ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Additional domain controller in remote site

    Scheduled Pinned Locked Moved IT Discussion
    dnsbranch officedomain controlldhcp
    77 Posts 5 Posters 24.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • IT-ADMINI
      IT-ADMIN
      last edited by steve

      hi everybody

      i will begin by a brief introduction of my existing topology:

      i have 2 office : main and branch connected together via openVPN (site to site) using 2 pfSense Boxes

      i have a primary DC in the main office, and users in the branch login from this PDC.i

      i have 4 Mbs download and 0.5 Mbs upload

      because of my low bandwidth, i decided to setup an additional DC in the branch office so that the site link will be used only for file sharing and IP cameras ...

      i have 2 different subnet 192.168.1.0/24 and 192.168.5.0/24 for both main and branch

      i go to Active Directory Site and Services and add a new site Branch, and i configure the replication and the site link and the subnet, everything seem correct

      i setup an additional DC (global catalog and DNS server) and set up his ip configuration to use My PDC as his DNS server

      the ADC is added to the branch Site,

      i replaced the DNS ip of my Branch machines (it was before the PDC ip) with the DNS ip of my ADC

      The problem now with the branch machines, they are still loging from the PDC, i flushed the dns but no way, i disconnect the vpn connection then a message telling that no logon server available, which mean that branch machines didn't recognize ADC as a logon server

      please any help will be appreciated

      1 Reply Last reply Reply Quote 0
      • DashrenderD
        Dashrender
        last edited by

        The AD box needs access to DNS too. You need to give the secondary DNS server pointing to itself.

        IT-ADMINI 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller
          last edited by

          Is the branch DNS getting its DNS from the primary?

          IT-ADMINI 1 Reply Last reply Reply Quote 0
          • IT-ADMINI
            IT-ADMIN @Dashrender
            last edited by

            @Dashrender said:

            The AD box needs access to DNS too. You need to give the secondary DNS server pointing to itself.

            the main DC need only his own ip as DNS server, but the branch DC need the DNS access of the main DC, do you mean that he need his own ip as a second DNS ??

            scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 0
            • IT-ADMINI
              IT-ADMIN @scottalanmiller
              last edited by IT-ADMIN

              @scottalanmiller said:

              Is the branch DNS getting its DNS from the primary?

              Yes Sir, the branch DC getting its DNS from the main DC,
              i have another problem regarding the replication, normally i set a schedule for the replication so that it will start at night and finish in the morning, but i get shocked to see that the replication take place in real time, it seems that the ADC feel that he is still in the main office,
              i think that i commit a mistake when i promote the ADC in the main office, i think i should promote it while i'm in the branch, so that he will be born in the branch and feel that he is a DC that belong to the branch office,

              i think i should demote it and promote it again in the branch office, any suggestion ???

              scottalanmillerS 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @IT-ADMIN
                last edited by

                @IT-ADMIN said:

                @Dashrender said:

                The AD box needs access to DNS too. You need to give the secondary DNS server pointing to itself.

                the main DC need only his own ip as DNS server, but the branch DC need the DNS access of the main DC, do you mean that he need his own ip as a second DNS ??

                Any DC should always point to itself for DNS first. Don't confuse the setup of DNS resolution (points to itself) with the setup if the DNS server. Two different things.

                The DNS server has to sync from and to the other DC.

                1 Reply Last reply Reply Quote 1
                • scottalanmillerS
                  scottalanmiller @IT-ADMIN
                  last edited by

                  @IT-ADMIN said:

                  @scottalanmiller said:

                  Is the branch DNS getting its DNS from the primary?

                  Yes Sir, the branch DC getting its DNS from the main DC,
                  i have another problem regarding the replication, normally i set a schedule for the replication so that it will start at night and finish in the morning, but i get shocked to see that the replication take place in real time, it seems that the ADC feel that he is still in the main office,
                  i think that i commit a mistake when i promote the ADC in the main office, i think i should promote it while i'm in the branch, so that he will be born in the branch and feel that he is a DC that belong to the branch office,

                  i think i should demote it and promote it again in the branch office, any suggestion ???

