Solved

Connect two physically separate locations (different co-location centers) to share Active Directory (replication) and file sharing

Posted on 2009-07-01
838 Views
Last Modified: 2012-05-07
Hi all-

I've got a Windows 2003 Active Directory domain with 3 servers set up in a colocation server rack for a non-profit (charity) that I volunteer for.  I'm definitely not (as will become obvious from this post) a networking expert, but I know my way around Windows 2003.  

All of the machines have two NICs.

NIC #1 has a public IP address, firewalled to only allow access to services like web, smtp, and dns using the built in Routing and Remote access.

NIC #2 in each server is connected to a physically separate switch that allows non-firewalled access from server to server, using a private ip in the 10.1.1.x subnet.

One of the servers is acting as a VPN server, and hands out IPs in the same 10.1.1.x subnet.

We're now interested in setting up a second colocation location (several states over) to give us more redundancy.  I'm looking for suggestions on how to best accomplish this, in terms of connectivity and AD replication.

Remember that this is for a charity, and the budget is TIGHT.  If I can get away without purchasing VPN routers, that would be great.  I would be interested in the right way to do this if budget was unlimited (as long as connectivity between the 2 locations still goes over the Internet and doesn't use a dedicated line) and also any alternative way that wouldn't involve any additional expenditure.

There will be 4 servers in the remote colocation rack.  I was thinking of having one of these run AD and replicate the information over the WAN (via a VPN).  How to accomplish that is one of the big questions I have.

I figured that the 4 servers would also be set with nic #1 on a public IP (different provider from the primary location, different subnet altogether) and having nic #2 on a private network, say 10.2.1.x.

What's the best way to have all 4 servers in the second location also have access to the 10.1.1.x subnet at the first location?  I assume if we can accomplish this, then the first location will be able to talk to the servers at the second location too.

Your ideas are appreciated!  
Thanks
Question by: weinberk

18 Comments

Assisted Solution by Datedman (earned 400 total points)
You can have two locations with dedicated server-to-server VPN.  Actually I think 2003 R2 has some kind of a wizard for this...but it's not that difficult.  How do people connect to the Net now on the first site?  Basically they'd do the same only with a different subnet.  Your dhcp servers can set routes between sites with the classless static routes option...in AD Sites/Services you set up another site and give it a subnet, put the second server in that site.  You can do all this while they are physically close by just having two diff addresses on the external NICs of the two servers.  Get it all working before you move the server. :)
You set up a persistent VPN in RRAS on both servers, set up a user account for both to use, they always "dial" each other when connection drops.
For machines with static IP addresses that don't use DHCP (fi, servers) you can use
route -p add 10.1.2.0 (I assume you put the 2 in the wrong place) mask 255.255.255.0(?) 10.1.1.x (address of VPN server)...this has to be done on both ends, IOW you say always route packets from this subnet to the other subnet through the VPN connection you establish between servers.
Is any of this making sense? :)
Tell me more about how you have the first site set up?  Which machine(s) do(es) DNS/DHCP and where's the gateway to the Net?
Author Comment by weinberk
Thanks for the reply!
There are 4 servers in each location, so you're suggesting that each have a connection to a vpn server at the other location?
It's all current static ip addresses, no DHCP for the servers.  The vpn connection that I use to remote in does hand out a dhcp address, though I could set this to be static on the servers.
Let's say that location one has public ip address 65.x.x.x.  Location two will be on 70.y.y.y.  The vpn servers will be 65.x.x.100 and 70.y.y.100.  The gateway to the net is the public address .1 at each location (65.x.x.1).
I didn't follow your routing example.  If there's a vpn connection already established, why bother with the route?  Wouldn't that be added automatically when the vpn connection is set?  
You didn't mention AD, but I assume that'll just plain old work once the two private lans are connected.
Expert Comment by Datedman
I think better to have a hub location and each location connects to the hub.  

The routing is to make sure your servers can communicate with the other site for AD replication, accessing shares/exchange/whatnot on another site etc.  Gateway to the net is for workstations to connect out, and is in the private address range.  The only place where you have to worry about public ips is for the vpn connections.  Unless I'm missing something--and on rereading your post, I see I am. :)

Where are the workstations??  I was erroneously thinking you had more than one physical location.  IMO if your colocation setup is a good one there's no need to complicate it with more of them.
Author Comment by weinberk
Thanks again for posting.  I'll try to clarify a bit...
There happen not to be any workstations - these are just servers being used in a hosting setup for this charity.  (Web, smtp, dns, etc).
There is currently only 1 physical location.  Soon to be two, which is where the questions come from.
Each of the 4 existing servers at location 1 have a public ip address in the 65.x.x.x range.  They use 65.x.x.1 as a gateway to the net.  The second nic in each server is on 10.1.1.x and is connected via a separate switch for non-firewalled connectivity between servers.  2 servers here are running active directory.  One server is a vpn server.
The second location (1200 miles away) will be another 4 servers.  Same setup except on a 70.x.x.x network, with  70.x.x.1 as the gateway, and 10.1.2.x as the private ip on nic 2.  Another server or two will run active directory here.  There will be another vpn server here.
I don't know what you mean by a "hub."
I want to:
  1. Have active directory stay in sync
  2. Have location 2 be able to talk to location 1, and vice versa, over the private ip range (so a VPN)
For the ad sync, I think that'll just happen automatically when the connectivity works, but there's surely some setup needed.
For the 2 location connectivity, I could set up a VPN from each server to the other location's vpn server.  That would give the machine an additional ip in the range of the other location.
I'm just looking for ideas on how else to accomplish this, things to look out for, etc.
I'm happy to set a permanent route, I just don't know what that would do for me as the route would be set when the vpn connection is established, wouldn't it?
Is there a way to have only 1 server in each location set up a vpn connection and then somehow route all of the other servers through that server when trying to access the other location?  Is that what you were trying to explain with your route example?
THANKS

Expert Comment by Datedman
Why do you even need AD?

The route is for a server on one network that is not the server with VPN to communicate with the other private network.  If there is only one server on the site, no routing necessary on that site beyond having the VPN work.  Personally I don't expose any domain controllers to the Net, I prefer to have a member server do VPN and keep the DC's on private networks.

Hub=1 location to which all others connect.

I think on any site where you have more than one server you will want to set routes on each server not connected to VPN to route to each other private subnet through the VPN connection.
Expert Comment by Datedman
Oops sorry if you have more than two locations I guess you do need to set up routing on the VPN-connected machine to go to any subnet it's not VPN-connected to. :)  But I'm hoping this will only be two locations anyway?  In that case hub concept is not relevant.  If you start connecting more than 2 sites it does get a lot more complicated...
Author Comment by weinberk
There will only be 2 sites for the foreseeable future.
AD is needed for exchange (using RPC over https) and some other services.  The AD servers are without public IP's, but I didn't want to complicate the question.
Talk more about the routing please.  Are you suggesting that I only need 1 server to have a vpn connection to the other location and then I could use routing on every other server to route packets for the other network through the server that has the vpn connection?
Location 1:
server 10.1.1.50 connects to 70.x.x.x vpn server and gets a 10.1.2.50 ip address.
all other servers, route all 10.1.2.x traffic to 10.1.1.50???
Location 2:
no need for vpn connection, since another exists FROM location 1.
all servers route all 10.1.1.x traffic to 10.1.2.50 (the ip of the machine at location 1 that has the vpn line open)????
I think we're getting there.
Accepted Solution by Datedman (earned 400 total points)
No at location 2 they'd route thru the local address of machine that has the VPN connection.  VPN servers should have Custom config with VPN Server and Lan Routing.  

Normally you set up a persistent VPN on both ends to connect to the other I think.  Will work with one-way but I think there's an issue with setting up to use the same IP on each end unless it's a persistent connection on both ends--I forget atm and don't have one I setup I can refer to right now.  The more static the IPs are the better DNS/WINS works as I recall, sorry kind of under the weather today and not feeling very sharp. :)
Author Comment by weinberk
Hope you start feeling better soon.  
What do you mean by "persistent vpn?"  Do you mean with vpn hardware, or through the basic ms networking?
 
Assisted Solution by Datedman (earned 400 total points)
Sorry missed this for some reason...
Persistent VPN connection in RRAS.  Right-click on Network Interfaces, use the demand-dial interface wizard.
http://technet.microsoft.com/en-us/library/dd835605(WS.10).aspx might help?
Author Comment by weinberk
I'm out until Monday, but will give this a shot ASAP.  Happy 4th.
Expert Comment by Datedman
Happy weekend!  Oh man, what's a WEEKEND heh, my kids are coming in tonight tho so *I must learn to take a break.*
Assisted Solution by Adam Ray (earned 100 total points)
I wrestled with a similar situation a while back.  I had two sites at different ends of the country with one server at each site.  (It's a fairly low budget project so I had to make do with the domain controller being exposed to the Internet--though behind a firewall obviously.)

Anyway, I used IP Security Policies (configurable through a MMC snap-in) to create an encryption policy between the two servers.  So basically I'm using IPsec rather than a VPN to encrypt my traffic.

I'm not saying this would make more sense in your situation than a persistent VPN, since you already have multiple servers and private networks and such set up.  But it may be worth considering--if it'll even work in your situation.  (Disclaimer: I'm by no means an expert at multi-site setups--any others I've done in the past have had hardware (router) VPNs--so maybe this idea just needs to be thrown away.)

Perhaps Datedman can comment on this, from reading the posts he seems more proficient in this area than I.
Expert Comment by Datedman
Haven't done it that way wcllc.  I would think a VPN is more versatile and it's basically the way MS recommends for branch offices but I'm sure there's more than one way to skin a cat.
Author Comment by weinberk
I googled a bit more based on the information that you provided and found this:
http://technet.microsoft.com/en-us/library/dd835605(WS.10).aspx
only to discover that it's the same link that you provided.  It's great.
Thank you for all of your help.
I was able to very simply create a persistent VPN connection in RRAS on the new server from a temporary location and join it to the domain at the primary location.  Great stuff.
I haven't figured out how to get the other machines on the network to even be able to ping machines at the primary location, but I'll open another question on that.  Keep your eyes open please.
Much appreciated.
 
Author Closing Comment by weinberk
Thank you both for your help.  I'm going to give it a go with what I've learned. I'll post back here if I open other related questions.  Take care and thanks for the time and input!
Expert Comment by Datedman
Use the DHCP option Classless Static Routes to route one network to the other.  And from the other back.

If a machine has a static IP and isn't using DHCP, you can use route -p:

route -p add 192.168.x.0 mask 255.255.255.0 192.168.y.z

Where x is the remote (to this machine) subnet, y is this subnet, z is the machine with the VPN connect.

Make both VPN servers LAN routers too.

And at a MINIMUM, use RRAS's incoming packet filter to firewall out all but the ports you need.  Which will include GRE (protocol 47) both ways, TCP port 1723 both ways, and any other ports needed if you are also using these machines to get to the Net?  (Like established TCP, and ports for DNS, and maybe NTP?)
Author Comment by weinberk
Datedman-
Thanks for the followup even after I awarded the points and closed the question.
We're using static IP's.  I had already tried adding the permanent route, exactly how you suggested, but it didn't work.  
Traceroute shows the machine going to the machine with the vpn connection, but then stalling out.  We'll chat in a new thread when i have more time to test and document what I've done.
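The routing model Datedman lays out in this thread (a static route on every non-VPN server pointing at the local VPN server, routes on both ends, and both VPN servers configured for LAN routing), as an added Python walk-through that is not from the thread or from any of its participants. It uses the thread's addressing (10.1.1.0/24 with VPN server 10.1.1.50, 10.1.2.0/24 with VPN server 10.1.2.50); the .20 hosts and the host/route model are constructed, and it shows why a packet stalls at the VPN machine when that server is not a LAN router, and why a ping still fails when site 2's servers have no return route.

```python
from ipaddress import ip_address, ip_network

# Constructed topology using the thread's addressing: site 1 LAN 10.1.1.0/24 with
# VPN server 10.1.1.50, site 2 LAN 10.1.2.0/24 with VPN server 10.1.2.50.
SITE1, SITE2 = ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")
VPN1, VPN2 = "10.1.1.50", "10.1.2.50"

def host(addr, lan, routes=(), forwards=False):
    """A server: its LAN, static routes [(prefix, next hop)] and whether RRAS LAN
    routing is enabled, i.e. it forwards packets that are not addressed to it."""
    return {"addr": addr, "lan": lan, "routes": list(routes), "forwards": forwards}

def next_hop(h, dst):
    """Directly connected if dst is on the host's LAN, else longest-prefix match.
    None means the host has no route at all for dst."""
    if ip_address(dst) in h["lan"]:
        return dst
    matches = [(p, via) for p, via in h["routes"] if ip_address(dst) in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(hosts, src, dst, max_hops=8):
    """Walk one packet hop by hop, like tracert. Returns (hops, delivered)."""
    hops, cur = [src], src
    for _ in range(max_hops):
        if cur == dst:
            return hops, True
        if cur != src and not hosts[cur]["forwards"]:
            return hops, False  # transit box is not a LAN router: dropped here
        cur = next_hop(hosts[cur], dst)
        if cur is None:
            return hops, False  # no matching route on this host
        hops.append(cur)
    return hops, False

def ping(hosts, a, b):
    """Echo request a->b and reply b->a; both legs must be delivered."""
    there, ok_there = trace(hosts, a, b)
    back, ok_back = trace(hosts, b, a) if ok_there else ([], False)
    return {"request": there, "reply": back, "ok": ok_there and ok_back}

def build(lan_routing, site2_routes):
    """Site 1 has the route -p entry from the thread; the two knobs are the rest of
    the advice: LAN routing on both VPN servers and return routes on site 2's servers."""
    return {
        "10.1.1.20": host("10.1.1.20", SITE1, [(SITE2, VPN1)]),
        VPN1: host(VPN1, SITE1, [(SITE2, VPN2)], forwards=lan_routing),  # tunnel to site 2
        VPN2: host(VPN2, SITE2, [(SITE1, VPN1)], forwards=lan_routing),  # tunnel to site 1
        "10.1.2.20": host("10.1.2.20", SITE2, [(SITE1, VPN2)] if site2_routes else []),
    }

if __name__ == "__main__":
    for cfg in [(False, False), (True, False), (True, True)]:
        print(cfg, ping(build(*cfg), "10.1.1.20", "10.1.2.20"))
```

The first configuration reproduces the symptom in the last post (the trace reaches 10.1.1.50 and stops), the second gets the request across but the reply has nowhere to go, and only the third completes the round trip.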