Domain controller at second office via VPN

Posted on 2016-09-15
Medium Priority
Last Modified: 2016-10-05
Here is my scenario:

We moved offices recently. To avoid moving all servers at once, we set up a site-to-site VPN since both locations have good bandwidth. Everything is working fine but we need to move the servers. At the old office we have two DCs, a file server, an Exchange server, and another app server.

I have moved the file server and it works fine after reconfiguring the NIC and updating the DNS settings via DC.

I want to move Exchange next, but my concern is that I won't have a DC at the new office once I'm ready to unplug the DCs at the old office.

I'm a bit confused on whether I should just bring the DCs, change the IPs, flush DNS, and configure DHCP to give clients the new IP addresses of the DCs for DNS, OR set up domain Sites and Services, which I have no experience with.

What is the proper way of doing this to prevent issues/downtime? It sounds like I need to set up a third DNS server at the new office, but I'm not sure of the process and best practices.

Help please.

DCs are 2012 R2; each site has a Cisco ASA 5510. At the old site we have Windows doing DHCP; at the new site we have the ASA doing DHCP.
Question by:E. H.

Accepted Solution

arnold earned 2000 total points
ID: 41801016
Before moving a DC, add the new segment as a scope to the DHCP on the DC you are moving, and configure an IP on the remote segment on the other interface. Define scope options setting DNS to point to the local (itself) and the remote as secondary...

You would need to make sure the IP you are assigning from the other location is not already in use. Make sure to update the local DNS settings to reference itself, as well as make sure the DNS service will bind to all IPs and is not limited to a specific IP. This way, when the system boots up, the DNS server will respond when queried.

When you get to the other site, connect the NIC with the new location IP....
Check repadmin /showrepl to confirm....

Your environment can operate with a single DC at each site. Once a DC is at the new location, you can repeat the process with Exchange... Check IPs, bindings in Exchange, IIS, etc.
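The steps in the accepted solution, written out as a PowerShell script for the DC that travels first. This is an added example, not code from the thread; every name and address in it is an assumption: old office LAN 10.10.0.0/24 with DC1 at 10.10.0.10 and DC2 (the one being moved) at 10.10.0.11, new office LAN 10.20.0.0/24 where DC2 becomes 10.20.0.11 behind gateway 10.20.0.1, and a single NIC called "Ethernet" that is re-addressed on arrival (arnold's variant with a second interface pre-staged on the new subnet works the same way; only the NIC name changes). Run it elevated on DC2.

```powershell
# Added example, not from the original thread. All addresses/names are assumptions.
$OldDc      = '10.10.0.10'      # DC1, stays at the old office for now
$NewDcIp    = '10.20.0.11'      # DC2's address once it is at the new office
$NewGateway = '10.20.0.1'
$NewSubnet  = '10.20.0.0'
$NewMask    = '255.255.255.0'
$Nic        = 'Ethernet'

function Invoke-PreMovePrep {
    # Run at the OLD office, while DC2 is still on 10.10.0.11 and the VPN is up.

    # The address DC2 will take must not already be live on the new segment.
    # The VPN routes 10.20.0.0/24, so a ping is a cheap sanity check before anything else.
    if (Test-Connection -ComputerName $NewDcIp -Count 2 -Quiet) {
        throw "$NewDcIp already answers on the remote segment; pick another address"
    }

    # Stage the new-office segment as a DHCP scope on this DC. Scope options hand out
    # DC2 first and the DC staying behind second, exactly as the answer describes.
    # Left Inactive because the ASA is serving DHCP at the new site; activate it only
    # after the ASA's pool is disabled, otherwise two servers answer the same segment.
    Add-DhcpServerv4Scope -Name 'New office LAN' -StartRange 10.20.0.100 -EndRange 10.20.0.200 `
        -SubnetMask $NewMask -State Inactive
    Set-DhcpServerv4OptionValue -ScopeId $NewSubnet -Router $NewGateway `
        -DnsServer $NewDcIp, $OldDc -DnsDomain (Get-ADDomain).DNSRoot

    # Make the DNS service listen on every interface address instead of a pinned one,
    # so it answers the moment the box comes up with the new address.
    # dnscmd with no address list resets the server to "listen on all".
    dnscmd . /ResetListenAddresses
}

function Invoke-PostMoveReaddress {
    # Run at the NEW office, right after DC2 is cabled into the 10.20.0.0/24 switch.

    # Replace the old address and gateway with the new ones.
    Remove-NetRoute     -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetIPAddress -InterfaceAlias $Nic -Confirm:$false
    New-NetIPAddress    -InterfaceAlias $Nic -IPAddress $NewDcIp -PrefixLength 24 -DefaultGateway $NewGateway

    # The DC's own resolver: itself first, the remaining old-site DC second (over the VPN).
    Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $NewDcIp, $OldDc

    # Re-register the A record and the DC locator (SRV) records under the new address.
    ipconfig /registerdns | Out-Null
    nltest /dsregdns      | Out-Null

    # Replication over the VPN must be clean before Exchange is touched.
    repadmin /showrepl
    repadmin /replsummary
}

# Invoke-PreMovePrep          # at the old office
# Invoke-PostMoveReaddress    # at the new office
```

The ping test is only a coarse check (a host with ICMP filtered will not answer); a lookup of the address in the new-site ASA's DHCP bindings and ARP table closes that gap. Both `repadmin` calls should show zero failures on every naming context before you move on.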
Expert Comment

by:Simon Butler (Sembee)
ID: 41801290
Exchange without a local AD server will basically be dead in the water. It may work, but it will be very slow as Exchange is heavily dependent on AD.

Sites and Services is easy to set up - you just create a new site, add the subnet, then assign that to the relevant site. AD and Exchange do the rest. Therefore I would be putting a domain controller into that second site first: change its IP address and reboot it. Move it in Sites and Services to the new site and then it should be fine.

Once you have a domain controller (with GC role) in the second site, you can move Exchange. The best way to do that is on the old site to stop the Exchange services (in fact stop as much as you can). Change the IP address of the server (checking IIS etc as well) then shut it down. Start it up in the new site and once it is up, reboot it again to ensure it is registering correctly.
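The Sites and Services setup Sembee describes, as an added PowerShell example (not from the thread, and not Sembee's own steps verbatim). Assumed names: the new site is called NewOffice, its subnet is 10.20.0.0/24, the relocated DC is DC2, the Exchange server is EXCH01, and the old site keeps the default site name and DEFAULTIPSITELINK. Run from an elevated prompt on a DC with the ActiveDirectory module; the last block is Exchange Management Shell.

```powershell
# Added example, not from the original thread. Site/subnet/server names are assumptions.
Import-Module ActiveDirectory

$Site    = 'NewOffice'
$Subnet  = '10.20.0.0/24'
$MovedDc = 'DC2'

# Create the site and map the new office's subnet to it. The subnet mapping is what
# makes clients and Exchange on 10.20.0.0/24 prefer a DC in this site.
New-ADReplicationSite   -Name $Site
New-ADReplicationSubnet -Name $Subnet -Site $Site

# Put the new site on the existing site link so replication keeps flowing over the VPN.
# 15 minutes is the minimum inter-site interval; it keeps the two DCs close in sync
# while Exchange is still being moved.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $Site } `
    -ReplicationFrequencyInMinutes 15

# Move the relocated DC into the new site (the same thing as dragging it in dssite.msc).
Move-ADDirectoryServer -Identity $MovedDc -Site $Site

# Make the DC re-register its site-specific SRV records, then confirm a GC is
# discoverable in the new site. Without a GC here, Exchange falls back to the
# old site over the VPN, which is the slowness Sembee warns about.
nltest /dsregdns /server:$MovedDc
Get-ADDomainController -Discover -SiteName $Site -Service GlobalCatalog -ForceDiscover |
    Select-Object HostName, Site, IPv4Address

# Exchange Management Shell, after EXCH01 is at the new office: which DC/GC it is using.
# CurrentDomainControllers and CurrentGlobalCatalogs should list DC2, not the old-site DC.
# Get-ExchangeServer -Identity 'EXCH01' -Status |
#     Select-Object Name, CurrentDomainControllers, CurrentGlobalCatalogs, CurrentConfigDomainController
# On EXCH01 itself, `nltest /dsgetsite` should print NewOffice once the subnet is mapped.
```

Site awareness is decided by the subnet-to-site mapping, not by where the DC physically sits, so the DC must be moved in Sites and Services (or the subnet mapped) before Exchange arrives; otherwise Exchange keeps using the DC it already knows until its DC discovery refreshes.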

Author Comment

by:E. H.
ID: 41802554
I forgot to mention that this VPN is only temporary, we will move all of the servers and won't need the site to site vpn. In fact, I need to get rid of it after moving all servers.

Would this workaround work?

Move one of the DC's to the new office, change the LAN static IP to that office's subnet, pointing the DNS to itself and DNS2 to old office DC

Then transfer all FSMO roles to the DC at the new site and sync both DC's

Then change DNS settings to the DC at the new site for all LAN devices?

Author Comment

by:E. H.
ID: 41802556

Could you please provide me a few more details/examples?

Author Comment

by:E. H.
ID: 41802572
here is my current config:




STEP 2: Change the IP configuration to:


Step 3: If it works and can replicate, transfer all FSMO roles to this DC

Step 4: Change all LAN devices to point to as the primary DNS (change DHCP scope)

Step 5: Either follow same process for DC1 from old site or decommission it and reconfigure it as secondary DNS at new site.
This is what I'm proposing. Would it work?
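An added example (not from the thread) of the checks that belong between step 2 and step 3 of the plan above: run on DC2 after its IP has been changed, before any roles are transferred or Exchange is moved. Assumed values: DC2 is now 10.20.0.11, DC1 is still at the old office, and the domain name is whatever `Get-ADDomain` returns. Step 3 (the FSMO transfer) is shown but left commented out, since arnold's later comment in this thread says it is not needed for the move.

```powershell
# Added example, not from the original thread. Addresses are assumptions.
Import-Module ActiveDirectory

$Domain  = (Get-ADDomain).DNSRoot
$LocalIp = '10.20.0.11'
$Me      = $env:COMPUTERNAME

# 1. The DC's own records must carry the new address. Ask DC2's own DNS, not a cache.
ipconfig /registerdns | Out-Null
nltest /dsregdns      | Out-Null
$a = Resolve-DnsName -Name "$Me.$Domain" -Type A -Server $LocalIp -DnsOnly |
     Where-Object { $_.Type -eq 'A' }
if ($a.IPAddress -notcontains $LocalIp) {
    throw "A record for $Me still resolves to $($a.IPAddress -join ', ')"
}

# 2. The DC locator records that clients and Exchange actually use. DC2 must be listed.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $LocalIp -DnsOnly |
       Where-Object { $_.Type -eq 'SRV' }
$srv | Select-Object NameTarget, Port
if (-not ($srv.NameTarget -match "^$Me\.")) { throw "DC2 is missing from the _ldap._tcp.dc._msdcs SRV set" }

# 3. DC health: advertising as DC and GC, DNS tests, inbound replication. /q prints errors only,
#    so no output here is the good outcome.
dcdiag /test:Advertising /test:DNS /test:Replications /q

# 4. Pull one full sync from every partner (all partitions, across sites) and confirm it finishes.
repadmin /syncall $Me /A /e

# Step 3 of the plan: see who holds the roles today. The transfer itself is optional for
# this move (see arnold's later comment); uncomment only if you decide to do it.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
# Move-ADDirectoryServerOperationMasterRole -Identity $Me `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
```

Step 4 of the plan is a DHCP option change; at the new office that is the ASA's pool rather than Windows DHCP, so the DNS servers handed to clients are set with the ASA's `dhcpd dns` option for the inside interface, with DC2's new address first. Clients that already hold a lease keep the old DNS servers until they renew, so an `ipconfig /renew` on the workstations (or a short lease time set beforehand) is what makes the change visible.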
Expert Comment

by:arnold
ID: 41802581
Yes, that would work. Once DC2 is at the new site, remove the reference to the prior site IP, making sure it keeps synchronizing...
The reason for the advice to use sites is to avoid cross-site requests.
I.e. once the Exchange server is relocated, while DNS points to the local DC2, the info queried will provide responses pointing to all DCs, such that some Exchange queries might be directed to the DC located at the remote/original office.
How long do you have for the transition? Are most of the people relocated to the new location?
The site separation provides Exchange the local DC, and only if the local DC has an issue will Exchange send requests to the remote site.

There is no need to decommission.

How many systems/servers do you have?

A simple, straightforward approach if the current site's individuals have relocated: take DC2 and Exchange at the same time to the new location, reconfigure the local network to reflect the original IPs, and break the VPN to the old site.
Pull the network from each local workstation, reconnect, and they all should be back on the same network.
Update network settings on the file server......
Then your new site should operate with no issues; all you would need is to bring the remaining old site servers to the new location........

Author Comment

by:E. H.
ID: 41802584
We have only these servers:
DC1, DC2, Exchange, File Server, LOB App Server

File Server has already been moved with no problems.

Yes, everyone has already moved to the new office.  The only thing left to do is move the servers and our deadline is by end of next week.

So if this scenario would work, I think I can set up a VM at the new site instead and transfer all roles. Basically achieve the same thing but without physically moving the current DC from the old to the new office. Good idea?

Regarding breaking the VPN, I can't do that as I need to move the servers separately (just as a precaution).

the next move will be Exchange, assuming the DC idea works at the new office.
and then the last server would be the LOB app server.
Expert Comment

by:arnold
ID: 41802599
Oh, your public DNS records, have they been updated to lower the TTL on the MX/mail server record?
Once Exchange is moved to the new location, you need to update the MX/mail record to point it to the new IP.

At no point is/was there a need to decommission, as long as DCs are not separated for more than the tombstone lifetime, which is usually 90 days. The transition requires coordination only to grab one DC and Exchange and move them to the new site.

Reconfigure the router for the local LAN matching the old, .......

I think the only time to use the complicated approach is when there is a significant period of users operating at both sites.

If this weekend no users are at either office, and distance is not an issue, grabbing all servers and relocating them should be straightforward. Using the ASA you could configure a second interface at the new site with the old site IPs,
breaking the VPN to the old site, and adding rules to allow access to the network...

VLAN.... Or place both .....
Connect the servers you are bringing into the switch that is being fed by the second ASA inside interface.

Recreating the original environment at the new place. Then transitioning the file server and user computers...

Presumably there is no heavy equipment, racks, etc. that need to be moved ........

Is this a 24/7 operation?
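The public-DNS check arnold raises, as an added PowerShell example (not from the thread). It resolves the domain's MX records and the A records behind them through an external resolver and flags any TTL still above a target, then, after the cutover, confirms the mail host resolves to the new public address. The domain name, the resolver address, the 300 second target and the new public IP are all placeholders you substitute for your own.

```powershell
# Added example, not from the original thread. Domain, resolver, TTL target and
# expected IP are assumptions; replace them with your own values.
function Test-MailRecordTtl {
    param(
        [string]$Domain        = 'example.com',   # placeholder: your mail domain
        [string]$Resolver      = '8.8.8.8',       # any external resolver, or your authoritative NS
        [int]   $MaxTtlSeconds = 300,             # what you want the TTL lowered to before the move
        [string]$ExpectedIp                       # after the move: the new public IP of Exchange
    )

    $mx = Resolve-DnsName -Name $Domain -Type MX -Server $Resolver -DnsOnly |
          Where-Object { $_.Type -eq 'MX' }
    if (-not $mx) { throw "No MX records for $Domain via $Resolver" }

    foreach ($r in $mx) {
        $aRecs = Resolve-DnsName -Name $r.NameExchange -Type A -Server $Resolver -DnsOnly |
                 Where-Object { $_.Type -eq 'A' }
        foreach ($h in $aRecs) {
            [pscustomobject]@{
                MX          = $r.NameExchange
                Preference  = $r.Preference
                IP          = $h.IPAddress
                MxTtl       = $r.TTL
                ATtl        = $h.TTL
                # Both the MX and the A record it points at must be short; the A record
                # is the one that actually changes when Exchange gets its new address.
                TtlOk       = ($r.TTL -le $MaxTtlSeconds -and $h.TTL -le $MaxTtlSeconds)
                PointsToNew = if ($ExpectedIp) { $h.IPAddress -eq $ExpectedIp } else { $null }
            }
        }
    }
}

# Before the move: every row should show TtlOk = True. Lower the TTL at least one old-TTL
# period ahead of the cutover, because caches keep the previous value until it expires.
Test-MailRecordTtl -Domain 'example.com'

# After the move: every row should show PointsToNew = True once the A record is updated.
# Test-MailRecordTtl -Domain 'example.com' -ExpectedIp '203.0.113.25'
```

A caching resolver reports the remaining TTL of its cached copy, not the configured value; pass your domain's authoritative name server as `-Resolver` to see what is actually published. The new public IP also needs a NAT and access rule on the new-site ASA for SMTP before the MX is repointed, otherwise mail is simply refused at the new address.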

Author Comment

by:E. H.
ID: 41807206
Hi Arnold,

Thank you for your help. And yes, it is a 24/7 operation.

I installed and added a third DC, which worked fine. Now I'm going to try to transfer the FSMO roles.
Expert Comment

by:arnold
ID: 41807827
Do not transfer FSMO roles, it is unnecessary.
