AD Replication at Remote Location.

We are trying to set up a remote domain controller Windows 2003.
At the main office we currently have AD1 which is our primary AD and AD2 which is a backup. Now due to server migration and moves we need to temporarily setup a third AD (AD3) at a remote location.
Our router does not support VPN and seeing this is a temporary situation, we do not want to upgrade at this time. Trying to determine the best way to configure the system so that remote AD3 can replicate with AD1 in the main office.
Here is what we have done so far. Set up AD3 and ran DCPromo. All 3 ADs are on the same domain – example.com, but AD3 is using a different IP scheme. Example - main office 192.1.1.0 and remote office 192.20.1.0. We have configured NAT at the remote site and assigned an external IP to AD3.
In Active Directory Sites and Services renamed the default site to Main and created a new site for the Remote office. Added subnets for Main office and Remote; for the Remote office, we used the external IP. Then created an Inter-Site link between offices using IP. Pointed DNS entries for Remote AD3 to its external IP.
In the TCP/IP settings of AD3 unchecked “Register this connection’s address in DNS”.
When replication takes place, the DNS entry for AD3 is changed to the private IP address. Even tried changing it on all 3 ADs and it still reverts back to the private IP the next time it replicates. Once this happens, AD1 can no longer communicate with AD3. Is there a way to prevent DNS settings for AD3 from changing, or perhaps we are going about this all entirely wrong…..
TomProAsked:
arnoldCommented:
Could you clarify whether your use of AD means you actually have three separate AD environments, or whether those represent domain controllers of the same domain?

Back to your question: unless you have typos in the IP address ranges you provided, the issue is that 192.1 and 192.20 are not private IP blocks, but actually are external systems.
You need to use one of the three private segments:
10. (a choice of one range within this block)
172.16-31.
192.168.

Do you have a VPN connection between these locations?

Your AD design might not include sites/branches.
0
TomProAuthor Commented:
All 3 Domain controllers are for the same domain.

The IP addresses I provided were just an example, sorry for the confusion. The main office has 192 and remote office is using 10. Also, we have NAT setup on the remote office with a public IP pointing to the AD (AD3).

No VPN connection. Our router at the main office does not support VPN and seeing this is a temporary situation, we do not want to upgrade at this time.

Our AD design does include Sites, the Main office is in a separate site from the Remote office.
0
arnoldCommented:
You can set up an IPsec VPN policy between/among DCs to facilitate replication.
Exposing DC3 on the internet is a bad/dangerous idea.
OpenVPN might also be an option, or PPTP via RRAS.

http://support.microsoft.com/?scid=kb%3Ben-us%3B816514&x=4&y=1

Does the remote new office need access to data from the main office?
0

TomProAuthor Commented:
The remote office does not need to access data from the main office.

Will review the IPSec Tunneling as an option.
0
arnoldCommented:
OpenVPN might be a simpler option to implement, between DC3 and DC2.
http://openvpn.net/index.php/open-source/documentation/howto.html

IPsec Windows setup guide
http://support.microsoft.com/?scid=kb%3Ben-us%3B816514&x=4&y=1
0
SteveCommented:
Some form of VPN is your only option here. You can't put the DC behind a NAT/firewall and get replication working, as the DC's actual IP address is always used for replication (hence why your DNS keeps changing back).

If 3rd party VPN software is the way you go, I'd recommend only setting it up on one of the main site servers.
3rd party software, particularly VPN software that adds additional 'NICs' to the server, can have some dodgy effects on domain controllers. Keeping one free from VPN stuff safeguards your domain from total loss in the event the VPN client causes problems.
0
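Two points in this thread are worth a quick check that can be run against any domain: arnold's note that 192.1.x and 192.20.x are not RFC 1918 private blocks, and Steve's explanation that a DC always registers and replicates with its real address, so a DC whose DNS records carry a public (NAT'd) address is effectively exposed on the internet. The following Python script is an added example, not code from the thread or from Microsoft; the function names `is_rfc1918`, `audit_dc_records` and `resolve_dcs` and the sample records are constructed for illustration, and the 203.0.113.7 address is taken from the documentation range rather than from any real host.

```python
import ipaddress
import socket

# The three RFC 1918 private blocks named in the thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip):
    """True if ip falls inside one of the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_dc_records(records):
    """Given {dc_hostname: [A-record addresses]}, return the DCs whose
    records point outside RFC 1918 space, mapped to those addresses.
    A hit means the DC is reachable from the internet, or that a NAT'd
    public address has been registered for it in DNS."""
    findings = {}
    for name, addrs in records.items():
        public = [a for a in addrs if not is_rfc1918(a)]
        if public:
            findings[name] = public
    return findings


def resolve_dcs(names):
    """Live-lookup helper: resolve each DC hostname with the local resolver.
    Not used by the sample run below, which works on constructed data."""
    out = {}
    for n in names:
        try:
            out[n] = socket.gethostbyname_ex(n)[2]
        except socket.gaierror:
            out[n] = []
    return out


# Constructed sample: the addressing from the first post (192.1.x is not
# private), a main-office DC on a 192.168 range, and a remote DC that has
# both its private address and a NAT'd public address registered.
SAMPLE_RECORDS = {
    "ad1.example.com": ["192.1.1.10"],
    "ad2.example.com": ["192.168.1.11"],
    "ad3.example.com": ["10.20.1.12", "203.0.113.7"],
}

if __name__ == "__main__":
    for dc, addrs in audit_dc_records(SAMPLE_RECORDS).items():
        print(f"{dc}: public address(es) in DNS -> {', '.join(addrs)}")
```

Run as-is it reports ad1 (non-private 192.1.x range) and ad3 (public NAT address); to check a real domain, feed `audit_dc_records(resolve_dcs([...]))` the hostnames of your DCs. Any DC that shows up is one that should be reached over a VPN, as the answers above recommend, rather than by a public address in DNS.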