                  I don't believe that that will do anything. It doesn't treat sites like that.

                  Is real time replication causing a network strain? It is usually extremely little traffic.

                  1 Reply Last reply Reply Quote 0
                  • alexntgA
                    alexntg
                    last edited by

                    A few things:

                    1. Each DC should only point to itself for DNS. After turning a member server into a DC, you may need to adjust its DNS settings accordingly.
                    2. Each site should have a Global Catalog (GC). Ensure that your new DC is also a GC.
                    3. Make sure that the client computers are set to use their local DC as the primary DNS server, with their secondary being offsite.
                    DashrenderD 1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @alexntg
                      last edited by

                      @alexntg said:

                      A few things:

                      1. Each DC should only point to itself for DNS. After turning a member server into a DC, you may need to adjust its DNS settings accordingly.

                      I'll go on the record and say I disagree with this. At minimum every DC should have a secondary IP of another DNS server (assuming you have at least two). Furthermore I typically set my DC's to point to the other DNS server for the primary and itself as the secondary. This allows ADDS to have an active DNS source while booting since local DNS might not be completely up before ADDS starts (if this has been resolved on 2012 I might be a bit behind these days).

                      alexntgA 1 Reply Last reply Reply Quote 0
                      • DashrenderD
                        Dashrender @IT-ADMIN
                        last edited by

                        @IT-ADMIN said:

                        @Dashrender said:

                        The AD box needs access to DNS too. You need to give the secondary DNS server pointing to itself.

                        the main DC need only his own ip as DNS server, but the branch DC need the DNS access of the main DC, do you mean that he need his own ip as a second DNS ??

                        Yes. Now Scott and Alex are both saying it should point to itself first, but I prefer to point to another DNS server first, and itself second.

                        But - if the DC is only pointing to another source, and you remove that source you will find that the DC in question (in your case the branch DC) will have all kinds of problems since it doesn't have DNS to query about services.

                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                        • alexntgA
                          alexntg @Dashrender
                          last edited by

                          @Dashrender said:

                          @alexntg said:

                          A few things:

                          1. Each DC should only point to itself for DNS. After turning a member server into a DC, you may need to adjust its DNS settings accordingly.

                          I'll go on the record and say I disagree with this. At minimum every DC should have a secondary IP of another DNS server (assuming you have at least two). Furthermore I typically set my DC's to point to the other DNS server for the primary and itself as the secondary. This allows ADDS to have an active DNS source while booting since local DNS might not be completely up before ADDS starts (if this has been resolved on 2012 I might be a bit behind these days).

                          It's a bit of a catch 22. There have been a few times that I've had to put a second DNS server in due to boot hanging. The flip side is that if you have a 2nd DNS server in and its own DNS server fails, how would you know to correct it? You may not notice the issue until the other DNS fails.

                          1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender
                            last edited by

                            Assuming the links between locations can handle it, I'd have the another server pointing at this one. As for knowing if there are problems, the local clients will be using the DNS of the local server, in the case of the OP, both servers DNS server will be being used by clients. If there are problems you should find out through complaints from them.

                            alexntgA 1 Reply Last reply Reply Quote 0
                            • alexntgA
                              alexntg @Dashrender
                              last edited by

                              @Dashrender said:

                              Assuming the links between locations can handle it, I'd have the another server pointing at this one. As for knowing if there are problems, the local clients will be using the DNS of the local server, in the case of the OP, both servers DNS server will be being used by clients. If there are problems you should find out through complaints from them.

                              The clients should be set up to use a second DNS server at a different site. If the first one is unavailable, the clients wouldn't notice.

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @alexntg
                                last edited by

                                @alexntg said:

                                @Dashrender said:

                                Assuming the links between locations can handle it, I'd have the another server pointing at this one. As for knowing if there are problems, the local clients will be using the DNS of the local server, in the case of the OP, both servers DNS server will be being used by clients. If there are problems you should find out through complaints from them.

