Synching with AD between states.


  • Synching with AD between states.

    Hi Everyone,

    I have read some answers here, but I'm still a bit confused. I read that you set up VPNs across multiple sites, install a member server w/o dcpromo, and it will automatically synch with the AD server in the midwest?

    Basically, I am doing this so users in the Calif office can log into the secondary AD server if the main one goes down in the midwest, but I also think it would speed up the logins instead of authenticating with the AD server in the midwest. How can I set this up?

    Here is what I need to do.
    1. Set up a server in Calif (do I install it as a member server?)
    2. I need it to synch with the AD server in the midwest (does the synch happen automatically? If so, what about the bandwidth problems? I know you can change it manually)
    3. If someone has a manual or instructions on how to do this. I am a newbie and would like some help....very much appreciated.

  • #2
    Re: Synching with AD between states.

    Once your site-to-site VPN has been set up, providing you can ping computers in each site's subnet, connectivity should be ok. As you say, connectivity will also depend on the bandwidth. It also depends on the services used at the other site with regards to whether you disable GC lookup for Universal Groups, use Global caching or install the DC as a Global Catalog.

    To create the sites, you would configure AD Sites and Services and associate each site's DC with its subnet.

    http://technet.microsoft.com/en-us/l.../cc730868.aspx

    What services or servers are used? Any Exchange etc? What AD version do you have? There is the possibility of using a system state backup to install the 2nd DC in Windows 2003. This will minimise any issues on the site-to-site VPN's bandwidth, should you use the traditional method of DCPROMO on the new server, where the site-to-site VPN would replicate AD in its entirety.

    http://www.petri.com/install_dc_from...erver_2003.htm

    BTW, how many users at each site (state)?

    I would also recommend making DNS AD integrated, if you haven't done so already. You can then install DNS on the 2nd DC.
    Last edited by Virtual; 19th March 2009, 21:14.

    • #3
      Re: Synching with AD between states.

      Originally posted by Virtual (quoted in full from #2 above)
      Thanks for your input.

      1) How do I set up a site-to-site VPN?
      2) So install the server in California as a GC server? The server with AD in the midwest is not a GC; or install GC services on the server in the midwest?

      3) We are using Windows 2003 Servers. No Exchange servers. Not sure which ver of AD.
      4) System State means importing those settings to the new AD server in Calif?

      This stuff is so confusing to me. Thanks for your help

      • #4
        Re: Synching with AD between states.

        Originally posted by wsantos_2008 (quoted in full from #3 above)
        We have no users in the midwest. We're just using a server outsourcing company that takes care of all our servers. We just install the software and they take care of the hardware.

        We currently have 20 users in the California office, but the AD server is in the midwest.

        How do we install the DNS integrated setup?

        • #5
          Re: Synching with AD between states.

          The setup of the site-to-site VPN would depend on your router hardware. I tend to use a SonicWall for a site-to-site VPN. Have a chat with the server hosting company to see what they can offer.

          I would recommend carrying out the dcpromo /adv switch and use the backup from the current DC. That is in Daniel's article.

          You can then review the other link with regards to AD Sites and Services and how that is set up. You effectively create subnet objects for each site (state) and associate the DC at each location with the appropriate subnet. When a user then logs onto the network, its subnet (state) will be compared with the subnet object, so it will be directed to the local DC.

          I would also configure the 2nd DC for Universal Group Membership caching. You don't have any services that rely on a GC. That will also reduce replication traffic across the site-to-site VPN.

          I would encourage you to review the linked articles to gain a better understanding and post back any other questions you have.

          BTW, is the hosted server just a DC? Have you considered having 2 DCs just at the Cal. office or is there another reason why it is hosted?

          • #6
            Re: Synching with AD between states.

            Originally posted by Virtual (quoted in full from #5 above)
            1) I need to configure the 2nd DC for Universal Group Membership caching since we do not have services that rely on a GC. - Thanks

            2) Reviewing articles and will get back to you in a few weeks. I'll keep posting if I run into any problems. Hopefully it all goes smoothly and I come back and say a big "THANK YOU"

            3) We have multiple servers with the hosting companies. It makes it cheaper for us since we are a small company and we do not have to purchase hardware. We just pay the hosting company a monthly fee.

            4) Having 2 DCs here means what? Purchase our own hardware (server) and make it the DC? If we do that, what are the benefits? By having it with the hosting company we only pay like $50 a month, yet we control the OS and any installs remotely, vs 3k to 5k for a server?

            • #7
              Re: Synching with AD between states.

              (1) This is done via AD Sites and Services.
              • Right click the 'Sites' container and then select 'New Site'.
              • Type in the name of the Cali. site and select the 'routing group connector' listed below.
              • Right click the 'Subnets' container and then select 'New Subnet'.
              • Type in the 'subnet', so maybe 10.0.0.0/8 (depending on your subnet class). You may have to do the same for the hosted subnet. Associate each subnet with the relevant 'site' (usually listed below when creating the subnet).
              • Now expand the sites. In the 'Servers' container, ensure each server is in the correct container. Drag the server object to the correct container. You will probably find that your Cali. office's DC is in the Default-First-Site-Name site container.
              • Select the Cali. site and view the Properties of the 'NTDS Site Settings' that appears on the right. Select 'Enable Universal Group Membership Caching'.
              Your server at the Cali. office needs to be a DC before carrying out the above. It has to be a DC and DNS to achieve your original aim.

              (2) Please do and good luck.

              (3) I see. There must already be a connection to their office, so you may not need to worry about the site-to-site VPN. Ask them about the security of the current connection. It should already be secure as they already host a DC that your Cali. office connects to and other servers.

              (4) You mention in your original post setting up a 2nd server in the Calif office and whether to set it up as a member server. Yes, first set it up as a member server and then DCPROMO it, using just DCPROMO (more bandwidth used during initial replication) or using the DCPROMO /ADV switch. Make it a DNS server after ensuring DNS is AD integrated on the current DC.

              This achieves your aim of:

              Basically, I am doing this so users in the Calif office can log into the secondary AD server if the main one goes down in the midwest, but I also think it would speed up the logins instead of authenticating with the AD server in the midwest. How can I set this up?

              It is recommended to always have 2 DCs for redundancy at each site, but in your situation you now have 2 DCs, so should 1 fail, restore is easy.


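              The site/subnet/UGMC steps in (1) above, plus the AD-integrated DNS point, as an added scripted example (not from this thread or from Virtual). It assumes a DC running Windows Server 2012 or later with the ActiveDirectory and DnsServer PowerShell modules (RSAT) available; the site name, subnets and DC hostname are placeholders to replace with your own.

```powershell
# Added example: build the Cali. site layout from post #7 and verify it.
# Placeholders below (site name, subnets, DC hostname) are not from the thread.
Import-Module ActiveDirectory
Import-Module DnsServer

$siteName     = 'California'               # placeholder: the Cali. site
$siteSubnet   = '10.0.0.0/8'               # the subnet value used in post #7
$localDc      = 'CALI-DC1'                 # placeholder: the new DC at the Cali. office
$hostedSite   = 'Default-First-Site-Name'  # where the hosted DC already sits
$hostedSubnet = '192.168.100.0/24'         # placeholder: the hosting company's subnet

# 1. Create the site, then subnet objects, and associate each subnet with its site.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName
}
foreach ($pair in @(@{Net = $siteSubnet; Site = $siteName},
                    @{Net = $hostedSubnet; Site = $hostedSite})) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($pair.Net)'")) {
        New-ADReplicationSubnet -Name $pair.Net -Site $pair.Site
    }
}

# 2. Move the new DC out of Default-First-Site-Name into the Cali. site.
Move-ADDirectoryServer -Identity $localDc -Site $siteName

# 3. Enable Universal Group Membership Caching on the site (no local GC needed).
Set-ADReplicationSite -Identity $siteName -UniversalGroupCachingEnabled $true

# 4. Verification: each DC should be in the site matching its subnet,
#    UGMC should show as enabled, and the zones should be AD integrated.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IPv4Address
Get-ADReplicationSite -Identity $siteName -Properties UniversalGroupCachingEnabled |
    Select-Object Name, UniversalGroupCachingEnabled

# A file-backed (non-DS-integrated) zone on the hosted DC would not appear on
# the Cali. DC after installing the DNS role; IsDsIntegrated should be True.
Get-DnsServerZone -ComputerName $localDc |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated

# Replication health across the VPN (non-zero 'Fails' needs attention), and
# from a Cali. client, which site and DC the locator actually picked.
repadmin /replsummary
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN
```

              On a Windows 2003 domain like the one in this thread, the same verification can be done with the classic tools only (AD Sites and Services for the layout, repadmin and nltest for the checks).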

              • #8
                Re: Synching with AD between states.

                Ok, got it! The only thing I am confused about is the

                1) What do you mean? Make it a DNS server after ensuring DNS is AD integrated on the current DC.

                I understand installing DNS on the member server in Cali, but wouldn't copying the system state on the AD controller in the midwest and then restoring on the Cali server fix this? All the settings will be copied, right?

                • #9
                  Re: Synching with AD between states.

                  Originally posted by wsantos_2008 (quoted in full from #8 above)
                  If the DNS server is AD integrated then the DNS data will be in the AD partitions, so yes, it will have DNS present. However, you're not restoring the system state, just using a backup during the DCPROMO /ADV promotion in Cali. In order for your Cali. server to function as a DNS server, so your clients can point there as their Primary, you just need to install the DNS component. After 15 minutes or less, the DNS zones should become populated without anything else needing to be done.

                  • #10
                    Re: Synching with AD between states.

                    Hi,

                    Thanks a lot Virtual!! I followed your instructions and was able to set it up. It took some time because I am not familiar with the networking terms, but I was able to get it set up with my partner's help!!

                    My next question is going to be on EFS....lol

                    1. Send me a link to get started. I know you find stuff that helps much more than what I find.
