
Remote Site Design and DC Configuration



Posted

Hi,

 

I came across this new design for DCs in remote sites. I have not done anything like this, but I am not sure whether it is the correct way to have done it. Correct me if I am wrong.

There are 4 remote sites. Each remote site has a single domain controller, and the workstations are getting their DHCP address from the domain controller through a helper address via the router. The workstations' gateway is the router and not the domain controller.

I am not sure how the following will be:

1. Authentication for users in remote sites? Will it be local authentication, or will it be via the WAN to the main site?
2. How will the Group Policy be applied?

Is this the way it should be designed for redundancy if the remote domain controllers fail?

Earlier, what I had done is that the remote sites' workstations' gateway was the DC, and they authenticated to the remote domain controller and got their policies and scripts from the remote domain controllers. And I know with this that if the remote DC goes down, then users will not be able to authenticate and log in. But I had another domain controller in the remote sites on which I could easily turn on the Global Catalog, and they should be able to log in through that, and the KCC will be built from that domain controller to the main site.

Your design help would be much appreciated.

Thanks in advance

Guest Mathieu CHATEAU
Posted

Re: Remote Site Design and DC Configuration

 

Hello,

Do you have only one AD domain/forest? I guess so.

In AD Sites (dssite.msc), create as many sites as IP subnets (one should match each remote site). Attach each DC of each site to its AD site, so computers in a remote site will connect to it all the time if it is available.

At each remote site, make the DC the DHCP and DNS server.

On the remote workstations, give them their local DC as primary DNS and the head office DC as secondary, all through local DHCP.

GPOs will be synced between the DCs and will be applied.

Now, about problems that can occur:
- The WAN link can be down => the local DC has what is necessary to maintain service for some time.
- The remote DC can be down => workstations will go to the head office DC if they still have a valid DHCP lease.
- The head office may be down => same as the link being down.

So to protect against this, you will:
- give a long lease time, say one or even 2 days
- maybe put two DCs in if the remote site is big

You may have an issue with FSMO roles if there is only one DC at the head office. The operations master mustn't be on a DC which is a Global Catalog, or all DCs must be Global Catalogs.

Do you use Exchange?

 

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com
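The steps in the reply above (one AD site per IP subnet, each DC attached to its site, a site link back to head office, DHCP and DNS on the local DC, the local DC first in the DNS list, a long lease) as one worked PowerShell script. This is an added example and not code from the thread; every site name, subnet, host name and address in it is hypothetical, it assumes the RSAT ActiveDirectory and DhcpServer modules, and the router's DHCP helper address from the original post is left as a router-side setting outside the script.

```powershell
# Added example, not part of the thread. Implements the layout described in
# the reply above for two remote sites and checks that DC locator prefers the
# local DC. Every site name, subnet, host name and address is hypothetical.
#Requires -Modules ActiveDirectory, DhcpServer

$domain  = 'corp.example'   # assumed single domain / forest root
$hqSite  = 'HQ'             # assumed head-office site name
$hqDcIp  = '10.0.0.10'      # assumed head-office DC, used as secondary DNS

# One AD site per remote location: its subnet, its single DC and its router.
$remoteSites = @(
    @{ Name = 'Branch-A'; Subnet = '10.1.0.0/24'; Mask = '255.255.255.0'
       Start = '10.1.0.50'; End = '10.1.0.200'
       Dc = 'DC-A'; DcIp = '10.1.0.10'; Router = '10.1.0.1' },
    @{ Name = 'Branch-B'; Subnet = '10.2.0.0/24'; Mask = '255.255.255.0'
       Start = '10.2.0.50'; End = '10.2.0.200'
       Dc = 'DC-B'; DcIp = '10.2.0.10'; Router = '10.2.0.1' }
)

# --- Step 1 (run once, from any machine with RSAT): sites, subnets, DC placement.
# A client whose subnet has no subnet object belongs to no site, so DC locator
# may hand it a head-office DC over the WAN. Define every branch subnet.
foreach ($s in $remoteSites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
        New-ADReplicationSite -Name $s.Name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($s.Subnet)'")) {
        New-ADReplicationSubnet -Name $s.Subnet -Site $s.Name
    }
    # Move the branch DC's server object into its site. Netlogon re-registers
    # the site-specific SRV records on its next run (or after a service restart).
    Move-ADDirectoryServer -Identity $s.Dc -Site $s.Name

    # Site link to HQ so the KCC builds the WAN replication topology itself.
    $link = "$hqSite-$($s.Name)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded $hqSite, $s.Name `
            -Cost 100 -ReplicationFrequencyInMinutes 15
    }
}

# --- Step 2 (run on each branch DC after the DHCP role is installed and authorised).
# Router option is the site router, never the DC; DNS option lists the local DC
# first and the HQ DC second; a 2-day lease rides out a DC or WAN outage.
$me = $remoteSites | Where-Object { $_.Dc -eq $env:COMPUTERNAME }
if ($me) {
    $scopeId = ($me.Subnet -split '/')[0]
    if (-not (Get-DhcpServerv4Scope -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -Name $me.Name -StartRange $me.Start -EndRange $me.End `
            -SubnetMask $me.Mask -LeaseDuration (New-TimeSpan -Days 2) -State Active
    }
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router $me.Router `
        -DnsServer $me.DcIp, $hqDcIp -DnsDomain $domain
}

# --- Step 3: checks to run before calling the site finished.
# On a branch workstation: which site it thinks it is in, and which DC it
# would authenticate against right now (a branch DC, not a head-office one).
nltest /dsgetsite
nltest "/dsgetdc:$domain" /force

# From any DC: where every DC sits, which are GCs and which hold FSMO roles,
# which is what the operations master / Global Catalog point above is about.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize
```

If `nltest /dsgetsite` on a branch workstation returns Default-First-Site-Name instead of the branch site, the subnet object for that workstation's address range is missing or wrong, and the client will keep crossing the WAN even though a local DC exists. The `Get-ADDomainController` listing is the quick way to see the single-DC-at-head-office situation the reply warns about: every FSMO role on one machine that is also the only Global Catalog.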

 

 


Posted

Re: Remote Site Design and DC Configuration

 

Hi Mathieu,

Thanks for the great tips. Yes, we have a single domain, single forest.

My question is: should the remote workstations have the router and not the DC as the gateway?

 

 

 

 

 


Guest Mathieu CHATEAU
Posted

Re: Remote Site Design and DC Configuration

 

Yes, of course.
The DC is not a router.
If you do so, it won't work.

 

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 


