
Site to Site Domain Setup



    I have a win 2008 domain with only one domain controller at the main site. I have about 30 additional sites that are in a workgroup with VPN connections back to the main site. The main role of these sites is to transfer data at the end of day back to the main site. I want to set up a domain controller in the region where most of these sites reside, with site to site setup on the new Domain Controller. These sites right now have static IPs and they use a router in order to establish VPN connections back to the main site. I want to migrate all these sites and have the client computers join the Domain. I would like to have them authenticate with the new Domain Controller first and if for any reason the 2nd DC goes down, the clients authenticate back to the main site. I believe that's possible configuring WINS and setup on the clients' NIC. Based on this scenario I would like some feedback if possible on the questions below. Or if anyone has a better idea please advise. BTW I do not have the funds to add DCs.

    1. Can I have clients authenticate to the new DC if the new DC does not run DHCP and DHCP is issued by the router instead. The DC will have DNS and Active Dir from Parent DC. Also not entirely sure if the DC must provide DHCP.

    2. Can clients on a remote site authenticate even if there is a break in the internet connection, meaning they won't be able to talk with the DC until the internet connection comes up?

  • #2
    Re: Site to Site Domain Setup

    Answer 1: Your DHCP provision has nothing to do with domain authentication, itself. Your client's access to authenticating to the domain is based on the lookup of the domain services in DNS. As long as the DHCP lease info correctly points to DNS (which also doesn't have to be on the DC, but it makes sense), the client will find the DC and talk to the domain. As for which DC is used by the remote clients, have a look at Active Directory Sites and Services. Each Site has its own address range(s), and nearness of DCs is based on the site you're in.

    Answer 2: Obviously if you're talking about remote locations trying to authenticate to a DC thru a VPN and that's down, then authentication can't happen. But if the user's profile & credentials are cached on the same PC, it shouldn't be an issue. However, if a person at Site D (for example) usually authenticates from PC#17 and the VPN goes down, he/she won't be able to authenticate on a PC they've never been on before. Once the tunnel comes back up, you're fine.
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **


    • #3
      Re: Site to Site Domain Setup

      Ditto what Rickles says.

      I also want to add that WINS isn't required. What is required is DNS and the clients need to be able to resolve the local domain. Like Rick said, set up your sites in ADSS. You will then need to configure the site links and the cost between them. Then simply place your DCs in their respective sites.

      The closest DC will advertise itself for authentication for each site based on the site link costs.

      More info:

      Network Consultant/Engineer
      Baltimore - Washington area and beyond


      • #4
        Re: Site to Site Domain Setup

        I'm familiar with your request.
        Here are my recommendations:

        1. Assign each site to its own subnet. It depends how big/small each site is, but I think you can get away with a class C.
        i.e. HQ.

        2. On your VPN firewall, set the rules/policy to prevent each site from authenticating to the others. In other words, all sites replicate/authenticate to HQ. Then HQ replicates to the rest.

        3. Keep it simple. Use a single domain. Promote each site as a member DC, i.e. HQ yourcompany-DC1, Site1 Sitename-DC1, Site2 SITEname-DC2 etc...

        4. All site DCs contain DHCP/DNS/Global Catalog roles.

        5. Assign each site to its own subnet from Sites and Services.

        Give it a thought. You might like it.
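        One way to carry out the Sites and Services configuration described in #3 and #4 (site per location, subnets mapped to sites, a costed site link, DCs moved into their sites) from PowerShell. This is an added example, not code from any poster in this thread; it assumes the RSAT ActiveDirectory module (Windows Server 2012 or later) talking to a DC that exposes Active Directory Web Services, and every site name, subnet, DC name and domain name below is a constructed placeholder.

        ```powershell
        # Added example: AD Sites and Services setup for a hub site and one regional site.
        # Assumes the ActiveDirectory module (RSAT, Server 2012+) and ADWS on the target DC.
        # Site names, subnets, DC names and the domain name are placeholders.
        Import-Module ActiveDirectory

        # One site per location, with the subnet(s) the local router hands out via DHCP.
        # The DC locator maps a client's IP address to a site through these subnet objects,
        # so a client in an unmapped subnet belongs to no site and may pick any DC.
        $sites = @{
            'HQ'     = @('10.0.0.0/24')
            'Region' = @('10.1.0.0/24', '10.2.0.0/24')
        }

        foreach ($site in $sites.Keys) {
            if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
                New-ADReplicationSite -Name $site
            }
            foreach ($subnet in $sites[$site]) {
                if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
                    New-ADReplicationSubnet -Name $subnet -Site $site
                }
            }
        }

        # Site link between HQ and Region over the VPN. The cost is what the DC locator
        # uses when a site has no reachable DC: clients fall back to the cheapest
        # neighbouring site, which here is HQ.
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'HQ-Region'")) {
            New-ADReplicationSiteLink -Name 'HQ-Region' -SitesIncluded 'HQ', 'Region' `
                -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
        }

        # Move each DC out of Default-First-Site-Name into the site it physically sits in.
        Move-ADDirectoryServer -Identity 'HQ-DC1'     -Site 'HQ'
        Move-ADDirectoryServer -Identity 'REGION-DC1' -Site 'Region'

        # Checks to run on a client in the region: the site it has been placed in, and
        # the DC it locates for that site. A client reporting no site, or a DC at HQ
        # while REGION-DC1 is up, points at a missing subnet mapping.
        nltest /dsgetsite
        nltest /dsgetdc:yourcompany.local /site:Region
        ```

        Run the Get-/New-/Move- cmdlets once from an account with Enterprise Admins rights; the two nltest lines are read-only and can be repeated on any domain-joined client to confirm which DC it is actually using.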



        • #5
          Re: Site to Site Domain Setup

          And if you do not have a DC in each site, the time it takes for the users to log on to their local machines will be a lot longer: the longer the PING time from the external site to the main site (where the DC is located), the longer the logon.

          We found this out when our Malaysian site's DC went offline and the MAL users had to authenticate with our Sydney DCs; it took the users around 6 to 9 minutes to log on to their machines. When the Malaysian DC was online again, logons were around 10 seconds!
          +-- JDMils
          +-- Regional Systems Engineer, DotNet programmer & Jack of all trades