Solved

Remote Domain controller

Posted on 2013-06-20
11
264 Views
Last Modified: 2013-07-17
I need to bring a read-only domain controller to the remote location over the site-to-site VPN. Can anyone help with what process needs to happen to complete this and have sync happen over the VPN?
What happens if my VPN goes down? Would the Domain Controller still be accessible? How do I make it fault tolerant? Uptime is very critical here.
Question by:Tiras25
11 Comments
 
LVL 15

Accepted Solution

by:
Rob Stone earned 167 total points
ID: 39264999
If you've not already looked at this guide, have a read through the relevant parts to your case:
http://technet.microsoft.com/en-us/library/cc754719(v=ws.10).aspx

It would be logical to install using the NTDSUTIL IFM (Install from media) option which will save a lot of replication traffic when it's at the remote site.

If the VPN goes down, any users AND computers that are not in the Allow Password Replication Policy (this is in ADU&C, not GPMC) will not be able to log on until the VPN link is re-established.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39265419
In addition, it's worth reading the KB articles below.

RODC Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx

Steps for Deploying an RODC
http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx

Installing AD DS from Media
http://technet.microsoft.com/en-us/library/cc770654(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc770627(v=ws.10).aspx

Q. Once the RWDC is down or the line between headquarters and the branch office is down, could clients in the branch office still access the domain with the RODC?
A: When the password for an account has been cached on the RODC, the user and/or computer can log in whenever a Read/Write Domain Controller is unavailable.

Passwords can be cached on a Read-only Domain Controller (RODC) using the Password Replication Policy (PRP). More information: Administering the Password Replication Policy: http://technet.microsoft.com/de-de/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx
 
LVL 17

Author Comment

by:Tiras25
ID: 39266147
Thanks guys. Do you know what ports need to be open through the firewall for the domain controllers to communicate?
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39266160
 
LVL 17

Author Comment

by:Tiras25
ID: 39266753
Thanks again, Sandeshdubey. So the idea is to have users in the Password Replication Policy. So even if the VPN link is down they should still be able to log on to the RODC.
 
LVL 15

Assisted Solution

by:Rob Stone
Rob Stone earned 167 total points
ID: 39266803
Yes, but remember you need to add the computer accounts as well.

It's also worth noting from a security perspective that if the RODC gets stolen, those credentials are vulnerable to being hacked. Microsoft do like to make that point clear.
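Two things from this exchange are worth checking rather than assuming: which branch accounts (users and computers) would actually survive a VPN outage, and which secrets sit on the RODC if it is stolen. The script below is an added example, not code from the thread; it needs the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and uses placeholder names for the RODC, the HQ writable DC and the allow group. It is gated with `$Apply` so the first run only reports.

```powershell
# Added example: audit PRP coverage for a branch RODC, prepopulate missing
# accounts while the link is up, and list cached secrets for the stolen-RODC
# case. $Rodc, $Rwdc and $AllowGrp are placeholders.
Import-Module ActiveDirectory

$Rodc     = 'BR-RODC01'                 # branch RODC computer name
$Rwdc     = 'HQ-DC01'                   # writable DC at HQ, source for prepopulation
$AllowGrp = 'Branch-Users-and-Computers' # group that appears in the RODC's Allowed list
$Apply    = $false                      # $true to change group membership and prepopulate

# Accounts the RODC has forwarded to an RWDC since it was built ...
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
# ... and accounts whose password the RODC actually holds.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$revealedDn = @($revealed | ForEach-Object { $_.DistinguishedName })

# Authenticated but not cached: these fail the moment the VPN drops.
$notCached = @($authenticated | Where-Object { $revealedDn -notcontains $_.DistinguishedName })

# Report users and computers separately; the computer accounts are the ones
# that get forgotten, and an uncached workstation cannot log anyone on.
$notCached | Group-Object ObjectClass | ForEach-Object {
    '{0,-9} not cacheable on {1}: {2}' -f $_.Name, $Rodc, ($_.Group.SamAccountName -join ', ')
}

if ($Apply) {
    foreach ($acct in $notCached) {
        # Allow caching, then push the secret from the RWDC now so the first
        # outage is not the first time the RODC needs it. A failure here
        # usually means the account is in a Denied group (e.g. Domain Admins);
        # that is the intended outcome for privileged accounts, so leave it.
        Add-ADGroupMember -Identity $AllowGrp -Members $acct
        try {
            Sync-ADObject -Object $acct -Source $Rwdc -Destination $Rodc -PasswordOnly -ErrorAction Stop
        } catch {
            Write-Warning ("Could not prepopulate {0}: {1}" -f $acct.SamAccountName, $_.Exception.Message)
        }
    }
}

# Stolen or compromised RODC: this is the list of accounts whose secrets were
# on the box and must be reset (users: Set-ADAccountPassword -Reset; computers:
# Reset-ComputerMachinePassword on the machine) before the RODC object is removed.
# Deleting the RODC in ADU&C offers the same reset; this keeps a record for IR.
$revealed |
    Select-Object SamAccountName, ObjectClass, DistinguishedName |
    Export-Csv -Path ".\$Rodc-revealed-accounts.csv" -NoTypeInformation
```

Run the report while the VPN is healthy and compare it against the branch's actual user and computer list; accounts that never appear in the authenticated set (new hires, rebuilt PCs) will not be caught by the audit and should be added to the allow group when they are provisioned.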
 
LVL 17

Author Comment

by:Tiras25
ID: 39266863
Understood. In my case, users only, no computers. I'm thinking maybe just doing a domain trust relationship is better. Faster to implement. But less fault tolerance. If the VPN link is down users won't be able to log in.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39267821
Yes, if the link is down users will face authentication issues. But for a domain trust you need to have a DC in the other site. Are you planning to have another forest, or a writable DC/RODC of the same forest?
 
LVL 17

Author Comment

by:Tiras25
ID: 39267938
Yes, I already have another forest with a writable DC. How can I make the trust relationship more tolerant though? That's the issue.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 333 total points
ID: 39267978
If there is a connectivity issue then resources will not be accessible and users will fail authentication, as the trust will be broken if connectivity does not exist.
 
LVL 17

Author Comment

by:Tiras25
ID: 39268682
Understood. Looking for a way to make the domain trust relationship more fault tolerant.