
DC promotion over slower WAN link

Last Modified: 2012-05-12
We are in the process of standing up several remote DCs that will reside in branch offices that are connected over a WAN link.  Our AD infrastructure is on the larger side, with perhaps 10 to 20,000 objects to replicate.  Our desire is for each remote DC to be both a DNS server and a GC.  Are there any gotchas to performing such a promotion?  Anything we should keep an eye on?  Specifically I'm curious about:
1. length of time initial replication push might take.
2. whether or not the DC will try to self-register in its own copy of DNS before replication has completed, thereby causing some failures.
3. Any other issues with this type of promotion that we may not have considered or know about.

Background Info:
The servers are Server 2008 R2, and the domain is mixed with some 2003 DCs still in the domain, but back at the main data center.  The domain infrastructure has an empty root domain, and a child domain where all accounts (user/computer) reside.  The new DCs will be child members, not root members.

CERTIFIED EXPERT
Top Expert 2013

Commented:
What is the link speed of the WAN, and how big is your ntds.dit?

You can also use the install from media option, which can help save bandwidth: http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm

Thanks


Mike
Network Engineer
CERTIFIED EXPERT
Commented:
Set the server to use another DNS server as its primary DNS server. I think that replication might take an hour or two over a T1. Have you considered using read only domain controllers? I love them because in the past we had to connect to the branch DC when unlocking a user or changing a password. Since we have moved to RODC at all branches we don't have to do that anymore. RODC would also cut down on your replication time because most accounts won't get replicated.

Author

Commented:
We strongly considered RODCs but elected against them since physical security of the server is not a primary concern (they are VMs and locked in a secure location).  We are deploying an RODC in our DMZ environment.

The NTDS.DIT file is about 500 MB so it's not excessive; however, I know it will take time to copy the file out and fully process.  I'm figuring on about 20 min for the replication, considering it takes about 10 min for it to fully process locally.
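Whatever the estimate, the thing to watch after the reboot is whether the new DC has finished its initial sync and started advertising, because that is also the answer to the DNS self-registration question: Netlogon does not register the DC's SRV records until the DC advertises, and it does not advertise until the first replication pass completes. The checks below are an added example, not from the thread; the names are assumptions (branch DC BRDC01, hub DC HUBDC01 at 10.0.0.10, child domain child.corp.example, site "Branch-01", NIC "Local Area Connection").

```powershell
# Added example, not from the thread. Names are assumptions: new branch DC
# BRDC01, hub DC HUBDC01 (10.0.0.10), child domain child.corp.example,
# site "Branch-01", branch NIC "Local Area Connection". Run on BRDC01.

# ---- 1. Is initial replication done? Until its first sync completes the new
# DC does not advertise: Netlogon registers no DC SRV records and SysvolReady
# stays 0. "advertising" is the real gate, not the clock.
dcdiag /s:BRDC01 /test:advertising
dcdiag /s:BRDC01 /test:replications
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name SysvolReady

# ---- 2. Per-partition inbound replication with last success/failure, the
# forest-wide summary, and the DC's option flags; BRDC01 should report IS_GC
# once the GC partial partitions have replicated.
repadmin /showrepl BRDC01
repadmin /replsummary
repadmin /options BRDC01

# ---- 3. DNS: the new DC's zone copy is populated by AD replication, so only
# now can its own records be expected locally. Force re-registration through
# Netlogon, run the basic DNS tests, and resolve the site-specific SRV record
# against the local server rather than the hub.
nltest /dsregdns
dcdiag /s:BRDC01 /test:dns /DnsBasic
nslookup -type=SRV _ldap._tcp.Branch-01._sites.dc._msdcs.child.corp.example 127.0.0.1

# ---- 4. Only after the above pass, re-point the DNS client: a hub DC stays
# primary and the loopback goes in as secondary, so a problem with the local
# DNS server can never leave this DC unable to locate its own domain.
netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=10.0.0.10 register=primary
netsh interface ipv4 add dnsservers name="Local Area Connection" address=127.0.0.1 index=2
```

If step 1 shows the DC not advertising long after the expected window, `repadmin /showrepl` in step 2 is where the stuck partition (and the error it is stuck on) shows up.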
CERTIFIED EXPERT
Top Expert 2013
Commented:
Unless you are dealing with a dialup connection or a slow satellite connection I wouldn't worry much about 500 MB.  Doing it after hours shouldn't cause too much stress.

Thanks

Mike
kevinhsieh
Network Engineer
CERTIFIED EXPERT

Commented:
I don't use RODC because of the physical security issues; I use them because it makes management easier when all of the writeable DCs are local, as opposed to some changes which we had to make on a specific DC lest we have to wait for AD replication.
