  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 275

Remote Domain controller

I need to bring a read-only domain controller to the remote location over the site-to-site VPN. Can anyone help with what process needs to happen to complete this and have sync happen over the VPN?
What happens if my VPN goes down? Would the domain controller still be accessible? How do I make it fault tolerant? Uptime is very critical here.
Asked by: Tiras25
6 Solutions
 
Rob Stone commented:
If you've not already looked at this guide, have a read through the relevant parts to your case:
http://technet.microsoft.com/en-us/library/cc754719(v=ws.10).aspx

It would be logical to install using the NTDSUTIL IFM (Install from media) option which will save a lot of replication traffic when it's at the remote site.

If the VPN goes down, any users AND computers that are not in the Allow Password Replication Policy (this in ADU&C, not GPMC) will not be able to log on until the VPN link is re-established.
 
Sandeshdubey commented:
In addition, it's worth reading the KB articles below.

RODC Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx

Steps for Deploying an RODC
http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx

Installing AD DS from Media
http://technet.microsoft.com/en-us/library/cc770654(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc770627(v=ws.10).aspx

Q: Once the RWDC is down or the line between headquarters and the branch office is down, could clients in the branch office still access the domain with the RODC?
A: When the password for an account has been cached on the RODC, the user and/or computer can log in whenever a read/write domain controller is unavailable.

Passwords can be cached on a Read-only Domain Controller (RODC) using the Password Replication Policy (PRP). More information: Administering the Password Replication Policy: http://technet.microsoft.com/de-de/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx
 
Tiras25 (Author) commented:
Thanks guys. Do you know what ports need to be open through the firewall for the domain controllers to communicate?
 
Tiras25 (Author) commented:
Thanks again, Sandeshdubey. So the idea is to have users in the Password Replication Policy. So even if the VPN link is down they should still be able to log on to the RODC.
 
Rob Stone commented:
Yes, but remember you need to add the computer accounts as well.

It's also worth noting from a security perspective that if the RODC gets stolen, those credentials are vulnerable to being hacked. Microsoft do like to make that point clear.
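As an added example (not posted by anyone in this thread), the following PowerShell script does the PRP housekeeping the two previous comments describe for one branch site: it puts the branch users and their computers on the RODC's Allowed list, refuses to cache privileged accounts on a box that could be stolen, and prepopulates the secrets so accounts can still log on if the VPN drops. It assumes the RSAT ActiveDirectory module, domain admin rights, and placeholder names (RODC "BR-RODC01", the branch OU) that must be replaced with real values.

```powershell
# Added example, not from the thread: fill and audit a RODC Password Replication Policy
# for one branch site, then prepopulate secrets for accounts that are allowed but not yet cached
# (those are exactly the accounts that would fail to log on during a VPN outage).
# Assumptions: RSAT ActiveDirectory module, domain admin rights, placeholder names below.
Import-Module ActiveDirectory

$Rodc     = 'BR-RODC01'                                   # placeholder RODC name
$BranchOU = 'OU=Branch,DC=example,DC=com'                 # placeholder OU holding branch users AND computers
$Rwdc     = (Get-ADDomainController -Discover -Writable).HostName  # writable DC to pull secrets from

# 1. Branch principals: users AND the computers they log on from. A computer that is not
#    allowed cannot validate its secure channel when only the RODC is reachable.
$branchUsers     = Get-ADUser     -Filter * -SearchBase $BranchOU
$branchComputers = Get-ADComputer -Filter * -SearchBase $BranchOU
$wanted = @($branchUsers) + @($branchComputers)

# 2. Guard: never let privileged accounts be cached on a branch box that can be stolen.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty DistinguishedName -Unique
$risky = $wanted | Where-Object { $privileged -contains $_.DistinguishedName }
if ($risky) { Write-Warning "Not allowing privileged accounts: $($risky.SamAccountName -join ', ')" }
$wanted = $wanted | Where-Object { $privileged -notcontains $_.DistinguishedName }

# 3. Add whatever is missing from this RODC's Allowed list.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object -ExpandProperty DistinguishedName
$missing = $wanted | Where-Object { $allowed -notcontains $_.DistinguishedName }
if ($missing) { Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $missing }

# 4. "Allowed" is not "cached": the RODC only pulls a secret after the account authenticates
#    through it once. Prepopulate so a freshly installed RODC survives its first outage.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc |
    Select-Object -ExpandProperty DistinguishedName
$notCached = $wanted | Where-Object { $cached -notcontains $_.DistinguishedName }
foreach ($acct in $notCached) {
    repadmin /rodcpwdrepl $Rodc $Rwdc $acct.DistinguishedName | Out-Null
}
Write-Host ("{0} branch accounts allowed on {1}; {2} secrets prepopulated now" -f $wanted.Count, $Rodc, $notCached.Count)
```

Re-run the script after a user or computer is added to the branch OU; the report from step 4 is also a quick way to see who would be locked out if the link went down today.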
 
Tiras25 (Author) commented:
Understood. In my case, users only, no computers. I'm thinking maybe just doing a domain trust relationship is better. Faster to implement, but less fault tolerance. If the VPN link is down users won't be able to log in.
 
Sandeshdubey commented:
Yes, if the link is down users will face authentication issues. But for a domain trust you need to have a DC in the other site. Are you planning to have another forest, or a writable DC/RODC of the same forest?
 
Tiras25 (Author) commented:
Yes, I already have another forest with a writable DC. How can I make the trust relationship more tolerant, though? That's an issue.
 
Sandeshdubey commented:
If there is a connectivity issue then resources will not be accessible and users will have authentication failures, as the trust will be broken if connectivity does not exist.
 
Tiras25 (Author) commented:
Understood. Looking for a way to make the domain trust relationship more fault tolerant.