

configure child domain through bovpn

Posted on 2011-10-26
Medium Priority
Last Modified: 2012-08-13
Hi Experts,
I am trying to configure a child domain via BOVPN (branch office VPN), the problem is that I cannot browse to my remote site typing machine name. How can I configure my remote site so that we can browse remote machines, printers, etc. by name?

Is child domain an option to the setup?
Question by:Newco
LVL 29

Accepted Solution

pwindell earned 2000 total points
ID: 37038306
BOVPN?  sounds like WatchGuard.

Forget "browsing".  Browsing is not required for anything to work,...and is never itself going to ever work dependably over even just a normal router between two subnets,...let alone over a VPN or a Slow WAN link.

For a Child domain I assume you are going to build at least one DC at each Site.  When you build the first DC it needs to start out as a Stand Alone Server (not a "member" of anything).  It needs to use the DCs at the Master Domain as its DNS (it must not use anything else for DNS).  Make sure it has the DNS Service installed on the machine but you must leave the DNS unconfigured and allow the DC Promo process to configure it.  When you run DC Promo you must specify that it is to be a Child Domain of a Parent Domain in a Single Forest and provide the name of the Parent Domain.  Once the process is complete you must change the DNS in its TCP/IP Specs to point to itself for DNS.

If you do a second DC in the same Site then you do that one a little differently.  Its TCP/IP Specs will simply point at the other DC you created previously and when running DC Promo you will tell it that it is to be a DC in an existing Domain and provide the name of the Child Domain.  When completed the TCP/IP Specs of the pair of DCs should point to each other first then themselves second and then to third.  The reason for this is because you want the first choice to be a DC that is most likely already running when the machine is booting up.  The reason it is last is because it is the least desirable and is only really there so that it can communicate with its own DNS Service in the event it has some kind of issue with its networking stack where it can't communicate with normal IP#s.
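
The procedure in the accepted answer (first DC as a stand-alone server using the parent's DNS, promotion configuring DNS itself, DNS repointed afterwards, second DC joining the existing child domain, resolver order partner / self / loopback) written out as a script. This is an added example, not code from the thread, from WatchGuard or from Microsoft; it assumes Windows Server 2012 or later with the ADDSDeployment module (the thread's Server 2008 DC Promo wizard asks for the same information interactively). The domain names, addresses and the adapter alias are constructed placeholders.

```powershell
# Added example, not from the original thread. Builds the child domain the way
# the accepted answer describes, on Windows Server 2012+ (ADDSDeployment module).
# All names, addresses and the adapter alias below are constructed placeholders.
#
#   Parent (HQ) domain    : corp.example.com          HQ DC  10.1.0.10
#   Child (branch) domain : branch.corp.example.com
#   First branch DC       : BR-DC1  10.2.0.10
#   Second branch DC      : BR-DC2  10.2.0.11

$ParentDomain = 'corp.example.com'
$ChildName    = 'branch'
$ChildDomain  = "$ChildName.$ParentDomain"
$HqDc         = '10.1.0.10'
$BrDc1        = '10.2.0.10'
$BrDc2        = '10.2.0.11'
$Nic          = 'Ethernet'    # alias of the adapter on the server being promoted

# ---- Run on BR-DC1 while it is still a stand-alone (workgroup) server ----
# It must use the parent's DCs, and nothing else, for DNS until promotion is done.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $HqDc

# Install the AD DS and DNS Server roles, but configure nothing by hand.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools

# Creating a child domain needs an Enterprise Admins account from the parent forest.
$Cred = Get-Credential -Message "Enterprise Admins account in $ParentDomain"
$Dsrm = Read-Host 'Directory Services Restore Mode password' -AsSecureString

# New child domain in the existing forest. -InstallDns lets the promotion
# configure DNS itself; -CreateDnsDelegation writes the 'branch' delegation
# into the parent zone. The first DC of a new domain is a global catalog by default.
Install-ADDSDomain `
    -Credential $Cred `
    -NewDomainName $ChildName `
    -ParentDomainName $ParentDomain `
    -DomainType ChildDomain `
    -InstallDns `
    -CreateDnsDelegation `
    -SafeModeAdministratorPassword $Dsrm `
    -NoRebootOnCompletion `
    -Force

# Promotion is done: now, and only now, point the DC at itself for DNS, then reboot.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $BrDc1
Restart-Computer

# ---- Run on BR-DC2 (stand-alone server) once BR-DC1 is back up ----
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $BrDc1
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
$Cred = Get-Credential -Message "Domain Admins account in $ChildDomain"
$Dsrm = Read-Host 'Directory Services Restore Mode password' -AsSecureString

# Additional DC in the now-existing child domain (the "DC in an existing Domain" path).
Install-ADDSDomainController `
    -Credential $Cred `
    -DomainName $ChildDomain `
    -InstallDns `
    -SafeModeAdministratorPassword $Dsrm `
    -NoRebootOnCompletion `
    -Force
Restart-Computer

# ---- Final resolver order on each branch DC, as the answer recommends ----
# Partner first (most likely already running at boot), self second, loopback last
# (only useful when the normal IP stack is in trouble).
# On BR-DC1:
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($BrDc2, $BrDc1, '127.0.0.1')
# On BR-DC2:
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($BrDc1, $BrDc2, '127.0.0.1')

# ---- Checks before trusting the result ----
# Child DC locator records exist, and the parent's are reachable across the VPN.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ChildDomain"  -Type SRV
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ParentDomain" -Type SRV
# The delegation in the parent zone points at the branch DCs.
Resolve-DnsName -Name $ChildDomain -Type NS -Server $HqDc
# Replication and DNS registration health (built-in tools).
repadmin /replsummary
dcdiag /test:DNS
```

The script is meant to be run section by section on the server named in each comment, since each promotion ends in a reboot. The checks at the end are what tell you the VPN is carrying what AD needs: if the SRV lookup for the parent fails from the branch DC, no amount of WINS or browsing configuration will make the child domain replicate.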

Author Comment

ID: 37039036
Yes, it is a WatchGuard XTM 2 series.

I got the browsing part figured out; I am pointing WINS to the WINS server at the HQ site; so far everything is working, the machine was joined as a member server and no problems. I am going to add DNS, DHCP services and promote to a DC so it can keep a copy of the GAL.

If I keep going this route, is there anything I should be aware of?
LVL 29

Expert Comment

ID: 37039122
I don't think it is supposed to be a Member Server.   You are creating a new domain with it,...not joining an existing one.

The GAL has nothing to do with anything at this point.  The GAL does not come from the Domain,...it comes from the Exchange Organization,...and the boundary of the Exchange Organization is the Forest, not the Domain as far as I know,...maybe some Exchange Expert can verify that..

You can install DNS and DHCP on the box,..but you cannot configure them now.  The machine has to use the DNS at HQ until after the DC Promo (just like you are doing with WINS).   DNS will be configured on the box automatically when it is DC Promo'ed.  DHCP cannot be configured until the Child Domain is in place and fully functional.

Routing should not be a problem as long as the Internet Firewall and the VPN Router are the same physical device,...which in this case,..that is so.

Author Comment

ID: 37080407
You are right, GAL has to do with Exchange; I meant to say GC.
As for installing DNS & DHCP: I installed a secondary DNS that copies the HQ-DNS but as for DHCP, I installed it to create leases on the new scope:
HQ scope:
Remote Scope:

So far it is working well and I can browse both sites without a problem, but I still have to create the child domain. I am studying how to do it because I don't have experience with Server 2008; if you have some docs on how to do it, I would appreciate it.

Yes, Inet firewall and VPN router are the same appliance.

Thank you for the help, I am at the HQ site but will go to visit the remote site tomorrow.
LVL 29

Expert Comment

ID: 37083035
As for installing DNS & DHCP: I installed a secondary DNS that copies the HQ-DNS

Unless I misunderstand what you mean by that,...I don't see any point in that,...in fact it may get in the way.  When a DC is created the DNS is configured automatically and correctly,...don't mess with it from there unless you know that what you are doing is documented to be the exact correct thing to do,...do not "guess" at things,...do not "wing-it" and hope things might work..
Don't create any Zones, don't create any Zone Transfers
Don't create any DNS Servers that are not DCs.

I have no "official" documents, but my first above post outlines creating a Child Domain.   Assuming your first Domain (the Parent) is already in place and works correctly,...you take a stand alone server,...point its TCP/IP Specs at one of your Domain Controllers,....run DC Promo and tell it that it is to be a new Child Domain of an existing Parent Domain.   When finished, move its TCP/IP Specs to point to itself for DNS if it is going to be a single DC for the Child.  The Parent and Child are fully aware of each other through DNS which is replicated by AD,...they do not have to point DNS at each other once everything is in place.   Just look at my first post.

The only thing I am not sure of is if the new DC has to be a Member first,...but since it is effectively creating a "new" Domain,....I do not think it has to be a Member of anything.

Author Comment

ID: 37083709
Thanks pwindell,
I actually did what you said not to do... I know it's not recommended; I want to make it right and that's why I have this post.
I will go back to your first post and concentrate on the child DC and build from there. I will post back tomorrow.

Thank you for the help!

Author Closing Comment

ID: 37108655
Thank you, that's what I should have done to begin with.
