3 sites, 1 AD, DNS questions

Hello,

I have 3 sites,
HQ - 10.181.82.0/ Server 2008 R2 - moving to 2012 shortly
Site A - 172.26.10.0 Server 2008 R2
Site B - 172.21.122.0 Server 2012

I have juniper 5GT at all three sites with VPN back to HQ.  My question is I want HQ to be the main active directory server.  Site A & B to be members or DC, they are basically file servers, Symantec endpoint.  I've tried setting up site B today and server 2012 keeps dropping and I can't see anything on the HQ side.  If I do a DNS refresh it will come back - sometimes.  
So; I need some assistance with this.  
1.  Do I make the remote servers Member server or Domain controllers?
2.  What DNS entries should be made, or don't touch them?

Any help would be much appreciated.

Chad
Asked by cirschick
 
Will Szymkowski (Senior Solution Architect) commented:
Yes, this definitely points to some network gear in your remote site.

Replace it and you should be fine.

Will.
0
 
Will Szymkowski (Senior Solution Architect) commented:
Site A & B to be members or DC, they are basically file servers, Symantec endpoint
As a rule of thumb DC's should not be file servers as well. There are special permissions/restrictions for DC's and it is not a good idea to have this type of setup.

1.  Do I make the remote servers Member server or Domain controllers?
How many users are in each remote site and what type of connection do you have at your remote sites back to HQ? If you were going to put a DC in these sites it should be based on the number of users and also your connection back to HQ. It should also be on a separate server and not a file server.

2.  What DNS entries should be made, or don't touch them?
Based on your initial issue, the 2012 server drops? Do you mean it is removed from DNS, or can you ping it?

If this is the case, setting up additional DCs will probably not correct this issue.

I would possibly enable DNS diagnostic logging:
https://technet.microsoft.com/en-ca/library/cc759581(v=ws.10).aspx

Will.
0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
First, while at a basic level I agree - DCs should not be file servers and vice versa - I would point out that many small businesses (with multiple sites or not) do not have the budget to allow for separation of these services.  USUALLY, in my experience, businesses have a mail server, a database server, an RDS server, or a LOB app server that would (these days) eat the available license (when virtualizing).  And given all those other functions, the BEST candidate to be the file server is the DC in almost all circumstances.  So, while Will is correct, it's far from the point I'd want to focus on.

For me, my general rule *IF* you understand AD backup and restore procedures and when it's appropriate to use them, is to put a single DC at each site so that you a) have offsite redundancy of AD; and b) have a local authentication server for your users.  The exception being when a) your link between sites is VERY unreliable and b) your remote sites consist of fewer than 10 users (even then, I might still put a remote DC at ONE of the remote sites for off-site redundancy).

You should not be touching DNS.  DCs update DNS every reboot (technically, every time the netlogon service starts).  Especially if the DCs are your file servers, then you definitely don't need to make any DNS modifications.  If not, then assuming you have default settings for DHCP, DNS, and your workstations, the DNS for Windows systems should update automatically.  You might want to enable scavenging but other than that, you shouldn't need to touch it.  

As for connectivity, you need to test and evaluate the reliability of your links.  Are you using a VPN between sites?
0

 
cirschick (Author) commented:
We are using the Juniper 5GT routers, IPsec VPN, there is a 10Mbps full fiber internet connection at each site.
So I have no problem with having the files on the HQ server as long as site A/B can access them without issues.
New question is the clients at site B (172.21.122.0/24) have issues pinging DNS names such as server/PC on the HQ (10.181.82.0/24) network.  The primary DNS server on the clients/remote server is the HQ main DC, 10.181.82.152.
The Local Authentication Users: I just create an OU group called remoteBusers & remoteBcomputers within my main AD, I've also created specific GP for that OU outside of the main HQ OU.
0
 
Will Szymkowski (Senior Solution Architect) commented:
New question is the clients at site B (172.21.122.0/24) has issues pinging DNS names such as server/ PC on the HQ (10.181.82.0/24) network.

If you are having issues pinging the DNS/DC's in HQ this is going to create issues all around.

You need to get your network sorted out first which then should resolve the DNS issues you had originally.

Will.
0
 
cirschick (Author) commented:
So would you say I should be looking into the router more?
0
 
Will Szymkowski (Senior Solution Architect) commented:
If you are having ping issues this is basic network troubleshooting. You might want to look into the firewall rules at each site and also possibly using tracert to determine if a specific hop is creating the dropped packets.

But yes, you need to look deeper into the network.

Will.
0
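One way to measure the link reliability Will and Lee describe, as an added example that is not code from any poster: a PowerShell watcher run on the site B server that checks ICMP, name resolution via the HQ DNS server and LDAP reachability of the HQ DC every 30 seconds and logs only state changes, so an intermittent drop gets a timestamp you can compare against the 5GT tunnel settings. The HQ DC IP comes from the thread; the DC's FQDN is a placeholder, and the DNS record must exist for the check to pass.

```powershell
# Added example (not from the thread). Assumed values: HQ DC IP from the thread,
# DC FQDN is a placeholder to replace. Needs Server 2012 / PowerShell 3 (Resolve-DnsName).
$HqDcIp          = '10.181.82.152'
$HqDcFqdn        = 'hqdc01.example.local'   # placeholder, replace with the real DC name
$IntervalSeconds = 30
$LogFile         = "$env:TEMP\vpn-dc-watch.log"

function Test-HqDc {
    # ICMP reachability of the DC across the IPsec tunnel
    $ping = Test-Connection -ComputerName $HqDcIp -Count 1 -Quiet

    # Name resolution using the client's configured DNS server (the HQ DC itself)
    $dns = $false
    try {
        $null = Resolve-DnsName -Name $HqDcFqdn -Type A -DnsOnly -ErrorAction Stop
        $dns = $true
    } catch { }

    # TCP 389 (LDAP) on the DC, with a 3 s timeout, via .NET so it works on plain 2012
    $ldap = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HqDcIp, 389, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(3000, $false)) {
            $client.EndConnect($async)
            $ldap = $true
        }
    } catch { } finally { $client.Close() }

    [pscustomobject]@{ Time = Get-Date; Ping = $ping; Dns = $dns; Ldap = $ldap }
}

$last = $null
while ($true) {
    $r     = Test-HqDc
    $state = "Ping=$($r.Ping) Dns=$($r.Dns) Ldap=$($r.Ldap)"
    if ($state -ne $last) {
        # Log transitions only; the gap between an 'up' and the next 'down' line is what
        # you compare with the tunnel's lifetime/rekey interval and the firewall logs.
        $line = "$($r.Time.ToString('s')) $state"
        Add-Content -Path $LogFile -Value $line
        Write-Output $line
        $last = $state
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

If ping stays up while DNS or LDAP fail, the problem is above layer 3 (DNS or firewall rules) rather than the tunnel itself.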
 
cirschick (Author) commented:
AWESOME!!!!, ping is fine, tracert works
after 10-15 minutes it drops

MUST BLOW UP ROUTER!!!
0