Solved

Domain controller at second office via VPN

Posted on 2016-09-15
Last Modified: 2016-10-05
Here is my scenario:

We moved offices recently. To avoid moving all servers at once, we set up a site-to-site VPN since both locations have good bandwidth. Everything is working fine but we need to move the servers. At the old office we have two DCs, a file server, an Exchange server, and another app server.

I have moved the file server and it works fine after reconfiguring the NIC and updating the DNS settings via DC.

I want to move Exchange next, but my concern is that I won't have a DC at the new office once I'm ready to unplug the DCs at the old office.

I'm a bit confused on whether I should just bring the DCs, change the IPs, flush DNS, and configure DHCP to give clients the new IP addresses of the DCs for DNS, OR set up domain Sites and Services, which I have no experience with.

What is the proper way of doing this to prevent issues/downtime? It sounds like I need to set up a third DNS server at the new office, but I'm not sure of the process and best practices.

Help please.

DCs are 2012 R2, each site has a Cisco ASA 5510, at the old site we have Windows doing DHCP, at the new site we have the ASA doing DHCP.
Question by: E. H.
Accepted Solution by: arnold (earned 500 total points)
ID: 41801016
Before moving a DC, add the new segment as a scope to the DHCP on the DC you are moving, and configure an IP on the remote segment on the other interface. Define scope options setting DNS to point to the local, itself, and the remote as secondary...

You would need to make sure the IP you are assigning from the other location is not already in use. Make sure to update local DNS settings to reference itself using 127.0.0.1, and make sure the DNS service will bind to all IPs and is not limited to a specific IP. This way, when the system boots up, the DNS server will respond when queried.

When you get to the other site, connect the NIC with the new location IP....
Check `repadmin /showrepl` to confirm ....

Your environment can operate with a single DC at each site. Once a DC is at the new location, you can repeat the process with Exchange... Check IPs, bindings in Exchange, IIS, etc.
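The checks arnold lists (DNS service bound to every address, the DC resolving against itself first, replication confirmed after the move), as an added PowerShell example that is not part of the thread. It assumes the DC being relocated is DC2, that its NIC alias is "Ethernet", that the old-site DC stays at 192.168.254.2, and that the new static IP has already been set on the NIC before the "after the move" section runs.

```powershell
# Added example, not from the thread. Run on the DC being relocated (DC2 in this thread).
# Assumptions: NIC alias "Ethernet"; old-site DC stays at 192.168.254.2.
Import-Module DnsServer
Import-Module ActiveDirectory

# --- Before the move ---
# 1. The DNS Server service must answer on every address, not only the old static IP.
#    Get-DnsServerSetting -All exposes the addresses the server could listen on and the ones
#    it is currently restricted to; any address missing from the second list means a
#    per-interface binding is in place and the service will stay silent on the new IP.
$dns     = Get-DnsServerSetting -All
$missing = $dns.AllIPAddress | Where-Object { $_ -notin $dns.ListeningIPAddress }
if ($missing) {
    $msg = "DNS Server is not listening on: {0}. Select 'All IP addresses' under " +
           "DNS Manager > server Properties > Interfaces before moving." -f ($missing -join ', ')
    Write-Warning $msg
}

# 2. The DC's own resolver: itself first (loopback), the remaining old-site DC second.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ("127.0.0.1", "192.168.254.2")

# 3. Baseline replication health so post-move failures are not confused with pre-existing ones.
repadmin /replsummary

# --- After the move (new IP already configured on the NIC at the new site) ---
# Re-register this DC's A and SRV records with the new address, then restart Netlogon so the
# _ldap._tcp / _kerberos._tcp SRV records are rewritten with the new IP.
Register-DnsClient
Restart-Service Netlogon
Clear-DnsClientCache

# Confirm the SRV records now resolve locally and that inbound replication from the old site works.
$domain = (Get-ADDomain).DNSRoot
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server 127.0.0.1 |
    Select-Object Name, NameTarget, Port
repadmin /showrepl
Get-ADReplicationFailure -Target $env:COMPUTERNAME
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
```

Any non-zero LastReplicationResult or a growing ConsecutiveReplicationFailures count after the move points at either the VPN not passing the RPC/LDAP/Kerberos ports between the two subnets or stale DNS records for the moved DC on the old-site DC.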
Expert Comment by: Simon Butler (Sembee)
ID: 41801290
Exchange without a local AD server will basically be dead in the water. It may work, but it will be very slow, as Exchange is heavily dependent on AD.

Sites and Services is easy to set up: you just create a new site, add the subnet, then assign that to the relevant site. AD and Exchange do the rest. Therefore I would be putting a domain controller into that second site first: change its IP address and reboot it. Move it in Sites and Services to the new site and then it should be fine.

Once you have a domain controller (with GC role) in the second site, you can move Exchange. The best way to do that is on the old site to stop the Exchange services (in fact stop as much as you can). Change the IP address of the server (checking IIS etc as well) then shut it down. Start it up in the new site and once it is up, reboot it again to ensure it is registering correctly.
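The Sites and Services setup Sembee describes (new site, subnet assigned to it, DC moved into it, GC confirmed before Exchange follows), as an added PowerShell example that is not part of the thread. The site name "NewOffice" and the assumption that the existing DCs sit in "Default-First-Site-Name" are made up; the two subnets are the ones given in the thread.

```powershell
# Added example, not from the thread. Run from any DC or a box with the RSAT AD module.
# Assumptions: site name "NewOffice" is invented; existing DCs live in "Default-First-Site-Name";
# old subnet 192.168.254.0/24 and new subnet 192.168.0.0/24 are from the thread.
Import-Module ActiveDirectory

$oldSite = "Default-First-Site-Name"
$newSite = "NewOffice"

# 1. Site objects plus the subnet-to-site mapping. Clients and Exchange locate a DC by matching
#    their own IP against these subnets, so the mapping is what keeps lookups off the VPN.
New-ADReplicationSite -Name $newSite
if (-not (Get-ADReplicationSubnet -Identity "192.168.254.0/24" -ErrorAction SilentlyContinue)) {
    New-ADReplicationSubnet -Name "192.168.254.0/24" -Site $oldSite
}
New-ADReplicationSubnet -Name "192.168.0.0/24" -Site $newSite

# 2. Add the new site to the existing site link so intersite replication is scheduled across the VPN.
Set-ADReplicationSiteLink -Identity "DEFAULTIPSITELINK" -SitesIncluded @{ Add = $newSite } `
    -ReplicationFrequencyInMinutes 15

# 3. After DC2 has its new IP and has rebooted, move it into the new site.
Move-ADDirectoryServer -Identity "DC2" -Site $newSite

# 4. Rebuild connection objects and push a full sync rather than waiting for the KCC interval.
repadmin /kcc
repadmin /syncall /AdeP

# 5. Verify: DC2 reports the new site and is a global catalog (Exchange needs a GC in its site).
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, Site, IsGlobalCatalog

# On the Exchange server, once it sits on 192.168.0.0/24, this should print NewOffice:
nltest /dsgetsite
```

If IsGlobalCatalog is False for DC2, enable the GC role on it in Sites and Services (NTDS Settings > Global Catalog) and wait for replication to complete before moving Exchange.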
Author Comment by: E. H.
ID: 41802554
I forgot to mention that this VPN is only temporary; we will move all of the servers and won't need the site-to-site VPN. In fact, I need to get rid of it after moving all servers.

Would this workaround work?

Move one of the DCs to the new office, change the LAN static IP to that office's subnet, pointing DNS1 to itself (127.0.0.1) and DNS2 to the old-office DC.

Then transfer all FSMO roles to the DC at the new site and sync both DCs.

Then change the DNS settings to the DC at the new site for all LAN devices?
Author Comment by: E. H.
ID: 41802556
Arnold,

Could you please provide me a few more details/examples?

Author Comment by: E. H.
ID: 41802572
Here is my current config:

OLD SITE
DC1 (HOLDS ALL FSMO ROLES)
IP: 192.168.254.2
GW: 192.168.254.1
Netmask: 255.255.255.0
DNS1: 192.168.254.2
DNS2: 8.8.8.8

DC2:
IP: 192.168.254.20
GW: 192.168.254.1
Netmask: 255.255.255.0
DNS1: 192.168.254.2
DNS2: 8.8.8.8


NEW SITE IDEA - LET ME KNOW IF THIS IS FEASIBLE.

STEP 1: TAKE DC2 TO NEW SITE.
STEP 2: Change the IP configuration to:

IP: 192.168.0.20
GW: 192.168.0.1
Netmask: 255.255.255.0
DNS1: 127.0.0.1
DNS2: 192.168.254.2

Step 3: If it works and can replicate, transfer all FSMO roles to this DC

Step 4: Change all LAN devices to point to 192.168.0.20 as the primary DNS (change DHCP scope)

Step 5: Either follow same process for DC1 from old site or decommission it and reconfigure it as secondary DNS at new site.
This is what I'm proposing; would it work?
Expert Comment by: arnold
ID: 41802581
Yes, that would work. Once DC2 is at the new site, remove the reference to the prior site IP, making sure it keeps synchronizing...
The reason for the advice for the use of sites is to avoid the cross-site requests.
I.e., once the Exchange server is relocated, while DNS points to the local DC2, the info queried will provide responses pointing to all DCs, such that some Exchange queries might be directed to the DC located at the remote/original office.
How long do you have for the transition? Are most of the people relocated to the new location?
The site separation provides Exchange the local DC, and only if the local DC has an issue will Exchange send requests to the remote site.

There is no need to decommission.

How many systems/servers do you have?

A simple, straightforward approach, if the current-site individuals have relocated, is taking DC2 and Exchange at the same time to the new location, reconfiguring the local network to reflect the original IPs, and breaking the VPN to the old site.
Pull the network from each local workstation, reconnect, and they all should be back on the same network.
Update network settings on the file server......
Then your new site should operate with no issues; all you would need is to bring the remaining old-site servers to the new location........
Author Comment by: E. H.
ID: 41802584
We have only these servers:
DC1, DC2, Exchange, File Server, LOB App Server

File Server has already been moved with no problems.

Yes, everyone has already moved to the new office.  The only thing left to do is move the servers and our deadline is by end of next week.

So if this scenario would work, I think I can set up a VM at the new site instead and transfer all roles. Basically achieve the same thing but without physically moving the current DC from the old to the new office. Good idea?

Regarding breaking the VPN, I can't do that, as I need to move the servers separately (just a precaution).

The next move will be Exchange, assuming the DC idea works at the new office,
and then the last server would be the LOB app server.
Expert Comment by: arnold
ID: 41802599
Oh, your public DNS records: have they been updated to lower the TTL on the MX/mail server record?
Once Exchange is moved to the new location, you need to update the MX/mail record to point it to the new IP.

At no point is/was there a need to decommission, as long as the DCs are not separated for more than the tombstone time, which is usually 90 days. The transition requires coordination only to grab one DC and Exchange and move them to the new site.

Reconfigure the router for the local LAN matching the old, .......

I think the only time to use the complicated approach is when there is a significant period of users operating at both sites.

If this weekend no users are at either office, and distance is not an issue, grabbing all servers and relocating them should be straightforward. Using the ASA you could configure a second interface at the new site with the old site IPs, 192.168.254.1/24,
breaking the VPN to the old site, and adding rules to allow 192.168.0.0/24 to access the 192.168.254.0/24 network...

VLAN.... Or place both .....
Connect the servers you are bringing into the switch that is being fed by the second ASA inside interface.

Recreating the original environment at the new place, then transitioning the file server and user computers...

Presumably there is no heavy equipment, racks, etc. that need to be moved ........

Is this a 24/7 operation?
Author Comment by: E. H.
ID: 41807206
Hi Arnold,

Thank you for your help. And yes, it is a 24/7 operation.

I installed and added a third DC, which worked fine. Now I'm going to try to transfer the FSMO roles.

Expert Comment by: arnold
ID: 41807827
Do not transfer FSMO roles, it is unnecessary.