Solved

Adding an additional Domain Controller at a remote location

Posted on 2009-05-11
465 Views
Last Modified: 2012-05-07
I've seen a lot of discussion and even step-by-step walkthroughs of how to add an additional DC at a remote location.  However, I can't get past Step 1 of the Active Directory installation because the DC-to-be isn't logged into the domain.  That is, after all, exactly what I'm trying to set up-- the ability for computers at this office to actually log into the domain at our main office.  Is it possible to promote this machine to DC from here, or will I need to physically move it to the main office first (which would be a literal pain in my back)?

Both the existing DC and this DC-to-be are Dell PowerEdge servers running Windows Server 2003 R2 (sp2).  The existing DC is Enterprise Edition, this new one is Standard.

They're both also running SQL Server 2005, and when I get this DC issue worked out, I want to set up transactional replication (but if I have problems with that after this issue is resolved, I promise I'll post it in a separate question!).

Question by:Bobaran98
22 Comments
 
LVL 18

Expert Comment

by:Don S.
ID: 24355638
Is the server at the remote location a member server?  Meaning has it been joined to the domain?
 
LVL 8

Author Comment

by:Bobaran98
ID: 24356104
This machine is not a member of the domain.  I have tried adding the machine to the domain using the Computer Name Change dialog in System Properties, but I get the following error:

A domain controller for the domain xxxxx.com could not be contacted.

Additional details include that the error was "DNS name does not exist" and mention that the problem may lie in the DNS SRV records or the fact that the zone doesn't include delegation to its child zone.  But all of that is quite figuratively Greek to me. :-)

Our network has VPN setup, and I have no problem signing in via VPN... but even then, I've had no success in attempts to join the domain or install Active Directory.

...

At risk of confusing things (which is why I didn't offer this info in my initial question), I will say that this machine used to be both a member and a domain controller on the domain in question.  However, we were having major DNS issues (major=I couldn't figure it out) resulting in 2.5 hour boot up and inability to edit MS SQL replication subscriptions (even though the replication itself continued).

My solution (which I hope hasn't complicated things) was to demote this machine, the remote DC, then re-promote it to DC and make sure the DNS was set up properly this time.  Although it was set up as a DC, there are no other machines in operation at this site at the moment (it's a disaster recovery site).  Unfortunately, when I demoted the machine, it also got removed from domain membership... and that's where we are now.

...

Hope all this helps you help me! :-)  Thank you!
 
LVL 18

Expert Comment

by:Don S.
ID: 24356177
You need to have the primary DNS address on the remote server set to the internal IP address of the DNS server for your internal domain.  If you don't, it will not be able to find the DC in order to join the domain, which is what the error message you're getting says.

What do you mean "no problems signing in via VPN"?  Is the VPN set up as a site-to-site VPN that is always connected, or a remote client VPN?  It needs to be a site-to-site VPN.
 
LVL 26

Expert Comment

by:Pber
ID: 24356187

I'll presume your WAN between your main office and this branch location is good.  

The reason some make a DC at the main office before deploying it to a branch office is the replication that takes place to the new DC during the initial install of a DC.  If the WAN link is slow, or you pay for traffic bandwidth, you may want to build at the main site first, as most of the replication will take place locally and only changes will be sent after it is placed at the remote site.

The DC-to-be must already be a member of the domain.  It should have its client TCP/IP DNS settings pointing to the new DC (hopefully your DC is a DNS server).  Then DCPromo should work.  If your WAN link is firewalled and has limited ports open, you may not be able to do this without opening ports or using an IPsec tunnel.

I typed most of this before you added more info.  So my hunch is that since it used to be a DC, the DC-to-be is pointing to itself for DNS.  Point it to the DC at the other office, run DCPromo and install AD-integrated DNS on the DC-to-be, then re-point the DNS client settings back to itself once done.
 
LVL 8

Author Comment

by:Bobaran98
ID: 24356411
dons6718 - I've tried changing the primary DNS on the DC-to-be to 10.0.0.1, which is the internal IP for our primary DC, which would have to be our DNS server since it's the only server at our main site... right?  I'm pretty sure that's correct, but I've never done any DNS administration myself and wouldn't know how to start.  I left the secondary DNS blank.

Regardless, I'm still getting error messages.  Of course, that server has no Internet connectivity now either, presumably because I changed the DNS settings to an internal address.  Perhaps I misunderstood what you wanted me to do with the DNS settings?

We've actually been having spotty Internet connectivity all day... which brings up another thought.

Pber's question about the WAN speed and the DCs pointing at each other got me thinking.  I've been hounding my ISP off and on this morning about our connectivity issues, and they swear it must be a problem on our end (I don't put much faith in their excuses, though, because they said the same thing last week when someone wrapped a car around a telephone pole and took out connectivity for a square block).  I kept pointing to the fact that it's spotty at both of our locations-- the main site with a T1 and this backup site on DSL.

Now, I'm not ruling out the ISP's culpability (these two offices are a quarter mile from one another), but I'm suddenly wondering if my demotion of this additional DC this morning might be causing these connectivity problems.  It's like we're having mini-outages that last 20 seconds or so, interspersed with 5-10 minute periods where we have no problem loading certain websites (like EE and Google) but not others (and I can confirm we're not just loading cached sites... our connectivity is truly halfway at those times).  And to top it off, we've had a few 10-30 minute full outages.

Do you think this is related?
 
LVL 8

Author Comment

by:Bobaran98
ID: 24356454
Pber - I've been playing with the DNS settings on this DC-to-be all morning.  Mostly, however, I've left it pointing at 127.0.0.1 for primary DNS.  I've tried using both the internal and the actual IP of our primary DC, in various combinations with the 127 address and this DC-to-be's actual IP.  In my last conversation with the ISP, I got from them the IP address of their DNS, but I've not yet tried it in any combination with the other addresses.

Thoughts?  Thanks for your help, folks!
 
LVL 26

Expert Comment

by:Pber
ID: 24356493
You will need to point the DC-to-be at your main DC for DNS and not your ISP.  You only configure your ISP's DNS servers as forwarders if you need external resolution for accessing the web.
 
LVL 8

Author Comment

by:Bobaran98
ID: 24356506
Just to clarify the physical network setup here, so I don't confuse us all with terms like "remote," "local," and "this," "that," or "the other" --


My company's main office
  • T1 connectivity
  • one server:
    • Win Server 2003 R2 Enterprise Ed.
    • webserver
    • primary DC
    • probably the DNS server
    • internal IP of 10.0.0.1
My company's other office
  • disaster recovery office
  • DSL connectivity
  • one server:
    • Win Server 2003 R2 Standard Ed.
    • my "DC-to-be"
    • no internal IP
    • actual IP statically defined (follows one digit after DSL modem's)
  • where I'm currently sitting
Hope all this clarifies things, if need be!
 
LVL 8

Author Comment

by:Bobaran98
ID: 24356814
I have now tried pointing my DC-to-be (in the recovery office) at the primary DC (in the main office), using both internal IP (10.0.0.1) and actual IP.  Each time, I used the primary DC address as the primary DNS and I left the secondary DNS blank.  Each time, I rebooted to make sure it took, then tried obtaining domain membership using the Computer Name Change dialog in System Properties.  No luck either time (same error as above).  Each time, even after failing to join the domain, I also tried installing Active Directory anyway... but I of course got a similar error when it came to providing username/password/domain.

What now?

Thanks!
 
LVL 18

Expert Comment

by:Don S.
ID: 24359212
Can you look at what the other computers on your internal network (not at your remote site) are using for a DNS server?  Run ipconfig /all from a command window on one of those computers.  Set the primary DNS on the DC-to-be to the same primary DNS address as one of those.  If that doesn't work, then you are likely not passing port 53 traffic through your VPN for some reason.  Also, you should be able to get to the Internet and have names resolve correctly if you point the DC-to-be server at the correct internal DNS server address.
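The two checks the experts keep coming back to (which DNS server the DC-to-be is actually using, and whether that server can hand out the domain's SRV records) can be scripted so the results are unambiguous. The script below is an added example for this thread, not something either expert posted. It assumes the domain name `xxxxx.com` from the error text above, the main-office DC/DNS server at 10.0.0.1, and PowerShell 2.0 (an optional download on Windows Server 2003); it shells out to `nslookup` because that PowerShell version has no DNS cmdlets.

```powershell
# Added example (not from the thread): check the DNS prerequisites for joining or
# promoting a remote server. Assumed values taken from the thread: domain xxxxx.com,
# main-office DC and DNS server at 10.0.0.1. Targets PowerShell 2.0 on Server 2003.
param(
    [string]$Domain    = "xxxxx.com",
    [string]$DnsServer = "10.0.0.1"
)

# 1. Which DNS servers is this machine actually using? After the demotion the box no
#    longer hosts the zone, so 127.0.0.1 cannot answer, and the ISP's resolver knows
#    nothing about _msdcs records. The first entry must be the internal DNS server.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    ForEach-Object { "{0}: DNS = {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ", ") }

# 2. Can the chosen server answer the SRV queries a domain join and dcpromo send?
#    When these fail you get exactly the "DNS name does not exist" / SRV wording above.
function Test-DcSrvRecord {
    param([string]$Name, [string]$Server)
    $out = & nslookup -type=SRV $Name $Server 2>&1 | Out-String
    # nslookup prints one "svr hostname = <dc fqdn>" line per SRV answer
    New-Object PSObject -Property @{
        Record   = $Name
        Server   = $Server
        Resolves = [bool]($out -match "svr hostname")
    }
}

$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",       # any writable DC
    "_kerberos._tcp.dc._msdcs.$Domain",   # KDC, used for the join itself
    "_ldap._tcp.pdc._msdcs.$Domain"       # PDC emulator, contacted during promotion
)
$results = $records | ForEach-Object { Test-DcSrvRecord -Name $_ -Server $DnsServer }
$results | Format-Table Record, Server, Resolves -AutoSize

if (@($results | Where-Object { -not $_.Resolves }).Count -gt 0) {
    Write-Warning ("SRV lookups against {0} failed: either the client is not pointed at the internal DNS server, or UDP/TCP 53 to {0} is not crossing the tunnel." -f $DnsServer)
}
```

Run it on the DC-to-be. If the SRV lookups succeed against 10.0.0.1 but the adapter still lists 127.0.0.1 or the ISP's resolver first, the client setting is the problem; if they fail against 10.0.0.1 as well, port 53 is not reaching the main office and no amount of client tweaking will help. Internet name resolution on the DC-to-be is then restored by giving the internal DNS server the ISP's resolver as a forwarder (for example `dnscmd 10.0.0.1 /ResetForwarders <isp-resolver-ip>` on the main-office DC), never by putting the ISP's address in the client's list ahead of the DC. `nltest /dsgetdc:xxxxx.com` (Support Tools on 2003) is the one-line equivalent of the SRV test once the tunnel is up.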
 
LVL 8

Author Comment

by:Bobaran98
ID: 24359315
There are two active connections on the primary DC at the main office.  They each have only the primary DNS specified, and they both set it to 10.0.0.1-- that machine's own internal IP address (from its primary connection).

As we discussed earlier, I already tried that on my DC-to-be.  But I'd like to ask again-- when my DC-to-be is physically not connected to the main network, how can it possibly work to change its DNS to a value internal to that separate network?  I wouldn't think that number would make any sense to my DC-to-be, and indeed, using 10.0.0.1 causes it to lose Internet connectivity.  Remember, this is the one that hooks up to the Internet by plugging directly into a DSL modem/router.

Unless this has to do with the VPN... and I just realized I never answered your question about the VPN.  I don't know if it's a site-to-site VPN or a remote client VPN.  I don't really know the difference-- I didn't set it up, and networking isn't really my forte.  The VPN was set up so users could log in from off campus.  I use it frequently... I provide the actual IP address of our main DC, then I provide my personal login credentials (not admin).  At that point, I can open Remote Desktop Connection and provide an IP address internal to our network.

That's what I mean by VPN.  But obviously when I'm using my DC-to-be, that connection piggy-backs on the main Internet connection, which dies if I change the DNS.

What am I missing here? :-)

Thanks for your patience!
 
 
LVL 18

Accepted Solution

by:
Don S. earned 500 total points
ID: 24359724
What you are missing is that you do not have a site to site VPN.  Without that, the remote server cannot be a domain controller in the same domain as the main site.
 
LVL 8

Author Comment

by:Bobaran98
ID: 24360978
I'm almost afraid to ask what setting up a site-to-site VPN would entail.  Actually, since this machine was in fact setup as an additional DC before -- albeit with a few issues -- it's possible that the site-to-site is already in existence.  How can I check?  How can I sign in "site-to-site" with my DC-to-be if this VPN is there?

And if it doesn't exist... what then?

Thanks for everything!
 
LVL 8

Author Comment

by:Bobaran98
ID: 24364263
Good morning, dons6718 and Pber!  Just to give you an update, I have downloaded from TechNet a 50+ page document outlining site-to-site VPNs.  I will spend some time carefully reading it, because I want to have a good understanding of what I'm doing before I start monkeying around! :-)  I'm sure I'll have questions here and there, however, so I hope I can post those here when I'm done.  Thanks!
 
LVL 18

Expert Comment

by:Don S.
ID: 24364337
A site-to-site (or branch office) VPN really doesn't have anything to do with domains or domain membership.
 
LVL 8

Author Comment

by:Bobaran98
ID: 24364593
But to quote you from above:  "What you are missing is that you do not have a site to site VPN.  Without that, the remote server cannot be a domain controller in the same domain as the main site."

And yet you just said "site to site (or branch office) VPN really doesn't have anything to do with domains or domain membership."

I'm sure those two comments are not contradictory. :-)  And yet they seem that way to me in my ignorance.  Would you mind clarifying?  If I need a site-to-site VPN so that my remote server can be on the same domain, then I would think the VPN has a lot to do with being part of the domain.
 
LVL 18

Expert Comment

by:Don S.
ID: 24364655
A site-to-site VPN is usually established between routers or firewalls and is a prerequisite for establishing an additional domain controller at a remote location.  Either that or a true point-to-point private connection such as a point-to-point T1, Frame Relay, a virtual circuit in an MPLS network, or something like that.
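The practical test of "do I already have a site-to-site tunnel?" is whether the DC-to-be can reach the main-office DC on the Active Directory ports through a route that does not depend on anyone being dialled in with a VPN client. The following PowerShell is an added example written for this thread, not code from the experts or from the router vendor. It assumes the DC at 10.0.0.1 (from the thread) and, as an unstated guess, that the main-office LAN is 10.0.0.0/24; it uses .NET sockets rather than newer cmdlets so it works on PowerShell 2.0.

```powershell
# Added example (not from the thread): verify from the DC-to-be that the main-office DC is
# reachable through a router-level tunnel on the ports a domain join and dcpromo need.
# Assumed: DC at 10.0.0.1 (from the thread); the main-office LAN being 10.0.0.0/24 is a guess.
param(
    [string]$Dc        = "10.0.0.1",
    [int]   $TimeoutMs = 2000
)

# 1. How does this host reach the DC's subnet? With a remote-client VPN the route sits on a
#    PPP / WAN Miniport interface that exists only while someone is dialled in; with a
#    site-to-site tunnel it is a plain route via the LAN gateway (the VPN router) that
#    survives reboots and logoffs.
"Routes to 10.0.0.x:"
& route print | Select-String '^\s*10\.0\.0\.' | ForEach-Object { $_.Line }

# 2. TCP ports that must pass end to end. UDP 53/88/389 and the dynamic RPC range used for
#    replication are needed as well but are not probed by this simple connect test.
$ports = @{
    53   = "DNS"
    88   = "Kerberos"
    135  = "RPC endpoint mapper"
    389  = "LDAP"
    445  = "SMB (SYSVOL, NETLOGON)"
    464  = "Kerberos password change"
    636  = "LDAPS"
    3268 = "Global catalog"
}

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        # Bounded wait: a tunnel that silently drops packets shows up as a timeout, not a refusal.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws on RST (port closed, or filtered with reject)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in ($ports.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port    = $p
        Service = $ports[$p]
        Open    = (Test-TcpPort -Target $Dc -Port $p -TimeoutMs $TimeoutMs)
    }
}
$results | Format-Table Port, Service, Open -AutoSize

if (@($results | Where-Object { -not $_.Open }).Count -gt 0) {
    Write-Warning "Some AD ports to $Dc are blocked or unrouted: there is no site-to-site tunnel yet, or a firewall on it is filtering them. Open them on the tunnel; do not expose them on the DC's public address."
}
```

Run it on the DC-to-be with no client VPN connected. If the 10.0.0.x route only appears while a VPN client session is up, or every port shows `False`, there is no site-to-site tunnel and the server is exactly where the thread says it is: sitting on a public address directly behind the DSL modem. The right fix is the router-to-router tunnel, not forwarding 389/445 to the server from the Internet. Once the tunnel is up, the same port table is the allow-list for any firewall sitting on it, plus the dynamic RPC range that replication uses, which is the "limited ports" problem Pber mentioned.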
 
LVL 8

Author Comment

by:Bobaran98
ID: 24365070
Okay... I mostly follow you that far.  And like you said, that's prerequisite to having a DC at a remote location, because otherwise there's no way it could share the same domain.  All that makes sense to me.

So what did you mean when you said that the VPN doesn't have anything to do with domains or domain membership?  I understand that it's unrelated in terms of configuration-- they're setup separately-- but in my situation, I can't have a remote DC without a site-to-site VPN.

Back to my reading... let me know if I'm more confused than I think I am. :-)
 
LVL 8

Author Comment

by:Bobaran98
ID: 24365273
I have a silly question... if I set up my so-called DC-to-be so it's on a site-to-site VPN with my primary DC, then I can add my DC-to-be to the same domain again and users will log directly into the domain.  The machine will, for all intents and purposes, be on the same domain.

So my question:  does my "DC-to-be" even need to be promoted to DC?  I've got some other considerations here that may make the answer "yes," but for purposes of the networking-- being able to sign into the domain-- my remote computer can become part of the network without having to promote it to a DC, is that right?

Thanks for your patience with me!
 
LVL 18

Expert Comment

by:Don S.
ID: 24366213
That is correct.  However, putting a DC in a remote site will offload the authentication traffic from the wide area network.  If there are only a couple of computers at the remote location, then that is not really an issue.  But making it an additional DC in your domain will provide you with redundancy and backup in case your primary DC fails.  A good thing to have.
 
LVL 8

Author Comment

by:Bobaran98
ID: 24376092
Hey guys, just an update.  I'll be installing a Cisco/Linksys RV042 at the remote site, between the DSL router and the server.  My understanding is that this is probably the safest and easiest way to go (I'm not sure if you said that above, but I've heard that elsewhere too... it's all running together!).
In any case, I wanted you to know I've not forgotten you!  Hopefully I'll be able to close this thread very soon, but I may have another question come up.  Thanks!
 
LVL 8

Author Closing Comment

by:Bobaran98
ID: 31584092
Thanks, and sorry for not closing out this question earlier.  I ended up purchasing a Linksys/Cisco VPN Router with built-in firewall (RV-082, I think) to place at my disaster recovery office.  Only $157 at a local store.  That piece of equipment proved a charm to configure... unfortunately, we've had a much harder time configuring the existing router and firewall to allow for the other end of the VPN tunnel... and it looks now like we're going to be purchasing a new firewall for the main office.  If I were starting from scratch, I'd get two of the Linksys/Cisco dealios and have 'er up and runnin' quick!  Regardless, you were right on about needing the site-to-site VPN setup and how to go about doing that.  Thanks!
