Setting up DNS / RODC in branch office

Posted on 2012-08-20
3,024 Views
Last Modified: 2012-09-05
Howdy All,

I'm in the process of trying to sort out a setup for our new branch office. We currently have an SBS 2011 server in our head office which provides the usual Exchange/SharePoint/file & print etc.

In the branch office we currently have two staff, but this will scale in the coming months.

The plan is to install a couple of DrayTek routers with a site-to-site VPN configured between them. Then in the branch office install a basic server configured as an RODC and a file/print server.

I've got the two routers configured and I can ping between the two networks, and also access file shares and RDP to the servers in the head office, however only by IP address.

My next step is to set up DNS/RODC, but I'm a bit unsure how to go about this. I've read plenty of Microsoft articles which involve 2-300 pages of some helpful info about prerequisites etc., as well as more basic guides online.

My main issue at the moment is DNS. I haven't yet installed the DNS role, as generally I have installed it as part of the dcpromo / ADDS installation.

I attempted to run a dcpromo - however, because DNS isn't able to resolve the domain at the other end of the VPN, I can't proceed.

I next went to install DNS manually, but again hit an issue because the ADDS role is now installed, and it spits back an error that the DNS role should be run at the same time.

Finally I had the bright idea to adjust the DNS server address on the network adapter to point to the SBS server which provides DNS at the main office.

Before I flounder around and break something, can someone give me some pointers about the correct way to proceed from here?

Thanks muchly in advance!
Question by: elemist

7 Comments
 
LVL 1

Author Comment

by:elemist
ID: 38312150
Also I've read that it's not recommended to install both an RODC and a RWDC in the same "AD site"? Does SBS support multiple sites? And if so, is this something I should be configuring?
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 38312274
In order to have DNS in your remote office you would initially add the DNS server to the network properties of your card. This will allow you to ping the domain and devices in it.

From there you will be able to promote the remote server as an RODC. The RODC is completely read-only DNS/ADDS etc. If you are using an RODC, make sure that you currently have a RWDC in your environment as well.

While you can use an RODC with a 2003 FFL, the updates get pushed to the RODC only by 2008 RWDCs.

Once you have successfully promoted the RODC, check Sites and Services to ensure that this has been updated, along with the DC that will be the replication partner.

Hope this helps!
0
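The sequence Will describes (point the branch server's NIC at the head-office DNS, confirm it can locate the domain, then promote it as an RODC and check Sites and Services) as an added PowerShell example. This is not code from the thread or from any of the posters; it assumes the branch server runs Windows Server 2012 or later (so the DnsClient, ActiveDirectory and ADDSDeployment modules are available) and uses placeholder values for the SBS address, domain name, branch subnet and site name.

```powershell
# Added example, not from the original thread. All values below are placeholders.
$SbsDns      = '10.0.0.10'            # IP of the SBS 2011 server (DNS at head office)
$DomainName  = 'corp.example.local'   # AD domain name
$BranchSite  = 'BranchOffice'         # new AD site for the branch
$BranchNet   = '10.1.0.0/24'          # branch LAN subnet
$Nic         = 'Ethernet'             # interface alias of the branch server's LAN adapter

# Step 1: make the branch server resolve the domain through the SBS across the VPN.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $SbsDns

# Step 2: before promoting, prove that a domain controller can be located.
# The DC locator SRV record is what dcpromo needs; if this fails, stop and fix routing/DNS first.
$dcRecord = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $SbsDns -ErrorAction Stop
$dcRecord | Select-Object Name, NameTarget, Port

# Step 3: give the branch its own AD site and subnet so the RODC is not in the same
# site as the writable SBS DC and so clients in the branch subnet pick the local DC.
Import-Module ActiveDirectory
New-ADReplicationSite   -Name $BranchSite
New-ADReplicationSubnet -Name $BranchNet -Site $BranchSite
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $BranchSite}

# Step 4: promote the branch server as a read-only domain controller with DNS,
# replicating from the SBS (the only writable DC in this environment).
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName $DomainName `
    -ReadOnlyReplica `
    -SiteName $BranchSite `
    -InstallDns `
    -ReplicationSourceDC "sbs.$DomainName" `
    -Credential (Get-Credential -Message "Domain Admins account in $DomainName") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# Step 5 (after the reboot): confirm the RODC landed in its site and replicates from the SBS.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object HostName, Site, IsReadOnly, OperatingSystem
repadmin /showrepl
```

The site and subnet are created before promotion so that `-SiteName` can place the RODC directly into the branch site; the SRV lookup in step 2 is the same check dcpromo performs internally, which is why the original attempt failed before the NIC pointed at the SBS.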
 
LVL 6

Expert Comment

by:SebastianAbbinanti
ID: 38312281
I don't believe there is an issue with multiple sites on SBS; however, there is a limit of 75 users.

I would suggest that you install the server at the primary site as a member server and then dcpromo it. There is really no need to do an RODC in this configuration. Once the server is a DC, create a new site and ensure that you can route between the sites.

Then you can move the server to the second site and change its IP address. It will know how to find the SBS server as long as it can route to it via the VPN tunnel.

At both locations you can set up the primary and secondary DNS servers as follows:

Devices at Primary Location:
Primary DNS: SBS
Secondary DNS: DC at second location.

Devices at Secondary Location:
Primary DNS: DC at second location
Secondary DNS: SBS

Thanks,
S.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 38312284
Another thing you should consider is the PRP (password replication policy). You should see a tab for this under the computer's properties.
0
 
LVL 1

Author Comment

by:elemist
ID: 38312398
Thanks for your quick replies.

Firstly, the main reason for an RODC is the site has very low security, and no IT support. At some point depending on growth we may bring in a contractor to do basic support, and I don't want any chance of some cowboy screwing up a full-blown DC and that replicating to head office.

I've set the DNS server address on the adapter to the main office DNS server and proceeded through the dcpromo. So far everything has gone OK - it's just replicating AD now.

Once that's complete could I change the DNS address to point locally at itself? I want to set up DHCP for the clients and have them pointing to a local DNS server. I'm not 100% sure how stable the VPN link will be, and the last thing I want is for everything to break when it drops out.
0
 
LVL 6

Expert Comment

by:SebastianAbbinanti
ID: 38312422
Yes, just set up a forwarder for DNS, and the secondary address should be the IP address of the SBS. This way, if the DNS service is down or restarting, the server can still get DNS.

Thanks,
S.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 38312424
That is exactly correct. You can then change it to point at itself once DNS and ADDS have been completed. What I would recommend is having the secondary DNS server added on the remote server so if, for whatever reason, the DNS is not working locally, it will query the DNS server at the main office.
0
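The post-promotion steps agreed on in the last few replies (branch DC pointing at itself first with the SBS as secondary, a forwarder to the SBS, the same DNS order handed to branch clients by DHCP) plus the PRP check Will raised earlier, as one added PowerShell example. This is not code from the thread or from any poster; it assumes Windows Server 2012 or later cmdlets on the branch RODC, that the DHCP role is installed there, and uses placeholder addresses, domain name and a hypothetical "BranchOffice Users" group.

```powershell
# Added example, not from the original thread. All values below are placeholders.
$BranchDc   = '10.1.0.10'            # this RODC's own LAN address
$SbsDns     = '10.0.0.10'            # SBS 2011 at head office
$DomainName = 'corp.example.local'
$ScopeId    = '10.1.0.0'             # DHCP scope serving branch clients
$Nic        = 'Ethernet'

# 1. Branch DC resolves against itself first and falls back to the SBS over the VPN.
#    Pointing at itself only after promotion is the order the thread settles on.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @($BranchDc, $SbsDns)

# 2. Forward everything the local server is not authoritative for to the SBS,
#    so internet names are resolved the same way they are at head office.
Add-DnsServerForwarder -IPAddress $SbsDns -PassThru

# 3. Give branch clients the same order via DHCP option 6 (DNS) and option 15 (domain),
#    so a VPN outage does not leave them querying only a server they cannot reach.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $BranchDc, $SbsDns -DnsDomain $DomainName

# 4. Prove the branch can locate a DC using only the local server (no VPN dependency).
Resolve-DnsName -Name "_ldap._tcp.$DomainName" -Type SRV -Server $BranchDc |
    Select-Object Name, NameTarget, Port

# 5. Password Replication Policy: an RODC caches no passwords by default, so logons
#    at the branch still need the VPN. Review what is currently allowed and denied...
$rodc = $env:COMPUTERNAME
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, objectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, objectClass

# ...then allow only the branch users' group to be cached, keeping admin and
#    service accounts in the default denied set so a compromised RODC exposes
#    as few credentials as possible. (Group name is hypothetical.)
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'BranchOffice Users'

# 6. Show which accounts have actually had their secrets cached on this RODC.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, objectClass
```

Keeping the allowed list to a branch-specific group is the point of the PRP: it is what limits the blast radius of a physically exposed RODC, which is the risk the question gives as the reason for choosing an RODC in the first place.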