Authenticating to DC at remote site thru BOVPN

Discussion in 'Server Networking' started by Marc S, Jan 29, 2009.

  1. Marc S

    Marc S Guest

    At our main office, we have 2 DCs. There is a 3rd DC at a remote site that
    is connected to our main office thru a BOVPN (Branch Office VPN)...always
    connected. The 3rd DC replicates with the 2 DCs at the main site, however I
    feel that when users at the main office happen to hit the remote 3rd DC,
    there is a severe delay logging on.

    Is there any way to speed up or prevent logging onto the 3rd remote DC?
    Any settings I should confirm are set properly?
    Marc S, Jan 29, 2009

  2. Hello Marc,

    Did you configure AD Sites and Services to reflect your topology with the
    sites and add the subnet to the site and then move the DCs to their belonging

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Jan 29, 2009

  3. Marc S

    Marc S Guest

    After searching thru google, I see comments regarding this too. I don't know.
    Consultants set up the remote DC, so I don't know what's on it.

    Can you briefly explain how to do this, or point me in the direction for
    Marc S, Jan 29, 2009
  4. Meinolf Weber [MVP-DS], Jan 29, 2009
  5. Marc S

    Marc S Guest

    Thanks. Sounds like you've done this before, can you answer these questions
    to help me.
    1. At neither my main office nor my remote office are there Subnets created
    under AD Sites and Services. In both cases, they are blank. Is it possible,
    they are blank, and the network runs ok?

    2. Both sites have their own different ip address, and currently only talk
    thru the BOVPN. Do I only add "one" subnet on each respective's own

    3. Can I add the subnets during the day? Will it affect any network

    4. Do I need to restart any services after adding each subnet?

    5. If I use private ip internally, is the subnet and subnet
    Marc S, Jan 29, 2009
  6. Hello Marc,

    1. Yes, you only realize it in the longer logon as you see when authenticating
    against the remote DC or when site aware applications/services are used.

    2. You have to add each used subnet from your network

    3. Yes, no downtime is needed for creating the subnets/sites or moving the
    DCs to their belonging site

    4. No, not needed

    5. Yes, that's right, that's one and do not forget the remote subnet

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Jan 29, 2009
  7. Marc S

    Marc S Guest

    1. If I add both subnets to each DC (main & remote), won't I still see the
    user try to logon to the remote DC?

    2. To add, do I simply right click on Subnets, and add new subnet? Just
    enter network address, mask, and select site (only 1 site)?

    3. What do you mean moving the DC? If I only have 1 site (still called
    Default-First-Site-Name), do I need to move any DCs?

    4. After reading all this, I'm trying to understand the purpose. If
    everything talks now, and I'm adding both subnets from main and remote, what
    benefit is this providing to speed up the logons?
    Marc S, Jan 29, 2009
  8. Hello Marc,

    1. You have to create also a site for the remote office. You have "Default
    First Site Name" with, at the moment, the main and remote DCs under it. Create
    a second site for the remote office, add the remote subnet and move the DC
    which belongs to the remote site to it

    2. Yes

    3. Right-click one level above and choose create new site, name it Remote or whatever,
    add the correct subnet to it and now move the DC: right-click the DC or drag
    and drop it to the new site

    4. When the new site is created you have 2 sites, "Default First Site Name"
    and "Remote", each with its belonging subnets and DCs.
    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Jan 29, 2009
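    The procedure laid out in this reply (second site, one subnet per site, move the branch DC, done once because the objects replicate), as an added PowerShell example that is not from the thread or its posters. It assumes the ActiveDirectory module's replication cmdlets (Windows Server 2012 or later RSAT) and Domain Admin rights; the site, subnet and DC names are constructed placeholders.

    ```powershell
    # Added example, not from the thread. Assumes the ActiveDirectory PowerShell
    # module (RSAT, Windows Server 2012 or later) and Domain Admin rights.
    # Site, subnet and DC names are constructed placeholders; replace them.
    Import-Module ActiveDirectory

    $mainSite     = 'Default-First-Site-Name'   # existing site holding all three DCs
    $remoteSite   = 'Remote'                    # new site for the branch office
    $remoteDC     = 'DC03'                      # DC physically at the branch office
    $subnets = @{                               # subnet -> site that owns it
        '10.10.0.0/16' = $mainSite              # main-office subnet (placeholder)
        '10.20.0.0/16' = $remoteSite            # branch-office subnet (placeholder)
    }

    # 1. Create the second site. Unlike the MMC wizard, New-ADReplicationSite does
    #    not ask for a site link, so add the site to the default link explicitly or
    #    inter-site replication with the branch DC has no path.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$remoteSite'")) {
        New-ADReplicationSite -Name $remoteSite
        Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
            -SitesIncluded @{ Add = $remoteSite }
    }

    # 2. Define each subnet and attach it to its site. A host's site is derived
    #    from its IP address, so the main-office subnet must be present too,
    #    otherwise main-office clients are still treated as site-less.
    foreach ($net in $subnets.Keys) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$net'")) {
            New-ADReplicationSubnet -Name $net -Site $subnets[$net]
        }
    }

    # 3. Move the branch DC into its own site. This is a one-time change: site,
    #    subnet and server objects live in the Configuration partition and
    #    replicate to every DC, so nothing is repeated on the other DCs.
    Move-ADDirectoryServer -Identity $remoteDC -Site $remoteSite

    # 4. Verify from a main-office client: its resolved site should match its
    #    subnet, and the DC locator should now return a main-office DC.
    nltest /dsgetsite
    nltest "/dsgetdc:$env:USERDNSDOMAIN" /site:$mainSite
    Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
    ```

    Run step 4 again on a branch-office client to confirm it resolves to the Remote site and is handed the branch DC.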
  9. If you open the AD Sites & Services MMC and just look under the Help Topics
    it explains the whole thing.

    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    Phillip Windell, Jan 30, 2009
  10. Marc S

    Marc S Guest

    So, let me make sure I'm clear, after re-reading. With two separate offices,
    it's best to have 2 separate sites created in AD Sites & Services. I have 2
    DCs in Site 1, and 1 DC in Site 2.

    Currently all is listed under one site, with no subnet listed and all 3 DCs
    listed, which works, but is NOT best practice to make logons most efficient.

    1) Do I need to manually create the 2nd Site, specific subnet, move DC on
    ALL three DCs separately.. under each DCs AD Sites & Services? (I wasn't
    sure if I created on one DC, they would auto populate on the others.)

    2) Once this is done, will all 3 DCs continue to replicate, even though 2 DCs
    are listed in Site 1 and 1 DC is listed under Site 2...they are listed in 2
    separate sites?
    Marc S, Jan 30, 2009
  11. Yes,...I think,....

    It is the way you are re-asking the question that makes it hard to tell if
    you understand or not.

    It is just this simple:

    1. A Site is a geographical location connected via a slow WAN Link (I don't
    care what kind WAN link it is)

    2. Each Physical Site uses a different Subnet

    3. Each Physical Site has at least one DC minimum.

    4. In AD there is a Site Object,...and a Subnet Object associated with it.
    The primary roles of this is to manage efficient logins at the physical
    Sites and efficient Replication between the physical Sites.

    5. All hosts are a "member" of a particular site by virtue of their IP#.
    This is true of DCs as well but there may be a few other tasks involved with
    the DC's membership of a Site

    6. Please hunt down documentation for using Active Directory Sites and
    Services and study it. If nothing else the built-in Help within the ADS&S
    MMC will do a pretty good job of explaining it.

    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    Phillip Windell, Jan 30, 2009
  12. Hello Marc,

    1. Yes, create it manually. No, it is only a one-time creation.

    2. Yes, they will, you can still see under NTDS settings the connections.

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Jan 31, 2009