elemist

Setting up DNS / RODC in branch office

Howdy All,

I'm in the process of trying to sort out a setup for our new branch office. We currently have an SBS 2011 server in our head office which provides the usual Exchange/SharePoint/file & print, etc.

In the branch office we currently have two staff, but this will scale in the coming months.

The plan is to install a couple of draytek routers with a site to site vpn configured between them. Then in the branch office install a basic server configured as an RODC and a file/print server.

I've got the two routers configured and I can ping between the two networks, and also access file shares and RDP to the servers in the head office, however only by IP address.

My next step is to set up DNS/RODC, but I'm a bit unsure how to go about this. I've read plenty of Microsoft articles which involve 2-300 pages of some helpful info about prerequisites etc., as well as more basic guides online.

My main issue at the moment is DNS. I haven't yet installed the DNS role, as generally I have installed it as part of the dcpromo / ADDS installation.

I attempted to run a dcpromo; however, because DNS isn't able to resolve the domain at the other end of the VPN, I can't proceed.

I next went to install DNS manually, but again hit an issue because the ADDS role is now installed, and it spits back an error that the DNS role should be run at the same time.

Finally I had the bright idea to adjust the DNS server address on the network adapter to point to the SBS server which provides DNS at the main office.

Before I flounder around and break something, can someone give me some pointers about the correct way to proceed from here?

Thanks muchly in advance!
elemist

ASKER

Also I've read that it's not recommended to install both an RODC and an RWDC in the same "AD site"? Does SBS support multiple sites? And if so, is this something I should be configuring?
ASKER CERTIFIED SOLUTION
Will Szymkowski
I don't believe there is an issue with multiple sites on SBS, however there is a limit of 75 users.

I would suggest that you install the server at the primary site as a member server and then DCPROMO it. There is really no need to do an RODC in this configuration. Once the server is a DC, create a new site and ensure that you can route between the sites.

Then you can move the server to the second site and change its IP address. It will know how to find the SBS server as long as it can route to it via the VPN tunnel.

At both locations you can setup the primary and secondary DNS servers as follows:

Devices at Primary Location:
Primary DNS: SBS
Secondary DNS: DC at second location.

Devices at Secondary Location:
Primary DNS: DC at second Location
Secondary DNS: SBS

Thanks,
S.
Another thing you should consider is the PRP (password replication policy). You should see a tab for this under the computer's properties.

ASKER

Thanks for your quick replies.

Firstly, the main reason for an RODC is that the site has very low security and no IT support. At some point, depending on growth, we may bring in a contractor to do basic support, and I don't want any chance of some cowboy screwing up a full-blown DC and that replicating to head office.

I've set the DNS server address on the adapter to the main office DNS server and proceeded through the dcpromo. So far everything has gone OK; it's just replicating AD now.

Once that's complete, could I change the DNS address to point locally at itself? I want to set up DHCP for the clients and have them pointing to a local DNS server. I'm not 100% sure how stable the VPN link will be, and the last thing I want is for everything to break when it drops out.
Yes, just set up a forwarder for DNS, and the secondary address should be the IP address of the SBS. This way, if the DNS service is down or restarting, the server can still get DNS.

Thanks,
S.
That is exactly correct. You can then change it to point at itself once DNS and ADDS have been completed. What I would recommend is having the secondary DNS server added on the remote server, so if for whatever reason the DNS is not working locally it will query the DNS server at the main office.
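As an added example (not code from this thread or from any of the posters), the branch-DC DNS ordering, forwarder, separate AD site and the PRP tab mentioned in the answers above, done in PowerShell. It assumes Windows Server 2012 or later on the branch server with the ActiveDirectory, DnsServer and NetTCPIP modules, and placeholder values: domain corp.example.com, SBS DNS at 10.0.1.10, branch DC at 10.0.2.10, branch subnet 10.0.2.0/24, head-office site Default-First-Site-Name, and an AD group Branch-Office-Users.

```powershell
# Added example, not from the thread. All names and addresses below are
# placeholders (assumptions), not values taken from the original question.
$Domain     = 'corp.example.com'
$SbsDns     = '10.0.1.10'     # SBS 2011 at head office (DNS + writable DC)
$BranchDc   = '10.0.2.10'     # this branch server
$BranchNet  = '10.0.2.0/24'
$BranchSite = 'Branch-Office'
$HqSite     = 'Default-First-Site-Name'

# 1. DNS client order on the branch DC: itself first, SBS second, so names
#    still resolve while the local DNS service restarts or the VPN is up
#    but the local service is broken.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $BranchDc, $SbsDns

# 2. Forward everything this DC is not authoritative for to the SBS box
#    (not to the ISP), so internal names resolve identically at both sites.
Set-DnsServerForwarder -IPAddress $SbsDns -UseRootHint $false

# 3. Separate AD site + subnet for the branch, so branch clients locate the
#    local DC and replication crosses the VPN on a schedule, not ad hoc.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$BranchSite'")) {
    New-ADReplicationSite -Name $BranchSite
    New-ADReplicationSiteLink -Name "$HqSite-$BranchSite" `
        -SitesIncluded $HqSite, $BranchSite -Cost 100 -ReplicationFrequencyInMinutes 15
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$BranchNet'")) {
    New-ADReplicationSubnet -Name $BranchNet -Site $BranchSite
}
Move-ADDirectoryServer -Identity $env:COMPUTERNAME -Site $BranchSite

# 4. If this DC is an RODC, limit which accounts' password hashes it may
#    cache (the PRP tab in the computer's properties) to the branch group,
#    so a compromise of the low-security site exposes only those secrets.
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME
if ($dc.IsReadOnly) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $dc -AllowedList 'Branch-Office-Users'
}

# 5. Verify: both servers must answer the SRV record clients use to find
#    a DC; a missing answer from the branch DC means DNS/AD replication
#    has not completed or the zone is not yet loaded locally.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
foreach ($server in $BranchDc, $SbsDns) {
    $r = Resolve-DnsName -Name $srv -Type SRV -Server $server -ErrorAction SilentlyContinue
    if ($r) { "$server answers $srv -> $($r.NameTarget -join ', ')" }
    else    { "WARNING: $server did not answer $srv; check replication and the VPN" }
}
```

Run it elevated on the branch DC after dcpromo and initial replication have finished; step 5 is safe to rerun on its own whenever the VPN link is suspected of dropping.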