Solved

Remote Domain controller

Posted on 2013-06-20
11
265 Views
Last Modified: 2013-07-17
I need to bring a read-only domain controller to the remote location over the site-to-site VPN.  Can anyone help with what process needs to happen to complete this and have sync happen over the VPN?
What happens if my VPN goes down?  Would the Domain Controller still be accessible?  How do I make it fault tolerant?  Uptime is very critical here.
Question by:Tiras25
11 Comments
 
LVL 15

Accepted Solution

by:
Rob Stone earned 167 total points
ID: 39264999
If you've not already looked at this guide, have a read through the relevant parts to your case:
http://technet.microsoft.com/en-us/library/cc754719(v=ws.10).aspx

It would be logical to install using the NTDSUTIL IFM (Install from media) option which will save a lot of replication traffic when it's at the remote site.

If the VPN goes down, any users AND computers that are not in the Allow Password Replication Policy (this in ADU&C, not GPMC) will not be able to log on until the VPN link is re-established.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39265419
In addition, it's worth reading the KB articles below.

RODC Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx

Steps for Deploying an RODC
http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx

Installing AD DS from Media
http://technet.microsoft.com/en-us/library/cc770654(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc770627(v=ws.10).aspx

Q: Once the RWDC is down or the line between headquarters and the branch office is down, could clients in the branch office still access the domain with the RODC?
A: When the password for an account has been cached on the RODC, the user and/or computer can log in whenever a Read/Write Domain Controller is unavailable.

Passwords can be cached on a Read-only Domain Controller (RODC) using the Password Replication Policy (PRP). More information: Administering the Password Replication Policy: http://technet.microsoft.com/de-de/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx
 
LVL 17

Author Comment

by:Tiras25
ID: 39266147
Thanks guys.  Do you know what ports need to be open through the firewall for the domain controller to communicate?
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39266160
 
LVL 17

Author Comment

by:Tiras25
ID: 39266753
Thanks again, Sandeshdubey.  So the idea is to have users in the Password Replication Policy.  So even if the VPN link is down they should still be able to log on to the RODC.
 
LVL 15

Assisted Solution

by:Rob Stone
Rob Stone earned 167 total points
ID: 39266803
Yes, but remember you need to add the computer accounts as well.

It's also worth noting from a security perspective that if the RODC gets stolen, those credentials are vulnerable to being hacked. Microsoft does like to make that point clear.
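Rob's two points, that the PRP must cover the workstation computer accounts as well as the users, and that whatever is cached on the RODC is exactly what is exposed if the box is stolen, can both be handled with the PRP cmdlets. This is an added example rather than anything posted in the thread; RODC01, DC01, the OU path, the group Branch01-PRP-Allowed and the domain corp.example.com are assumed names. It fills the Allowed list, pre-loads the cache while the VPN is up so the first offline logon works, lists what is actually cached, and shows the reset step for the lost-device case.

```powershell
# Added example (not from the thread). Assumed names: RODC "RODC01", hub DC "DC01",
# branch OU "OU=Branch01,DC=corp,DC=example,DC=com", PRP group "Branch01-PRP-Allowed".
Import-Module ActiveDirectory

$group  = 'Branch01-PRP-Allowed'
$branch = 'OU=Branch01,DC=corp,DC=example,DC=com'
$hub    = 'DC01.corp.example.com'

# 1. Users AND their workstation computer accounts go into the same group. A user
#    whose password is cached still cannot log on offline if the workstation's own
#    machine account secret is not cached too.
Add-ADGroupMember -Identity $group -Members (Get-ADUser     -SearchBase $branch -Filter *)
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -SearchBase $branch -Filter *)

# 2. Put the group on the RODC's Allowed list.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC01' -AllowedList $group

# 3. Pre-populate the cache now, over the working VPN. Without this, a password is
#    only cached after the account's first successful logon through the RODC.
Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
    repadmin /rodcpwdrepl RODC01 $hub $_.DistinguishedName
}

# 4. Verify: what the policy allows, and what is really cached ("revealed").
Get-ADDomainControllerPasswordReplicationPolicy      -Identity 'RODC01' -Allowed
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC01' -RevealedAccounts |
    Select-Object Name, ObjectClass

# 5. Lost or stolen RODC: the revealed set is the exposure. After deleting the RODC
#    computer object, reset every cached user password (users change it at next logon)
#    and re-join the cached workstations to the domain.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC01' -RevealedAccounts |
    Where-Object ObjectClass -eq 'user' |
    ForEach-Object {
        $temp = ConvertTo-SecureString (New-Guid).Guid -AsPlainText -Force
        Set-ADAccountPassword -Identity $_ -Reset -NewPassword $temp
        Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
    }
```

Run steps 1 to 4 from the hub site with Domain Admin rights; step 4's "revealed" list is the one to review periodically, since it, not the Allowed list, is what an attacker with the physical box can attempt to crack.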
 
LVL 17

Author Comment

by:Tiras25
ID: 39266863
Understood. In my case, users only, no computers.   I'm thinking maybe just doing a domain trust relationship is better.  Faster to implement.  But less fault tolerance.  If the VPN link is down users won't be able to log in.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39267821
Yes, if the link is down users will face authentication issues. But for a domain trust you need to have a DC in the other site. Are you planning to have another forest, or a writable DC/RODC of the same forest?
 
LVL 17

Author Comment

by:Tiras25
ID: 39267938
Yes, I already have another forest with a writable DC.  How can I make the trust relationship more tolerant though?  That's an issue.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39267978
If there is a connectivity issue then resources will not be accessible and users will fail authentication, as the trust will be broken if connectivity does not exist.
 
LVL 17

Author Comment

by:Tiras25
ID: 39268682
Understood.  Looking for a way to make the domain trust relationship more fault tolerant.