Adding another dc to my domain in another location

Status
Not open for further replies.

said07

IS-IT--Management
May 3, 2004
168
US
I have 2 DCs on my network and we would like to add a 3rd, read-only, for a branch office that is in another location. The 2 offices are connected by a site-to-site VPN and each of our networks has its own IP scheme. Which IP should the 3rd DC have: an IP from my network or from the branch office?
Thanks for the input
 
68sniper, glad to hear from you again :)
My plan was to configure the DC in my location, then ship.
Should I just set up Windows 2008 in my location, let it get a DHCP IP, enable RDP, send it to the branch office, change to a static IP from the branch office, then add the DC role and replicate overnight?
 
You could do that. You could make it a DC while it's in your main office, so that the entire DIT file transfers, and replication finishes, then change the IP to a static address for your branch office, and ship it there.

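The pre-stage procedure 68sniper describes (promote at the main office over the fast LAN, let replication finish, re-address for the branch, ship), written out as an added example. This is not from the thread: it assumes Windows Server 2012 or later, where the ADDSDeployment and NetTCPIP cmdlets exist (the Server 2008 box in the thread would use dcpromo with an unattend file instead), and the domain name, site name, group, addresses and interface alias are placeholders. The branch AD site named in -SiteName must already exist.

```powershell
# Added example, not the thread's own commands. Assumes Server 2012+ cmdlets;
# 'corp.example', 'Branch', 'CORP\BranchAdmins', the IPs and 'Ethernet' are placeholders.

# 1. Promote to a read-only DC while still on the main-office LAN so the whole
#    DIT replicates locally instead of over the VPN.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$promo = @{
    DomainName                        = 'corp.example'
    ReadOnlyReplica                   = $true
    SiteName                          = 'Branch'            # site must exist first
    InstallDns                        = $true
    DelegatedAdministratorAccountName = 'CORP\BranchAdmins' # local admins of the RODC only
    Credential                        = (Get-Credential 'CORP\DomainAdmin')
    SafeModeAdministratorPassword     = (Read-Host -AsSecureString 'DSRM password')
}
Install-ADDSDomainController @promo
# The server reboots here. Continue after logging back on.

# 2. Confirm initial replication finished before the box leaves the building.
#    repadmin is the authoritative view; the cmdlet gives the same data as objects.
repadmin /showrepl $env:COMPUTERNAME
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult

# 3. Re-address for the branch subnet. Primary DNS stays a writable HQ DC
#    reachable over the VPN; the RODC lists itself second.
$nic = 'Ethernet'
Remove-NetIPAddress -InterfaceAlias $nic -Confirm:$false
Remove-NetRoute    -InterfaceAlias $nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false
New-NetIPAddress   -InterfaceAlias $nic -IPAddress '10.20.0.10' -PrefixLength 24 -DefaultGateway '10.20.0.1'
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses '10.10.0.10', '10.20.0.10'

# 4. A DC that changes address must re-register its host and SRV records,
#    otherwise clients keep finding the old DHCP address in DNS.
ipconfig /registerdns
nltest /dsregdns
Restart-Service Netlogon
```

Step 3 is the one that causes trouble if it is skipped or half-done: until the new A and SRV records replace the DHCP-era ones, the branch clients (and the other DCs) will try to reach the RODC at an address that no longer exists. Running step 4 and then checking `nslookup -type=SRV _ldap._tcp.Branch._sites.dc._msdcs.corp.example` from the branch is a quick confirmation.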
 
I read somewhere that firewall ports need to be opened for replication. That won't be an issue for us since we are site to site, correct?
 
As long as traffic between the sites isn't being filtered at either end of the VPN tunnel then you shouldn't need to mess with firewall ports.

Also, when you set up your new DC on the other subnet, be sure to define a second site in AD and move the new DC into that site. Site topology affects replication and authentication, so you can use Sites and Services to minimize the amount of unnecessary WAN traffic.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator
 
I created a site and a subnet for the RODC and that messed up my Exchange environment. I couldn't open the Exchange Management Console and the users were disconnected until I deleted the new site and subnet in my Sites and Services. Not sure how to get around that yet.
 
Hmmm.. that shouldn't happen in theory. Assuming:
1. Writeable DCs in the Exchange AD site
2. RODC in a DIFFERENT AD site
3. Sites and subnets are properly defined (subnets are important)

It should work. Exchange should ignore RODCs.


 
It did :0
What I could guess is:
I didn't have my site configured prior to that. No need for it until now. So I added the subnet for my site, but only one VLAN, the one my servers are on. Then I added the other site and its subnet and made the link.
That's when my Exchange got messed up. I didn't have the time to improvise or test further since we needed email to flow, so I got rid of the changes and reverted back.
 
I was able to add the RODC but it is still on my site. All replicated and working fine.
I found out it was creating the subnet for the branch office that causes the Exchange server to cease communicating with the domain controllers. Why, and how to prevent that, is the question now.
 
Is your site for the main office properly defined as well? Are there overlapping IP ranges somehow?

So I added the subnet for my site but only one vlan on which my servers are. Then I added the other site and its subnet and made the link.

When you define a site, define the entire site, not just one of the VLANs. The entire point of a site is that it is a collection of well-connected links, defined IP networks/subnets. When a device comes online the site that it is in is determined by the network/subnet that it is on. The site that it is in also determines which DCs it authenticates to, what DFS servers, and a host of other things. On the server side the sites will control how AD and ADFS replicates, and Exchange (in later versions) will utilize the site topology as well. When you set up sites you have to get it right, otherwise things won't work correctly.

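The site-topology advice in 68sniper's two posts above (define a second site, move the RODC into it, and define every subnet at each location rather than just the server VLAN) as an added example, together with the check a practitioner wants before touching Exchange: does every DC and mail server fall inside exactly one defined subnet, with no gaps and no overlaps? This is not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT, Server 2012+), and the site names, address ranges and host list are placeholders constructed for the example.

```powershell
# Added example, not the thread's own commands. Assumes the ActiveDirectory module;
# 'HQ', 'Branch', the CIDR ranges and the $hosts table below are placeholders.
Import-Module ActiveDirectory

# Every subnet at each location, not just the server VLAN. A client or server on an
# undefined subnet is not placed in its site and may authenticate across the WAN.
$topology = @{
    'HQ'     = @('10.10.0.0/24', '10.10.1.0/24', '10.10.2.0/24')  # servers, users, VoIP
    'Branch' = @('10.20.0.0/24', '10.20.1.0/24')
}

# A new forest has one site, Default-First-Site-Name, holding the existing DCs.
# Rename it to HQ (optional) so the HQ subnets map onto it instead of a new, empty site.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default -and -not (Get-ADReplicationSite -Filter "Name -eq 'HQ'")) {
    Rename-ADObject -Identity $default.DistinguishedName -NewName 'HQ'
}

foreach ($site in $topology.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $topology[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# One site link over the VPN. Cost above the default 100 and a 15-minute interval
# keep intra-site behaviour (urgent, notification-based) off the WAN.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'HQ-Branch'")) {
    New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ', 'Branch' `
        -Cost 200 -ReplicationFrequencyInMinutes 15
}

# Put the RODC in the branch site so branch clients pick it for logon.
Move-ADDirectoryServer -Identity 'BRANCH-RODC1' -Site 'Branch'

# --- Coverage and overlap check -------------------------------------------------
function ConvertTo-UInt32([ipaddress]$ip) {
    $b = $ip.GetAddressBytes(); [Array]::Reverse($b); [BitConverter]::ToUInt32($b, 0)
}
function Test-InSubnet([string]$ip, [string]$cidr) {
    $net, $bits = $cidr.Split('/')
    $mask = if ([int]$bits -eq 0) { [uint64]0 }
            else { ([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band [uint64]0xFFFFFFFF }
    (([uint64](ConvertTo-UInt32 $ip)) -band $mask) -eq (([uint64](ConvertTo-UInt32 $net)) -band $mask)
}

# Constructed host list for the example; in practice build it from
# Get-ADDomainController -Filter * and Get-ExchangeServer.
$hosts = [ordered]@{
    'HQ-DC1'       = '10.10.0.10'
    'HQ-DC2'       = '10.10.5.11'   # on a VLAN the topology above forgot
    'HQ-EXCH1'     = '10.10.0.20'
    'BRANCH-RODC1' = '10.20.0.10'
}
$subnets = Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
foreach ($h in $hosts.GetEnumerator()) {
    $hits = @($subnets | Where-Object { Test-InSubnet $h.Value $_.Name })
    switch ($hits.Count) {
        0       { Write-Warning "$($h.Key) ($($h.Value)) is in NO defined subnet; add its range to the right site" }
        1       { "{0,-14} {1,-12} -> {2}" -f $h.Key, $h.Value, (($hits[0].Site -split ',')[0] -replace '^CN=', '') }
        default { Write-Warning "$($h.Key) ($($h.Value)) matches $($hits.Count) overlapping subnets: $($hits.Name -join ', ')" }
    }
}
```

With the constructed list above, HQ-DC2 trips the "no defined subnet" warning, which is the situation the thread ran into when only the server VLAN was added. On each client or member server, `nltest /dsgetsite` shows which site the locator actually placed it in, and on an Exchange 2010 server `Get-ExchangeServer -Status | Format-List Name, CurrentDomainControllers, CurrentGlobalCatalogs` shows which DCs Exchange is really using, so a stale or decommissioned DC like the one found at the end of the thread stands out before a topology change rather than after.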
 
Funny that you posted 5 min after I tested the RODC while it is on the other site.
We got everything working. Just tested replication and it's happy.
What the culprit was: one of my DBs on my Exchange 2010 was still pointing to a 2003 that was still on my network, ready to be decommissioned. I overlooked that. That's why Exchange 2010 took a dive as soon as I added the other site's subnet. I had to involve Microsoft.
 