
AD Replication at Remote Location.

We are trying to set up a remote domain controller Windows 2003.
At the main office we currently have AD1 which is our primary AD and AD2 which is a backup. Now due to server migration and moves we need to temporarily setup a third AD (AD3) at a remote location.
Our router does not support VPN and seeing this is a temporary situation, we do not want to upgrade at this time. Trying to determine the best way to configure the system so that remote AD3 can replicate with AD1 in the main office.
Here is what we have done so far. Set up AD3 and ran DCPromo. All 3 ADs are on the same domain – example.com, but AD3 is using a different IP scheme. Example - main office and remote office. We have configured NAT at the remote site and assigned an external IP to AD3.
In Active Directory Sites and Services, renamed the default site to Main and created a new site for the Remote office. Added subnets for Main office and Remote; for the Remote office, we used the external IP. Then created an Inter-Site link between offices using IP. Pointed DNS entries for Remote AD3 to its external IP.
In the TCP/IP settings of AD3, unchecked “Register this connection’s address in DNS”.
When replication takes place, the DNS entry for AD3 is changed to the private IP address. Even tried changing it on all 3 ADs and it still reverts back to the private IP the next time it replicates. Once this happens, AD1 can no longer communicate with AD3. Is there a way to prevent DNS settings for AD3 from changing, or perhaps we are going about this all entirely wrong...
2 Solutions
Could you clarify whether your use of "AD" means you actually have three separate AD environments, or whether those represent domain controllers of the same domain.

Back to your question: unless you have typos in the IP address ranges you provided, the issue is that 192.1 and 192.20 are not private IP blocks, but are actually external systems.
You need to use one of the three private segments:
10. a choice of one on this range

Do you have a VPN connection between these locations?

Your AD design might not include sites/branches.
TomProAuthor Commented:
All 3 Domain controllers are for the same domain.

The IP addresses I provided were just an example, sorry for the confusion. The main office has 192 and the remote office is using 10. Also, we have NAT set up at the remote office with a public IP pointing to the AD (AD3).

No VPN connection. Our router at the main office does not support VPN and seeing this is a temporary situation, we do not want to upgrade at this time.

Our AD design does include Sites, the Main office is in a separate site from the Remote office.
You can set up an IPsec VPN policy between/among DCs to facilitate replication.
Exposing DC3 on the internet is a bad/dangerous idea.
OpenVPN might also be an option, or PPTP via RRAS.

Does the remote new office need access to data from the main office?
TomProAuthor Commented:
The remote office does not need to access data from the main office.

Will review the IPSec Tunneling as an option.
OpenVPN might be a simpler option to implement.
Between DC3 and DC2.

IPsec Windows setup guide
Some form of VPN is your only option here. You can't put the DC behind a NAT/firewall and get replication working, as the DC's actual IP address is always used for replication (hence why your DNS keeps changing back).

If 3rd-party VPN software is the way you go, I'd recommend only setting it up on one of the main site servers.
3rd-party software, particularly VPN software that adds additional 'NICs' to the server, can have some dodgy effects on domain controllers. Keeping one free from VPN stuff safeguards your domain from total loss in the event the VPN client causes problems.
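As an added illustration of the point above (this is not code from the thread or from any of its posters), here is a PowerShell check that, for every DC in the domain, compares the A record Netlogon registered in DNS with the address the DC reports for itself and then tests whether that registered address answers on the LDAP port from where the script runs. It assumes a current Windows admin host with the ActiveDirectory, DnsClient and NetTCPIP modules; a NAT'd DC shows up as a registered RFC 1918 address that is unreachable from the other site, which is exactly why replication to it fails.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory,
# DnsClient and NetTCPIP modules (Server 2012 / Windows 8 RSAT or later) and a
# domain account that can query AD and DNS.
Import-Module ActiveDirectory

# RFC 1918 ranges: a DC whose registered address falls in one of these is only
# reachable from sites that are routed to that private network.
function Test-PrivateIPv4 {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Build one row per DC: the address the DC reports, the A record Netlogon
# registered for it, and whether LDAP (TCP 389) on that record answers from here.
function Get-DcReplicationAddressReport {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $records = Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty IPAddress
        $first = if ($records) { @($records)[0] } else { $null }
        $reachable = $false
        if ($first) {
            $reachable = (Test-NetConnection -ComputerName $first -Port 389 `
                            -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            DC                  = $dc.HostName
            Site                = $dc.Site
            ReportedIP          = $dc.IPv4Address
            RegisteredIP        = ($records -join ',')
            RegisteredIsPrivate = $(if ($first) { Test-PrivateIPv4 $first } else { $null })
            Ldap389Reachable    = $reachable
        }
    }
}

# DCs whose registered address is private and does not answer on 389 from this
# site are the symptom described in the thread: replication partners will keep
# targeting an address the other site cannot route to.
Get-DcReplicationAddressReport |
    Where-Object { $_.RegisteredIsPrivate -and -not $_.Ldap389Reachable } |
    Format-Table -AutoSize
```

Run it from a member server in the main site; a DC listed in the output with a private RegisteredIP that differs from the address you expected to see is the one Netlogon keeps re-registering.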