Golchehr

asked on

one domain in Multiple sites

I need to set up a domain in 4 sites. Each site should have a DC, DNS and DHCP, but the same domain.

They are connecting via site to site VPN.

Could you please tell me how I can set up AD. For example, if I install XY.com in each site, how do they replicate with each other? Is that possible? Do I need to set up a trust?

Please let me know
Sajid Shaik M

The best way for the same domain is an additional domain, which is easy to set up, and will give you redundancy and failover for your domain.

To make this work:

Initially all sites must be able to ping the main site.

In this scenario you have to create an additional domain in each site.

Each domain can have its own DNS and DHCP, no issues.

First create the additional domain in each site, then

add the subnet in the primary domain controller.

Follow this article:

http://technet.microsoft.com/en-us/library/cc770372.aspx

as well as this YouTube video:

http://www.youtube.com/watch?v=Y9HjJ6RPgPk

All the best.
Hi

First install a DC in the primary site and then create separate sites according to your physical site locations in Active Directory Sites and Services. Add the related site subnets to the AD sites. Create site links pointing to the primary site, so all the sites will get replication from your primary site. You can promote the server in one place and move it to the remote site if you have low-bandwidth links. Also set the replication interval based on the link.

http://technet.microsoft.com/en-us/library/cc731907.aspx

Thanks
Jai
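The site topology Jai describes (one site per location, subnets mapped to sites, two-site links pointing at the primary site, a replication interval per link) can be built with the ActiveDirectory PowerShell module. The following is an added example, not code from the answer above; the site names, subnets, hub site and 15-minute interval are assumed values and should be replaced with the real ones.

```powershell
# Added example: hub-and-spoke AD site topology with the ActiveDirectory module
# (RSAT / Windows Server 2012 or later). Run on an existing DC as a domain admin.
Import-Module ActiveDirectory

$hubSite = 'SanJose'                       # assumed: primary site
$sites = @{                                # assumed: one /24 per location
    'SanJose'      = '192.168.1.0/24'
    'LA'           = '172.16.1.0/24'
    'SanFrancisco' = '172.16.2.0/24'
    'Chicago'      = '172.16.3.0/24'
}

# 1. The forest starts with Default-First-Site-Name holding the first DC.
#    Rename it to the hub so that DC is already in the right site.
$defaultSite = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($defaultSite -and -not (Get-ADReplicationSite -Filter "Name -eq '$hubSite'")) {
    $defaultSite | Rename-ADObject -NewName $hubSite
}

# 2. Create the remaining sites.
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
}

# 3. Map each subnet to its site so DCs and clients at that address are located correctly.
foreach ($name in $sites.Keys) {
    $cidr = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $name
    }
}

# 4. One site link per spoke, containing exactly two sites: hub + spoke.
#    Cost and frequency are per link, so a slow VPN leg can get a longer interval.
foreach ($spoke in ($sites.Keys | Where-Object { $_ -ne $hubSite })) {
    $linkName = "$hubSite-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded $hubSite, $spoke `
            -Cost 100 `
            -ReplicationFrequencyInMinutes 15 `
            -InterSiteTransportProtocol IP
    }
}
# DEFAULTIPSITELINK still exists; remove it only after every site is in a link above.

# 5. Verify what the KCC will see.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

After the links exist, `repadmin /showrepl` on each DC shows the inter-site connection objects the KCC generated; a spoke DC should replicate with a hub DC only, not with another spoke.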
ASKER CERTIFIED SOLUTION
172pilotSteve

(answer content not available on this page)
Golchehr

ASKER

Hi all, Thank you very much for answers.

172pilotSteve, I have a question about addressing.

Let me explain more. The 4 sites are in LA, San Jose, San Francisco and Chicago.

Each site should have its DC and maybe a secondary DC as backup. We need to run DNS and DHCP on each site.

I will install a DC with DNS and DHCP in San Jose first and then LA, San Francisco and Chicago.

Do I need to use the same scope IP address for the DHCP server in each site? For example, if I have 192.168.1.0 for San Jose, do I need to use this range of IP addresses for the other sites too, or can I use 172.16.1.0 or ...?

In the DNS client setup for the remote setup, if the IP addresses are different, how can I point the DNS address to the first DNS server?

Thank you for your help
You can use different subnets; since the DNS is AD integrated there are no issues. You need to create the reverse lookup zones according to the subnets you create. Also you need to configure DHCP to update DNS automatically. You can add as many DNS servers as you like in the 006 option in DHCP to configure the DNS server options. Make sure the primary DNS points to the local site DC and the secondary DNS points to the nearest site DC.

If San Jose is your primary site, create all other site links pointing to San Jose,

like San Jose/LA, San Jose/San Francisco, San Jose/Chicago. Make sure each site link contains only 2 sites.
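The DNS and DHCP side of this answer (a reverse lookup zone per subnet, DHCP registering client records, option 006 with the local DC first and the nearest site's DC second) maps onto the DnsServer and DhcpServer modules. This is an added example, not the answerer's code; the DC addresses, subnets, the "nearest site" table, the scope range, gateway and domain name XY.com are assumed.

```powershell
# Added example: reverse zones + DHCP DNS options for one site's DC/DNS/DHCP server.
# Run on the server that serves $thisSite; assumes Windows Server 2012+ modules.
Import-Module DnsServer
Import-Module DhcpServer

$domainName   = 'XY.com'        # assumed
$thisSite     = 'SanJose'       # assumed: the site this DHCP server serves
$dcBySite     = @{ 'SanJose' = '192.168.1.5'; 'LA' = '172.16.1.5'
                   'SanFrancisco' = '172.16.2.5'; 'Chicago' = '172.16.3.5' }
$subnetBySite = @{ 'SanJose' = '192.168.1.0/24'; 'LA' = '172.16.1.0/24'
                   'SanFrancisco' = '172.16.2.0/24'; 'Chicago' = '172.16.3.0/24' }
$nearestSite  = @{ 'SanJose' = 'SanFrancisco'; 'LA' = 'SanJose'
                   'SanFrancisco' = 'SanJose'; 'Chicago' = 'SanJose' }

# Reverse zone name for a /24, e.g. 192.168.1.0/24 -> 1.168.192.in-addr.arpa
function Get-ReverseZoneName([string]$cidr24) {
    $o = (($cidr24 -split '/')[0]) -split '\.'
    return "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"
}

# 1. One AD-integrated reverse lookup zone per subnet, replicated to all DNS servers
#    in the domain and accepting only secure dynamic updates.
foreach ($site in $subnetBySite.Keys) {
    $net  = $subnetBySite[$site]
    $zone = Get-ReverseZoneName $net
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain -DynamicUpdate Secure
    }
}

# 2. DHCP scope for this site's subnet (the server must be authorized in AD once).
$scopeId = ($subnetBySite[$thisSite] -split '/')[0]          # 192.168.1.0
if (-not (Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name "$thisSite clients" -StartRange 192.168.1.100 `
        -EndRange 192.168.1.200 -SubnetMask 255.255.255.0 -State Active
}

# 3. Option 006 (DNS servers): local site DC first, nearest site's DC as secondary.
#    Option 015 (DNS suffix) and 003 (router) set alongside.
$dnsList = @($dcBySite[$thisSite], $dcBySite[$nearestSite[$thisSite]])
Set-DhcpServerv4OptionValue -ScopeId $scopeId -DnsServer $dnsList `
    -DnsDomain $domainName -Router 192.168.1.1

# 4. Let DHCP register/update A and PTR records for clients and clean them up
#    when leases expire, so the reverse zones above stay accurate.
Set-DhcpServerv4DnsSetting -ScopeId $scopeId -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true -DeleteDnsRRonLeaseExpiry $true

# 5. Verify the handed-out DNS order and the zones.
Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 6
Get-DnsServerZone | Where-Object IsReverseLookupZone |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope
```

Because the reverse zones are created with `-ReplicationScope Domain`, they only need to be created once from any DC; the other sites' DNS servers receive them through AD replication. The same script, with `$thisSite` changed, configures each remote site's DHCP server.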
Just for basic TCPIP routing, you need the clients in each site to be in different IP subnets, and therefore different DHCP scopes with different ranges/configurations.  All of that IP stuff is a lower level thing than the AD, and you'll want to make sure IP routing is working before you get working on the AD, because without underlying IP, the active directory has no chance.

So..  remember, the DHCP in each site is for the clients to be able to configure themselves from settings on the server.  Your server is going to have to be fixed IP (or at least normally is) and will have to be working before you can get AD, and AD has to work before your clients will likely care if they have an IP address, etc, so take it a little at a time!

Regarding what I mean about the DNS, your remote sites have to be able to talk to the central site domain controller before they're going to be able to join the domain.  Be careful - you need to JOIN the domain when you install the remote sites, not create a NEW domain, because otherwise you're going to have 4 separate domains with the same name that don't know or trust each other, and all have separate user databases, etc., and there's no way out of that other than to rebuild.    SO, when you build the machine that WILL BE the remote site domain controller, it is first a domain MEMBER of the existing domain.  For it to connect to the domain, you have to configure its client DNS to point to the existing domain controller:

[screenshot of the DNS client settings]

In this picture, I'm assuming that for example the existing central site DC is 172.16.1.5, and so my remote server at the remote site, which has an IP address of 192.168.56.10 (different subnet), MUST be able to route to the central site and connect to the DNS server which knows about the domain I need to join.  Once you can join the domain from the remote site, then you can install the Active Directory role / run DCPromo and become a DC.  At that point, the "AD Integrated DNS" will automatically start replicating the DNS database to that remote site (if you install the DNS Server role) and only then can you set the remote site DNS settings to itself.  After that, THEN you can worry about DHCP, and pointing your remote clients to the remote server for THEIR DNS.
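The order 172pilotSteve lays out (static IP, client DNS at the existing DC, prove routing and name resolution, join as a member, promote, and only then point DNS at itself) can be followed step by step from PowerShell on the future remote-site DC. This is an added example, not the answerer's own procedure or screenshot; it reuses the addresses from the answer (central DC 172.16.1.5, remote server 192.168.56.10) and assumes the domain name XY.com, an AD site named LA, an interface alias of "Ethernet" and a gateway of 192.168.56.1. The steps are meant to be run one at a time, with the reboots between them.

```powershell
# Added example: build a remote-site DC "join first, promote second".
# Windows Server 2012+ (Install-ADDSDomainController replaces dcpromo).
$domain    = 'XY.com'          # assumed
$centralDc = '172.16.1.5'      # from the answer
$nic       = 'Ethernet'        # assumed interface alias
$siteName  = 'LA'              # assumed AD site created in Sites and Services

# Step 1: fixed IP, and client DNS pointing ONLY at the existing DC (never at itself yet).
New-NetIPAddress -InterfaceAlias $nic -IPAddress 192.168.56.10 -PrefixLength 24 `
    -DefaultGateway 192.168.56.1
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $centralDc

# Step 2: prove the IP layer and DNS before touching AD at all.
if (-not (Test-NetConnection -ComputerName $centralDc -Port 389).TcpTestSucceeded) {
    throw "Cannot reach LDAP (389) on $centralDc across the VPN; fix routing first."
}
# The DC locator SRV records must resolve through the central DNS, or the join will fail.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $centralDc -ErrorAction Stop
$dcs = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '
"DCs advertised for ${domain}: $dcs"

# Step 3: join as a MEMBER first. This one reboot validates routing, DNS and
#         authentication without mixing in the promotion.
$cred = Get-Credential -Message "Domain admin account for $domain"
Add-Computer -DomainName $domain -Credential $cred -Restart

# ---- after the reboot, log on with the domain account and continue ----

# Step 4: install AD DS + DNS and promote as an additional DC into the remote site.
#         The DSRM password is prompted for, not stored in the script.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSDomainController -DomainName $domain -SiteName $siteName -InstallDns `
    -Credential $cred `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -Force

# ---- after the promotion reboot ----

# Step 5: confirm the AD-integrated zone has replicated here, THEN point DNS at itself
#         (central DC kept as secondary so startup does not depend on local DNS alone).
Get-DnsServerZone -Name $domain | Select-Object ZoneName, IsDsIntegrated, ReplicationScope
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses 192.168.56.10, $centralDc

# Step 6: check replication health before handing clients to this DC via DHCP.
repadmin /showrepl
```

Only after step 6 reports healthy inbound replication from the hub should the remote site's DHCP scope hand out 192.168.56.10 as the clients' primary DNS.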
Thank you.

If I run DCpromo and then ADD domain under existing domain, do I still need to join to the domain first ?
For Additional Domain controllers you need to join them first in your domain and then run DCPROMO

http://www.youtube.com/watch?v=x6NKvJMLO0o
roozbehdec:  I think technically, the DCPromo process will actually let you join a domain, and become a DC at once, but I really suggest taking it one step at a time.  It will take you only one reboot longer to do it the way we suggested, and join the domain first (then reboot) and then DCPromo (which also requires a reboot).  Especially because the act of joining a domain will qualify all of your network settings and validate your ability to authenticate to the domain, without complicating it with the additional part of joining the domain.

Also.. now is probably a good time to remind you... make sure all your clocks are synchronized.  The Kerberos authentication will fail if the clocks aren't pretty close to the same (aside from time zone differences..)
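A quick way to check the point about clocks before the join: measure this server's offset against the central DC and compare it with the Kerberos default tolerance of 5 minutes, then put the server on the domain time hierarchy. This is an added example, not from the answer; the central DC address 172.16.1.5 is taken from the thread and `w32tm` is the built-in Windows Time client.

```powershell
# Added example: clock-skew check against the central DC, then domain-hierarchy time sync.
$centralDc      = '172.16.1.5'   # from the thread
$maxSkewSeconds = 300            # Kerberos default MaxClockSkew (5 minutes)

# /stripchart /dataonly prints one sample per line, e.g. "15:02:11, +00.0123456s"
$lines   = w32tm /stripchart /computer:$centralDc /samples:3 /dataonly
$offsets = foreach ($l in $lines) {
    if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    throw "No time samples from $centralDc; check that UDP/123 passes the VPN."
}
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
"Largest offset to ${centralDc}: $worst s"
if ($worst -gt $maxSkewSeconds) {
    Write-Warning "Skew exceeds $maxSkewSeconds s; Kerberos tickets will be rejected until fixed."
}

# Domain members and non-PDC DCs should follow the domain hierarchy; only the PDC emulator
# in the forest root should sync to an external source.
w32tm /config /syncfromflags:domhier /update
w32tm /resync /nowait
w32tm /query /status
```

Time-zone differences do not matter here because the comparison is in UTC; what matters is the absolute offset, which the check above reports directly.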