demote then promote a DC in remote location on a site-to-site VPN

ttrsux | IS-IT--Management | Jul 28, 2004 | 112 | 0 | 0 | US
Hello all,

I have two sites connected via persistent site-to-site VPN.

West Coast is the "main" site --> domain.local
East Coast is the "remote" site --> subdomain.domain.local

For some reason, the remote site was created as a subdomain and a DC was put in place as dc.subdomain.domain.local.
The remote side's DC has a E:\ drive with shares on it. Each share has permissions applied as such:

\\eastcoastDC\share1
shared to:
user@domain.local
user@subdomain.domain.local (<-- this probably does nothing as user's computers are joined to the domain.local site and everyone logs into their computers as user@domain.local)

Weird, I know.

My plan is to demote the remote DC and just join it to the main site's domain "domain.local". When I do this, I assume the user SIDs in the Security tab (for shares) that reference users in the subdomain AD will turn to "UNKNOWN", and look like this: s-1-5-21-3297075987-357820935-4141682199-1000.

Will the user@domain.local references (in the shares) stay intact since those users have nothing to do with subdomain.domain.local?

The reason I'm bringing the remote DC into the main site's domain is because all the computers at the remote site were originally joined to the domain.local domain and then shipped to the East Coast remote site, so it's not like they even contact the DC that's on their same subnet... they all contact the main site DC for authentication/etc...

Finally, after all said and done with the remote site's DC on the same domain as the main site, do I need to mess with AD Sites and Services? I have worked with companies with multiple sites, all on the same domain with different subnets and I've never seen AD Sites and Services deployed.

Thanks anyone for your feedback. This is a fairly simple setup but took longer than I thought to explain.
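An added example, not from the original post or anyone in the thread: before demoting the subdomain DC, inventory the NTFS ACEs on the share tree and record which identities belong to subdomain.domain.local, since those are the entries that will show up as bare "S-1-5-21-..." SIDs afterwards. The share root (E:\share1) and the NetBIOS name SUBDOMAIN are assumptions; run it elevated on the East Coast file server, and run it again after the re-join to confirm that only the expected entries changed.

```powershell
# Added example, not part of the thread: audit the ACEs on a share tree and
# classify each identity so the ACEs that will turn into raw SIDs after the
# demotion are known in advance. $Root and $DoomedDomain are assumed values.
param(
    [string]$Root = 'E:\share1',          # assumed: one of the E:\ shares from the thread
    [string]$DoomedDomain = 'SUBDOMAIN'   # assumed: NetBIOS name of subdomain.domain.local
)

function Get-AceStatus {
    param([System.Security.Principal.IdentityReference]$Id, [string]$DoomedDomain)
    # Get-Acl hands back a SecurityIdentifier instead of an NTAccount only when
    # Windows could not resolve the SID to a name, i.e. the entry is already orphaned.
    if ($Id -is [System.Security.Principal.SecurityIdentifier]) { return 'Orphaned' }
    $domainPart = ($Id.Value -split '\\')[0]
    if ($domainPart -ieq $DoomedDomain) { return 'WillOrphan' }   # subdomain account: becomes a bare SID after demotion
    return 'Ok'                                                    # root-domain, local or built-in principal: unaffected
}

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$report = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    # Only explicit ACEs are reported; inherited ones repeat whatever the parent says.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        # Record the SID as well as the name so the two audit runs can be matched
        # even after the name is no longer resolvable.
        $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
               catch { $ace.IdentityReference.Value }
        [pscustomobject]@{
            Path     = $item.FullName
            Identity = $ace.IdentityReference.Value
            Sid      = $sid
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
            Status   = Get-AceStatus -Id $ace.IdentityReference -DoomedDomain $DoomedDomain
        }
    }
}

$report | Export-Csv -LiteralPath (Join-Path $env:TEMP 'share-acl-audit.csv') -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -ne 'Ok' | Format-Table Path, Identity, Rights, Status -AutoSize
```

This covers NTFS permissions only. The share-level ("shared to") permissions the post describes are stored separately; on Windows Server 2012 or later `Get-SmbShareAccess -Name share1` lists them with the same account-name form, and the same classification applies. An entry that resolves to a root-domain account keeps working because its SID lives in domain.local, which is untouched by the demotion.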
 
I forgot to mention, AD Sites and Services is currently set up so I imagine I'd need to decommission it or remove the site from the main site's side first? Not sure how to "turn off" AD Sites and Services properly. Can I just go into the snap-in and delete the west coast site?
 
[bump] ♫♪ hello hello helloooooo is there anybody out there.... just nod if you can hear me.... ♪♫ [hippy]
 
I think your project is a good idea. Better to have a flat domain structure.

The share/file ACLs that reference user accounts in the root domain will not be screwed up. Only accounts from the subdomain will be marked as unknown.

Once you have re-added the DC as a member of the root domain and promoted it, you will want to define an additional site in AD Sites and Services and define the subnets for both of your sites.

I think you are good-to-go.

Dave Shackelford
ThirdTier.net
TrainSignal.com
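The site and subnet definition Dave recommends, as an added example that is not from the thread or its participants. It uses the ActiveDirectory PowerShell module, which needs a DC running Active Directory Web Services (Windows Server 2008 R2 or later); on the 2003-era servers in this thread the same objects are created by hand in the Sites and Services snap-in. The site names WestCoast and EastCoast, the /24 masks, and the site link cost and interval are assumptions; the DC names and the 192.168.100.x / 192.168.200.x ranges come from the thread.

```powershell
# Added example, not part of the thread: give each location its own AD site and
# subnet after the East Coast DC is promoted into domain.local, so clients on
# 192.168.200.x locate the local DC and replication over the VPN is scheduled
# rather than treated as LAN traffic. Names, masks and link settings are assumed.
Import-Module ActiveDirectory

$sites = @{
    'WestCoast' = '192.168.100.0/24'   # assumed /24 for the 192.168.100.x range
    'EastCoast' = '192.168.200.0/24'   # assumed /24 for the 192.168.200.x range
}

foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    $cidr = $sites[$site]
    # Subnet objects are named by their CIDR prefix; a client is placed in the
    # site whose subnet contains its IP address.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $site
    }
}

# A site link tells the KCC the two sites are connected and how often to replicate
# across the VPN. Cost and interval are assumed values.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'WestCoast-EastCoast'")) {
    New-ADReplicationSiteLink -Name 'WestCoast-EastCoast' `
        -SitesIncluded 'WestCoast', 'EastCoast' `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}

# Move each DC into the site that matches its address (server names from the thread;
# the East Coast DC keeps whatever name it gets when re-promoted into domain.local).
Move-ADDirectoryServer -Identity 'DC01' -Site 'WestCoast'
Move-ADDirectoryServer -Identity 'DC02' -Site 'WestCoast'
Move-ADDirectoryServer -Identity 'dc'   -Site 'EastCoast'

# Verify: every DC should now report the intended site.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
```

Without a subnet object for 192.168.200.0/24, the East Coast clients are not associated with any site and will keep using whichever DC the locator returns, which is the behaviour the original post describes.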
 
Thanks ShackDaddy! I agree, a flat domain structure is always nice. I tried to demote the server dc.subdomain.domain.local and got an error immediately after it started:

"8614 The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."

Is there a way to um... untombstone it?

So, I tried this:
And got an error "The following error occurred during the attempt to synchronize naming context Configuration from Domain Controller dc to Domain Controller DC02: Replication access was denied. The operation will not continue".

A very basic explanation of our topology is:
West Coast site has 2 DCs (DC01 and DC02) on domain.local on 192.168.100.x
East Coast site has 1 DC (dc) on subdomain.local on 192.168.200.x

The two DCs at the West Coast (main) site replicate with each other fine. Based on the error, the remote site's DC (East Coast) can replicate to DC01, but not DC02.

Am I going to have to manually remove the DC?

Thanks ALL!
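An added example, not from the thread or its participants, that reproduces the check behind error 8614: each replication partner's last successful sync is compared with the forest's tombstone lifetime. It uses the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later, so not the tooling of the 2004 thread itself); the target name dc.subdomain.domain.local is taken from the thread and is an assumption about what the DC resolves to from where the script runs.

```powershell
# Added example, not part of the thread: compare the last successful inbound and
# outbound replication for a DC against the forest tombstone lifetime. A partner
# whose last success is older than that lifetime is the condition that produces
# error 8614 when the DC tries to replicate or demote.
Import-Module ActiveDirectory

$Target = 'dc.subdomain.domain.local'   # assumed: the DC the thread is trying to demote
$now    = Get-Date

# tombstoneLifetime lives on the Directory Service object in the configuration NC.
# It is absent on forests created before Windows Server 2003 SP1, where 60 days applies.
$rootDse = Get-ADRootDSE -Server $Target
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObj   = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime -Server $Target
$tslDays = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tslDays days"

# One row per (partition, partner, direction). A partner that never succeeded is
# treated as infinitely stale so it sorts to the top.
$rows = Get-ADReplicationPartnerMetadata -Target $Target -Scope Server -PartnerType Both |
    ForEach-Object {
        $age = if ($_.LastReplicationSuccess) { ($now - $_.LastReplicationSuccess).TotalDays }
               else { [double]::PositiveInfinity }
        [pscustomobject]@{
            Partition           = $_.Partition
            Direction           = $_.PartnerType
            # Partner is the DN of the partner's NTDS Settings object; the second RDN is the DC name.
            Partner             = (($_.Partner -split ',')[1] -replace '^CN=')
            LastSuccess         = $_.LastReplicationSuccess
            DaysSinceSuccess    = [math]::Round($age, 1)
            ConsecutiveFailures = $_.ConsecutiveReplicationFailures
            LastResult          = $_.LastReplicationResult   # 8453 is "Replication access was denied"
            BeyondTombstone     = $age -gt $tslDays           # true for the partners behind error 8614
        }
    }

$rows | Sort-Object BeyondTombstone, DaysSinceSuccess -Descending | Format-Table -AutoSize
```

Once a DC's partners are all beyond the tombstone lifetime, a normal demotion is refused because the DC could reintroduce objects the rest of the forest has already deleted. What "manually remove the DC" means in that situation is a forced demotion of the box itself (`dcpromo /forceremoval` on Windows Server 2003) followed by removing its leftover NTDS Settings object with `ntdsutil` metadata cleanup, so that DC01 and DC02 stop trying to replicate with a server that no longer exists. The "Replication access was denied" failure toward DC02 is a separate problem from the tombstone one and is worth diagnosing on its own with `repadmin /showrepl` and `dcdiag /test:replications` run against both sides.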
 