Active Directory Site Link Thru 2 Firewalls

Status
Not open for further replies.

EnemyAce

IS-IT--Management
Jul 16, 2003
30
CA
This one is a real challenge, well for me anyways.

I'm in the process of setting up a new site across town from our Office. I ran dcpromo on a box in the Office, then moved it to the new site. I'd like to have this DC be able to replicate with our Office DCs.

The problem is, both sites have private IP addresses due to NAT-enabled firewalls. Is there an easy solution to make this all work? What ports, if any, will I need to open up on each firewall?
 
Easiest method would be to set up a vpn between sites and make sure both have different private ip ranges. After that, they should appear local and being private won't matter a bit. Should then set up sites after if the vpn is even an option...
 
I'm trying to do the same thing, but I know nothing about site replication etc. Do you know where I can get some info on this? I've tried the Microsoft site but it didn't help.

Thanks

Paul
 
Thanks for the tip. I did actually attempt to set up a VPN connection between sites but failed. The reason, I'm assuming, is that both private IP ranges were identical.

Does it matter what machine establishes the VPN tunnel, or does it have to be initiated from the Domain Controller?
 
You set up a demand dial VPN on both machines, and make sure they use shared credentials (works well if you create an account just for this purpose). Make sure you don't forget to add them as static routes to get to the other location as well.

As far as site replication, with nothing fancy it isn't that difficult. Just make the 2 sites in AD Sites and Services, set up a subnet for each and add them to the sites, and make sure the servers are in the correct site.
 
Thanks for all your help. The Demand Dial VPN worked beautifully and I now have both sites connected. I also configured the Site Link in Active Directory, although this may or may not have been done right.

From either Demand Dial VPN box, I can browse and connect to all the Servers on the other end. I'm unable to do this from any of the other Servers however. I'd like to be able to browse and connect to all remote servers from ANY machine on either side.

If I had setup the AD Site Link properly, would I be able to do this? I'd like the remote site to be treated as if the boxes were all on the local LAN.
 
You need to make sure that DNS is set up correctly. My advice if you are having a VPN between 2 sites is to set up each site with its own subnet but on the same domain.

i.e. site 1 IP address scheme: 192.168.0.x
site 2 IP address scheme: 192.168.1.x

Make sure that you have a reverse lookup zone entered into DNS for each subnet. If the VPN is from firewall to firewall you should have no problem replicating Active Directory between the sites and browsing between the sites. Make sure that you have the correct ports open and check Event Viewer for communication errors.

You can set the time you would like AD to replicate through Sites and Services, and it might have been an idea to have run dcpromo over the VPN to make sure that communication is in place.
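The two sites, their subnets and the scheduled site link that the replies above describe, as an added example that is not from this thread. It uses the ActiveDirectory PowerShell module (Windows Server 2012 and later; the thread's own era used the Sites and Services console), and the site names and the DC name are assumed; the subnets are the ones suggested above.

```powershell
# Added example, not from the thread: build two AD sites, one subnet each, and a
# site link over the VPN, then move the DC promoted at the office into the new site.
# Site names and the DC name 'DC2' are assumed values.
Import-Module ActiveDirectory

$sites = @{
    'Office'  = '192.168.0.0/24'   # site 1 subnet from the reply above
    'NewSite' = '192.168.1.0/24'   # site 2 subnet from the reply above
}

foreach ($name in $sites.Keys) {
    # Create the site only if it does not exist yet (script can be re-run safely).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    # Subnet objects are what let a DC (and clients) map themselves to a site.
    $cidr = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $name
    }
}

# Site link joining the two sites over the VPN; replicate every 15 minutes
# (the minimum interval) using the IP transport.
$linkName = 'Office-NewSite'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded 'Office','NewSite' `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# The DC that was promoted in the office lands in the default site; move it.
Move-ADDirectoryServer -Identity 'DC2' -Site 'NewSite'

# Verify each DC sits in the site matching its address, then check replication.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
repadmin /replsummary
```

Replication errors that repadmin reports after this usually point at DNS or at ports blocked between the sites, which is what the reply above tells you to check in Event Viewer.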
 
Other than PPTP, what ports need to open?
 
It looks like the problem may be routing table related. When I do a Route Print on either of the VPN machines, I see paths to the opposite LANs. None of that information is in the routing table of my client machine, for example.

Would this keep me from browsing, or even pinging the remote network? What do I need to do to have the routing table from the demand dial VPN server replicate to all machines on the LAN? Or do I have to manually enter this on each machine?
 