Tek-Tips Forums

Add Domain Controllers to Remote Sites

Status
Not open for further replies.

CoreyWilson (IS-IT--Management), CA, Feb 3, 2004
Hello all,

I am looking for a very simple answer to installing new domain controllers in remote sites. I know there are a number of documents explaining how to do this, but it seems they make it sound way more complicated than it has to be once you start reading the step-by-step instructions, not to mention that many leave out important steps; so I am still just a little unsure of the process.

We have sixteen remote sites, all of which are already established with their own IP range and are communicating with our head office; all are separated by a router. I would like to configure Windows 2003 domain controllers and global catalogs in each of these remote sites. We would like to build these servers at our head office and ship them out preinstalled and ready to go.

As I understand it, this is what is necessary to approach the task the way we would like: in Active Directory Sites and Services, create a site for each location where a DC will reside, choosing the DEFAULTIPSITELINK connector (since all sites are connected by relatively quick lines we don't need SMTP). Then create a subnet representing each site, with the same subnet information that is assigned and configured at each remote location. Then select the newly created subnet and associate it with the site name that was just created. We don't plan to do anything fancy like disabling transitivity for site links.

After each site is configured, I am guessing we can install and configure the domain controller that will be running at each site. Creating and promoting this DC at the head office will install it into the default site/subnet. We can then move that newly created domain controller into the site to which it will be shipped. When the server is delivered to the remote site and powered on, will it then be able to service clients in that location, keeping those clients' AD-related queries local instead of sending them across the WAN?

This server will be configured as a GC, and I am aware of the need to get a newly created domain controller back online as soon as possible, at the least before the default tombstone time runs out.

Does this sound about right? Am I missing any steps in the process?

Help and suggestions are greatly appreciated.

Thank you
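The site/subnet procedure described in the question, as an added example that is not part of the original thread. It uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later), which performs the same operations as the Windows 2003 Sites and Services GUI steps the poster describes. The site names, subnets and the DC name are constructed placeholders.

```powershell
# Added example (not from the original post): build the site topology from the
# question with the ActiveDirectory module. Site names, subnets and the DC name
# are constructed placeholders.
Import-Module ActiveDirectory

# One entry per remote office: the site name and the IP range already routed there.
$remoteSites = @(
    @{ Name = 'Site-A'; Subnet = '10.1.1.0/24' },
    @{ Name = 'Site-B'; Subnet = '10.1.2.0/24' },
    @{ Name = 'Site-C'; Subnet = '10.1.3.0/24' }
)

foreach ($s in $remoteSites) {
    # 1. Create the site object (skipped if it already exists).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
        New-ADReplicationSite -Name $s.Name
    }

    # 2. Create the subnet and associate it with the site in one step. This
    #    mapping is what the DC locator uses to turn a client's IP address into
    #    a site name, so the subnet must match what is routed at that office.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($s.Subnet)'")) {
        New-ADReplicationSubnet -Name $s.Subnet -Site $s.Name
    }

    # 3. Keep everything on the default IP site link (no SMTP links), as the
    #    question plans. Sites created from PowerShell are not put in any link
    #    automatically, and the KCC needs them in one to build replication.
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $s.Name }
}

# 4. A DC promoted at head office lands in the default site; move it into the
#    site it will be shipped to before it leaves the building.
Move-ADDirectoryServer -Identity 'DC-SITEA' -Site 'Site-A'

# 5. Verify: every subnet should resolve to the intended site, and the DC
#    should now report its new site.
Get-ADReplicationSubnet -Filter * -Properties Site |
    Select-Object Name, @{ n = 'Site'; e = { (Get-ADReplicationSite -Identity $_.Site).Name } }
Get-ADDomainController -Identity 'DC-SITEA' | Select-Object Name, Site, IsGlobalCatalog
```

Once the server is powered on at the remote office, `nltest /dsgetsite` run on it should print the new site name, and Netlogon re-registers the site-specific SRV records on its next refresh. The tombstone caveat from the question still applies: the box must replicate again before the tombstone lifetime expires, or it has to be demoted and rebuilt.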
 
If you have all the sites permanently VPN'd through the routers (or you can do it using ISA), just run dcpromo on the remote sites; make sure you have DNS configured to point to your main DNS server at corporate.

After the dcpromo is completed, you can go into AD Sites and Services and configure the DCs into different sites (just create them). From there, configure replication; I have mine set to every hour.

That's really about it.
 
You don't mention how many users are in each of those sites. 16 DC/GC boxes might be excessive if you've only got a small number of users in those offices. You're going to greatly increase replication traffic with that many.

Pat Richard, MCSE MCSA:Messaging CNA
Want to know how email works? Read for yourself -
 
Roughly 50-100 users a site. You raised a valid point. With that being said, however, how would you configure a single DC to service multiple sites within that region? Can you assign multiple subnets to a single DC? How would clients in remote sites know to contact that server vs. the head office server? Do you configure the cost on the central regional server to be less than the cost of the head office link? Therefore, when clients authenticate or query, they detect this server as being closer and start using it?

 
Your Question:
With that being said however, how would you configure a single DC to service multiple sites within that region?
You would collapse the region into one site, should your WAN links be large enough to handle the traffic. You only need to create separate sites for managing replication.

FYI: best practice is at least TWO DCs per site, with at least one being a global catalog.
 
Hi Kenny,

I am aware of the best practices; however, all of our sites are separated by routers at each location and each site is using a different IP range. So I am guessing multiple subnets can be assigned to a single site?

Thanks
 
Create the sites in AD Sites and Services before you create the local DCs for each site. Then promote the servers to DCs locally following the below. This way, when you create the DCs in their relevant IP range, they will automatically be placed in their established site. Then it is a matter of configuring replication as you see fit.

To avoid the need to replicate a full AD replica over all the links, use 'DCPROMO /adv' with a system state backup of an existing DC to create DCs in remote sites from backup:


This link addresses the issues of creating DCs locally and shipping them out:


DNS is important, as soutener mentioned. Point the remote DCs' DNS (which each server should have if that many users are involved) to the central location (forwarders) for replication. Also, if you don't want Internet traffic to go back to this location, you will need to think about this.

Good luck.

"Assumption is the mother of all f#%kups!"
 
Hi Guys,

I greatly appreciate all the responses and help I have received. A lot of what has been posted I am aware of, but the one issue I am still a little confused about how to handle is this.

Let's say Site A is a regional office on 10.1.1.x, and it will have a DC that will service Site B on 10.1.2.x and Site C on 10.1.3.x. How do I get the PCs in sites B and C to point to site A? Do I point the primary DNS server for clients in sites B and C to the DC in Site A and use AD-integrated DNS? I am guessing this is how I would approach it; it's the only way I see of doing it. The reasoning behind placing a DC in these offices is that we need to configure replication services for file storage, and file storage itself, so I figured it would be easier to take that approach and simply limit replication traffic back to the head office.
 
Consider installing the DNS service on the DCs at the remote sites after you have them running as DCs. Add your domain zones as secondary zones, then upgrade them to Active Directory integrated. Direct your DHCP at each site to use the site's local DNS in the scope options. If you use WINS, you can install the service at each branch and configure replication between them and your main office as well. Hand out the site WINS in your DHCP options. Having DNS and WINS available locally will improve network access for your clients and provide reliability of services should you have a power outage at your main site. Creating separate sites, moving the DCs to each site, and configuring site replication properly will decrease the network traffic over your WAN pipes due to replication between the services (i.e. Active Directory, DNS, WINS) and improve performance as well.

Microsoft provides excellent documentation in the help as well as online concerning sites, what services you should set up on each, configuring replication between, and why you need to use them to improve performance and reliability.


Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
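The regional-hub layout asked about above (a DC in Site A serving Sites B and C) together with the local DNS/DHCP steps in the reply, as an added example that is not part of the original thread. It also answers the earlier question about assigning several subnets to one DC: subnets are assigned to sites, not DCs, and a site may hold any number of subnets. Two designs are shown: Kenny's "collapse the region into one site" option, and separate sites B and C with no DC of their own, which the DC locator's automatic site coverage assigns to the DC in the nearest site by site link cost. Site names, subnets, addresses and the head-office site name are constructed placeholders; the DNS and DHCP cmdlets require the DnsServer and DhcpServer modules (Windows Server 2012 or later).

```powershell
# Added example (not from the original post): regional hub for Sites A/B/C.
# Names, subnets, addresses and the 'Head-Office' site are placeholders.
Import-Module ActiveDirectory

foreach ($site in 'Site-A', 'Site-B', 'Site-C') {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) { New-ADReplicationSite -Name $site }
}

# Option 1 (Kenny's reply): one site for the whole region. All three subnets
# map to Site-A, so every client in the region is "in" the site with the DC.
#   New-ADReplicationSubnet -Name '10.1.1.0/24' -Site 'Site-A'
#   New-ADReplicationSubnet -Name '10.1.2.0/24' -Site 'Site-A'
#   New-ADReplicationSubnet -Name '10.1.3.0/24' -Site 'Site-A'

# Option 2: separate sites, with B and C having no DC. A DC-less site is
# covered by the DC in the site reachable over the cheapest site link, which
# then registers the site-specific SRV records for B and C. Cheap links to the
# hub and an expensive link to head office make Site-A's DC the one that wins.
New-ADReplicationSubnet -Name '10.1.1.0/24' -Site 'Site-A'
New-ADReplicationSubnet -Name '10.1.2.0/24' -Site 'Site-B'
New-ADReplicationSubnet -Name '10.1.3.0/24' -Site 'Site-C'

$linkDefaults = @{ InterSiteTransportProtocol = 'IP'; ReplicationFrequencyInMinutes = 15 }
New-ADReplicationSiteLink -Name 'SiteA-SiteB' -SitesIncluded 'Site-A', 'Site-B' -Cost 50 @linkDefaults
New-ADReplicationSiteLink -Name 'SiteA-SiteC' -SitesIncluded 'Site-A', 'Site-C' -Cost 50 @linkDefaults
New-ADReplicationSiteLink -Name 'HQ-SiteA' -SitesIncluded 'Head-Office', 'Site-A' -Cost 200 `
    -InterSiteTransportProtocol IP -ReplicationFrequencyInMinutes 60

# --- On the Site-A DC: local DNS, loaded as a secondary first and then made
#     AD-integrated, as the reply describes. 10.0.0.10 is the head-office DNS.
Add-DnsServerSecondaryZone -Name 'corp.example' -ZoneFile 'corp.example.dns' -MasterServers 10.0.0.10
ConvertTo-DnsServerPrimaryZone -Name 'corp.example' -ReplicationScope 'Domain' -Force
# Names outside the domain (Internet) are forwarded to head office, which is
# the "forwarders" arrangement an earlier reply mentions.
Add-DnsServerForwarder -IPAddress 10.0.0.10

# --- On the DHCP server: scopes for B and C hand out the hub's DNS and WINS
#     (10.1.1.10 is the Site-A DC) instead of head office addresses.
foreach ($scope in '10.1.2.0', '10.1.3.0') {
    Set-DhcpServerv4OptionValue -ScopeId $scope -DnsServer 10.1.1.10 -DnsDomain 'corp.example' -WinsServer 10.1.1.10
}

# --- From a client in Site-B: confirm its site and which DC it is handed.
nltest /dsgetsite
nltest /dsgetdc:corp.example /site:Site-B
```

With option 2 the `/dsgetdc` output should name the Site-A DC, because that DC has registered itself for Site-B through site coverage; if it names a head-office DC instead, check that the client's address falls inside a subnet object and that the B-to-A link really is the lowest-cost path. The replication frequency on the links is what limits the WAN traffic the poster is worried about, the site/subnet mapping only steers client queries.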
 