Windows Vista Tips

DNS and AD issue on a BDC which is in a remote office

 
 
Help me
12-05-2009
Help

Using Server 2003 I have my AD GC in my main server, named server.x.local.
I also have a server called server2.local at a remote office.

Server - 192.168.0.1
server2 - 192.168.254.1

I have connected the servers via a VPN and replicated the AD from Server to
Server2.

DNS has 2 zones, x.local and remote.
x.local is controlled by server and I would like remote to be controlled by
and be part of the AD information.

If server2 is not connected to server via VPN, AD can not be found. I did
notice that in the remote zone on server2 it does not have the _msdcs, _sites, _tcp
and _udp records, which I think is the problem.

Do I have my DNS set up correctly, given that I have 2 IP zones, and how do I
resolve my issue of server2 not finding the AD when not connected to server?
 
Ace Fekay [MCT]
12-05-2009

Why do you have two zones? Which zone is the AD zone?

Assuming that both DCs are in the same domain, and assuming that x.local is
the AD DNS domain name, then you only really need the one zone. In this case,
both DCs should be GCs for two reasons: 1) it confines logon requests to a GC
at that location, and 2) it's a best practice with one domain.

If the remote DC is in a child zone called remote.x.local, then you
do need the two zones. In this case, you need a GC at both locations to
allow logons at that site instead of traversing the WAN link looking for a
GC, but a GC cannot be on an IM, of which each domain has one, which means that
you must (should anyway) have two DCs per domain.

If the SRV records are not showing up (those records you mentioned), then it
may likely be because the DCs are not configured to the correct DNS servers,
and/or the zone(s) are in different replication scopes, which would also be
dependent on whether the two DCs are in the same domain or not.

To better assist you, we'll need additional information to diagnose the
issue. Please post:

1. Unedited ipconfig /all from both DCs.
2. Whether both DCs are in the same domain or is it a parent-child forest.
3. The AD zone name(s) (whether one domain or two domains).
4. An ipconfig /all from a sample client from each location.
5. If both DCs are GCs.
6. Is the VPN tunnel up 24/7?

Thank you,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
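A way to check the two causes Ace names (DCs pointed at the wrong DNS servers, zone not replicated to the remote DC), as an added example that is not part of the thread: ask each DC's own DNS service for the SRV records a client resolves during DC location, so you see exactly what the remote site can resolve when the VPN is down. It assumes a Windows box with the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later); the domain name and DC addresses come from the thread, the site names Corp-Site and Remote-Site are placeholders. On a 2003 DC itself, `nslookup -type=SRV _ldap._tcp.dc._msdcs.x.local 192.168.254.1` asks the same question.

```powershell
# Added example, not from the original thread. Reports, per DC, which of the
# SRV records used for DC/GC location its DNS service can answer.
# Assumptions: DnsClient module present (Windows 8 / Server 2012+); the site
# names Corp-Site and Remote-Site are placeholders, the thread names none yet.

$Domain = 'x.local'
$DnsServers = [ordered]@{
    'server'  = '192.168.0.1'     # corp DC, from the thread
    'server2' = '192.168.254.1'   # remote DC, from the thread
}

# Records a domain member resolves to find a DC or GC. The _msdcs ones are
# the records the OP reported missing on the remote server.
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain"      # any writable DC in the domain
    "_kerberos._tcp.dc._msdcs.$Domain"
    "_ldap._tcp.gc._msdcs.$Domain"      # global catalogs in the forest
    "_gc._tcp.$Domain"
    "_ldap._tcp.$Domain"
    "_kerberos._tcp.$Domain"
)
foreach ($site in 'Corp-Site', 'Remote-Site') {
    # Site-specific records: a client in a site tries these before the generic ones.
    $SrvNames += "_ldap._tcp.$site._sites.dc._msdcs.$Domain"
}

function Test-DcSrvRecord {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly skips the local cache and LLMNR, so the answer really comes from $Server.
        $rr = Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
              Where-Object QueryType -eq 'SRV'
        [pscustomobject]@{
            DnsServer = $Server
            Record    = $Name
            Status    = if ($rr) { 'OK' } else { 'MISSING' }
            Targets   = ($rr | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    } catch {
        # NXDOMAIN / no answer / server unreachable all land here.
        [pscustomobject]@{ DnsServer = $Server; Record = $Name; Status = 'MISSING'; Targets = $_.Exception.Message }
    }
}

$report = foreach ($dc in $DnsServers.GetEnumerator()) {
    foreach ($name in $SrvNames) { Test-DcSrvRecord -Name $name -Server $dc.Value }
}
$report | Format-Table -AutoSize

# Anything MISSING on 192.168.254.1 is what stops logons at the remote site
# when the VPN is down. The remote DC needs a replica of the x.local zone
# (AD-integrated, so it replicates with the directory) and its own DNS client
# pointed at itself first; then re-register and confirm on that DC with:
#   ipconfig /registerdns
#   net stop netlogon & net start netlogon
#   nltest /dsgetdc:x.local /force /gc
#   dcdiag /test:dns
```

Read the Targets column as well as Status: if the remote DC's DNS answers only with server.x.local for every record, server2 is not registering itself, which is the "wrong DNS servers" case; if the query fails outright, the zone is not on server2 at all, which is the replication-scope case.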



 
Meinolf Weber [MVP-DS]
12-05-2009
Hello Help,

Is that a multi-domain forest, that you have more than one DNS zone? Please
describe more details about the setup of the domain(s), including ipconfig
/all, the domain names in DNS and AD, and the NetBIOS domain names.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Help me
12-05-2009

Ace

I have one forest domain. Server and Server2 should allow all users to log
onto their networks of responsibility. The VPN should not need to be up 24/7.

x.x.0.x is the IP zone of server, which is the AD zone, which is x.local.
x.x.254.x is the IP zone of the remote site.

I connected the sites using a VPN and replicated the AD from server to server2.

Users need to be able to logon at either site.

Should x.x.254.x be added to the AD zone of x.local, and how do I do that?

Should the 2 zones be named main.x.local and remote.x.local and make server
and server2 both GCs?

Should I make two domain zones in the same forest?

Server is the "main" GC of the main

Ace Fekay [MCT]
12-05-2009


If both DCs are in the same domain/forest, then the VPN must be up 24/7.
This is based on basic AD functionality that includes replication, among
other things. How often is your VPN active?

As I mentioned earlier, it is highly recommended to have all DCs in a single
domain/forest to be GCs.

More info on this:
"If a single domain forest, you can have all DCs a GC. If multiple domains,
it is recommended for a GC to not be on the FSMO IM Role, unless you make
all DCs GCs"
http://msmvps.com/blogs/ulfbsimonwei.../08/37975.aspx

Otherwise remote clients will be looking for the GC at the corp site when
trying to logon and if your VPN is down, they can't logon, and possibly
causing numerous other problems that you are probably seeing.

You do not need a remote.x.local zone. The AD domain DNS zone is x.local.
That is the only zone you should have. Period. Both DCs and all clients are
under the x.local name. Introducing any other zones will cause problems.

With two or more physical locations, it is recommended to create Active
Directory Sites. You would create an IP Subnet Object for the
Corp-Site IP subnet, which from what you're saying is "x.x.0.x", then create
a Site named, say, Corp-Site, then associate that IP Subnet Object with
Corp-Site.

Then create another IP Subnet Object for x.x.254.x, then create another AD
Site called, say, Remote-Site, and associate that IP Subnet Object with the
Site.

The link below provides more specifics on how to create AD Sites.

How To Create an Active Directory Server in Windows Server 2003
http://support.microsoft.com/kb/324753

I hope that helps understand AD's basic functionality and requirements.
Please post back with any additional questions.

Ace
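The configuration Ace describes (one AD Site per location with its IP subnet object, each DC in its own site, both DCs as GCs), as an added example that is not from the thread, written for the ActiveDirectory module (RSAT, Windows Server 2012 or later); on 2003 the same steps are done by hand in dssite.msc. The domain name, DC names and addresses are from the thread; the /24 masks, the site names, the 15-minute replication interval and the use of the default site link are assumptions.

```powershell
# Added example, not from the original thread. Builds the site topology Ace
# recommends for one domain with two locations and makes both DCs GCs.
# Assumptions: ActiveDirectory module (RSAT, Server 2012+); /24 subnets;
# site names Corp-Site / Remote-Site; DEFAULTIPSITELINK still exists.
Import-Module ActiveDirectory

$Domain = 'x.local'
$Sites = [ordered]@{
    'Corp-Site'   = @{ Subnet = '192.168.0.0/24';   DC = 'SERVER'  }
    'Remote-Site' = @{ Subnet = '192.168.254.0/24'; DC = 'SERVER2' }
}
$configNC = (Get-ADRootDSE).configurationNamingContext

foreach ($siteName in $Sites.Keys) {
    $s = $Sites[$siteName]

    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    # The subnet object is how a client works out which site it is in, and
    # therefore which DC it asks for first.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($s.Subnet)'")) {
        New-ADReplicationSubnet -Name $s.Subnet -Site $siteName
    }
    # A DC promoted before its site existed sits in Default-First-Site-Name;
    # moving it makes it register the <site>._sites SRV records for its location.
    Move-ADDirectoryServer -Identity $s.DC -Site $siteName

    # Global catalog is bit 0x1 of 'options' on the DC's NTDS Settings object.
    # OR the bit in rather than overwrite, so other option bits are preserved.
    $ntdsDn = "CN=NTDS Settings,CN=$($s.DC),CN=Servers,CN=$siteName,CN=Sites,$configNC"
    $ntds   = Get-ADObject -Identity $ntdsDn -Properties options
    if (-not ($ntds.options -band 1)) {
        Set-ADObject -Identity $ntdsDn -Replace @{ options = ($ntds.options -bor 1) }
    }
}

# A site created with New-ADReplicationSite is not in any site link, and
# without a link there is no intersite replication. Put both in the default
# link; the interval assumes the VPN is up whenever replication is due.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Add = @($Sites.Keys) } `
    -ReplicationFrequencyInMinutes 15

# Verify from the remote DC: it should report its own site and be returned
# as a GC for the domain; repadmin shows the new intersite connections.
nltest /dsgetsite
nltest "/dsgetdc:$Domain" /gc /force
repadmin /showrepl
```

GC promotion finishes only after the DC has pulled the partial attribute set, so allow a replication cycle before trusting the nltest result. Two things the script deliberately leaves to the administrator: renaming Default-First-Site-Name to Corp-Site is an equally valid choice (then SERVER is already in it), and the extra "remote" zone should be removed only after the remote clients and the DHCP scope at that site hand out 192.168.254.1 as their DNS server and resolve x.local from it.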


 