dlitsolutions asked:
Restructuring an existing SBS 2011 multi site domain

Hi,

We recently took over a maintenance contract for an SBS 2011 network with 4 branch offices.

This network was not configured in line with our normal operating setup, and I want to completely overhaul the AD structure, but I wanted some advice before I make changes and screw things up.

In brief, the SBS is in the head office building, and the branch offices have VPN links at the firewall level to the main office and to each other. The servers each have their own subnet, and all the servers are DCs with a copy of the GC. There are no sites set up within AD Sites and Services. They have several DFS shares already included on their network, but users in HQ may log in and get mapped to the share in remote site 2, so all network drive access is being hampered.

Our primary task is to get the DFS and AD working properly. I was planning on creating the relevant sites in AD, creating the subnets, and manually adding the existing servers, PCs etc. into these sites. But because each server is an AD controller and DFS replication partner, I don't want to screw up a working, albeit slow, network.

If this isn't a workaround, then I will need to change how the DFS shares are mapped out, so that users in each location hit their local DFS share when logging in. I have toyed with rewriting the drive map policy and replacing the local DNS string of the DFS shares with %logonserver%.

My only other option is to remove the DFS setup, remove AD from each server, and rebuild from the ground up.

Any advice on this would be greatly appreciated.
ASKER CERTIFIED SOLUTION
Avatar of Olaf De Ceuster
Olaf De Ceuster
dlitsolutions (Asker):
Hi Olaf, ipconfig of the PDC.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : C********
   Primary Dns Suffix  . . . . . . . : c******.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : c*******.local

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.26.40(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-76-8D-CD
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::45f3:8e40:4612:7cdf%10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::4e7c:61f6:7672:b303%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.26.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.26.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-04-8B-5A-00-0C-29-9A-93-0E

   DNS Servers . . . . . . . . . . . : fe80::4e7c:61f6:7672:b303%10
                                       192.168.26.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
IP Config of a satellite office.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : CENTAUR
   Primary Dns Suffix  . . . . . . . : creative.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : creative.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-5A-DE-26
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9460:6d3:8f10:9551%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.36.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::b118:e8af:675a:d1d0%10
                                       192.168.36.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-D5-EB-F1-00-0C-29-5A-DE-26

   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.36.2
                                       192.168.26.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{C8A2240A-B811-487F-A6AE-525951692FEC}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
PDC Dcdiag


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = c*******

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\c*******

      Starting test: Connectivity

         ......................... c******* passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\c*******

      Starting test: Advertising

         ......................... c******* passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... c******* passed test FrsEvent

      Starting test: DFSREvent

         ......................... c******* passed test DFSREvent

      Starting test: SysVolCheck

         ......................... c******* passed test SysVolCheck

      Starting test: KccEvent

         ......................... c******* passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... c******* passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... c******* passed test MachineAccount

      Starting test: NCSecDesc

         ......................... c******* passed test NCSecDesc

      Starting test: NetLogons

         [c*******] User credentials does not have permission to perform this

         operation.

         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... c******* failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... c******* passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,c*******] DsReplicaGetInfo(PENDING_OPS, NULL)

         failed, error 0x2105 "Replication access was denied."

         ......................... c******* failed test Replications

      Starting test: RidManager

         ......................... c******* passed test RidManager

      Starting test: Services

            Could not open NTDS Service on c*******, error 0x5

            "Access is denied."

         ......................... c******* failed test Services

      Starting test: SystemLog



      Starting test: VerifyReferences

         ......................... c******* passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : creative

      Starting test: CheckSDRefDom

         ......................... creative passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... creative passed test CrossRefValidation

   
   Running enterprise tests on : c******.local

      Starting test: LocatorCheck

         ......................... c******.local passed test LocatorCheck

      Starting test: Intersite

         ......................... c******.local passed test Intersite
Satellite DC DCDIAG


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = D*******

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\D*******

      Starting test: Connectivity

         ......................... D******* passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\D*******

      Starting test: Advertising

         ......................... D******* passed test Advertising

      Starting test: FrsEvent

         ......................... D******* passed test FrsEvent

      Starting test: DFSREvent

         ......................... D******* passed test DFSREvent

      Starting test: SysVolCheck

         ......................... D******* passed test SysVolCheck

      Starting test: KccEvent

         ......................... D******* passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... D******* passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... D******* passed test MachineAccount

      Starting test: NCSecDesc

         ......................... D******* passed test NCSecDesc

      Starting test: NetLogons

         [D*******] User credentials does not have permission to perform this

         operation.

         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... D******* failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... D******* passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,D*******] A recent replication attempt failed:

            From MANTICORE to D*******

            Naming Context: DC=ForestDnsZones,DC=creative,DC=local

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2012-11-14 08:57:39.

            The last success occurred at 2012-11-08 17:57:09.

            135 failures have occurred since the last success.

         [MANTICORE] DsBindWithSpnEx() failed with error 1722,

         The RPC server is unavailable..
         [Replications Check,D*******] A recent replication attempt failed:

            From MANTICORE to D*******

            Naming Context: DC=DomainDnsZones,DC=creative,DC=local

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2012-11-14 08:57:39.

            The last success occurred at 2012-11-08 17:57:08.

            135 failures have occurred since the last success.

         [Replications Check,D*******] A recent replication attempt failed:

            From MANTICORE to D*******

            Naming Context: CN=Schema,CN=Configuration,DC=creative,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2012-11-14 08:58:21.

            The last success occurred at 2012-11-08 17:57:08.

            135 failures have occurred since the last success.

            The source remains down. Please check the machine.

         [Replications Check,D*******] A recent replication attempt failed:

            From MANTICORE to D*******

            Naming Context: CN=Configuration,DC=creative,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2012-11-14 08:58:00.

            The last success occurred at 2012-11-08 17:57:08.

            135 failures have occurred since the last success.

            The source remains down. Please check the machine.

         [Replications Check,D*******] A recent replication attempt failed:

            From MANTICORE to D*******

            Naming Context: DC=creative,DC=local

            The replication generated an error (1722):

            The RPC server is unavailable.

            The failure occurred at 2012-11-14 08:57:39.

            The last success occurred at 2012-11-08 18:06:39.

            135 failures have occurred since the last success.

            The source remains down. Please check the machine.

         ......................... D******* failed test Replications

      Starting test: RidManager

         ......................... D******* passed test RidManager

      Starting test: Services

            Could not open NTDS Service on D*******, error 0x5

            "Access is denied."

         ......................... D******* failed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x00000457

            Time Generated: 11/14/2012   09:39:52

            Event String:

            Driver HP LaserJet P2015 Series PCL 5e required for printer !!ZEUS!Workshop is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 11/14/2012   09:39:53

            Event String:

            Driver HP LaserJet 4050 Series PCL 5 required for printer !!ZEUS.dlit.local!HP4050 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 11/14/2012   09:39:53

            Event String:

            Driver Olivetti d-Copia 200MF KX required for printer !!zeus!Olivetti d-Copia 200MF KX is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 11/14/2012   09:39:54

            Event String:

            Driver HP Universal Printing PS required for printer !!zeus!HP CP2025n is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 11/14/2012   09:39:59

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         ......................... D******* failed test SystemLog

      Starting test: VerifyReferences

         ......................... D******* passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : creative

      Starting test: CheckSDRefDom

         ......................... creative passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... creative passed test CrossRefValidation

   
   Running enterprise tests on : C*******.local

      Starting test: LocatorCheck

         ......................... C*******.local passed test LocatorCheck

      Starting test: Intersite

         ......................... C*******.local passed test Intersite
Sorry, I have rerun the DCDIAG at an elevated level; the results are attached.
PDC-DCDIAG.txt
Satellite-DCDIAG.txt
Do complete, tested backups first.
Doesn't look too bad.
Delete all DFS/FRS settings.
Just set up your sites and subnets. Move DCs into the correct sites, set up reverse DNS. Clean and re-register all DNS entries.
Point primary DNS from the DCs at the PDC (SBS). Leave it to sit for a few hours. You should be OK. If not, just run dcdiag to demote, restart and run dcdiag again with hard-coded DNS to the SBS server.
Make sure you manually move the DCs into the correct SBS OU.
Make your Group Policy to suit.
Recreate DFS/FRS.
Give yourself a weekend just in case.
Run the SBS BPA first to make sure the SBS is healthy... all will depend on that.

Good luck.
Olaf
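The following is an added example, not code from either poster. It carries out the site, subnet, DC-move, DNS and verification steps listed in the answer above (and in the asker's own plan) on an SBS 2011 domain. SBS 2011 is Server 2008 R2, whose ActiveDirectory module has no New-ADReplicationSite, New-ADReplicationSubnet or Move-ADDirectoryServer cmdlets (those arrived in Server 2012), so the script uses the System.DirectoryServices.ActiveDirectory .NET classes that ship with 2008 R2 instead. Assumptions: it is run elevated as a Domain Admin on the SBS after a tested System State backup; the site names and the SBS host name 'SBS01' are placeholders; the two /24 subnets and the host CENTAUR are taken from the ipconfig output posted above, and the remaining branch offices have to be added to the layout table.

```powershell
# Added example, not code from either poster. See the lead-in for what is assumed.
Add-Type -AssemblyName System.DirectoryServices
$ns = 'System.DirectoryServices.ActiveDirectory'

$dnsSuffix = 'creative.local'
$sbsDnsIp  = '192.168.26.2'        # primary DNS for every DC, per the answer above
$layout = @(                        # one site per office: its /24 and the DC(s) located there
    @{ Site = 'HQ';      Subnet = '192.168.26.0/24'; DCs = @('SBS01') },   # 'SBS01' is a placeholder
    @{ Site = 'Branch2'; Subnet = '192.168.36.0/24'; DCs = @('CENTAUR') }
    # add the remaining branch offices here
)

$forestCtx = New-Object -TypeName "$ns.DirectoryContext" -ArgumentList 'Forest'
$siteLink  = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteLink]::FindByName($forestCtx, 'DEFAULTIPSITELINK')

foreach ($entry in $layout) {
    # 1. Create the site if it does not exist. Save() also creates its NTDS Site Settings
    #    and Servers containers. A site in no site link never gets inter-site connection objects.
    try {
        $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($forestCtx, $entry.Site)
    } catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException] {
        $site = New-Object -TypeName "$ns.ActiveDirectorySite" -ArgumentList $forestCtx, $entry.Site
        $site.Save()
        $siteLink.Sites.Add($site)
        $siteLink.Save()
    }

    # 2. Bind the office subnet to the site; this is what makes the DC locator and DFS
    #    referrals prefer local servers for clients in that /24.
    try {
        $subnet = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySubnet]::FindByName($forestCtx, $entry.Subnet)
    } catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException] {
        $subnet = New-Object -TypeName "$ns.ActiveDirectorySubnet" -ArgumentList $forestCtx, $entry.Subnet
    }
    $subnet.Site = $site
    $subnet.Save()

    foreach ($dcName in $entry.DCs) {
        # 3. Move the DC's server object out of Default-First-Site-Name into its site.
        $dcCtx = New-Object -TypeName "$ns.DirectoryContext" -ArgumentList 'DirectoryServer', "$dcName.$dnsSuffix"
        $dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($dcCtx)
        if ($dc.SiteName -ne $entry.Site) { $dc.MoveToAnotherSite($entry.Site) }

        # 4. DNS client: SBS first, itself second, no ::1 or link-local entries (compare the
        #    posted ipconfig), then re-register host and SRV records. WMI avoids needing WinRM.
        $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $dcName -Filter 'IPEnabled = TRUE'
        foreach ($nic in $nics) {
            $selfIp = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })[0]
            $order  = @($sbsDnsIp) + @($selfIp | Where-Object { $_ -ne $sbsDnsIp })
            $null   = $nic.SetDNSServerSearchOrder($order)
        }
        $proc = [wmiclass]"\\$dcName\root\cimv2:Win32_Process"
        $null = $proc.Create('cmd.exe /c ipconfig /registerdns && nltest /dsregdns')
    }
}

# 5. Verify, elevated: the NetLogons/Services "access denied" lines in the posted dcdiag
#    are what a non-elevated run produces, not a directory fault.
repadmin /replsummary
repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Format-Table 'Source DSA', 'Destination DSA', 'Naming Context', 'Number of Failures', 'Last Success Time' -AutoSize
dcdiag /test:DNS /e

# Errors 1722/1256 from MANTICORE to the satellite DC are usually the VPN firewall: AD replication
# needs TCP 135 plus the dynamic RPC range TCP 49152-65535 (Server 2008 and later) between DCs.
function Test-TcpPort([string]$ComputerName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($ComputerName, $Port); $true } catch { $false } finally { $client.Close() }
}
Test-TcpPort -ComputerName 'MANTICORE' -Port 135

# On a workstation in each office, after a reboot: the site it was placed in, the DC it
# authenticates to, and the DFS target it was referred to (dfsutil needs the DFS RSAT tools).
nltest /dsgetsite
nltest /dsgetdc:$dnsSuffix
dfsutil /pktinfo
```

Once every client subnet is bound to a site, DFS namespace referrals are ordered by the client's site before anything else, so the %logonserver% rewrite of the drive-map policy becomes unnecessary; `dfsutil /pktinfo` on an HQ workstation should then list the HQ target as the active one. Any subnet left out of the table still lands in Default-First-Site-Name and keeps the old random behaviour, which is why step 2 deserves a second look at every VPN and DHCP scope, not only the server subnets.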