Domain Controllers Across a VPN

Discussion in 'Server Networking' started by dsfseattle, Jul 19, 2007.

  1. dsfseattle

    dsfseattle Guest

    I have three sites that are connected via a Cisco 1811 router. Currently, at
    the home office I have two domain controllers (all computers run Windows 2003
    Server R2). One is the primary and the other is used as a backup (I
    understand that pdc and bdc are retired terms for this version of Windows).
    The two remote sites connect to the home office. There will be no need for
    the remote offices to connect to each other for the foreseeable future.

    I am going to place a server at each of the two remote locations. My
    thinking is that I want to join that server to the domain. Then I want to
    make that server a local DC for that remote site. I would expect that this
    DC would be refreshed from the primary dc.

    I have been able to join the server from the remote site to the domain, so I
    believe that the VPN is set up correctly. But I am having difficulty making
    the server a DC because I cannot find the domain when I run the wizard.

    I'm wondering if I need to create the DNS server on the remote server and
    then have a forwarder on the home office DNS server (thinking out loud here).

    Any help would be great.

    Dave
     
    dsfseattle, Jul 19, 2007
    #1

  2. Fine. But you need to use the Active Directory Sites object. The Sites
    Object is what controls and maintains DC Replication over the slow WAN link
    (VPN).
    Make sure that the only DNS listed in the TCP/IP Settings is the DC with the
    PDC Emulator Role. Once the remote server is promoted to a DC then that
    will be changed so that it points to itself. Make sure when you attempt to
    Promote that you address the Domain by the FQDN, not the Netbios version of
    the name. Also make sure this new DC has DNS installed on itself *first*
    before it is DCPromo'ed. You may even want the Zone created in it... it will
    fill in the rest of the data via Replication later.

    Once it is functioning, the Clients will set their DNS in the TCP/IP config
    to point to their local DC. There should *never* be any other DNS listed
    there. If you want redundancy there, then you need two DCs at each site.
    Then the DC/DNS will contain the local ISP's DNS in the Forwarders list.
    This is the only place the ISP's DNS should appear. Whatever is being used
    as a firewall device at the Site needs to allow the local DC (and *only* the
    local DC) to make outbound DNS queries to the ISP's DNS. The reason the
    local DC should be the only one is so that this will root out any PCs that
    may have rogue DNS entries. Rogue DNS entries on PCs *will* cause you
    problems if not taken care of.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Microsoft ISA Server Partners: Partner Hardware Solutions
    http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
    -----------------------------------------------------
     
    Phillip Windell, Jul 19, 2007
    #2
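The last point in the reply above, that only the local DC should be allowed outbound DNS so that PCs with rogue DNS entries show up at the firewall, can be turned into a routine audit. The following is an added example, not code from the thread: it parses constructed, syslog-style firewall lines (the format, the DC address 10.1.0.10 and the site subnet are assumptions) and reports every site host other than the DC that tried to send port-53 traffic outside the site, whether the firewall allowed or denied it, since a denied query still means that PC has a non-DC DNS server configured.

```python
"""Flag site hosts (other than the local DC) sending DNS outside the site."""
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example: the site's DC/DNS server and the site subnet.
LOCAL_DC = "10.1.0.10"
SITE_SUBNET = ipaddress.ip_network("10.1.0.0/24")

# Constructed sample firewall log (hypothetical "key=value" format).
SAMPLE_LOG = """\
2007-07-19T10:00:01 allow src=10.1.0.10 dst=203.0.113.53 proto=udp dport=53
2007-07-19T10:00:02 allow src=10.1.0.55 dst=192.0.2.53 proto=udp dport=53
2007-07-19T10:00:03 allow src=10.1.0.55 dst=10.1.0.10 proto=udp dport=53
2007-07-19T10:00:04 deny src=10.1.0.77 dst=203.0.113.53 proto=tcp dport=53
2007-07-19T10:00:05 allow src=10.1.0.20 dst=198.51.100.7 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def rogue_dns_clients(log_text, local_dc=LOCAL_DC, site_subnet=SITE_SUBNET):
    """Map each offending site host to the set of (external DNS, action) pairs.

    A host is offending if it is inside the site subnet, is not the DC, and
    sent port-53 traffic to an address outside the subnet. Queries to the DC
    itself are the expected, healthy case and are ignored.
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in site_subnet or dst in site_subnet or str(src) == local_dc:
            continue  # foreign source, internal query, or the permitted DC
        findings[str(src)].add((str(dst), rec["action"]))
    return dict(findings)
```

Run it over a real export by replacing SAMPLE_LOG and adjusting LINE_RE to the firewall's own format; every host it lists is one whose TCP/IP DNS settings should be corrected to the local DC only.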

  3. dsfseattle

    dsfseattle Guest

    I followed your advice, read up on it, and implemented. Worked like a charm
    (after I disabled the firewall).

    Dave
     
    dsfseattle, Jul 27, 2007
    #3
  4. Excellent!
    Glad it worked out for you.

     
    Phillip Windell, Jul 27, 2007
    #4