Solved

one domain in Multiple sites

Posted on 2013-05-13
379 Views
Last Modified: 2013-07-09
I need to setup a domain in 4 sites. Each site should have DC, DNS and DHCP but same domain.

They are connecting via site to site VPN.

Could you please tell me how can I setup AD. For example if I install XY.com in each site, how they replicate with each other ? Is that possible. Do I need to setup trust ?

Please let me know
Question by:roozbehdec
9 Comments
 
LVL 16

Expert Comment

by:Shaik M. Sajid
The best way for the same domain is an additional domain, which is easy to set up, and it will give you redundancy and failover for your domain.

To make this work:

Initially, all sites must be able to ping the main site.

In this scenario you have to create an additional domain at each site.

Each domain can have its own DNS and DHCP, no issues.

First create an additional domain at each site, then add the subnet in the primary Domain Controller.

Follow this article:

http://technet.microsoft.com/en-us/library/cc770372.aspx

as well as this YouTube video:

http://www.youtube.com/watch?v=Y9HjJ6RPgPk

All the best.
 
LVL 13

Expert Comment

by:Jaihunt
Hi

First install a DC in the primary site, and then create separate sites according to your physical site locations in Active Directory Sites and Services. Add the related site subnets to the AD sites. Create site links pointing to the primary site, so all the sites will get replication from your primary site. You can promote the server in one place and move it to the remote site if you have low-bandwidth links. Also set the replication interval based on the link.

http://technet.microsoft.com/en-us/library/cc731907.aspx

Thanks
Jai
 
LVL 10

Accepted Solution

by: 172pilotSteve (earned 500 total points)
I agree generally with Jaihunt; however, I feel those recommendations are more about tweaking performance than the actual setup, so I'm going to take a stab from the beginning...

First, if you have one domain, take the concept of TRUST out of your mind. Trusts are between forests, not between sites in the same domain. Your DCs in multiple sites will replicate with each other automatically as long as they can talk to each other.

So, if you haven't already done so, install your first DC. You now have a domain. Make sure your DC is running DNS, can register / has registered its _MSTSC and _PDC type subzones, and has registered itself in those locations.

Now, on your second (and subsequent) DCs, to get them installed, point the CLIENT DNS (the DNS entries in your NIC setup) to the first domain controller. This way, the machine itself will "know about" the domain, and let you DCPROMO it / install the DC role. Technically, you now have a second (or third/fourth) DC. After you have all four DCs running, install DNS on the 2nd-4th DCs (if you didn't already install the DNS Server role) and then make sure the domain zone is replicating to the secondary DCs by running the DNS client MMC and checking that the same zone info is on all DCs. After you're SURE that the DCs all have valid DNS info, go back into the client settings on the remote DCs and tell them to query themselves for DNS. Now that their local DNS servers have knowledge of the central DNS/DC, it will be faster/more reliable to use the local database, and you'll still have the DNS knowledge to allow for replication.

NOW you can go into Sites and Services, create sites for each remote site, and create subnets and assign them to the sites. The main things this does are tell AD which DC to prefer for authentication for a machine on those specific subnets, and change the way replication works; but in a situation with only one DC at each site, that part of it isn't too important, other than that it will slow down the replication interval, which might be important if you have a lot of AD changes.

Now.. just for performance reasons, you probably don't want remote sites to replicate with each other, since they'll have to use the central site as a conduit to communicate with each other (unless you've got your VPN connections fully meshed). For this reason, you'll want to create the site links as Jaihunt talked about, to force each remote site to use the central site as its replication partner. Sometimes this is actually required, rather than just a performance issue, if your VPN doesn't allow remote sites to communicate with each other directly (some VPNs only allow remotes to communicate with the central site, not pass through to other remotes).

Let me know if you have any problems/questions.. The biggest deal is to make sure DNS is available to find a DC that can authenticate and direct the replication.
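The Sites and Services layout the accepted solution describes (one site and subnet per location, two-site links that all point at the central site, DEFAULTIPSITELINK retired so no spoke-to-spoke path remains), as an added PowerShell example that is not part of the original thread. The site names, the 192.168.x.0/24 subnets, the 30-minute interval and the choice of San Jose as hub are assumptions for illustration; run it on any DC or RSAT box as an Enterprise Admin after the first DC exists.

```powershell
# Added example (not from the original thread): hub-and-spoke site layout.
# Site names, subnets and the replication interval are assumptions.
Import-Module ActiveDirectory

$hub       = 'San Jose'
$hubSubnet = '192.168.1.0/24'
$spokes    = @{
    'LA'            = '192.168.2.0/24'
    'San Francisco' = '192.168.3.0/24'
    'Chicago'       = '192.168.4.0/24'
}

# dcpromo put the first DC in Default-First-Site-Name; rename it to the hub.
$firstSite = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($firstSite) { Rename-ADObject -Identity $firstSite.DistinguishedName -NewName $hub }

# One site per physical location, one subnet per site. The subnet-to-site
# mapping is what makes a client on 192.168.2.0/24 authenticate against the
# LA DC instead of crossing the VPN to San Jose.
New-ADReplicationSubnet -Name $hubSubnet -Site $hub
foreach ($site in $spokes.Keys) {
    New-ADReplicationSite   -Name $site
    New-ADReplicationSubnet -Name $spokes[$site] -Site $site
}

# Hub-and-spoke: exactly two sites per link, every link containing the hub,
# so the KCC never builds a spoke-to-spoke connection across a VPN that may
# not route between remotes. 15 minutes is the minimum interval; 30 assumed.
foreach ($site in $spokes.Keys) {
    $linkName = '{0}-{1}' -f $hub.Replace(' ', ''), $site.Replace(' ', '')
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $hub, $site `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 30
}

# DEFAULTIPSITELINK still contains the hub; left in place it is a second path
# the KCC may use. Remove it only after every site is on a dedicated link.
Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false

# Verify: each subnet maps to one site, each link holds exactly two sites,
# and each DC sits in the site its address belongs to.
Get-ADReplicationSubnet  -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * | Select-Object Name, SitesIncluded, ReplicationFrequencyInMinutes
Get-ADDomainController   -Filter * | Select-Object HostName, IPv4Address, Site
```

A DC that was promoted before its site existed shows up under the hub in the last listing; `Move-ADDirectoryServer -Identity <dc> -Site <site>` relocates it without a re-promotion.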
 

Author Comment

by:roozbehdec
Hi all, thank you very much for the answers.

172pilotSteve, I have a question about addressing.

Let me explain more. The 4 sites are in LA, San Jose, San Francisco and Chicago.

Each site should have its DC and maybe a secondary DC as backup. We need to run DNS and DHCP at each site.

I will install a DC with DNS and DHCP in San Jose first and then LA, San Francisco and Chicago.

Do I need to use the same IP address scope for the DHCP server in each site? For example, if I have 192.168.1.0 for San Jose, do I need to use this range of IP addresses for the other sites too, or can I use 172.16.1.0 or....?

In the DNS client setup for the remote setup, if the IP addresses are different, how can I point the DNS address to the first DNS server?

Thank you for your help

 
LVL 13

Expert Comment

by:Jaihunt
You can use different subnets; since the DNS is AD-integrated there are no issues. You need to create the reverse lookup zones according to the subnets you create. Also, you need to configure DHCP to update DNS automatically. You can add as many DNS servers as you like in option 006 in DHCP to configure the DNS server options. Make sure the primary DNS points to the local site DC and the secondary DNS points to the nearest site DC.

If San Jose is your primary site, create all the other site links pointing to San Jose,

like San Jose/LA, San Jose/San Francisco, San Jose/Chicago. Make sure each site link contains only 2 sites.
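The DHCP and DNS half of the comment above (a per-site scope, option 006 with the local DC first and the nearest DC second, a reverse zone for the site's subnet, and DHCP-driven dynamic updates), as an added PowerShell example that is not part of the original thread, written for the LA site. The hostname la-dc1, the addresses 192.168.2.5 (LA DC), 192.168.1.5 (San Jose DC), 192.168.2.1 (router), the scope boundaries and the lease length are assumptions; it runs on the LA DC once the DHCP and DNS roles are installed.

```powershell
# Added example (not from the original thread): LA site DHCP scope and DNS.
# Hostnames, addresses and scope boundaries are assumptions for illustration.
Import-Module DhcpServer
Import-Module DnsServer

$domain   = 'xy.com'
$localDc  = '192.168.2.5'   # LA DC: first DNS server for LA clients
$hubDc    = '192.168.1.5'   # San Jose DC: fallback if the LA DC is down
$scopeNet = '192.168.2.0'

# Reverse lookup zone for the LA subnet. AD-integrated and replicated
# domain-wide so every DC can answer PTR queries; Secure updates only, so a
# host cannot overwrite another machine's PTR record.
Add-DnsServerPrimaryZone -NetworkId '192.168.2.0/24' `
    -ReplicationScope Domain -DynamicUpdate Secure

# One scope per site. The range must not overlap any other site's subnet,
# because the sites route to each other over the VPN.
Add-DhcpServerv4Scope -Name 'LA clients' `
    -StartRange 192.168.2.50 -EndRange 192.168.2.250 `
    -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Option 006 (DNS servers) in the order clients will use them: local DC, then
# hub DC. Option 015 (DNS suffix) and 003 (router) alongside. -Force skips the
# cmdlet's live reachability check so this can be staged before the VPN is up.
Set-DhcpServerv4OptionValue -ScopeId $scopeNet `
    -DnsServer $localDc, $hubDc -DnsDomain $domain -Router 192.168.2.1 -Force

# DHCP registers A and PTR records for its clients (including ones that do
# not request it) and removes them when the lease expires, so the zone does
# not accumulate stale names that a later host could inherit.
Set-DhcpServerv4DnsSetting -ScopeId $scopeNet -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true -DeleteDnsRRonLeaseExpiry $true

# A DHCP server in a domain hands out no leases until it is authorized in AD;
# this is the control that stops a rogue DHCP server on the LAN.
Add-DhcpServerInDC -DnsName "la-dc1.$domain" -IPAddress $localDc

# Verify the option values and order clients will actually receive.
Get-DhcpServerv4OptionValue -ScopeId $scopeNet -OptionId 6, 15, 3
Get-DnsServerZone | Where-Object IsReverseLookupZone | Select-Object ZoneName, ReplicationScope
```

Repeat with the site's own subnet, local DC and hub DC for San Francisco and Chicago; San Jose's scope lists its own DC first and whichever remote DC is closest second.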
 
LVL 10

Expert Comment

by:172pilotSteve
Just for basic TCP/IP routing, you need the clients in each site to be in different IP subnets, and therefore different DHCP scopes with different ranges/configurations. All of that IP stuff is a lower-level thing than the AD, and you'll want to make sure IP routing is working before you start working on the AD, because without underlying IP, Active Directory has no chance.

So.. remember, the DHCP in each site is for the clients to be able to configure themselves from settings on the server. Your server is going to have to have a fixed IP (or at least normally does) and will have to be working before you can get AD, and AD has to work before your clients will likely care whether they have an IP address, etc., so take it a little at a time!

Regarding what I mean about the DNS, your remote sites have to be able to talk to the central site domain controller before they're going to be able to join the domain. Be careful - you need to JOIN the domain when you install the remote sites, not create a NEW domain, because otherwise you're going to have 4 separate domains with the same name that don't know or trust each other, and all have separate user databases, etc., and there's no way out of that other than to rebuild. SO, when you build the machine that WILL BE the remote site domain controller, it is first a domain MEMBER of the existing domain. For it to connect to the domain, you have to configure its client DNS to point to the existing domain controller:

[DNS client picture]

In this picture, I'm assuming for example that the existing central site DC is 172.16.1.5, and so my remote server at the remote site, which has the IP address 192.168.56.10 (a different subnet), MUST be able to route to the central site and connect to the DNS server which knows about the domain I need to join. Once you can join the domain from the remote site, then you can install the Active Directory role / run DCPromo and become a DC. At that point, the "AD Integrated DNS" will automatically start replicating the DNS database to that remote site (if you install the DNS Server role) and only then can you set the remote site DNS settings to itself. After that, THEN you can worry about DHCP, and pointing your remote clients to the remote server for THEIR DNS.
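The join-first, promote-second sequence from the comment above, with the checks it depends on made explicit (DNS client pointed only at the central DC, the _msdcs SRV lookup and the AD ports proven reachable over the VPN before the join, the zone confirmed AD-integrated locally before the server is pointed at itself), as an added PowerShell example that is not part of the original thread. The central DC 172.16.1.5 and remote server 192.168.56.10 are taken from the picture described above; the domain name xy.com, the interface alias "Ethernet" and the site name "LA" are assumptions. It runs elevated on the remote server in three stages separated by the two reboots.

```powershell
# Added example (not from the original thread): remote-site DC build order.
# Addresses come from the comment's picture; domain, NIC alias and site name
# are assumptions for illustration.
$domain = 'xy.com'
$centDc = '172.16.1.5'      # existing central-site DC / DNS
$self   = '192.168.56.10'   # this server's static address
$nic    = 'Ethernet'

# Stage 1: DNS client points ONLY at the central DC. Until this box holds a
# replicated copy of the zone, pointing it at itself breaks the join.
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $centDc

# Prove routing and DNS across the VPN before touching AD. The SRV record
# under _msdcs is what the join and dcpromo use to locate a DC; if it is not
# returned, fix the VPN/DNS first rather than creating a new domain.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $centDc
if (-not $srv) { throw "No DC SRV records from $centDc; check VPN and DNS" }
foreach ($port in 53, 88, 389, 445) {           # DNS, Kerberos, LDAP, SMB
    if (-not (Test-NetConnection -ComputerName $centDc -Port $port).TcpTestSucceeded) {
        throw "TCP $port to $centDc is blocked; join and replication will fail"
    }
}

# Join as a MEMBER of the existing domain (never a new domain), then reboot.
$cred = Get-Credential -Message "Domain Admin for $domain"
Add-Computer -DomainName $domain -Credential $cred -Restart

# ---- Stage 2: after the reboot, log on with the domain account ----

# Promote. -InstallDns gives the site its own AD-integrated copy of the zone.
# If the LA site already exists, -SiteName places the DC there directly.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSDomainController -DomainName $domain -InstallDns -Credential $cred `
    -SiteName 'LA' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# ---- Stage 3: after the promotion reboot ----

# Confirm the zone is here and AD-integrated, and that replication with the
# central DC succeeds, BEFORE moving the DNS client to the local server.
$zone = Get-DnsServerZone -Name $domain
if (-not $zone.IsDsIntegrated) { throw "$domain zone is not AD-integrated on this DC yet" }
repadmin /showrepl
repadmin /replsummary

# Local DNS first for speed, central DC second so the server can still find
# a partner if its own DNS service is down.
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $self, $centDc
```

Test-NetConnection needs Windows Server 2012 R2 or later; on older systems substitute a telnet or portqry check for the same four ports.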
 

Author Comment

by:roozbehdec
Thank you.

If I run DCpromo and then ADD domain under existing domain, do I still need to join to the domain first ?
 
LVL 13

Expert Comment

by:Jaihunt
For Additional Domain controllers you need to join them first in your domain and then run DCPROMO

http://www.youtube.com/watch?v=x6NKvJMLO0o
 
LVL 10

Expert Comment

by:172pilotSteve
roozbehdec: I think technically the DCPromo process will actually let you join a domain and become a DC at once, but I really suggest taking it one step at a time. It will take you only one reboot longer to do it the way we suggested: join the domain first (then reboot) and then DCPromo (which also requires a reboot). Especially because the act of joining a domain will qualify all of your network settings and validate your ability to authenticate to the domain, without complicating it with the additional part of joining the domain.

Also.. now is probably a good time to remind you... make sure all your clocks are synchronized. Kerberos authentication will fail if the clocks aren't pretty close to the same (aside from time zone differences..)
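The clock warning in the comment above, turned into a check and a fix, as an added PowerShell example that is not part of the original thread. Kerberos compares timestamps in UTC, so time zones are irrelevant but drift beyond the domain's tolerance (5 minutes by default) causes authentication and replication failures. The external time source name is an assumption; the rest uses only w32tm and the ActiveDirectory module.

```powershell
# Added example (not from the original thread): measure and fix time skew
# across the domain's DCs. The NTP peer name is an assumption.
Import-Module ActiveDirectory

$domain = 'xy.com'

# The PDC emulator is the root of the domain time hierarchy: every other DC
# and every member syncs from it, directly or through its own site's DC.
$pdce = (Get-ADDomain -Identity $domain).PDCEmulator
"PDC emulator: $pdce"

# Offset of every DC relative to the PDCe in one call. Anything approaching
# +/-300 s will start failing Kerberos; a few seconds is normal over a VPN.
w32tm /monitor /domain:$domain

# On the PDC emulator ONLY: take time from an external source and advertise
# as reliable so the rest of the domain follows it. 0x8 = client mode.
if ($env:COMPUTERNAME -eq ($pdce -split '\.')[0]) {
    w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
}
# On every other DC (the remote sites): follow the domain hierarchy, never a
# hard-coded peer that could diverge from the PDCe.
else {
    w32tm /config /syncfromflags:domhier /update
}

Restart-Service w32time
w32tm /resync
w32tm /query /source          # should name the PDCe (or the peer, on the PDCe)
w32tm /query /status
```

Run it once on each DC; re-run `w32tm /monitor /domain:xy.com` from any of them afterwards and confirm every offset is within a few seconds before promoting further DCs or joining clients.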
