JamesNT

asked on

Setting up a domain across four locations

Note:  All servers are Windows Server 2016.  All firewalls are SonicWALL.  All Workstations are Windows 10 Pro with about 6 Macs thrown in.

Working with an office that has four locations all currently in workgroup configuration.  We want to add a domain controller at each location but we want all four locations to be on the same domain.  We will have IPsec VPNs configured as follows (Office A is the main location):

Office B to Office A
Office C to Office A
Office D to Office A

So the domain controller at Office A will be the "main one" in that configuration as, for example, if an account is disabled at Office C, then replication would have to occur from Office C to Office A and then from Office A to Office D before the domain controller at Office D knew anything about the account being disabled.

Question:  Is this a viable setup?
Question:  What would be the DNS settings for each domain controller?  Assume the following subnets:
Office A - 192.168.200.x
Office B - 192.168.201.x
Office C - 192.168.202.x
Office D - 192.168.203.x

James
Adam Brown

That is a viable configuration. You would essentially be configuring AD Sites and Services to have a site for each office, then configure an IP Site Link for each site and add the main DC and each site's DC to its respective Site Link.
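The site topology Adam describes, as an added PowerShell example that is not part of the original thread or Adam's answer. It builds one site per office, one subnet per office (the subnets from the question), and one IP site link per VPN tunnel, so the only replication paths are hub-to-spoke. The site and link names, the cost, the replication interval and the DC name in the comment are assumptions; run it once on a DC in Office A as a member of Enterprise Admins with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the thread): hub-and-spoke AD Sites and Services
# layout for four offices joined by Office-A <-> spoke IPsec tunnels.
# Assumptions: site/link names, Cost 100, 15-minute interval.
Import-Module ActiveDirectory

# Office -> subnet. Subnet objects are what let DC Locator put a client
# (and a newly promoted DC) into the right site.
$offices = [ordered]@{
    'Office-A' = '192.168.200.0/24'
    'Office-B' = '192.168.201.0/24'
    'Office-C' = '192.168.202.0/24'
    'Office-D' = '192.168.203.0/24'
}

# The first DC was promoted into Default-First-Site-Name. Rename that site to
# the hub name rather than creating a second site for Office A.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) {
    Rename-ADObject -Identity $default.DistinguishedName -NewName 'Office-A'
}

foreach ($site in $offices.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    $subnet = $offices[$site]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $site
    }
}

# One IP site link per tunnel: hub plus exactly one spoke. Because no link
# joins B, C and D to each other, the KCC routes a change made at Office C
# through Office A and then on to Office D, the path the question anticipates.
$spokes = 'Office-B', 'Office-C', 'Office-D'
foreach ($spoke in $spokes) {
    $link = "Office-A-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link `
            -SitesIncluded 'Office-A', $spoke `
            -Cost 100 `
            -ReplicationFrequencyInMinutes 15 `
            -InterSiteTransportProtocol IP
    }
}

# Keep the spokes out of DEFAULTIPSITELINK so the KCC cannot assume a direct
# spoke-to-spoke path over a tunnel that does not exist.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{Remove = $spokes} -ErrorAction SilentlyContinue

# A DC promoted before its subnet existed lands in the wrong site. Either
# promote with  Install-ADDSDomainController -SiteName 'Office-B'  or move it:
#   Move-ADDirectoryServer -Identity 'DC-B' -Site 'Office-B'   (DC name assumed)

# Verify: every subnet maps to a site, and each link joins hub + one spoke.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
# After the spoke DCs are promoted:  repadmin /kcc  then  repadmin /replsummary
```

With this layout a disable at Office C reaches Office D after two inter-site intervals at most (C to A, then A to D), which is worth stating to the client up front; urgent changes can be pushed with `repadmin /syncall /AdeP` from the hub.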
ASKER CERTIFIED SOLUTION
Adam Brown

This solution is only available to members.
JamesNT

ASKER

I love the article's reference to "Primary Domain Controller."  I've always said the server with the FSMO roles is the Primary Domain Controller and that MS's saying that there is no PDC and BDC anymore is nonsense.  But I digress.

As for the IPsec VPN, I will probably allow network to network.  So, any computer 192.168.200.x can get to any computer 192.168.201.x.  So basically any computer in one of the spokes can get to any computer in one of the hubs.  Any issues with that in your mind?

James
JamesNT

ASKER

Oh, and what about DNS?  Or does the link take care of that?  The article doesn't seem to mention DNS.

James
DNS is replicated with all other AD data as long as the DNS zones are Active Directory Integrated. If they aren't AD Integrated, make them AD Integrated, because it works well and is easy to manage. Non-AD Integrated DNS is a huge pain in the butt.
JamesNT

ASKER

I always AD integrate my DNS.  :)

So no special settings on the DCs for DNS.  Just have each one point to itself?

James
SOLUTION
This solution is only available to members.

SOLUTION
This solution is only available to members.
@Lee:  One of the town halls at summit a couple years ago seemed to come to a consensus on this, and I haven't seen articles that contradict it since.  The consensus was, as I recall, that in a multi-DC domain, the first DNS entry should be another authoritative DNS server (usually a DC), then a second should be itself.

As it was a town hall, I won't give details (NDAs are weird) but of the publicly available knowledge, the basic gist is that the DNS service loads the AD integrated zone *after* the DC is determined to be healthy and advertises itself for DNS.  By pointing to another DNS server first, the server can find another DC and start the Netlogon advertising processes faster. If it points to itself first, reboots are slower as it can't use itself during startup as it isn't advertising as authoritative.

Once up, the impact is negligible, and order doesn't even really matter. If the primary DNS server goes down, fallback to secondary (itself) works as expected and is fast enough to be a non-issue. But when an environment is having issues and multiple reboots are required during a restore, that primary vs secondary really adds up.

It was actually broken down on a technical level really well. Not just a "because we think it's better" and was straight from the server engineers in the room.  Given that, I've actually switched from my SBS roots of "point to yourself first" mentality and have been recommending another DC first for the last ...three? years.  I'd be curious if you've heard different more recently.
I *think* I dug it up... (using the fact that the first sentence of the answer is "it depends on who you ask").  In which case, I misremembered and this question will pretty much guarantee I get it right in the future!
https://blogs.technet.microsoft.com/askds/2010/07/17/friday-mail-sack-saturday-edition/#dnsbest

Oh, look at that, it's by Ned!
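The DNS side of the question (Adam's point that zones must be AD-integrated to replicate, and the resolver-order discussion just above), as an added PowerShell example that is not part of the thread or of the linked article. It pushes the "another DC first, itself second" order the reply recommends to each DC, makes every primary zone AD-integrated, creates AD-integrated reverse zones for the four subnets, and checks that each DC answers for the domain's DC SRV records. Since the thread itself notes the order "depends on who you ask", the order is a switch rather than a hard-coded choice. The DC names (DC-A..DC-D), their .10 addresses and WinRM between the DCs are assumptions; run it elevated on any DC as a Domain Admin.

```powershell
# Added example (not from the thread): DNS client order on each DC, AD-
# integrated zones, and a per-DC SRV check. DC names/IPs are assumed.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = (Get-ADDomain).DNSRoot

# DC name -> IPv4 address (assumption: one DC per office at .10). DC-A is the hub.
$dcs = [ordered]@{
    'DC-A' = '192.168.200.10'
    'DC-B' = '192.168.201.10'
    'DC-C' = '192.168.202.10'
    'DC-D' = '192.168.203.10'
}

# $false: another DC first, itself second (the reply's recommendation).
# $true : itself first, another DC second (the older "point to yourself" habit).
$selfFirst = $false

# A spoke only reaches the hub over its tunnel, so the hub is its "other DC";
# the hub has to pick a spoke, DC-B here (assumption).
function Get-DnsServerOrder([string]$dc) {
    $self = $dcs[$dc]
    $peer = if ($dc -eq 'DC-A') { $dcs['DC-B'] } else { $dcs['DC-A'] }
    if ($selfFirst) { @($self, $peer) } else { @($peer, $self) }
}

foreach ($dc in $dcs.Keys) {
    $self  = $dcs[$dc]
    $order = Get-DnsServerOrder $dc
    Invoke-Command -ComputerName $dc -ScriptBlock {
        # Only the adapter that carries the DC's own address, not every NIC.
        $nic = Get-NetIPAddress -IPAddress $using:self -AddressFamily IPv4
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $using:order
        # Re-register the DC's A record and Netlogon's SRV records.
        Register-DnsClient
        Restart-Service NetLogon
    }
    "{0}: DNS servers = {1}" -f $dc, ($order -join ', ')
}

# Zones replicate with AD only when Directory-integrated. Convert any
# file-backed primary zone still on this server (auto-created zones excluded).
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
    ForEach-Object {
        ConvertTo-DnsServerPrimaryZone -Name $_.ZoneName -ReplicationScope Domain -Force
        "Converted $($_.ZoneName) to AD-integrated (domain scope)"
    }

# One reverse zone per office subnet, AD-integrated from the start and
# accepting secure dynamic updates only, so a record can only be overwritten
# by the account that registered it.
foreach ($net in '192.168.200.0/24', '192.168.201.0/24', '192.168.202.0/24', '192.168.203.0/24') {
    $zone = (($net -split '[./]')[2, 1, 0] -join '.') + '.in-addr.arpa'   # 201.168.192.in-addr.arpa
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain -DynamicUpdate Secure
    }
}

# Verify: each DC should answer for the domain's DC SRV records from its own copy.
foreach ($dc in $dcs.Keys) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
        -Server $dcs[$dc] -ErrorAction SilentlyContinue
    "{0}: {1} DC SRV records" -f $dc, @($srv | Where-Object { $_.Type -eq 'SRV' }).Count
}
# Full DNS health pass across all DCs:  dcdiag /test:dns /e /v
```

Whichever order you settle on, the part that matters for the hub-and-spoke layout is that a spoke DC's "other DC" must be one it can actually reach through its own tunnel, which in this design is only the hub.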
JamesNT

ASKER

I'm about 5 inches away from DEMANDING that EE allow me to grant all of you 500 pts.  This is a GREAT conversation!  Let me digest all this and double check with the client on setup.  I'll be back soon.

James
Thank you JamesNT - It's folks like you that are the reason I answer questions - people who see the value in a back and forth comments!
JamesNT

ASKER

Alright, I hope I was fair about all this.  Thank you all for your assistance!

JamesNT