Solved

Configuring Server 2008 Domain Controllers for future VPN Use

Posted on 2010-09-14
8
280 Views
Last Modified: 2012-05-10
We are setting up a new network that is actually two locations joined by two VPN routers that provide a constant tunnel. All of the servers are at location 1.

My question is should I configured location 2 servers while they are at location 1? If so, what are the key things that need to happen for success? We are planning to have a DFS setup between both locations, and to allow both sides of the network preform user login/authentication to the same domain.

Theoretically we would like it if one location went down (servers only, not internet/vpn) that the other could then preform the network authentication/login. Obviously it would be very slow, but still something that would be nice.

If I should not configure all the servers at location 1, I'm not seeing the picture perfectly as to how I could join server B to the domain hosted by server A. Since DNS doesn't work automatically over the VPN conneciton.

Location 1 - 10.8.44.x
Location 2 - 10.8.45.x

From either location I can ping by IP Address of a system/server on the other side but not by FQDN currently.
0
Comment
Question by:ne3
  • 3
  • 3
  • 2
8 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33676504
First thing is DNS should be able to work across the VPN no matter what.

You can create the Domain Controllers at HQ then send to remote location or you can create the DCs at the remote location either way will work. If you create at HQ you would need to change the IP scheme when they got on site.
0
 

Author Comment

by:ne3
ID: 33676884
First DNS: Since our servers provide DNS, is it not possible to use windows server dns to configure VPN DNS?


Secondly: Say VPN DNS was working fine, I could setup all the servers get everything working fine all at location 1 then change ip addresses and send to location 2. And that wouldn't screw up DFS or Active Directory.

I didn't think you could just "change" a servers IP Address easily without it breaking everything.
0
 

Expert Comment

by:ovidbailey
ID: 33677128
ne3,
It's pretty inexpensive (e.g., < $125)  to set up a test bench for this.
I'll make the following assumptions:
Current configuration:
Internet
     |
ISP Router1
     |
Firewall Router
     |
Inside Switch
    |              |
 DC1         DC2

To create the test environment, buy a cheap switch and a cheap VPN router. For the latter, something like a Netgear FVS318 or one of the Linksys routers with a V in the model (e.g., WRV54G or BEFVP).

Build the new environment like this:

Internet
        |
ISP Router1
        |
   New cheap switch
         |                         |
VPNRouter              Firewall router
         |                         |
     DC2                    DC1

Using this configuration, you can model a new site config, set up replication rules, etc. without screwing up your existing network and having to drive across the city/state/country to your other location.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Expert Comment

by:ovidbailey
ID: 33677191
Maybe not relevant for you, and you may have encountered this before, but you might confirm that your clients are configured to use TCP instead of UDP for Kerberos authentication communication. It's a quick registry or GP fix.
See this article:
http://support.microsoft.com/kb/244474
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 33681704
Yes you must have Windows DNS to run a domain. I'm not understanding why you can't use if you are running through VPN.
0
 

Author Comment

by:ne3
ID: 33681842
DNS across the VPN was not working because there was no Windows DNS server on the other side of the network, as we had not made it to that stage yet.

I've started configuring the servers that will go to Location 2 now, and everything looks like it will work fine. Thanks letting me knock info/ideas out of you.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33681973
Not a problem
0
 

Author Closing Comment

by:ne3
ID: 33718249
Wasn't a direct solution, but got me on the right track.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Local DNS and Home Routers 4 31
SPF record issue 6 32
NIC set to static, but still pulls DHCP address 8 18
Forest Functionality Level 3 16
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question