                                The clients should be set up to use a second DNS server at a different site. If the first one is unavailable, the clients wouldn't notice.

                                Assuming that strain isn't to much on the connection..

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender said:

                                  @IT-ADMIN said:

                                  @Dashrender said:

                                  The AD box needs access to DNS too. You need to give the secondary DNS server pointing to itself.

                                  the main DC need only his own ip as DNS server, but the branch DC need the DNS access of the main DC, do you mean that he need his own ip as a second DNS ??

                                  Yes. Now Scott and Alex are both saying it should point to itself first, but I prefer to point to another DNS server first, and itself second.

                                  But - if the DC is only pointing to another source, and you remove that source you will find that the DC in question (in your case the branch DC) will have all kinds of problems since it doesn't have DNS to query about services.

                                  Microsoft has always stated that it needs to point to itself first. There is no benefit to pointing to the other first but many downsides like higher latency and increased traffic.

                                  1 Reply Last reply Reply Quote 0
                                  • IT-ADMINI
                                    IT-ADMIN
                                    last edited by IT-ADMIN

                                    what about the replication that take place in time, it seems that the branch DC don't respect the Active Directory Sites and Services at all, because i configure the replication to take place at night and finish in the morning

                                    and how to force branch machines to login from their local DC, ???

                                    alexntgA 1 Reply Last reply Reply Quote 0
                                    • alexntgA
                                      alexntg @IT-ADMIN
                                      last edited by

                                      @IT-ADMIN said:

                                      what about the replication that take place in time, it seems that the branch DC don't respect the Active Directory Sites and Services at all, because i configure the replication to take place at night and finish in the morning

                                      and how to force branch machines to login from their local DC, ???

                                      The default replication schedule of a couple hours should be sufficient for most needs. Any more than that could leave the two sites rather out of sync. Less than that's a waste of bandwidth.

                                      Is their local DC a GC as well?

                                      IT-ADMINI 1 Reply Last reply Reply Quote 0
                                      • IT-ADMINI
                                        IT-ADMIN @alexntg
                                        last edited by

                                        @alexntg said:

                                        @IT-ADMIN said:

                                        what about the replication that take place in time, it seems that the branch DC don't respect the Active Directory Sites and Services at all, because i configure the replication to take place at night and finish in the morning

                                        and how to force branch machines to login from their local DC, ???

                                        The default replication schedule of a couple hours should be sufficient for most needs. Any more than that could leave the two sites rather out of sync. Less than that's a waste of bandwidth.

                                        but at lease the branch DC should respect the schedule, \

                                        Is their local DC a GC as well?

                                        Yes it is both a global catalog and DNS server

                                        alexntgA 1 Reply Last reply Reply Quote 0
                                        • alexntgA
                                          alexntg @IT-ADMIN
                                          last edited by

                                          @IT-ADMIN said:

                                          @alexntg said:

                                          @IT-ADMIN said:

                                          what about the replication that take place in time, it seems that the branch DC don't respect the Active Directory Sites and Services at all, because i configure the replication to take place at night and finish in the morning

                                          and how to force branch machines to login from their local DC, ???

                                          The default replication schedule of a couple hours should be sufficient for most needs. Any more than that could leave the two sites rather out of sync. Less than that's a waste of bandwidth.

                                          but at lease the branch DC should respect the schedule, \

                                          Is their local DC a GC as well?

                                          Yes it is both a global catalog and DNS server

                                          Ok, and what is the primary DNS on each client set to?

                                          IT-ADMINI 1 Reply Last reply Reply Quote 0
                                          • IT-ADMINI
                                            IT-ADMIN @alexntg
                                            last edited by

                                            @alexntg said:

                                            Ok, and what is the primary DNS on each client set to?

                                            i set client in the main office to use the main DC for DNS resolving and set branch client to use branch DC for DNS resolving

                                            alexntgA 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 2 / 4
                                            • First post
                                              Last post