Adding a DC at a remote site
Discussion
Hi Guys
I've just finished setting up a new AD domain controller at my Glasgow site. It's also doing DNS (AD integrated), DHCP and WINS. Glasgow subnet is 10.10.0.0/16. I need to add a replica DC to my Edinburgh site which is subnet 192.168.0.0/24. This DC will also be doing DNS, DHCP and WINS. I have 2Mbps WAN link between sites. I've created sites and subnets in AD Sites and Services.
New server is still in it's box while I try to ascertain the least problematic way of setting it up. Way I see it I've got two options:
1. Set up replica DC at my Glasgow site, join it to the domain, then change IP address details to match Edinburgh subnet and ship in to Edinburgh.
2. Ship it to Edinburgh, set it up on Edinburgh subnet and try and join it to the domain. I suspect LMHOSTS may come in to play if I choose this option.
Which option do think will cause me less grief? Changing the IP address of a DC, or trying to join a domain across a WAN link?
Cheers
Phil
I've just finished setting up a new AD domain controller at my Glasgow site. It's also doing DNS (AD integrated), DHCP and WINS. Glasgow subnet is 10.10.0.0/16. I need to add a replica DC to my Edinburgh site which is subnet 192.168.0.0/24. This DC will also be doing DNS, DHCP and WINS. I have 2Mbps WAN link between sites. I've created sites and subnets in AD Sites and Services.
New server is still in it's box while I try to ascertain the least problematic way of setting it up. Way I see it I've got two options:
1. Set up replica DC at my Glasgow site, join it to the domain, then change IP address details to match Edinburgh subnet and ship in to Edinburgh.
2. Ship it to Edinburgh, set it up on Edinburgh subnet and try and join it to the domain. I suspect LMHOSTS may come in to play if I choose this option.
Which option do think will cause me less grief? Changing the IP address of a DC, or trying to join a domain across a WAN link?
Cheers
Phil
m12_nathan said:
build DC in new site, set the dns client on it to point at glasgow, dcpromo, job done (apart from the initial replication over a small link).
Yeah I agree with this. Just make sure that the AD DNS partitions have replicated properly (the zones will appear in DNS Management on the new box) before you point it back to itself as primary DNS server.That seem pretty unanimous then. Thanks for the advice. My only concern is that the new server won't be able to "find" the DC across the WAN when I run DCPROMO and try to join the domain. Am I worrying needlessly?
I have bad memories of trying to add an NT4 BDC to a remote sight and not being able to find the PDC no matter how much I tinkered with LMHOSTS and WINS entries.
Also, where should I point WINS on the new server initially? At itself, or at the Glasgow DC? Or should I setup WINS replication and point it at itself before running DCPROMO?
I have bad memories of trying to add an NT4 BDC to a remote sight and not being able to find the PDC no matter how much I tinkered with LMHOSTS and WINS entries.
Also, where should I point WINS on the new server initially? At itself, or at the Glasgow DC? Or should I setup WINS replication and point it at itself before running DCPROMO?
Edited by pcwilson on Friday 15th February 09:48
Edited by pcwilson on Friday 15th February 09:50
Second everyone's thoughts on this.
Just to underline, do NOT (please!!) configure it at your original site, then change IP addresses! Having done this to get a "copy" of a live DC recently for use in proof of concept, this was painful in the extreme - having to go into AD and edit lots of settings.
For WINS, point it at itself, with the other site as a secondary.
Out if interest, unless you have some legacy apps, you shouldn't need WINS?
Just to underline, do NOT (please!!) configure it at your original site, then change IP addresses! Having done this to get a "copy" of a live DC recently for use in proof of concept, this was painful in the extreme - having to go into AD and edit lots of settings.
For WINS, point it at itself, with the other site as a secondary.
Out if interest, unless you have some legacy apps, you shouldn't need WINS?
Thanks again for the advice. I will take my new server to Edinburgh on Monday to set it up.
At the risk of hijacking my own threat, can I ask another question.
I have a two way external trust between my old NT4 domain and my new W2K3 AD domain. All my users are still logging on to the NT4 domain. I've created new user accounts and home folders for them in AD, and I've set up permissions on the home folders so they can all access their new home folder whilst logged on to the old domain. So far so good.
However, I'm now trying to move print queues over from NT to W2K3. I've installed my printers (and additional drivers) and shared them. However, I'm having bother granting access to the new printers and the print$ share. I've created a global group in NT4 containing all the users who need to print to printers on W2K3. I've created a domain local group in AD and added the global group from NT4 to it. I've tried adding this domain local group to the DACL for the printers and the print$ share but I still get Access Denied when trying to browse the print$ share, and can't install a printer on my workstation without being asked for drivers. I'm obviously being a complete muppet.
ETA: I can drop to a command prompt and do NET USE X: \\server\print$ and it connects successfully. But if I do Start -> Run and enter \\SERVER\PRINT$ I get access denied.
At the risk of hijacking my own threat, can I ask another question.
I have a two way external trust between my old NT4 domain and my new W2K3 AD domain. All my users are still logging on to the NT4 domain. I've created new user accounts and home folders for them in AD, and I've set up permissions on the home folders so they can all access their new home folder whilst logged on to the old domain. So far so good.
However, I'm now trying to move print queues over from NT to W2K3. I've installed my printers (and additional drivers) and shared them. However, I'm having bother granting access to the new printers and the print$ share. I've created a global group in NT4 containing all the users who need to print to printers on W2K3. I've created a domain local group in AD and added the global group from NT4 to it. I've tried adding this domain local group to the DACL for the printers and the print$ share but I still get Access Denied when trying to browse the print$ share, and can't install a printer on my workstation without being asked for drivers. I'm obviously being a complete muppet.
ETA: I can drop to a command prompt and do NET USE X: \\server\print$ and it connects successfully. But if I do Start -> Run and enter \\SERVER\PRINT$ I get access denied.
Edited by pcwilson on Friday 15th February 13:59
pcwilson said:
That seem pretty unanimous then. Thanks for the advice. My only concern is that the new server won't be able to "find" the DC across the WAN when I run DCPROMO and try to join the domain. Am I worrying needlessly?
I'd just make sure you can ping server and server.local before you start the dcpromo.As said above. Make sure you point it at the DNS server on the other DC and that its all working in DNS land. Dcpromo it and then use replmon (in the support tools download) to make sure replication is working. This will also let you force a replicate. Check that your local DNS server now has the zone info from AD and then point your new DC to its own local DNS (don't forget to set any forwarders you need for external queries).
Set WINS as a partner with the remote and set a manual replicate and check it gets the data.
Set DHCP to give out your new local DNS/WINS etc server address
Set WINS as a partner with the remote and set a manual replicate and check it gets the data.
Set DHCP to give out your new local DNS/WINS etc server address
Edited by malman on Saturday 16th February 12:19
Gassing Station | Computers, Gadgets & Stuff | Top of Page | What's New | My Stuff