Solved

one domain in Multiple sites

Posted on 2013-05-13
9
397 Views
Last Modified: 2013-07-09
I need to set up a domain in 4 sites. Each site should have a DC, DNS and DHCP, but the same domain.

They are connecting via site-to-site VPN.

Could you please tell me how I can set up AD? For example, if I install XY.com in each site, how do they replicate with each other? Is that possible? Do I need to set up a trust?

Please let me know.
0
Comment
Question by:Golchehr
9 Comments
 
LVL 16

Expert Comment

by:Shaik M. Sajid
ID: 39163731
The best way for the same domain is an additional domain, which is easy to set up, and will give you redundancy and failover for your domain.

To make this work:

Initially, all sites must be able to ping the main site.

In this scenario you have to create an additional domain at each site.

Each domain can have its own DNS and DHCP, no issues.

First create an additional domain at each site, then

add the subnet on the primary domain controller.

Follow this article:

http://technet.microsoft.com/en-us/library/cc770372.aspx

as well as this YouTube video:

http://www.youtube.com/watch?v=Y9HjJ6RPgPk

All the best.
0
 
LVL 13

Expert Comment

by:Jaihunt
ID: 39163875
Hi

First install a DC in the primary site and then create separate sites according to your physical site locations in Active Directory Sites and Services. Add the related site subnets to the AD sites. Create site links pointing to the primary site, so all the sites will get their replication from your primary site. You can promote the server in one place and move it to the remote site if you have low-bandwidth links. Also set the replication interval based on the link.

http://technet.microsoft.com/en-us/library/cc731907.aspx

Thanks
Jai
0
 
LVL 10

Accepted Solution

by:172pilotSteve (earned 500 total points)
ID: 39164563
I agree generally with Jaihunt; however, I feel those recommendations are more about tweaking performance than the actual setup, so I'm going to take a stab from the beginning...

First, if you have one domain, take the concept of TRUST out of your mind.  Trusts are between forests, not between sites in the same domain.  Your DCs in multiple sites will replicate with each other automatically as long as they can talk to each other.

First, if you haven't already done so, install your first DC.  You now have a domain.  Make sure your DC is running DNS, can/has registered its _MSTSC and _PDC type subzones, and has registered itself in those locations.

Now, on your second (and subsequent) DCs, to get them installed, point the CLIENT DNS (the DNS entries in your NIC setup) to the first domain controller.  This way, the machine itself will "know about" the domain, and let you DCPROMO it / install the DC role on the DC.  Technically, you now have a second (or third/fourth) DC.  After you have all four DCs running, install DNS on the 2nd-4th DC (if you didn't already install the DNS Server role before) and then make sure the domain zone is replicating to the secondary DCs by running the DNS client MMC and looking to make sure the same zone info is on all DCs.  After you're SURE that the DCs all have valid DNS info, go back into the client settings on the remote DCs and tell them to query themselves for DNS.  Now that their local DNS servers have knowledge of the central DNS/DC, it will be faster/more reliable to use the local database, and you'll still have the DNS knowledge to allow for replication.

NOW, you can go into Sites and Services, create sites for each remote site, and create subnets and assign them to the sites.  The main things this does are tell AD which DC to prefer for authentication for a machine on those specific subnets, and change the way replication works; but in a situation with only one DC at each site, that part of it isn't too important, other than that it will slow down the replication interval, which might be important if you have a lot of AD changes.

Now..  just for performance reasons, you probably don't want remote sites to replicate with each other, since they'll have to use the central site as a conduit to communicate with each other (unless you've got your VPN connections fully meshed).  For this reason, you'll want to create the site links as Jaihunt talked about, to force each remote site to use the central site as its replication partner.  Sometimes this is actually required, rather than just a performance issue, if your VPN doesn't allow remote sites to directly communicate with each other (some VPNs only allow remotes to communicate with the central site, not pass through to other remotes).

Let me know if you have any problems/questions.  The biggest deal is to make sure DNS is available to find a DC that can authenticate and direct the replication.
0

Author Comment

by:Golchehr
ID: 39165267
Hi all, thank you very much for the answers.

172pilotSteve, I have a question about addressing.

Let me explain more. The 4 sites are in LA, San Jose, San Francisco and Chicago.

Each site should have its DC and maybe a secondary DC as backup. We need to run DNS and DHCP at each site.

I will install the DC with DNS and DHCP in San Jose first and then LA, San Francisco and Chicago.

Do I need to use the same scope IP address for the DHCP server in each site? For example, if I have 192.168.1.0 for San Jose, do I need to use this range of IP addresses for the other sites too, or can I use 172.16.1.0 or...?

In the DNS client setup for the remote setup, if the IP addresses are different, how can I point the DNS address to the first DNS server?

Thank you for your help.
0
 
LVL 13

Expert Comment

by:Jaihunt
ID: 39165407
You can use different subnets; since the DNS is AD integrated there are no issues. You need to create the reverse lookup zones according to the subnets you create. Also you need to configure DHCP to update DNS automatically. You can add as many DNS servers as you like in the 006 option in DHCP to configure the DNS server options. Make sure the primary DNS points to the local site DC and the secondary DNS points to the nearest site DC.

If San Jose is your primary site, create all the other site links pointing to San Jose,

like San Jose/LA, San Jose/San Francisco, San Jose/Chicago. Make sure each site link contains only 2 sites.
0
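The site, subnet, site-link and DHCP layout Jaihunt describes, as an added PowerShell example (not code from the thread). It assumes Windows Server 2012 or later with the ActiveDirectory, DnsServer and DhcpServer modules, a domain xy.com whose first DC sits in Default-First-Site-Name in San Jose, and constructed subnets: San Jose 192.168.1.0/24 (hub, DC 192.168.1.5), LA 172.16.1.0/24 (DC 172.16.1.5), San Francisco 172.16.2.0/24, Chicago 172.16.3.0/24.

```powershell
# Added example, not from the thread. Subnets, DC addresses and the
# assumption that the first DC lives in Default-First-Site-Name are constructed.
Import-Module ActiveDirectory, DnsServer, DhcpServer

$hub    = 'SanJose'
$subnet = [ordered]@{
    'SanJose'      = '192.168.1.0/24'
    'LA'           = '172.16.1.0/24'
    'SanFrancisco' = '172.16.2.0/24'
    'Chicago'      = '172.16.3.0/24'
}

# The first DC's site becomes the hub; then one site and one subnet per location,
# so clients on each subnet prefer their local DC for authentication.
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName $hub
foreach ($site in $subnet.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) { New-ADReplicationSite -Name $site }
    New-ADReplicationSubnet -Name $subnet[$site] -Site $site
}

# Hub-and-spoke site links: each link holds exactly two sites, so remote sites
# replicate only through San Jose and never directly with each other.
foreach ($spoke in ($subnet.Keys | Where-Object { $_ -ne $hub })) {
    New-ADReplicationSiteLink -Name "$hub-$spoke" -SitesIncluded $hub, $spoke `
        -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
}

# One AD-integrated reverse lookup zone per subnet, secure dynamic updates only.
foreach ($net in $subnet.Values) {
    Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain -DynamicUpdate Secure
}

# DHCP on the LA server: option 006 lists the local DC first and the hub DC
# second, and leases register their DNS records automatically.
Add-DhcpServerv4Scope -Name 'LA clients' -StartRange 172.16.1.50 -EndRange 172.16.1.200 -SubnetMask 255.255.255.0
Set-DhcpServerv4OptionValue -ScopeId 172.16.1.0 -DnsServer 172.16.1.5, 192.168.1.5 -DnsDomain 'xy.com'
Set-DhcpServerv4DnsSetting -ScopeId 172.16.1.0 -DynamicUpdates Always -DeleteDnsRRonLeaseExpiry $true

# Check: every link has exactly two members and every DC landed in its own site.
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, @{n='Sites'; e={ $_.SitesIncluded.Count }}
Get-ADDomainController -Filter * | Select-Object HostName, Site
```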
 
LVL 10

Expert Comment

by:172pilotSteve
ID: 39165489
Just for basic TCP/IP routing, you need the clients in each site to be in different IP subnets, and therefore different DHCP scopes with different ranges/configurations.  All of that IP stuff is a lower-level thing than the AD, and you'll want to make sure IP routing is working before you get working on the AD, because without underlying IP, Active Directory has no chance.

So..  remember, the DHCP in each site is for the clients to be able to configure themselves from settings on the server.  Your server is going to have to be a fixed IP (or at least normally is) and will have to be working before you can get AD, and AD has to work before your clients will likely care if they have an IP address, etc., so take it a little at a time!

Regarding what I mean about the DNS, your remote sites have to be able to talk to the central site domain controller before they're going to be able to join the domain.  Be careful - you need to JOIN the domain when you install the remote sites, not create a NEW domain, because otherwise you're going to have 4 separate domains with the same name that don't know or trust each other, and all have separate user databases, etc., and there's no way out of that other than to rebuild.  SO, when you build the machine that WILL BE the remote site domain controller, it is first a domain MEMBER of the existing domain.  For it to connect to the domain, you have to configure its client DNS to point to the existing domain controller:

[DNS client settings screenshot]

In this picture, I'm assuming that, for example, the existing central site DC is 172.16.1.5, and so my remote server at the remote site, which has an IP address of 192.168.56.10 (different subnet), MUST be able to route to the central site and connect to the DNS server which knows about the domain I need to join.  Once you can join the domain from the remote site, then you can install the Active Directory role / run DCPromo and become a DC.  At that point, the "AD Integrated DNS" will automatically start replicating the DNS database to that remote site (if you install the DNS Server role) and only then can you set the remote site DNS settings to itself.  After that, THEN you can worry about DHCP, and pointing your remote clients to the remote server for THEIR DNS.
0
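The staged remote-DC build 172pilotSteve lays out (client DNS to the central DC, join as a member, promote, verify the zone, only then point DNS at itself), as an added PowerShell example that is not code from the thread. It assumes Windows Server 2012 R2 or later on the future remote DC, the addresses from the comment above (central DC/DNS 172.16.1.5, remote server 192.168.56.10, domain xy.com, site LA), and an interface alias and credentials that are assumptions.

```powershell
# Added example, not from the thread. Run each stage in turn, rebooting where noted.
$domain    = 'xy.com'
$centralDC = '172.16.1.5'       # existing central-site DC/DNS (from the comment)
$selfIP    = '192.168.56.10'    # this remote server (from the comment)
$nic       = 'Ethernet'         # assumed interface alias
$cred      = Get-Credential "$domain\Administrator"

# Stage 1: still a workgroup server. Its CLIENT DNS must point at the existing
# DC, otherwise it cannot locate the domain and the join fails.
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $centralDC

# Prove VPN routing and DNS knowledge of the domain before trying to join: the
# _msdcs SRV record is what the domain locator uses to find a DC.
if (-not (Test-NetConnection -ComputerName $centralDC -Port 389 -InformationLevel Quiet)) {
    throw "LDAP on $centralDC unreachable across the VPN; fix IP routing first."
}
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $centralDC
if (-not $srv) { throw "No DC SRV records resolvable via $centralDC; fix DNS first." }

# Stage 2: JOIN the existing domain as a member (never create a new one), reboot.
Add-Computer -DomainName $domain -Credential $cred -Restart

# Stage 3 (after reboot): promote to an additional DC with AD-integrated DNS,
# placed directly into its own AD site. Promotion reboots again.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $domain -Credential $cred -InstallDns -SiteName 'LA' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# Stage 4 (after the promotion reboot): only once the domain zone exists locally
# as an AD-integrated zone is it safe to make this DC query itself for DNS,
# keeping the central DC as the secondary.
$zone = Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue
if ($zone -and $zone.IsDsIntegrated) {
    Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $selfIP, $centralDC
} else {
    Write-Warning "Zone $domain not yet replicated here; leave client DNS on $centralDC."
}

# Confirm inbound replication from the central site and the site this DC joined.
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
Get-ADDomainController -Identity $env:COMPUTERNAME | Select-Object HostName, Site
```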
 

Author Comment

by:Golchehr
ID: 39167110
Thank you.

If I run DCPromo and then add the domain under the existing domain, do I still need to join the domain first?
0
 
LVL 13

Expert Comment

by:Jaihunt
ID: 39167124
For additional domain controllers you need to join them to your domain first and then run DCPROMO.

http://www.youtube.com/watch?v=x6NKvJMLO0o
0
 
LVL 10

Expert Comment

by:172pilotSteve
ID: 39167821
roozbehdec:  I think technically the DCPromo process will actually let you join a domain and become a DC at once, but I really suggest taking it one step at a time.  It will take you only one reboot longer to do it the way we suggested: join the domain first (then reboot) and then DCPromo (which also requires a reboot).  Especially because the act of joining a domain will qualify all of your network settings and validate your ability to authenticate to the domain, without complicating it with the additional part of joining the domain.

Also.. now is probably a good time to remind you... make sure all your clocks are synchronized.  Kerberos authentication will fail if the clocks aren't pretty close to the same (aside from time zone differences..).
0
