Dimitris Ioakimoglou
asked on
Do subdomains need to contact each other, and why?
Hello everyone,
I need help with the following:
We have several subdomains in my company's network, each in a remote location, each connected over an IPsec VPN. Let's call my remote sites 1 and 2 and my central site HQ.
Everything is Windows 2008 R2. Everything works fine (so far) except for an error I see in Event Viewer. The KCC tries to map the Active Directory topology, and it seems the domain controller from site 1 tries to connect to the DC in site 2, and it fails. Now, both of those sites are remote sites. Actually I DON'T want those 2 sites to be able to access each other.
I could fix this via firewalling and just letting the DC-related traffic through, but do I really need this?
I did remove the replication object between the DCs in sites 1 and 2; however, I get the following errors:
1925 (The attempt to establish a replication link for the following writable directory partition failed.)
and
1865 (The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.)
and
1311 (There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.)
So, can anyone suggest what I should do? Do I need to fix this and let the sites communicate, or can I simply bypass this somehow? What would be the effect?
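Events 1865 and 1311 are the KCC saying that, from the local site, it cannot find a chain of site links that reaches every other site. The PowerShell script below is an added example, not code from the original thread or from Experts Exchange: it rebuilds the site-link graph the KCC works from, reports which sites are unreachable from the site the running machine belongs to, and shows whether "Bridge all site links" is enabled on the IP transport (with it off, only explicit site-link bridges make links transitive). It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2012 or later; a 2008 R2 forest like the asker's can be queried from such a workstation) and an account that can read the Configuration partition. No site names are hard-coded; they are read from the directory.

```powershell
# Added example: inspect the site-link topology the KCC uses when it reports events 1865/1311.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2012+) and read access to
# the Configuration partition. Nothing here changes the directory.
Import-Module ActiveDirectory

function Get-SiteLinkGraph {
    # Adjacency table: site name -> set of sites it shares at least one site link with.
    $graph = @{}
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $graph[$site.Name] = New-Object 'System.Collections.Generic.HashSet[string]'
    }
    foreach ($link in Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost) {
        # SitesIncluded holds the DNs of the member sites; keep only the CN (the site name).
        $members = @($link.SitesIncluded | ForEach-Object { $_ -replace '^CN=([^,]+),.*$', '$1' })
        foreach ($a in $members) {
            foreach ($b in $members) {
                if ($a -ne $b -and $graph.ContainsKey($a)) { [void]$graph[$a].Add($b) }
            }
        }
    }
    return $graph
}

function Get-UnreachableSites {
    # Breadth-first walk over the site-link graph from $FromSite. Whatever is left over is
    # the set of sites the KCC cannot reach through any chain of site links, which is
    # what event 1865 lists.
    param([hashtable]$Graph, [string]$FromSite)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    [void]$seen.Add($FromSite)
    $queue.Enqueue($FromSite)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        if (-not $Graph.ContainsKey($current)) { continue }
        foreach ($next in $Graph[$current]) {
            if ($seen.Add($next)) { $queue.Enqueue($next) }
        }
    }
    return @($Graph.Keys | Where-Object { -not $seen.Contains($_) })
}

function Test-SiteLinkBridging {
    # Bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) on the IP transport container means
    # "Bridge all site links" is turned OFF, so site links are not treated as transitive
    # unless an explicit site-link bridge joins them.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
    $opts = if ($null -ne $ipTransport.options) { [int]$ipTransport.options } else { 0 }
    return -not ($opts -band 0x2)   # $true when all site links are bridged (transitive)
}

# Report for the site this machine is a member of.
$graph     = Get-SiteLinkGraph
$localSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
"Local site: $localSite"
"Bridge all site links enabled: $(Test-SiteLinkBridging)"
"Site-link neighbours of each site:"
foreach ($name in ($graph.Keys | Sort-Object)) {
    "  {0} -> {1}" -f $name, (($graph[$name] | Sort-Object) -join ', ')
}
$unreachable = Get-UnreachableSites -Graph $graph -FromSite $localSite
if ($unreachable.Count -eq 0) {
    "Every site is reachable from $localSite through the site-link graph."
} else {
    "Sites the KCC cannot reach from $localSite (compare with the list in event 1865):"
    $unreachable | ForEach-Object { "  $_" }
}
```

Run it on a domain controller or a management workstation in each of the three sites and compare the output with the site lists in the 1865 events. A hub-and-spoke design where sites 1 and 2 each share a site link only with HQ keeps every site reachable without a direct 1-to-2 link in the graph; a site that comes out as unreachable here is missing a site link, not a firewall rule. After changing site links, `repadmin /kcc` makes the KCC recompute the topology immediately and `repadmin /showrepl` shows the resulting replication partners.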
OK. But please, if you get stuck, make another question so I may receive more points. This is a huge issue.
ASKER
Hm. Wouldn't a Windows subdomain be considered a different realm in Kerberos terms? I think it would (from what I've been reading, but I might be wrong of course); therefore I already use 3 distinct realms, since HQ is the parent Windows domain and 1 and 2 are subdomains.
for example:
hq.local
1.hq.local
2.hq.local
are those not distinct realms?
You can map any number of DNS domains to just one realm (Kerberos domain).
And you can map any number of realms to just one DNS domain.
The only restriction is that any Windows instance can only be a member of one realm.
That is why I introduced the term realm to you, to make a distinction between the two terms.
The way a Windows instance becomes a member of a realm is by asking Active Directory. (The user interface to make the request is in the System Properties.)
Told you it is a huge issue ;-) !!!
ASKER
Ok, points for you then. Looks like I can fix it your way.
I really appreciate your points and I don't want you to walk that long way on your own.
Let us help you with the design of the realms. Make an open question with your scenario.
I think you only need one realm, but I can't tell until you explain why replication is an issue.
From your answer I guess you are going to make 3 realms in 3 different forests; don't do it until you have this open question answered.