Site and services 2012 - best pratice, redundancey

I have a client with 4 main sites, All are connected by High speed VPN.

Each 'site' has it's own DC, and in DHCP each site has a different site as it's second DNS.  So we have not needed AD sites as of yet.

We are now adding a 5th site, that will not be part os the VPN mesh, it will only be off one of the sites.

This will require setting up the sites as AD sites so they know how to talk to the 5th one.

My worry / question is, When I have setup sites before, with only 1 AD in each site, when the AD goes down, the site goes down, the machines seem to stop looking at the other sites as backup.  

Am I missing something that allows sites to stills goto another site's AD?  Is there a better way to set up the sites?

Also, what happens when a machine not in any defined sites' IP range comes along, does it go to any site?


The docs I can find online are either too simplistic, or way to detailed to answer these questions.
ewhitewayAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Robin CMSenior Security and Infrastructure EngineerCommented:
When you say "only 1 AD in each site" I assume you mean "one AD Domain Controller", and those are all DCs of the same active directory?
If you have sites set up properly, with subnets correctly defined, the machines in a particular site will normally talk to the DC at their site, unless that DC becomes unavailable. In which case they will try and find a different DC. This cuts down on WAN traffic. If you had more than one DC at a particular site, you can designate one as a "bridgehead", and this one does all the WAN communication. If you only have one DC at each site, they will all be bridgeheads.

Your problem may be that you only have one DC at each site, and that DC is possibly also the DNS server for that site. So when the DC is down, DNS is also down. DNS is required for the clients to find a DC to talk to. So you really need resilient DNS per site, which probably means adding an extra DC at each site, which helps with your availability anyway.

If you don't define a subnet, the client on that network will arbitrarily pick a DC to talk to, which may not be one on the same site as the client. You can define a "catch-all" subnet that such machines will drop into if you like, though this may not help you much.
There's some good info here, if you've not seen it: https://technet.microsoft.com/en-gb/magazine/2009.06.subnets.aspx

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
Providing slightly a separate aspects  - can consider having a global traffic controller to manage the loading and also maintain high resiliency as required. I got to know of application delivery controllers can serves it purpose though most may want to stick to either
- Azure Cloud (or a Disaster Recovery Environment) with On-premises to Azure etc; or
- AD Clustering with fault tolerance e.g. to add one or more additional DC to the AD to handle authentication and authorization requests in case there is a failure on the domain's single available domain controller

in specific, maybe the other means is to go into looking at "controllers" in example of application level support for their need for AD in different sites.. e.g. Microsoft Lync Server 2010 and 2013 - Site Resiliency using F5  BIG-IP GTM and LTM hardware loadbalancer (HLB). The global server load balancers (GTM) were implemented to manage traffic to each site based upon central site availability and health, while the local server load balancers (LTM) managed connections within each site to the local servers.
By leveraging both local and global load balancers, we achieved both server and site resiliency while using a single URL for users to connect to. The GTM resolves a single URL to different IP addresses based on the selected load balancing algorithm and availability of global services. By having the authoritative Windows DNS servers (contoso.com) delegate the URL (pool.contoso.com) to the GTM, users connecting to pool.contoso.com are sent to the appropriate site at the time of DNS resolution. The local server load balancer then gets the connection and load balances it to the appropriate server.

The HLBs were configured to monitor the Front End Pool members by using an HTTP or HTTPS monitor, which gives the load balancers the best information about the health and performance of the servers. The HLBs then use this information to load balance the incoming connections to the best local Front End. Using a feature called Feature Priority Activation, we also configured the HLBs to proxy connections to the other central site if all the local Front Ends reached capacity or no longer functioned.

The global server load balancers (GTM) were configured to monitor the HLBs in each site and to direct users to the best performing site. The GTM can be configured to send all users to a specific site in the case of active/standby central sites (as was the case for this test), or load balance users between the sites for active/active deployments. If one site reaches capacity or becomes unavailable, the GTM directs users to the other available site(s).
See the "DNS and HLB Topology Reference" for the overall architecture and flow use case in the .doc download - http://go.microsoft.com/fwlink/p/?LinkId=211389

There are also active active option for info  active-active configuration too.

*Pardon me but above mentioned is just for illustration example and I am not F5 staff per se..
ewhitewayAuthor Commented:
That confirms what I was thinking, I will set it up and see how it goes.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.