Solved

Remote Domain controller

Posted on 2013-06-20
11
Medium Priority
272 Views
Last Modified: 2013-07-17
I need to bring a read-only domain controller to the remote location over the site-to-site VPN.  Can anyone help with what process needs to happen to complete this and have sync happen over the VPN?
What happens if my VPN goes down?  Would the Domain Controller still be accessible?  How do I make it fault tolerant?  Uptime is very critical here.
0
Comment
Question by:Tiras25
11 Comments
 
LVL 15

Accepted Solution

by:
Rob Stone earned 668 total points
ID: 39264999
If you've not already looked at this guide, have a read through the relevant parts to your case:
http://technet.microsoft.com/en-us/library/cc754719(v=ws.10).aspx

It would be logical to install using the NTDSUTIL IFM (Install From Media) option, which will save a lot of replication traffic when it's at the remote site.

If the VPN goes down, any users AND computers that are not in the Allow Password Replication Policy (this in ADU&C, not GPMC) will not be able to log on until the VPN link is re-established.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 1332 total points
ID: 39265419
In addition, it's worth reading the KB articles below.

RODC Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx

Steps for Deploying an RODC
http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx

Installing AD DS from Media
http://technet.microsoft.com/en-us/library/cc770654(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc770627(v=ws.10).aspx

Q: Once the RWDC is down, or the line between headquarters and the branch office is down, could clients in the branch office still access the domain with the RODC?
A: When the password for an account has been cached on the RODC, the user and/or computer can log in whenever a Read/Write Domain Controller is unavailable.

Passwords can be cached on a Read-only Domain Controller (RODC) using the Password Replication Policy (PRP). More information: Administering the Password Replication Policy: http://technet.microsoft.com/de-de/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx
0
 
LVL 17

Author Comment

by:Tiras25
ID: 39266147
Thanks guys.  Do you know what ports need to be open through the firewall for the domain controllers to communicate?
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 1332 total points
ID: 39266160
0
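A way to check the firewall question from the branch side, as an added example that is not part of the thread: the script probes the TCP ports an RODC needs to reach a writable DC. The port list is Microsoft's standard AD DS port requirement set rather than something the thread supplies; the DC name is a placeholder. It needs `Test-NetConnection`, available from Windows 8.1 / Server 2012 R2 onward.

```powershell
# Added example, not from the original thread. The DC name is an assumption.
function Test-DcConnectivity {
    param(
        [Parameter(Mandatory)] [string] $DomainController
    )

    # Standard TCP ports for DC-to-DC and client-to-DC traffic (Microsoft's AD DS
    # port requirements). RPC replication also uses a dynamic port range
    # (49152-65535 on Server 2008 and later) that a single TCP probe cannot cover,
    # and DNS/Kerberos/NTP additionally use UDP 53/88/123.
    $ports = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper'
        389  = 'LDAP'
        445  = 'SMB (SYSVOL, DFS)'
        464  = 'Kerberos password change'
        636  = 'LDAP over SSL'
        3268 = 'Global Catalog'
        3269 = 'Global Catalog over SSL'
    }

    foreach ($port in $ports.Keys) {
        $r = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Service = $ports[$port]
            Open    = $r.TcpTestSucceeded
        }
    }
}

# Usage: run from the branch server while the VPN is up.
Test-DcConnectivity -DomainController 'DC01.corp.example.com' | Format-Table -AutoSize
```

A table with every row `Open = True` only proves the fixed ports; confirm the dynamic RPC range works by watching an actual replication cycle with `repadmin /replsummary` after the RODC is promoted.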
 
LVL 17

Author Comment

by:Tiras25
ID: 39266753
Thanks again, Sandeshdubey.  So the idea is to have users in the Password Replication Policy, so even if the VPN link is down they should still be able to log on to the RODC.
0
 
LVL 15

Assisted Solution

by:Rob Stone
Rob Stone earned 668 total points
ID: 39266803
Yes, but remember you need to add the computer accounts as well.

It's also worth noting from a security perspective that if the RODC gets stolen, those cached credentials are vulnerable to being cracked. Microsoft do like to make that point clear.
0
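Both of Rob Stone's points (cache the computer accounts as well as the users, and know what a stolen RODC would expose), together with Sandeshdubey's PRP note earlier in the thread, as an added example that is not code from the thread: it sets the PRP, pre-warms the cache so users can log on the first time the VPN drops, and lists and resets the accounts whose secrets the RODC actually holds. The RODC, DC and group names are placeholders; `repadmin /rodcpwdrepl` is Microsoft's documented pre-population command.

```powershell
# Added example, not from the original thread. Names are assumptions.
Import-Module ActiveDirectory

$rodc     = 'BRANCH-RODC01'
$sourceDc = 'DC01.corp.example.com'

# 1. Allow caching for branch users AND their workstations. A user whose password
#    is cached still cannot log on if the workstation's own account has to reach a
#    writable DC to authenticate.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users', 'Branch-Computers'

# 2. Keep privileged accounts out of the cache; the denied list wins over allowed.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# 3. Review the effective policy.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# 4. Pre-populate the cache now rather than waiting for each first logon, so the
#    branch survives a VPN outage before everyone has authenticated once.
#    Only accounts the PRP allows will succeed.
$toWarm = Get-ADGroupMember -Identity 'Branch-Users' -Recursive
$toWarm += Get-ADGroupMember -Identity 'Branch-Computers' -Recursive
foreach ($acct in $toWarm) {
    repadmin /rodcpwdrepl $rodc $sourceDc $acct.DistinguishedName
}

# 5. What would a thief get? The revealed list is exactly the set of secrets stored
#    on this RODC; review it periodically.
function Get-RodcExposure {
    param([Parameter(Mandatory)] [string] $Rodc)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Select-Object Name, ObjectClass, DistinguishedName
}
Get-RodcExposure -Rodc $rodc | Format-Table -AutoSize

# 6. Response if the RODC is lost: reset every revealed user password and force a
#    change at next logon; revealed computer accounts are returned so their machine
#    passwords can be reset on the workstations (Reset-ComputerMachinePassword).
function Invoke-RodcLossResponse {
    param([Parameter(Mandatory)] [string] $Rodc)

    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?'

    foreach ($acct in ($revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
        $plain = -join ((1..24) | ForEach-Object { $chars | Get-Random })
        $newPw = ConvertTo-SecureString $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPw
        Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
    }

    # Computers that still need their machine password rotated.
    $revealed | Where-Object { $_.ObjectClass -eq 'computer' } | Select-Object -ExpandProperty Name
}
```

Deleting the stolen RODC's computer object in Active Directory Users and Computers offers the same password-reset step in the GUI and also removes the RODC-specific `krbtgt` account; the function above is the scripted equivalent for the user accounts only.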
 
LVL 17

Author Comment

by:Tiras25
ID: 39266863
Understood.  In my case it's users only, no computers.  I'm thinking maybe just doing a domain trust relationship would be better.  Faster to implement, but less fault tolerant: if the VPN link is down, users won't be able to log in.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 1332 total points
ID: 39267821
Yes, if the link is down users will face authentication issues. But for a domain trust you need to have a DC in the other site. Are you planning to have another forest, or a writable DC/RODC of the same forest?
0
 
LVL 17

Author Comment

by:Tiras25
ID: 39267938
Yes, I already have another forest with a writable DC.  How can I make the trust relationship more tolerant, though?  That's an issue.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 1332 total points
ID: 39267978
If there is a connectivity issue then resources will not be accessible and users will fail authentication, as the trust will be broken if connectivity does not exist.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 39268682
Understood.  Looking for a way to make the domain trust relationship more fault tolerant.
0
