You can use RRAS to implement the VPN at either end. You just then need to configure your two routers to allow VPN passthrough.
One thing you'll have to watch out for is that once a VPN connection is made, a virtual interface is created. Your DC will then register this interface's IP with DNS, causing duplicate host records for the DC. Have a look at this for preventative measures : http://support.microsoft.com/kb/289735
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now