AD sites connection subnet question

Hi
I set up an Active Directory with 2 domain controllers. Each is within a physically separated network with one public IP behind a firewall. If I open a VPN tunnel on one server, the replication works. But I want to make the replication work without a manual VPN connection (although it is now a scheduled task, a user session is still necessary). The plan is to implement a direct server connection, for instance by using IPsec. Therefore, I created two AD sites and, as far as I understand, I put the public IP of one network in the IP address field in the "add subnet" wizard. Is this correct? What subnet mask do I need to add, /0? I would then configure port forwarding to the internal server address on the firewall?

Is this concept going to work, or would it be easier to set up a VPN tunnel between the networks and use different IP ranges? This would require new routers.

Thanks in advance for any help!
KellerIT asked:

Will Szymkowski, Senior Solution Architect, commented:
AD Sites and Services is merely a logical representation of how DC replication is managed (manually or by the KCC). If you did not set up AD Sites and Services, your AD authentication would work, but it would not be consistent. Sites and Services works by creating logical sites for DCs and also by providing users a way to authenticate to an appropriate domain controller that is in the same site, which provides efficiency.

Sites and Services wants the internal IP subnet for each logical site you have in Active Directory. Regardless of how you connect your sites physically (VPN/MPLS/direct connection/etc.), Sites and Services does not care. That being said, you just need to have a physical connection, and then you can associate the IPs/subnets in Sites and Services.

Will.

Mahesh, Architect, commented:
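The point in Will's answer, that sites get the internal subnets and a site link between them, written out as an added PowerShell example (not code from the original thread). Site names, subnet ranges, DC names, link cost and interval are assumptions for illustration; it needs the ActiveDirectory module (RSAT-AD-PowerShell) and domain-admin rights.

```powershell
# Added example, not part of the original thread. Defines two AD sites, each
# with its INTERNAL subnet (never the firewall's public IP), one site link
# between them, and moves each DC into its site. All names/ranges are assumptions.
Import-Module ActiveDirectory

$sites = @{
    'Site-A' = @{ Subnet = '10.10.0.0/24'; DC = 'DC01' }   # assumed values
    'Site-B' = @{ Subnet = '10.20.0.0/24'; DC = 'DC02' }   # assumed values
}

foreach ($siteName in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    $subnet = $sites[$siteName].Subnet
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        # The subnet object tells clients and the KCC which site a given
        # private address belongs to; a /0 would swallow every address.
        New-ADReplicationSubnet -Name $subnet -Site $siteName
    }
}

# One IP site link joining both sites. Cost and interval drive the KCC's
# intersite schedule; 15 minutes is the minimum interval the GUI allows.
$linkName = 'Site-A_Site-B'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded 'Site-A', 'Site-B' `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}
# options bit 0x1 = USE_NOTIFY: replicate on change instead of waiting
# for the interval. Useful on a permanent tunnel, not on a metered link.
Set-ADReplicationSiteLink -Identity $linkName -Replace @{ options = 1 }

# Move each DC's server object out of Default-First-Site-Name into its site.
foreach ($siteName in $sites.Keys) {
    Move-ADDirectoryServer -Identity $sites[$siteName].DC -Site $siteName
}

# Recompute the topology now and verify partners were created across the link.
repadmin /kcc
repadmin /syncall /AdeP
repadmin /replsummary
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
```

If the site link is not reachable (tunnel down, DNS not resolving the peer's internal name), `repadmin /replsummary` will show the failure count climbing; the subnet objects themselves do nothing to make the DCs reachable.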
Not sure, are you referring to AD sites and subnets?
If that's the case, adding a public IP to AD Sites and Services is not required.

All you need to do is create a site-to-site VPN tunnel between both sites and replicate the DCs over the internet through the VPN tunnel.
http://computer.howstuffworks.com/vpn4.htm

Mahesh

ZenVenky, Architect, commented:
Instead of doing it the hard way, I would suggest you configure site-to-site VPN tunneling, which will take care of AD replication and DC communication. Before you proceed to do anything, just ping one DC from the other; if it resolves the IP to the name and the name to the IP, then it's good. If not, then go ahead and configure site-to-site tunneling in the VPN. To do so, refer to your VPN configuration documents.
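The pre-flight check ZenVenky describes (name-to-IP and IP-to-name resolution of the peer DC before relying on the tunnel), extended to the TCP ports DC-to-DC replication actually uses and to a replication-status readout once the tunnel is up. This is an added example, not code from the original thread; the peer's FQDN, its internal address and the hostname used for `-Target` are assumptions. Run it on one DC against the other, then swap.

```powershell
# Added example, not part of the original thread. Checks forward/reverse DNS
# for the remote DC over the tunnel, probes the ports AD replication needs,
# then reports replication partner state. Peer name/IP are assumptions.
$peer       = 'dc02.corp.example'   # hypothetical FQDN of the remote DC
$expectedIp = '10.20.0.10'          # its INTERNAL address, reachable only via the tunnel

# DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445 (SYSVOL),
# kpasswd 464, LDAPS 636, GC 3268/3269. The RPC dynamic range is probed below.
$ports = 53, 88, 135, 389, 445, 464, 636, 3268, 3269

$ok = $true
$forward = Resolve-DnsName -Name $peer -Type A -ErrorAction SilentlyContinue
if (-not $forward -or ($forward.IPAddress -notcontains $expectedIp)) {
    Write-Warning "Forward lookup of $peer did not return $expectedIp (DC must resolve to its tunnel-side address, not a public IP)."
    $ok = $false
}
$reverse = Resolve-DnsName -Name $expectedIp -Type PTR -ErrorAction SilentlyContinue
if (-not $reverse -or ($reverse.NameHost -ne $peer)) {
    Write-Warning "Reverse lookup of $expectedIp did not return $peer."
    $ok = $false
}

foreach ($port in $ports) {
    $r = Test-NetConnection -ComputerName $expectedIp -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    if (-not $r.TcpTestSucceeded) { $ok = $false }
    '{0,5}  {1}' -f $port, $state
}

# Port 135 only hands out a dynamic RPC port (49152-65535 by default); the tunnel
# or firewall must pass that whole range. Alternatively pin NTDS to one port via
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, DWORD "TCP/IP Port",
# and open just that port. Spot-check one port from the dynamic range here.
$sample = Test-NetConnection -ComputerName $expectedIp -Port 49152 -WarningAction SilentlyContinue
'{0,5}  {1}  (sample from RPC dynamic range)' -f 49152, $(if ($sample.TcpTestSucceeded) { 'open' } else { 'filtered/closed' })

if (-not $ok) {
    Write-Warning 'Fix DNS and tunnel/firewall rules before expecting replication to work.'
}

# Once the tunnel is up, confirm replication end to end rather than trusting ping.
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
Get-ADReplicationFailure -Target $env:COMPUTERNAME
```

A successful ping proves only ICMP; replication needs LDAP, Kerberos and RPC through the tunnel, so the port table is the result to look at. Port-forwarding a single public IP to the internal DC, as the question proposes, cannot satisfy the RPC dynamic range and exposes the DC's directory ports to the internet, which is why every answer above steers toward a site-to-site tunnel.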