
Resources for AD topology design?


  • Resources for AD topology design?

    Hey folks,
    I've been doing some digging around but have yet to find more than best practices etc., which suggest what to do but give no details and certainly don't address problems I've seen before.

    Basically we deal mostly with single SBS 2003 environments and are shortly going to be implementing a two site AD setup.

    In the past, I have dealt with an SBS 2003 setup with a secondary 2003 standard server. The 2003 server kept failing but for some reason loads of the PCs insisted on trying to connect to the failed server instead of reverting to the online server, which is something we never looked into fixing. We just decommissioned the standard server because it was pretty useless.

    Which brings me to our new project.

    The main office has a 2003 SBS server up and running with a 2003 Terminal server not running active directory.

    BT are installing a 10 meg link to a new building down the road. This will be running a few things, so we have been asked to set up a 2003 server with active directory at the new building.

    Easy enough, but what I have never looked into is how to ensure that the PCs at the new building connect to the controller that will be there and the current PCs at the main office stay connecting to the SBS domain controller.

    There's probably some guides already out there but I can't seem to find the right search for them!

  • #2
    Re: Resources for AD topology design?

    You should get two good firewalls that can support FW to FW VPN - put both sides on the same network and you will be fine. Keep in mind if your link goes down for a long period of time your AD servers could get out of sync, causing problems. Server 2008 has the ability to make a read-only AD controller which would be a good fit for what you are wanting to do.

    Really you could simply set up the AD on one side (main office) of the VPN and point the clients on the other side to your AD servers in the main office - make the DNS servers on the clients at the remote site be your AD DNS servers. As long as the VPN is up everything will work fine (printer sharing, directory sharing, etc.).


    • #3
      Re: Resources for AD topology design?

      Thanks for the reply but I think what we have is a little different.

      The link will be a fiber link with fxp modules straight into a switch so there's no external traffic to be concerned about thus no VPNs/firewalls needed.

      2008 is a no go. We have been far too busy to even do a test install yet and whilst we don't envisage it being much hassle we aren't about to use a customer as our test case!

      Besides, it's not read-only that we're really looking for - it's how to structure a forest to ensure that clients either side only connect to the domain controller on their side. We have specifically been requested to put a domain controller at the remote site set up in this fashion and it is really something we could do with knowing for future reference.

      Essentially we're looking to minimise the amount of traffic that actually goes down the 10Mb pipe as a 10Mb pipe can quickly slow up when you've got all the PCs using it along with voip traffic and certain applications that will only run from 1 server.


      • #4
        Re: Resources for AD topology design?

        Originally posted by beddo:
        - its how to structure a forest to ensure that clients either side only connect to the domain controller on their side.
        Almost - SITE is the keyword you were after.

        Create a separate site in AD for each of your, well, sites, and your clients will authenticate to the local DC.

        Each site is a separate network / subnet - so you'll need to consider your addressing methods (eg DHCP in each site), and routing between the two.

        You should also probably consider what you mean by 'connect' to when referring to your client <-> DC connection. Are you just referring to authentication requests, or to where your users' files / profiles / email / etc. are stored?
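        The site/subnet layout described in #4, written out as an added example (this is not code from the thread or from any of the posters). It assumes the ActiveDirectory PowerShell module talking to a DC that runs Active Directory Web Services (Server 2008 R2 or later, or the Active Directory Management Gateway Service on 2003/2008); on a 2003-only domain the same objects are created by hand in Active Directory Sites and Services. Site names, subnets and DC names are hypothetical.

```powershell
# Added example: carve one domain into two AD sites so that clients in each
# building authenticate against the DC in that building.
# Hypothetical values: main office subnet 10.10.1.0/24 with DC SERVER1,
# second building 10.10.2.0/24 with DC SERVER2.
Import-Module ActiveDirectory

$sites = @{
    'MainOffice' = @{ Subnet = '10.10.1.0/24'; DC = 'SERVER1' }   # constructed
    'Site2'      = @{ Subnet = '10.10.2.0/24'; DC = 'SERVER2' }   # constructed
}

foreach ($name in $sites.Keys) {
    $prefix = $sites[$name].Subnet
    $dc     = $sites[$name].DC

    # 1. One site object per physical location.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }

    # 2. One subnet object per IP range, bound to its site. This mapping is what
    #    the DC locator uses: a client whose address falls inside 10.10.2.0/24 is
    #    told it belongs to Site2 and prefers DCs registered in that site.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $name
    }

    # 3. Move each DC's server object into its site. DCs do not move themselves,
    #    and a site with no DC in it gives you no locality at all.
    Move-ADDirectoryServer -Identity $dc -Site $name
}

# 4. Put both sites on one site link so replication between them is scheduled
#    and compressed (every 180 minutes here) instead of the near-immediate
#    intrasite change notification, which is what you want on a 10 Mb pipe.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Add = 'MainOffice', 'Site2' } `
    -ReplicationFrequencyInMinutes 180

# 5. Verification from a client in the second building: the first command should
#    print Site2, the second should return SERVER2 as the DC for that site.
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /site:Site2
```

        Note that the subnet objects are the part that actually steers clients; site objects on their own change nothing. If a client's address is not covered by any subnet it falls back to any DC in the domain, which is the "PCs insisted on connecting to the wrong server" behaviour described in the first post.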



        • #5
          Re: Resources for AD topology design?

          Thanks for the response. My Docs, Profiles, etc. are easy enough with different group policies for each site. Emails, well, they are unfortunately going to have to stay on the main site as I don't think the client will fork out for an Exchange license to run it at the second site.

          Our test setup has so far thrown us a complete curve ball. The 2003 standard machine simply refuses to connect to the SBS machine and tells us the forest isn't ready and to run adprep on it. I've checked the domain function level is 2003 and even tried running adprep which just says it has already been done and won't run again.

          I went for the rebuild option so we'll see what happens next week with that and then I can play about with setting up sites!


          • #6
            Re: Resources for AD topology design?

            OK, I thought I had this one sussed but something must have gone completely wonky.

            Here's what we have:

            2 sites in AD: MainOffice/Site2
            2 Subnets: and

            DHCP on MainOffice issuing in

            server1: (2003 SBS R2)
            server2: (2003 R2)

            I have tested it as far as making sure that PCs in the relevant subnet authenticate with the relevant server, but am left with a few unknowns.

            1) If the link between the two servers goes down, site2 goes offline completely as DHCP and DNS are running off server1. I installed DNS on server2 but it won't replicate properly. Well, it replicates the reverse DNS zones but not the forward zones even if I add it as a nameserver and enable zone transfers to it.

            replmon tells me that server2 has replication set up on all 5 AD bits to pull from server1. It also tells me that server1 has replication for DC, Configuration and Schema but not for DomainDNSZones/ForestDNSZones. Am I missing something with DNS replication? I've set it up before and it just worked...

            Of course that doesn't help with DHCP, I think statically assigning the PCs would be the only way round that.

            2) AD replication. Should computer accounts and user accounts be replicated between the two servers? I attached a PC to the 2003 server and it hasn't shown up in Active Directory on the SBS server. If they only appear on the relevant server, does that mean you have to set up group policies etc. on each server as opposed to setting them on different containers in the main server?

            3) Can you see why I was wondering if there were any guides for this stuff?

            EDIT: netdiag is OK, but I'm seeing these with dcdiag (on both servers with the names reversed where appropriate)

            DB2003: This replication path was preempted by higher priority work.
            from SERVER2 to SERVER1
            Reason: Win32 Error 0
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
            Progress is occurring normally on this path.
            DB2003: A full synchronization is in progress
            from SERVER2 to SERVER1
            Replication of new changes along this path will be delayed.
            The full sync is 0.00% complete.
            Last edited by beddo; 21st July 2009, 16:22.


            • #7
              Re: Resources for AD topology design?

              You need a DHCP server in both sites. Clients at site 2 can't broadcast a DHCP request to the main site.

              I suspect however there is something misconfigured in DNS or there's a routing issue. You shouldn't really need to manually configure anything in DNS - it should *just work* after you set it up on the second DC.

              What's the networking config of your DCs (eg IP / DNS / Default Gateway)? It's probably time for a network diagram.
              Last edited by bunce; 22nd July 2009, 05:20.


              • #8
                Re: Resources for AD topology design?

                Is DNS AD-integrated?
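                A way to answer #8's question and to pin down the missing DomainDNSZones/ForestDNSZones replication from #6, as an added example that is not code from the thread or from any poster. It assumes the DnsServer and ActiveDirectory PowerShell modules (Server 2012 / RSAT or later; on 2003 the equivalents are dnscmd /zoneinfo and repadmin /showrepl) and a single-domain forest, so the domain DN and forest root DN are the same. DC names are hypothetical.

```powershell
# Added example: report whether each DNS zone is AD-integrated and whether the
# application partitions that carry AD-integrated zones have ever replicated.
Import-Module ActiveDirectory
Import-Module DnsServer

$dcs = 'SERVER1', 'SERVER2'   # constructed sample DC names

foreach ($dc in $dcs) {
    Write-Host "== $dc =="

    # File-backed zones (IsDsIntegrated = False) only move by classic zone
    # transfer, which needs NS records and an allow-transfer list. AD-integrated
    # zones ride on AD replication and need none of that, but the partition they
    # live in (ReplicationScope Domain -> DomainDnsZones, Forest -> ForestDnsZones,
    # Legacy -> the domain partition itself) must be replicated to the other DC.
    Get-DnsServerZone -ComputerName $dc |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        Select-Object ZoneName, IsDsIntegrated, ReplicationScope, IsReverseLookupZone |
        Format-Table -AutoSize

    # Per-partition inbound replication state. A LastReplicationSuccess that has
    # never advanced, or a non-zero LastReplicationResult, means this DC has not
    # yet received that naming context from its partner; that matches the
    # "last success occurred at (never)" lines in the dcdiag output above.
    Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Inbound |
        Select-Object Partition, Partner, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}

# Which partitions each DC actually hosts. A zone stored in DomainDnsZones can
# only appear on a DC that is a replica of that partition, and a DC that is not
# a DNS server does not enlist in the DNS partitions at all.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, @{ n = 'Partitions'; e = { $_.Partitions -join '; ' } } |
    Format-List

# Trigger an immediate pull of the two DNS partitions from SERVER2 into SERVER1
# instead of waiting for the site link schedule, then show the outcome.
$domainDn = (Get-ADDomain).DistinguishedName
repadmin /replicate SERVER1 SERVER2 "DC=DomainDnsZones,$domainDn"
repadmin /replicate SERVER1 SERVER2 "DC=ForestDnsZones,$domainDn"
repadmin /showrepl SERVER1
```

                Reading the output against #6: forward zones that show IsDsIntegrated = False will never arrive by AD replication no matter what replmon says, and a DC whose Partitions list lacks DC=DomainDnsZones is not a replica of that partition, so the zone has nowhere to land on it. Either condition explains "reverse zones replicate, forward zones don't" without any routing fault.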


                • #9
                  Re: Resources for AD topology design?

                  In our case, the sites are logically on one network so DHCP will work across both sites.

                  It is, however, possibly a completely irrelevant point now that BT have said they want three times the original price for the link.

                  We might just go with SDSL and a terminal server as it'll be a damn sight cheaper!