Solved

DNS using remote branch office server

Posted on 2009-07-08
8
848 Views
Last Modified: 2012-05-07
I'm running Windows Server 2003 domain servers.  DNS is running on these servers.  We are now opening a branch office.
In the branch office we will have 1 server running Windows Server 2008.
I want the clients in the branch office to authenticate to the windows domain over our site-to-site vpn.  However, when doing outside DNS lookups (using web browser, etc) I want them to direct their DNS queries to the server in the branch office.  So ultimately they will have a local DNS server.

So far I've only figured out how to handle both external and internal DNS lookups successfully on a domain controller.  But since this branch office server is not a domain controller, how can I set things up so that I can still have internal DNS working, AND use the branch office server for doing external lookups?

Thanks.
0
Comment
Question by:luchianoduckman
  • 3
  • 3
  • 2
8 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 24811121
Is the Office 2008 machine a domain member server?? And is your DNS server AD integrated??
You can give it a shot and try to install a local DNS server on the Server 2008 machine, point your local clients to this machine using DHCP and add conditional forwarders for your own domain pointing to the main Office 2003 domain servers. Tbh i would say upgrading the 2008 server to a DC, this way you will make your life much easier...
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24817005

Why will you not be making the server in the branch office a Domain Controller? It is best practice to have AT LEAST one Domain Controller at a remote location, and ALL DCs should be Global Catalogs (GCs). This means authentication traffic can remain LOCAL to the site, reducing the traffic required to flow over the VPN link to the DCs in the main site. Furthermore, a local DC means the site can continue to operate if the VPN line or Internet connection is lost, since a writable copy of the Active Directory database is held locally.

If you are concerned about DC security, you should consider deploying a Windows Server 2008 Read-Only Domain Controller (RODC) to the remote site. This will give similar benefits (local authentication), but does not hold a writable copy of Active Directory, so your domain cannot be damaged as easily if someone gains physical access to the server.

Having a server act as a DC is by no means a resource intensive task, and any modern server is capable of doing so. Having a local DC means it can become a DNS server, with zones replicating using AD-integrated zones, and then forwarders configured to forward non-local DNS requests directly to the nameservers at the ISP.

-Matt
0
 

Author Comment

by:luchianoduckman
ID: 24817918
I haven't tried installing a 2008 DC in a 2003 environment.
Can Windows 2003 and 2008 DCs hapily coexist?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24818039

Windows 2003 and 2008 DCs will happily co-exist. I have several networks running in this configuration and have not experienced any issues.

You need to remember that you cannot install a 2008 DC until the schema has been extended. This is a routine operation, which simply entails loading the Server 2008 DVD into your current Schema Master DC. Then, open a Command Prompt, switch to x:\SOURCES\ADPREP (where x: is the DVD drive) and run

adprep /forestprep
adprep /domainprep /gpprep

That will prepare the domain and the schema to support 2008 DCs, at which point you can then promote the 2008 DC as a DC via the standard dcpromo procedure.

-Matt
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:luchianoduckman
ID: 24819822
How do clients query for domain servers?  The reason I ask is the following:

If I have the DC running in the branch office - likely on the same subnet as the clients, at least for now - when I boot a Windows XP client machine, will it broadcast it's DC request on it's local subnet first, and the local DC will reply?

I don't entirely understand how clients discover the DC.  If I put a local DC in the branch office, I want to make sure that the clients are querying it correctly, rather than going to the vpn to query our main office DCs.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24820428
"If I have the DC running in the branch office - likely on the same subnet as the clients, at least for now - when I boot a Windows XP client machine, will it broadcast it's DC request on it's local subnet first, and the local DC will reply?"

Yes they do, they first look at their own site and broadcast a request to the network for receiving an ip address.. After that, when it also receives a DNS server ip address it will ask that DNS server for it's SRV record, this is the DC the machine will authenticate against, at least it will find the closest server in range..
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24822100

DCs are discovered through DNS. All the workstations in the branch office should be configured with their local DC as the preferred DNS server. When a station boots, it locates its nearest DC using the entries in the _msdcs subdomain of your main Active Directory DNS zone. The "broadcast" is something completely different; the stations transmit a broadcast packet to the network to locate a DHCP server, but that is largely irrelevant for locating a DC other than for giving clients a DNS Server address.

In order to allow clients to locate their nearest DC, you MUST configure Active Directory Sites and Services. In doing so, you allocate subnet objects to the two sites you create - one for your main office, another for the branch office. The subnet entries you bind to each site should define the subnet of the machines in that site. You can then move the DC object for the branch office into the branch office's site's 'Servers' container. When a station boots up, it uses its own subnet information and compares it to that stored in Active Directory; if it finds a matching site with a DC (in this case, the local DC), it will use that one preferably before attempting to communicate over the VPN to another DC in a different site.

-Matt
0
 

Author Closing Comment

by:luchianoduckman
ID: 31628734
Setup domain site...worked.  :)
0

Featured Post

Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now