
AD Roles with isolated domain controllers


  • AD Roles with isolated domain controllers

    I have a domain where some domain controllers are isolated from each other by firewalls. In this network I have one primary domain controller which holds all of the FSMO roles, since the domain controllers in site A are unable to communicate with domain controllers in site B. And, in this setup only one domain controller in site A can replicate changes to the primary domain controller.

    However, when I ran dcpromo to add another domain controller to site A, I got the message that I could not install a domain controller since the RID master was offline. That makes kind of sense, since the subnet the domain controller should be in has no contact with the primary domain controller, only with another domain controller. (And, that one handles the replication to the primary one.)

    Is there any solution to my problem? Can I temporarily transfer the RID master role to a domain controller that the new one can access, and then safely transfer the role back to the primary one? Or, do I have to open access to the primary domain controller through the firewall just to run dcpromo? Or, is there some other way to handle this?

  • #2
    Re: AD Roles with isolated domain controllers

    More importantly, why are DCs blocked from communicating?
    You may be able to fix DCPROMO but will run into other AD issues sooner rather than later.

    By design, all DCs are supposed to be able to communicate.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: AD Roles with isolated domain controllers

      Not all DCs need to talk to each other. Only DCs within a site need to be able to communicate. A minimum of one domain controller in a site needs to be able to talk to another site.

      So, are your site settings configured correctly?

      MCITP sa, ea & va, [email protected]


      • #4
        Re: AD Roles with isolated domain controllers

        The reason for the isolation is that we have a system that is AD integrated and runs in an isolated network. That system runs at several locations which are geographically separated. And, each location has four subnets (separate networks for redundancy). And also, two of those networks have no connection to the outside world. We are right now in the process of binding this together in one domain over the geographical locations as well.

        I have separated that location into two sites (we call them B and C), with two subnets on each site. Each site will have two DCs. All the DCs within these two sites will be able to replicate. But, only one will replicate to the primary, which will have the task of replicating between the geographical locations.

        I have setup site links between site B and site C.

        And, I have created a link from site C to the primary domain controller, which has its own site (we can call it A).

        The problem now is that the new DC will be in site B and has no connection to the primary, only to another DC. That DC, on the other hand, can "speak" to the primary, but that does not seem to help.

        Does this description clarify things?


        • #5
          Re: AD Roles with isolated domain controllers

          It's quite simple: Site B needs to be able to talk to Site A (where the RID Master resides). That means the Bridgehead Server from Site B needs to have a working Site Link to the Bridgehead Server from Site A.

          The KCC does this automatically as long as it can... if it is blocked by a firewall or other network settings it won't.

          dcpromo creates the computer object for the new DC, and that new object needs a new Relative Identifier. If site B can't talk to site A, a RID can't be allocated.

          If Site B can't talk to Site A you can't transfer the RID Master to a DC in Site B either... I'm wondering if the DCs in Site B are even replicating their Configuration Partition.

          Maybe I didn't understand your post... (you can check if Site A has inbounds from B with "repadmin /showreps" and see if you have any inbound connections from a DC in Site B)


          • #6
            Re: AD Roles with isolated domain controllers

            Run a DCDIAG as well on both sites and compare the results.
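The checks the thread recommends, gathered into one PowerShell pre-check: which DC holds each FSMO role, whether the RID master is reachable from the new DC's subnet on the ports promotion needs, which site links exist, whether the RID master has any inbound replication partner in the new DC's site (what #5 reads out of "repadmin /showreps"), and the dcdiag run from #6. This is an added example, not code from anyone in the thread. The site name 'SiteB' and the commented-out DC name 'DC2-SITEB' are hypothetical; it assumes the RSAT ActiveDirectory module on a domain-joined machine in the subnet the new DC will live in, so the port tests see the same firewall rules dcpromo would.

```powershell
# Added example, not from the thread. Hypothetical names: the new DC's site is 'SiteB';
# the domain is the one this machine is joined to. Run from the subnet the new DC will
# occupy, with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$newDcSite = 'SiteB'                       # assumed site name
$domain    = Get-ADDomain
$forest    = Get-ADForest
$ridHost   = $domain.RIDMaster             # FQDN of the current RID master

# 1. FSMO role holders. A new DC in an existing domain needs the RID master reachable
#    to get its RID pool; the remaining roles only have to exist somewhere.
[pscustomobject]@{
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# 2. Can this subnet reach the RID master on the ports promotion and replication use?
#    A 'BLOCKED' line is the firewall rule behind the "RID master is offline" error.
$ports = @{ 88 = 'Kerberos'; 135 = 'RPC-EPM'; 389 = 'LDAP'; 445 = 'SMB'; 3268 = 'GC' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $ridHost -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-40} {1,5} {2,-8} {3}' -f $ridHost, $p, $ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 3. Site topology: which site links exist, and does one of them join the new DC's
#    site to the RID master's site? SitesIncluded holds site DNs; keep only the CN.
$ridDc = Get-ADDomainController -Identity $ridHost
'RID master {0} is in site {1}' -f $ridDc.HostName, $ridDc.Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# 4. The check #5 describes: does the RID master have an inbound partner in the new
#    DC's site? Partner is the DN of the partner's NTDS Settings object, which
#    contains the site name, so a wildcard match on ",CN=<site>,CN=Sites," is enough.
$inbound     = Get-ADReplicationPartnerMetadata -Target $ridHost -PartnerType Inbound
$fromNewSite = $inbound | Where-Object { $_.Partner -like "*,CN=$newDcSite,CN=Sites,*" }
if (-not $fromNewSite) {
    "No inbound connection from site $newDcSite to $ridHost. The KCC could not build one; check the site links and the firewall."
} else {
    $fromNewSite |
        Select-Object Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}

# 5. The native tools from #5 and #6, for comparison against the output above.
repadmin /showreps $ridHost
dcdiag "/s:$ridHost" /test:KnowsOfRoleHolders /test:RidManager /test:Replications

# 6. The transfer the original poster asked about. It does not get around the problem:
#    a role transfer is itself a directory write that the old and new holders must
#    replicate, so the new holder needs the very connectivity the new DC is missing.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2-SITEB' -OperationMasterRole RIDMaster
```

Read the results top to bottom: if step 2 shows any port BLOCKED, nothing later will look healthy either, and the fix is the firewall rule or a site link through a bridgehead that can reach site A, not a role move.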