3 sites, 1 AD, DNS questions

Hello,

I have 3 sites:
HQ - 10.181.82.0 / Server 2008 R2 - moving to 2012 shortly
Site A - 172.26.10.0 / Server 2008 R2
Site B - 172.21.122.0 / Server 2012

I have Juniper 5GT at all three sites with VPN back to HQ. My question is: I want HQ to be the main Active Directory server, and Site A & B to be members or DCs; they are basically file servers, Symantec Endpoint. I've tried setting up site B today and the Server 2012 keeps dropping, and I can't see anything on the HQ side. If I do a DNS refresh it will come back - sometimes.
So, I need some assistance with this.
1.  Do I make the remote servers Member server or Domain controllers?
2.  What DNS entries should be made, or don't touch them?

Any help would be much appreciated.

Chad
cirschick asked:

Will Szymkowski, Senior Solution Architect, commented:
Site A & B to be members or DC, they are basically file servers, Symantec endpoint
As a rule of thumb, DCs should not be file servers as well. There are special permissions/restrictions for DCs and it is not a good idea to have this type of setup.

1.  Do I make the remote servers Member server or Domain controllers?
How many users are in each remote site, and what type of connection do you have at your remote sites back to HQ? If you were going to put a DC in these sites, it should be based on the number of users and also your connection back to HQ. It should also be on a separate server and not a file server.

2.  What DNS entries should be made, or don't touch them?
Based on your initial issue, the 2012 server drops? Do you mean it is removed from DNS? Or can you ping it?

If this is the case, setting up additional DCs will probably not correct this issue.

I would possibly enable DNS diagnostic logging:
https://technet.microsoft.com/en-ca/library/cc759581(v=ws.10).aspx

Will.
0
Lee W, MVP, Technology and Business Process Advisor, commented:
First, while at a basic level I agree - DCs should not be file servers and vice versa - I would point out that many small businesses (with multiple sites or not) do not have the budget to allow for separation of these services. USUALLY, in my experience, businesses have a mail server, a database server, an RDS server, or a LOB app server that would (these days) eat the available license (when virtualizing). And given all those other functions, the BEST candidate to be the file server is the DC in almost all circumstances. So, while Will is correct, it's far from the point I'd want to focus on.

For me, my general rule, *IF* you understand AD backup and restore procedures and when it's appropriate to use them, is to put a single DC at each site so that you a) have offsite redundancy of AD; and b) have a local authentication server for your users. The exception being when a) your link between sites is VERY unreliable and b) your remote sites consist of fewer than 10 users (even then, I might still put a remote DC at ONE of the remote sites for off-site redundancy).

You should not be touching DNS.  DCs update DNS every reboot (technically, every time the netlogon service starts).  Especially if the DCs are your file servers, then you definitely don't need to make any DNS modifications.  If not, then assuming you have default settings for DHCP, DNS, and your workstations, the DNS for Windows systems should update automatically.  You might want to enable scavenging but other than that, you shouldn't need to touch it.  

As for connectivity, you need to test and evaluate the reliability of your links.  Are you using a VPN between sites?
0
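Added example, not from the thread or from any of the posters: a PowerShell check a remote-site admin can run on the site B server to confirm what Lee describes, that the DC's records are in DNS without anyone touching them by hand. It lists the DNS servers the box actually uses, queries the SRV records Netlogon registers at start-up directly against the HQ DC (10.181.82.152, from the thread), and asks the DC locator which DC it would pick and whether the secure channel is good. The domain name and DC host name are placeholders; Resolve-DnsName and Get-DnsClientServerAddress need Windows 8 / Server 2012 or later, so run it on the 2012 box.

```powershell
# Added example (not from the thread): verify from a remote-site Windows server that the HQ DC
# is resolvable and that its AD service records are registered, then ask the locator for a DC.
# Assumptions: 'corp.example' and 'hqdc01' are placeholders; 10.181.82.152 is the HQ DC from the thread.
param(
    [string]$Domain = 'corp.example',      # placeholder AD domain name
    [string]$DcIp   = '10.181.82.152'      # HQ DC / primary DNS server (from the thread)
)

$results = [ordered]@{}

# 1. Which DNS servers is each adapter actually using? Remote clients should list the HQ DC first.
$results.DnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. The SRV records Netlogon registers every time it starts. If these are missing or stale,
#    clients cannot locate a DC no matter how healthy the link is.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain"
)
$results.Srv = foreach ($name in $srvNames) {
    try {
        # query the HQ server explicitly so the local cache / other servers do not mask a gap
        Resolve-DnsName -Name $name -Type SRV -Server $DcIp -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port, Priority
    } catch {
        [pscustomobject]@{ Name = $name; NameTarget = "NOT FOUND: $($_.Exception.Message)"; Port = $null; Priority = $null }
    }
}

# 3. Ask the DC locator which DC this machine would use, and verify its secure channel.
#    (nltest ships with Windows Server; both switches are standard.)
$results.Locator       = (nltest "/dsgetdc:$Domain" 2>&1) -join "`n"
$results.SecureChannel = (nltest "/sc_verify:$Domain" 2>&1) -join "`n"

# If the SRV records are missing, restart Netlogon on the DC (or run 'nltest /dsregdns' there)
# rather than creating records by hand, which is exactly the manual DNS editing Lee advises against.
$results
```

Save as a .ps1 and run it from an elevated prompt on the site B server; a healthy result shows the HQ DC as NameTarget for all three SRV names and `The command completed successfully` from both nltest calls.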
cirschick (Author) commented:
We are using the Juniper 5GT routers, IPsec VPN, there is a 10Mbps full fiber internet connection at each site.
So I have no problem with having the files on the HQ server as long as site A/B can access them without issues.
New question: the clients at site B (172.21.122.0/24) have issues pinging DNS names such as servers/PCs on the HQ (10.181.82.0/24) network. The primary DNS server on the clients/remote server is the HQ main DC, 10.181.82.152.
The local authentication users: I just created an OU group called remoteBusers & remoteBcomputers within my main AD; I've also created a specific GP for that OU outside of the main HQ OU.
0
Will Szymkowski, Senior Solution Architect, commented:
New question is the clients at site B (172.21.122.0/24) has issues pinging DNS names such as server/ PC on the HQ (10.181.82.0/24) network.

If you are having issues pinging the DNS/DCs in HQ, this is going to create issues all around.

You need to get your network sorted out first, which then should resolve the DNS issues you had originally.

Will.
0
cirschick (Author) commented:
So would you say I should be looking into the router more?
0
Will Szymkowski, Senior Solution Architect, commented:
If you are having ping issues, this is basic network troubleshooting. You might want to look into the firewall rules at each site, and also possibly use tracert to determine if a specific hop is creating the dropped packets.

But yes, you need to look deeper into the network.

Will.
0
cirschick (Author) commented:
AWESOME!!!! Ping is fine, tracert works,
after 10-15 minutes it drops.

MUST BLOW UP ROUTER!!!
0
Will Szymkowski, Senior Solution Architect, commented:
Yes, this definitely points to some network gear in your remote site.

Replace it and you should be fine.

Will.
0
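Added example, not from the thread or from any of the posters: before swapping hardware on the strength of "it works, then drops after 10-15 minutes", it is worth having a timestamped record of exactly when the link fails and whether plain reachability (ICMP) and name resolution through the HQ DNS server fail together or separately. This PowerShell monitor samples the HQ DC (10.181.82.152, from the thread) at a fixed interval from the site B server and writes only state transitions to a CSV, so the output reads as an outage timeline that can be lined up against the VPN gateway's own logs (a drop that recurs at a fixed interval is the kind of thing to compare with the tunnel's lifetime/rekey timing). The FQDN and log path are placeholders; it needs PowerShell 3.0 / Server 2012 or later for Resolve-DnsName and Export-Csv -Append.

```powershell
# Added example (not from the thread): log ICMP reachability and DNS resolution of the HQ DC
# across the site-B VPN, recording only changes of state with a timestamp.
# Assumptions: 10.181.82.152 is the HQ DC from the thread; the FQDN and log path are placeholders.
param(
    [string]$DcIp        = '10.181.82.152',           # HQ DC and primary DNS (from the thread)
    [string]$TestName    = 'hqdc01.corp.example',     # placeholder name served by the HQ DNS server
    [int]   $IntervalSec = 30,                        # sample interval
    [int]   $DurationMin = 60,                        # total run time
    [string]$LogPath     = "$env:TEMP\vpn-link-monitor.csv"   # placeholder log location
)

function Test-LinkSample {
    param([string]$Ip, [string]$Name)
    # ICMP over the tunnel: -Quiet makes Test-Connection return $true/$false instead of throwing
    $ping = Test-Connection -ComputerName $Ip -Count 1 -Quiet -ErrorAction SilentlyContinue
    # DNS query sent to the HQ server itself, so a failure here is the DNS path, not the local cache
    $dns = $false
    try {
        $null = Resolve-DnsName -Name $Name -Server $Ip -DnsOnly -ErrorAction Stop
        $dns = $true
    } catch { }
    [pscustomobject]@{
        Time = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        Ping = $ping
        Dns  = $dns
    }
}

$deadline = (Get-Date).AddMinutes($DurationMin)
$last = $null
while ((Get-Date) -lt $deadline) {
    $sample = Test-LinkSample -Ip $DcIp -Name $TestName
    $state  = "ping=$($sample.Ping) dns=$($sample.Dns)"
    if ($state -ne $last) {
        # only transitions are written, so the CSV is a compact timeline of up/down events
        $sample | Export-Csv -Path $LogPath -Append -NoTypeInformation
        Write-Host "$($sample.Time)  $state"
        $last = $state
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Run it from the site B server for an hour or two; if the CSV shows ping and DNS failing at the same moments on a regular cadence, the problem sits on the tunnel or the gear carrying it, as Will says, and the timestamps tell you which device log to read first. If DNS fails while ping stays up, look at the DNS server and its firewall rules instead of the router.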