Solved

Remote Domain controller

Posted on 2013-06-20
270 Views
Last Modified: 2013-07-17
I need to bring a read-only domain controller to the remote location over the site-to-site VPN. Can anyone help with what process needs to happen to complete this and have sync happen over the VPN?
What happens if my VPN goes down? Would the domain controller still be accessible? How do I make it fault tolerant? Uptime is very critical here.
Question by:Tiras25
11 Comments
 
LVL 15

Accepted Solution

by:
Rob Stone earned 167 total points
ID: 39264999
If you've not already looked at this guide, have a read through the relevant parts to your case:
http://technet.microsoft.com/en-us/library/cc754719(v=ws.10).aspx

It would be logical to install using the NTDSUTIL IFM (Install from media) option which will save a lot of replication traffic when it's at the remote site.

If the VPN goes down, any users AND computers that are not in the Allow Password Replication Policy (this is in ADUC, not GPMC) will not be able to log on until the VPN link is re-established.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39265419
In addition, it's worth reading the KB articles below.

RODC Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx

Steps for Deploying an RODC
http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx

Installing AD DS from Media
http://technet.microsoft.com/en-us/library/cc770654(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc770627(v=ws.10).aspx

Q. Once the RWDC is down, or the line between headquarters and the branch office is down, can clients in the branch office still access the domain with the RODC?
A: When the password for an account has been cached on the RODC, the user and/or computer can log in whenever a read/write domain controller is unavailable.

Passwords can be cached on a Read-only Domain Controller (RODC) using the Password Replication Policy (PRP). More information: Administering the Password Replication Policy: http://technet.microsoft.com/de-de/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx
 
LVL 17

Author Comment

by:Tiras25
ID: 39266147
Thanks guys. Do you know what ports need to be open through the firewall for the domain controller to communicate?
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39266160
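The body of that reply has not survived on this page, so the port list is filled in here as an added example rather than the answerer's text. The script below is not from the thread; it is a check you would run on the branch server over the VPN before promotion. It assumes Windows 8.1 / Server 2012 R2 or later for Test-NetConnection, and HQDC01.corp.example.com is a hypothetical hub DC. The port numbers are the standard AD DS ports; the choice of 50000 for a static replication port is an arbitrary example value.

```powershell
# Added example (not from the thread). Run on the branch server, over the VPN,
# before promoting it. Assumes Test-NetConnection (Windows 8.1 / 2012 R2+).
# HQDC01.corp.example.com is a hypothetical hub DC.

$hub = 'HQDC01.corp.example.com'

# TCP ports an RODC must reach on the writable DC. Replication is one-way:
# the RODC pulls from the writable DC and nothing is ever pushed back, so
# the firewall only needs branch -> HQ for these (plus established replies).
$tcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (hands out the dynamic replication port)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL via DFSR/FRS, netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-DcPorts {
    param(
        [string]$Target,
        [System.Collections.IDictionary]$Ports
    )
    foreach ($p in $Ports.Keys) {
        $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $p
            Service = $Ports[$p]
            Open    = $r.TcpTestSucceeded
        }
    }
}

Test-DcPorts -Target $hub -Ports $tcpPorts | Format-Table -AutoSize

# The dynamic RPC range (TCP 49152-65535 on Server 2008 and later) cannot be
# probed port by port. Either open the whole range on the HQ side, or pin
# AD replication to one port on every DC and open only that one. 50000 is an
# arbitrary example value; pick a free port in your environment. Set this on
# each DC and reboot it:
#   reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "TCP/IP Port" /t REG_DWORD /d 50000 /f
# DFSR (SYSVOL) uses its own dynamic RPC port and is pinned separately:
#   dfsrdiag StaticRPC /port:50001
# Then add the pinned ports to $tcpPorts and re-run Test-DcPorts.

# Test-NetConnection only exercises TCP. UDP 53 (DNS), UDP 88 (Kerberos),
# UDP 389 (DC locator pings) and UDP 123 (NTP from the PDC emulator) need a
# separate check; for time sync, "w32tm /stripchart /computer:$hub" is the
# quickest.
```

The direction of replication matters for the firewall rule: because an RODC only ever pulls, the HQ side never needs to initiate a connection to the branch, which keeps the rule set tighter than for a writable DC pair.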
 
LVL 17

Author Comment

by:Tiras25
ID: 39266753
Thanks again, Sandeshdubey.  So the idea is to have users in Password Replication Policy.  So even if the VPN link is down they should still be able to log on into the RODC.
 
LVL 15

Assisted Solution

by:Rob Stone
Rob Stone earned 167 total points
ID: 39266803
Yes, but remember you need to add the computer accounts as well.

It's also worth noting from a security perspective that if the RODC gets stolen, those credentials are vulnerable to being hacked. Microsoft do like to make that point clear.
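Rob's point about a stolen RODC is the reason the PRP is worth keeping tight: every account whose secret was ever cached on that box is now offline-crackable. The response is to reset exactly those accounts and then remove the RODC from the directory. Below is an added example of that procedure, not code from the thread; RODC01 is a hypothetical name, and it assumes the ActiveDirectory module on a writable DC or an RSAT workstation.

```powershell
# Added example (not from the thread). Response to a lost or stolen RODC.
# RODC01 is a hypothetical name. Run from a writable DC or a box with RSAT.
Import-Module ActiveDirectory

$rodc = 'RODC01'

# Every account whose secrets were ever replicated to this RODC. This is the
# exposure set: whoever has the disk can recover these hashes offline.
$exposed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

function New-RandomSecurePassword {
    # 20 characters from a CSPRNG; nobody needs to know the value.
    $bytes = New-Object byte[] 30
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes).Substring(0, 20)
    ConvertTo-SecureString $plain -AsPlainText -Force
}

foreach ($acct in $exposed) {
    # The RODC's own krbtgt_<id> account is in this list too; it is removed
    # together with the RODC object below, not reset.
    if ($acct.Name -like 'krbtgt_*') { continue }

    $pw = New-RandomSecurePassword
    switch ($acct.ObjectClass) {
        'user' {
            # Invalidate the stolen hash now; the user picks a new password next logon.
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $pw
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
        }
        'computer' {
            # Machine accounts renegotiate with a writable DC on their own.
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $pw
        }
    }
    Write-Host "Reset $($acct.ObjectClass) $($acct.Name)"
}

# Keep the list: it is the audit record of what was exposed.
$exposed | Select-Object Name, ObjectClass, DistinguishedName |
    Export-Csv -Path ".\$rodc-exposed-accounts.csv" -NoTypeInformation

# Finally remove the RODC so the stolen box can never replicate again, even
# if it reappears on the VPN. Deleting the RODC computer object in ADUC
# offers the same password reset as a dialog; from the command line the
# metadata cleanup is (server DN is hypothetical):
#   ntdsutil "metadata cleanup" "remove selected server CN=RODC01,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com" quit quit
```

Because the Denied list in the PRP always wins over the Allowed list, keeping Domain Admins, Enterprise Admins and any service accounts with wide privileges in the Denied list bounds this exposure set to branch users and branch machines, which is what makes the reset above tolerable rather than a domain-wide event.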
 
LVL 17

Author Comment

by:Tiras25
ID: 39266863
Understood. In my case, users only, no computers. I'm thinking maybe just doing a domain trust relationship is better. Faster to implement. But less fault tolerance. If the VPN link is down, users won't be able to log in.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39267821
Yes, if the link is down, users will face authentication issues. But for a domain trust you need to have a DC in the other site. Are you planning to have another forest, or a writable DC/RODC of the same forest?
 
LVL 17

Author Comment

by:Tiras25
ID: 39267938
Yes, I already have another forest with a writable DC. How can I make the trust relationship more tolerant, though? That's an issue.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39267978
If there is a connectivity issue then resources will not be accessible and users will fail authentication, as the trust will be broken if connectivity does not exist.
 
LVL 17

Author Comment

by:Tiras25
ID: 39268682
Understood. Looking for a way to make the domain trust relationship more fault tolerant.
