

one domain in Multiple sites

Posted on 2013-05-13
Medium Priority
Last Modified: 2013-07-09
I need to set up a domain in 4 sites. Each site should have a DC, DNS and DHCP, but the same domain.

They are connecting via site to site VPN.

Could you please tell me how I can set up AD? For example, if I install XY.com in each site, how do they replicate with each other? Is that possible? Do I need to set up a trust?

Please let me know
Question by: Golchehr
LVL 17

Expert Comment

by: Sajid Shaik M
ID: 39163731
the best way for same domain is additional domain which is easy to setup... and will have the redundancy and failover for your domain ..

to make this ...

initially all sites must ping to main site..

this scenario you have to create additional domain each site...

each domain can have its own DNS and DHCP no issues

first create additional domain each site then

add subnet in the primary Domain controller

follow this article


as well as see this youtube video


all the best
LVL 13

Expert Comment

ID: 39163875

First Install a DC in Primary site and then Create separate sites according to your physical site location in Active directory sites and services. Add the related site subnets to the AD sites. Create Site links pointing to Primary Site. So all the sites will get the replication from your primary site. You can promote the server in one place and move it to the remote site if you have low bandwidth links. Also set the replication interval based on the link.


LVL 10

Accepted Solution

172pilotSteve earned 1500 total points
ID: 39164563
I agree generally with Jaihunt, however I feel those recommendations are more about tweaking performance than the actual setup, so I'm going to take a stab from the beginning...

First, if you have one domain, take the concept of TRUST out of your mind.  Trusts are between forests, not between sites in the same domain.  Your DCs in multiple sites will replicate with each other automatically as long as they can talk to each other.

First, if you haven't already done so, install your first DC.  You now have a domain.  Make sure your DC is running DNS, and can/has registered its _MSTSC and _PDC type subzones, and has registered itself in those locations.

Now, on your second (and subsequent) DCs, to get them installed, point the CLIENT DNS (the DNS entries in your NIC setup) to the first domain controller.  This way, the machine itself will "know about" the domain, and let you DCPROMO it / install the DC role to the DC.  Technically, you now have a second (or third/fourth) DC.  After you have all four DCs running, install DNS on the 2nd-4th DC (if you didn't already install the DNS server role before) and then make sure the domain zone is replicating to the secondary DCs by running the DNS client MMC and looking to make sure the same zone info is on all DCs.  After you're SURE that the DCs all have valid DNS info, go back into the client settings on the remote DCs and tell them to query themselves for DNS.  Now that their local DNS servers have knowledge of the central DNS/DC, it will be faster/more reliable to use the local database, and you'll still have the DNS knowledge to allow for replication.

NOW, you can go into Sites and Services, and create sites for each remote site, and create subnets and assign them to the sites.  The main thing this does is tell AD which DC to prefer for authentication for a machine on those specific subnets, and it changes the way replication works, but in a situation with only one DC at each site, that part of it isn't too important, other than it will slow down the replication interval, which might be important if you have a lot of AD changes.

Now, just for performance reasons, you probably don't want remote sites to replicate with each other, since they'll have to use the central site as a conduit to communicate with each other (unless you've got your VPN connections fully meshed).  For this reason, you'll want to create the site links as Jaihunt talked about, to force each remote site to use the central site as its replication partner.  Sometimes this is actually required, rather than just a performance issue, if your VPN doesn't allow remote sites to directly communicate with each other (some VPNs only allow remotes to communicate with the central site, not pass thru to other remotes).

Let me know if you have any problems/questions.  The biggest deal is to make sure DNS is available to find a DC that can authenticate and direct the replication.
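The "make sure the same zone info is on all DCs before pointing the remote DCs at themselves" step above, as an added PowerShell example that is not part of the thread. Domain name, DC names and addresses are constructed assumptions.

```powershell
# Added example, not from the thread. Constructed assumptions: domain xy.com, central DC
# SJ-DC01 (10.1.0.10), remote DCs LA-DC01 (10.2.0.10), SF-DC01 and CHI-DC01, NIC alias 'Ethernet'.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain = 'xy.com'
$AllDcs = 'SJ-DC01', 'LA-DC01', 'SF-DC01', 'CHI-DC01'

# 1. Every DC must host the domain zone, and it must be AD-integrated so AD replication carries it.
foreach ($dc in $AllDcs) {
    try {
        $z = Get-DnsServerZone -Name $Domain -ComputerName $dc -ErrorAction Stop
        '{0,-9} zone present, AD-integrated={1}, scope={2}' -f $dc, $z.IsDsIntegrated, $z.ReplicationScope
    } catch {
        '{0,-9} ZONE MISSING: do not point this DC at itself yet' -f $dc
    }
}

# 2. Same zone content everywhere? Ask each DC for the DC-locator SRV record and compare answers.
$answers = foreach ($dc in $AllDcs) {
    $rr = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC      = $dc
        Targets = (($rr | Where-Object Type -eq 'SRV').NameTarget | Sort-Object) -join ','
    }
}
$answers | Format-Table -AutoSize
if (($answers.Targets | Sort-Object -Unique).Count -ne 1) {
    Write-Warning 'DCs disagree on the SRV records: zone replication has not finished'
}

# 3. AD replication health as each DC sees it (partner, last success, last result code; 0 = OK).
foreach ($dc in $AllDcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -Scope Server |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult
}

# 4. Only once 1-3 are clean: switch the remote DC's client DNS to itself first, central DC second.
Invoke-Command -ComputerName 'LA-DC01' -ScriptBlock {
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.2.0.10', '10.1.0.10'
    Register-DnsClient   # re-register this DC's own records through the new resolver order
}
```

Run it from a management host with RSAT; step 4 changes a remote DC's resolver, so run it per remote DC after its own checks pass.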


Author Comment

ID: 39165267
Hi all, Thank you very much for answers.

172pilotSteve, I have a question about addressing.

Let me explain more. The 4 sites are in LA, San Jose, San Francisco and Chicago.

Each site should have its DC and maybe a secondary DC as backup. We need to run DNS and DHCP on each site.

I will install a DC with DNS and DHCP in San Jose first and then LA, San Francisco and Chicago.

Do I need to use the same scope IP address for the DHCP server in each site? For example, if I have for San Jose, do I need to use this range of IP addresses for other sites too, or can I use or....?

In the DNS client setup for the remote setup, if the IP addresses are different, how can I point the DNS address to the first DNS server?

Thank you for your help
LVL 13

Expert Comment

ID: 39165407
You can use different subnets; since the DNS is AD integrated there are no issues. You need to create the reverse lookup zones according to the subnets you create. Also you need to configure DHCP to update DNS automatically. You can add as many DNS servers in the 006 option in DHCP to configure DNS server options. Make sure the primary DNS points to the local site DC and the secondary DNS points to the nearest site DC.

If San Jose is your primary site, create all other site links pointing to San Jose,

like San Jose/LA, San Jose/San Francisco, San Jose/Chicago. Make sure each site link contains only 2 sites.
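The hub-and-spoke site topology described in the accepted solution and in the comment above (sites, subnets, and two-site links all pointing at San Jose), as an added PowerShell example that is not from the thread. Site names, subnets, cost and interval are constructed assumptions.

```powershell
# Added example, not from the thread. Site names, subnets, cost and replication interval are
# constructed assumptions for the four sites named in the question; replace them with your own.
Import-Module ActiveDirectory

$Hub   = 'SanJose'
$Sites = @{                         # site name -> subnet at that site (constructed)
    'SanJose'      = '10.1.0.0/16'
    'LA'           = '10.2.0.0/16'
    'SanFrancisco' = '10.3.0.0/16'
    'Chicago'      = '10.4.0.0/16'
}

# 1. Sites and subnets. The subnet-to-site mapping is what the DC locator uses to send a client
#    (or a DC being promoted) to a DC in its own site instead of one on the far end of the VPN.
foreach ($site in $Sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($Sites[$site])'")) {
        New-ADReplicationSubnet -Name $Sites[$site] -Site $site
    }
}

# 2. One link per spoke, each containing exactly two sites, so the KCC routes all inter-site
#    replication through the hub and remote sites never pair up directly over the VPN.
foreach ($spoke in ($Sites.Keys | Where-Object { $_ -ne $Hub })) {
    $link = "$Hub-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded $Hub, $spoke `
            -InterSiteTransportProtocol IP -Cost 100 `
            -ReplicationFrequencyInMinutes 30   # 180 is the default; tune per link as Jaihunt says
    }
}

# 3. Check: any link spanning more than two sites (DEFAULTIPSITELINK often ends up this way)
#    lets spokes replicate with each other directly, which is what the thread wants to avoid.
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded |
    Where-Object { $_.SitesIncluded.Count -gt 2 } |
    ForEach-Object {
        Write-Warning ("Site link '{0}' spans {1} sites: {2}" -f
            $_.Name, $_.SitesIncluded.Count, ($_.SitesIncluded -join '; '))
    }
```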
LVL 10

Expert Comment

ID: 39165489
Just for basic TCPIP routing, you need the clients in each site to be in different IP subnets, and therefore different DHCP scopes with different ranges/configurations.  All of that IP stuff is a lower level thing than the AD, and you'll want to make sure IP routing is working before you get working on the AD, because without underlying IP, the active directory has no chance.

So..  remember, the DHCP in each site is for the clients to be able to configure themselves from settings on the server.  Your server is going to have to be fixed IP (or at least normally is) and will have to be working before you can get AD, and AD has to work before your clients will likely care if they have an IP address, etc, so take it a little at a time!

Regarding what I mean about the DNS, your remote sites have to be able to talk to the central site domain controller before they're going to be able to join the domain.  Be careful - you need to JOIN the domain when you install the remote sites, not create a NEW domain, because otherwise you're going to have 4 separate domains with the same name that don't know or trust each other, and all have separate user databases, etc, and there's no way out of that other than to rebuild.    SO, when you build the machine that WILL BE the remote site domain controller, it is first a domain MEMBER of the existing domain.  For it to connect to the domain, you have to configure its client DNS to point to the existing domain controller:

[Image: DNS client settings screenshot]

In this picture, I'm assuming that for example the existing central site DC is, and so my remote server at the remote site, which has an IP address (different subnet), MUST be able to route to the central site and connect to the DNS server which knows about the domain I need to join.  Once you can join the domain from the remote site, then you can install the Active Directory role / run DCPromo and become a DC.  At that point, the "AD Integrated DNS" will automatically start replicating the DNS database to that remote site (if you install the DNS Server role) and only then can you set the remote site DNS settings to itself.  After that, THEN you can worry about DHCP, and pointing your remote clients to the remote server for THEIR DNS.

Author Comment

ID: 39167110
Thank you.

If I run DCpromo and then ADD domain under existing domain, do I still need to join to the domain first ?
LVL 13

Expert Comment

ID: 39167124
For Additional Domain controllers you need to join them first in your domain and then run DCPROMO

LVL 10

Expert Comment

ID: 39167821
roozbehdec:  I think technically, the DCPromo process will actually let you join a domain, and become a DC at once, but I really suggest taking it one step at a time.  It will take you only one reboot longer to do it the way we suggested, and join the domain first (then reboot) and then DCPromo (which also requires a reboot).  Especially because the act of joining a domain will qualify all of your network settings and validate your ability to authenticate to the domain, without complicating it with the additional part of joining the domain.

Also, now is probably a good time to remind you... make sure all your clocks are synchronized.  The Kerberos authentication will fail if the clocks aren't pretty close to the same (aside from time zone differences..)
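The pre-join checks 172pilotSteve describes (client DNS pointed at the central DC, routing across the VPN, the DC-locator lookup) plus the clock check from the comment above, as an added PowerShell example that is not from the thread. Domain, central DC address, NIC alias and join account are constructed assumptions.

```powershell
# Added example, not from the thread. Run on the server that will become the remote-site DC,
# BEFORE joining the domain. Constructed assumptions: domain xy.com, central DC 10.1.0.10,
# NIC alias 'Ethernet', join account xy.com\ad-builder.
$Domain      = 'xy.com'
$CentralDcIp = '10.1.0.10'
$Nic         = 'Ethernet'
$ok          = $true

# 1. This machine's resolver must point at a DNS server that already knows the domain.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $CentralDcIp

# 2. Plain IP reachability across the VPN on the ports a domain join and DCPROMO use.
foreach ($port in 53, 88, 135, 389, 445, 464, 636, 3268) {
    $open = Test-NetConnection -ComputerName $CentralDcIp -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $open) { Write-Warning "TCP $port to $CentralDcIp is blocked"; $ok = $false }
}

# 3. DC locator: this SRV lookup is the first thing a domain join does. No answer, no join.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $CentralDcIp `
           -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV'
if ($srv) { $srv | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize }
else      { Write-Warning "No _ldap._tcp.dc._msdcs SRV records for $Domain via $CentralDcIp"; $ok = $false }

# 4. Kerberos rejects tickets when clocks differ by more than the policy limit (5 minutes by default).
$line = w32tm /stripchart /computer:$CentralDcIp /samples:1 /dataonly | Select-Object -Last 1
if ($line -match ',\s*([+-]?\d+\.\d+)s') {
    $skew = [math]::Abs([double]$matches[1])
    if ($skew -gt 300) { Write-Warning "Clock skew ${skew}s exceeds Kerberos tolerance"; $ok = $false }
    else               { 'Clock skew {0:N2}s is within tolerance' -f $skew }
} else {
    Write-Warning "Could not read time offset from $CentralDcIp (UDP 123 blocked?): $line"; $ok = $false
}

# 5. Only when every check passed: join as a member and reboot. Promote in a second step.
if ($ok) {
    Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\ad-builder") -Restart
} else {
    Write-Warning 'Fix the warnings above before joining; a join now would fail or half-complete.'
}
```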
