AD subnets VPN

I need to set up a remote location that authenticates AD to the DC at the main office. There is no on-site DC. I have the VPN set up to the remote office. On the firewall I have DHCP giving the secondary DNS to the main office DC. Should this work? Do I need to add anything about the co-location's subnet at the DC in the main office?
WIZU2 Asked:
Julian123 Commented:
I'd recommend the following:
1. Ensure your primary DNS server is an AD-integrated DNS server in addition to your secondary. Typically, folks use DCs as DNS servers but this isn't required (it could be an AD-integrated DNS server that isn't also a DC). The best practice is that the DNS server has all the records used by workstations to find domain controllers to authenticate and having DNS be AD-integrated helps ensure that will happen.
2. Set up your AD sites and services subnet to associate the subnet used by the remote office with the DC at the main office. This ensures that machines in that remote office will connect to the DC(s) in the main office and not some other DCs that could be in another remote office (if you have one).


Thanks!
WIZU2 (Author) Commented:
I know how to add the additional subnets, but how do you make it associate?
N-W Commented:
On the firewall I have DHCP giving the secondary DNS to the Main office DC. Should this work?

I highly recommend you point both primary and secondary DNS to the main office's DNS servers. If you have the primary DNS as an external source (your ISP's DNS, Google DNS, etc) then lookups for internal domain resources (file shares, printers etc) will often fail.

I know how to add the additional subnets, but how do you make it associate?

When you create the new subnet, you need to select the required site like this:
[screenshot: ADSS, site selection when creating the subnet]
So to associate the 192.168.1.0/24 subnet with the "HQ" site, you would just select HQ and hit OK.
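The same subnet-to-site association done with the ActiveDirectory PowerShell module, plus the checks a remote-office client should pass afterwards. This is an added example, not code from the thread; it assumes RSAT is installed and reuses the "HQ" site and 192.168.1.0/24 subnet named above (adjust both for your environment).

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module,
# a site named "HQ" and the remote-office subnet 192.168.1.0/24 used above.
Import-Module ActiveDirectory

$SiteName   = 'HQ'
$SubnetName = '192.168.1.0/24'

# 1. Associate the remote-office subnet with the HQ site: create it if it is
#    missing, or re-point it if it already exists but maps to another site.
$site   = Get-ADReplicationSite -Identity $SiteName
$subnet = Get-ADReplicationSubnet -Filter "Name -eq '$SubnetName'"
if (-not $subnet) {
    New-ADReplicationSubnet -Name $SubnetName -Site $site -Description 'Remote office over VPN'
} elseif ($subnet.Site -ne $site.DistinguishedName) {
    Set-ADReplicationSubnet -Identity $SubnetName -Site $site
}

# 2. Audit every subnet and the site it maps to. A subnet with no site is a gap:
#    clients from it will authenticate against whichever DC the locator finds first.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{ n = 'Site'; e = {
        if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=' } else { '<none>' } } } |
    Sort-Object Name

# 3. Run on a workstation in the remote office after it renews its DHCP lease.
nltest /dsgetsite                       # should print HQ once the mapping is in place
nltest "/dsgetdc:$env:USERDNSDOMAIN"    # shows the DC the locator chose and its site
# Both DNS entries handed out by the firewall should be internal DCs, never an ISP or public resolver.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
```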
Sandeshdubey (Senior Server Engineer) Commented:
Also ensure correct DNS settings on the DC and clients, as described here:

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

To associate the subnet with a site see this:
http://www.activewin.com/win2000/step_by_step/active_directory/adsites.shtml
WIZU2 (Author) Commented:
OK, the second DC at the remote location is in a different time zone. The DC is pulling the time from the main office. How do I fix that issue?
N-W Commented:
The second DC should only "pull" UTC time from the DC holding the "PDC Emulator" FSMO role. This allows you to set a different timezone on the secondary DC and it should automatically calculate the correct time to display.

Has the correct timezone been set on the second DC?
WIZU2 (Author) Commented:
I set the second DC at the remote location to the right time zone. But now the DC at main office is complaining about the time difference event ID 1925.
N-W Commented:
Are you able to post the full event error message?

ID 1925 usually refers to DNS lookup issues regarding AD replication.

It may be worth resetting the NTP configuration on your secondary DC too:
net stop w32time
w32tm /unregister (enter this command twice if presented with an error)
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time
