Domain controller at second office via VPN

Posted on 2016-09-15
Last Modified: 2016-10-05
Here is my scenario:

We moved offices recently. To avoid moving all servers at once, we set up a site-to-site VPN since both locations have good bandwidth. Everything is working fine, but we need to move the servers. At the old office we have two DCs, a file server, an Exchange server, and another app server.

I have moved the file server and it works fine after reconfiguring the NIC and updating the DNS settings via DC.

I want to move Exchange next, but my concern is that I won't have a DC at the new office once I'm ready to unplug the DCs at the old office.

I'm a bit confused on whether I should just bring the DCs, change the IPs, flush DNS, and configure DHCP to give clients the new IP addresses of the DCs for DNS, OR set up domain Sites and Services, which I have no experience with.

What is the proper way of doing this to prevent issues/downtime? It sounds like I need to set up a third DNS server at the new office, but I'm not sure of the process and best practices.

Help please.

DCs are 2012 R2, each site has a Cisco ASA 5510, at the old site we have Windows doing DHCP, at the new site we have the ASA doing DHCP.
Question by: E. H.
LVL 78

Accepted Solution

arnold earned 500 total points
ID: 41801016
Before moving a DC, add the new segment as a scope to the DHCP on the DC you are moving, and configure an IP on the remote segment on the other interface. Define scope options setting DNS to point to the local (itself) and the remote as secondary...

You would need to make sure the IP you are assigning from the other location is not already in use. Make sure to update local DNS settings to reference itself, as well as make sure the DNS service will bind to all IPs and is not limited to a specific IP. This way, when the system boots up, the DNS server will respond when queried.

When you get to the other site, connect the NIC with the new location IP....
Check repadmin /showrepl to confirm ....

Your environment can operate with a single DC at each site. Once a DC is at the new location, you can repeat the process with Exchange... Check IPs, bindings in Exchange, IIS, etc.
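The staging steps in this answer (second DHCP scope with DNS options, DNS bound to all addresses, resolver pointing at itself, replication check), as an added PowerShell example that is not part of the original answer. It is meant to run on the DC being moved as a domain admin; all addresses and the interface alias are constructed placeholders.

```powershell
# Added example (not from the thread). Constructed addressing:
#   old office LAN 192.168.10.0/24  (DC1 = 192.168.10.11, DC2 = 192.168.10.12)
#   new office LAN 192.168.20.0/24  (DC2 will become 192.168.20.12)
$NewSubnet  = '192.168.20.0'
$NewDc2Ip   = '192.168.20.12'
$OldDc1Ip   = '192.168.10.11'
$NewGateway = '192.168.20.1'       # ASA inside interface at the new office (assumed)

# 1. Make sure nothing on the far side already answers at the address we are about to claim.
if (Test-Connection -ComputerName $NewDc2Ip -Count 2 -Quiet) {
    throw "$NewDc2Ip already responds on the remote segment; pick another address."
}

# 2. Add the new office segment as a second scope on this DC's DHCP server.
#    Option 006 (DNS): the local DC first, the old-office DC as secondary. Option 003: router.
Add-DhcpServerv4Scope -Name 'NewOffice' -StartRange '192.168.20.100' -EndRange '192.168.20.200' `
    -SubnetMask '255.255.255.0' -State Active
Set-DhcpServerv4OptionValue -ScopeId $NewSubnet -DnsServer $NewDc2Ip, $OldDc1Ip -Router $NewGateway

# 3. DNS must listen on every address, not just the old one, or it will not answer after the
#    re-addressing. On Server 2012 R2 the bound addresses are ListeningIPAddress; empty means "all".
$dns = Get-DnsServerSetting
if ($dns.ListeningIPAddress) {
    Write-Warning "DNS bound only to $($dns.ListeningIPAddress -join ', '); resetting to all interfaces."
    dnscmd /ResetListenAddresses | Out-Null    # no address argument = listen on all IPs
}

# 4. After the NIC is re-addressed at the new office: resolver points at itself first, then at
#    the remaining old-office DC; re-register the DC's own records and SRV entries.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $NewDc2Ip, $OldDc1Ip
ipconfig /registerdns | Out-Null
Restart-Service NetLogon

# 5. Confirm replication over the VPN before touching Exchange.
repadmin /showrepl
repadmin /replsummary
```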
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 41801290
Exchange without a local AD server will basically be dead in the water. It may work, but it will be very slow, as Exchange is heavily dependent on AD.

Sites and Services is easy to set up - you just create a new site, add the subnet, then assign that to the relevant site. AD and Exchange do the rest. Therefore I would be putting a domain controller into that second site first: change its IP address and reboot it. Move it in Sites and Services to the new site and then it should be fine.

Once you have a domain controller (with the GC role) in the second site, you can move Exchange. The best way to do that is, at the old site, to stop the Exchange services (in fact stop as much as you can). Change the IP address of the server (checking IIS etc. as well), then shut it down. Start it up in the new site and, once it is up, reboot it again to ensure it is registering correctly.
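The Sites and Services procedure in this comment (new site, subnet assigned to it, DC moved into it, GC check), scripted as an added PowerShell example that is not part of the original comment. It assumes the ActiveDirectory RSAT module on a DC, and the site name, subnet and DC name are constructed placeholders.

```powershell
# Added example (not from the thread). Run as a domain admin.
Import-Module ActiveDirectory

$SiteName  = 'NewOffice'          # assumed site name
$NewSubnet = '192.168.20.0/24'    # new office LAN (constructed)
$DcToMove  = 'DC2'                # the DC that was re-addressed and moved first

# 1. Create the site and include it in the default site link so it replicates with the old office.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $SiteName }

# 2. Add the subnet and assign it to the site. The DC locator uses this mapping, so members
#    (Exchange included) in 192.168.20.0/24 prefer the DC in this site instead of the VPN.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$NewSubnet'")) {
    New-ADReplicationSubnet -Name $NewSubnet -Site $SiteName
}

# 3. Move the re-addressed DC's server object into the new site.
Move-ADDirectoryServer -Identity $DcToMove -Site $SiteName

# 4. Verify: the moved DC sits in the new site and is a global catalog (Exchange needs one locally).
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IPv4Address |
    Format-Table -AutoSize

# 5. Push replication and check for errors before moving Exchange.
repadmin /syncall /AdeP
repadmin /replsummary
# On the Exchange server after its move, confirm which site and GC it resolves to:
#   nltest /dsgetsite
#   nltest /dsgetdc:<domain> /GC
```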

Author Comment

by:E. H.
ID: 41802554
I forgot to mention that this VPN is only temporary, we will move all of the servers and won't need the site to site vpn. In fact, I need to get rid of it after moving all servers.

Would this workaround work?

Move one of the DCs to the new office, change the LAN static IP to that office's subnet, pointing DNS1 to itself and DNS2 to the old office DC.

Then transfer all FSMO roles to the DC at the new site and sync both DCs.

Then change the DNS settings for all LAN devices to the DC at the new site?
Author Comment

by:E. H.
ID: 41802556

Could you please provide me a few more details/examples?

Author Comment

by:E. H.
ID: 41802572
Here is my current config:

Step 2: Change the IP configuration to:

Step 3: If it works and can replicate, transfer all FSMO roles to this DC.

Step 4: Change all LAN devices to point to as the primary DNS (change the DHCP scope).

Step 5: Either follow the same process for DC1 from the old site, or decommission it and reconfigure it as secondary DNS at the new site.

This is what I'm proposing; would it work??
LVL 78

Expert Comment

ID: 41802581
Yes, that would work. Once DC2 is at the new site, remove the reference to the prior site IP, making sure it keeps synchronizing...
The reason for the advice to use sites is to avoid cross-site requests.
I.e., once the Exchange server is relocated, while DNS points to the local DC2, the info queried will provide responses pointing to all DCs, such that some Exchange queries might be directed to the DC located at the remote/original office.
How long do you have for the transition? Are most of the people relocated to the new location?
The site separation provides Exchange the local DC, and only if the local DC has an issue will Exchange send requests to the remote site.

There is no need to decommission.

How many systems/servers do you have?

A simple, straightforward option, if the individuals at the current site have relocated: take DC2 and Exchange at the same time to the new location, reconfigure the local network to reflect the original IPs, and break the VPN to the old site.
Pull the network from each local workstation, reconnect, and they all should be back on the same network.
Update network settings on the file server......
Then your new site should operate with no issues; all you would need is to bring the remaining old site servers to the new location........

Author Comment

by:E. H.
ID: 41802584
We have only these servers:
DC1, DC2, Exchange, File Server, LOB App Server

File Server has already been moved with no problems.

Yes, everyone has already moved to the new office.  The only thing left to do is move the servers and our deadline is by end of next week.

So if this scenario would work, I think I can set up a VM at the new site instead and transfer all roles. Basically achieve the same thing but without physically moving the current DC from the old to the new office. Good idea?

Regarding breaking the VPN, I can't do that, as I need to move the servers separately (just as a precaution).

The next move will be Exchange, assuming the DC idea works at the new office.
And then the last server would be the LOB app server.
LVL 78

Expert Comment

ID: 41802599
Oh, your public DNS records, have they been updated to lower the TTL on the MX/mail server record?
Once Exchange is moved to the new location, you need to update the MX/mail record to point it to the new IP.

At no point is/was there a need to decommission, as long as the DCs are not separated for more than the tombstone lifetime, which is usually 90 days. The transition requires coordination only to grab one DC and Exchange and move them to the new site.

Reconfigure the router for the local LAN matching the old, .......

I think the only time to use the complicated approach is when there is a significant period of users operating at both sites.

If this weekend no users are at either office, and distance is not an issue, grabbing all servers and relocating them should be straightforward. Using the ASA you could configure a second interface at the new site with the old site IPs,
breaking the VPN to the old site, adding rules to allow access to the network...

VLAN.... Or place both .....
Connect the servers you are bringing into the switch that is being fed by the second ASA inside interface.

Recreating the original environment at the new place, then transitioning the file server and user computers...

Presumably there is no heavy equipment, racks, etc. that need to be moved ........

Is this a 24/7 operation?

Author Comment

by:E. H.
ID: 41807206
Hi Arnold,

Thank you for your help. And yes, it is a 24/7 operation.

I installed and added a third DC, which worked fine. Now I'm going to try to transfer the FSMO roles.
LVL 78

Expert Comment

ID: 41807827
Do not transfer FSMO roles, it is unnecessary.