Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Configuring Server 2008 Domain Controllers for future VPN Use
Posted on 2010-09-14
We are setting up a new network that is actually two locations joined by two VPN routers that provide a constant tunnel. All of the servers are at location 1.
My question is should I configured location 2 servers while they are at location 1? If so, what are the key things that need to happen for success? We are planning to have a DFS setup between both locations, and to allow both sides of the network preform user login/authentication to the same domain.
Theoretically we would like it if one location went down (servers only, not internet/vpn) that the other could then preform the network authentication/login. Obviously it would be very slow, but still something that would be nice.
If I should not configure all the servers at location 1, I'm not seeing the picture perfectly as to how I could join server B to the domain hosted by server A. Since DNS doesn't work automatically over the VPN conneciton.
Location 1 - 10.8.44.x
Location 2 - 10.8.45.x
From either location I can ping by IP Address of a system/server on the other side but not by FQDN currently.
My question is should I configured location 2 servers while they are at location 1? If so, what are the key things that need to happen for success? We are planning to have a DFS setup between both locations, and to allow both sides of the network preform user login/authentication to the same domain.
Theoretically we would like it if one location went down (servers only, not internet/vpn) that the other could then preform the network authentication/login. Obviously it would be very slow, but still something that would be nice.
If I should not configure all the servers at location 1, I'm not seeing the picture perfectly as to how I could join server B to the domain hosted by server A. Since DNS doesn't work automatically over the VPN conneciton.
Location 1 - 10.8.44.x
Location 2 - 10.8.45.x
From either location I can ping by IP Address of a system/server on the other side but not by FQDN currently.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
3
-
2
8 Comments
First thing is DNS should be able to work across the VPN no matter what.
You can create the Domain Controllers at HQ then send to remote location or you can create the DCs at the remote location either way will work. If you create at HQ you would need to change the IP scheme when they got on site.
You can create the Domain Controllers at HQ then send to remote location or you can create the DCs at the remote location either way will work. If you create at HQ you would need to change the IP scheme when they got on site.
First DNS: Since our servers provide DNS, is it not possible to use windows server dns to configure VPN DNS?
Secondly: Say VPN DNS was working fine, I could setup all the servers get everything working fine all at location 1 then change ip addresses and send to location 2. And that wouldn't screw up DFS or Active Directory.
I didn't think you could just "change" a servers IP Address easily without it breaking everything.
Secondly: Say VPN DNS was working fine, I could setup all the servers get everything working fine all at location 1 then change ip addresses and send to location 2. And that wouldn't screw up DFS or Active Directory.
I didn't think you could just "change" a servers IP Address easily without it breaking everything.
ne3,
It's pretty inexpensive (e.g., < $125) to set up a test bench for this.
I'll make the following assumptions:
Current configuration:
Internet
|
ISP Router1
|
Firewall Router
|
Inside Switch
| |
DC1 DC2
To create the test environment, buy a cheap switch and a cheap VPN router. For the latter, something like a Netgear FVS318 or one of the Linksys routers with a V in the model (e.g., WRV54G or BEFVP).
Build the new environment like this:
Internet
|
ISP Router1
|
New cheap switch
| |
VPNRouter Firewall router
| |
DC2 DC1
Using this configuration, you can model a new site config, set up replication rules, etc. without screwing up your existing network and having to drive across the city/state/country to your other location.
It's pretty inexpensive (e.g., < $125) to set up a test bench for this.
I'll make the following assumptions:
Current configuration:
Internet
|
ISP Router1
|
Firewall Router
|
Inside Switch
| |
DC1 DC2
To create the test environment, buy a cheap switch and a cheap VPN router. For the latter, something like a Netgear FVS318 or one of the Linksys routers with a V in the model (e.g., WRV54G or BEFVP).
Build the new environment like this:
Internet
|
ISP Router1
|
New cheap switch
| |
VPNRouter Firewall router
| |
DC2 DC1
Using this configuration, you can model a new site config, set up replication rules, etc. without screwing up your existing network and having to drive across the city/state/country to your other location.
Maybe not relevant for you, and you may have encountered this before, but you might confirm that your clients are configured to use TCP instead of UDP for Kerberos authentication communication. It's a quick registry or GP fix.
See this article:
http://support.microsoft.com/kb/244474
See this article:
http://support.microsoft.com/kb/244474
Yes you must have Windows DNS to run a domain. I'm not understanding why you can't use if you are running through VPN.
DNS across the VPN was not working because there was no Windows DNS server on the other side of the network, as we had not made it to that stage yet.
I've started configuring the servers that will go to Location 2 now, and everything looks like it will work fine. Thanks letting me knock info/ideas out of you.
I've started configuring the servers that will go to Location 2 now, and everything looks like it will work fine. Thanks letting me knock info/ideas out of you.
Featured Post
The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.
One of a set of tools we're offering as a way of saying thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
Here's a look at newsworthy articles and community happenings during the last month.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention.
Multiple USB devices need t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten.
The USB drive must be s…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month5 days, 15 hours left to enroll
Earn Certification
MCSA Configuring Windows 7 Exam 70-680
$49.00$44.10
626 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.