Active Directory at Remote Site

    Question

  • I have a Windows Server 2008 R2 at a remote site. I would like to allow it to use the authentication that we use at the local site. I'm just trying to understand my options, because I've never dealt with a remote site before. My understanding is that to join it to the domain I need to run adprep, since our domain is a 2003-level domain. Additionally, to join the domain I would need to change its DNS to match that of the local DCs. I'm just trying to decide between using something like an RODC or adding it as an additional DC to the existing domain. Is there any good reading on deciding between each scenario? What would adding an additional site accomplish?

    Thanks!

    Wednesday, December 01, 2010 12:09 AM

Answers

All replies

  • 1) Define an AD site/subnet and site link connecting it to your main site - http://technet.microsoft.com/en-us/library/cc781496(WS.10).aspx

    2) Follow steps in http://technet.microsoft.com/en-us/library/cc733027(WS.10).aspx to promote a Windows Server 2008 R2-based domain controller in a Windows Server 2003-based domain

    If you decide to install an RODC in the remote site (rather than RWDC), make sure that you have at least one Windows Server 2008/2008 R2 based RWDC in your main site (http://technet.microsoft.com/en-us/library/cc731243(WS.10).aspx)

    In either case (RODC or RWDC) make sure that the DC in the remote site is also functioning as a Global Catalog and DNS server

    hth
    Marcin

    • Proposed as answer by Mike Kline Wednesday, December 01, 2010 3:45 AM
    • Marked as answer by Bruce-Liu Thursday, December 02, 2010 9:54 AM
    Wednesday, December 01, 2010 12:34 AM
  • If you already have a Windows 2008 R2 DC in the domain, you don't have to upgrade the schema. Verify the schema version using the following procedure:

    http://portal.sivarajan.com/2010/03/active-directory-schema-version.html

    If the objectVersion is not 47, you need to run ADPREP to upgrade the schema.

    If you have a proper AD site configuration, users will authenticate to the DC in the local site.

    Here is a good article on "Where can you use an RODC":

    http://technet.microsoft.com/en-us/library/cc753348(WS.10).aspx

    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    • Proposed as answer by Mike Kline Wednesday, December 01, 2010 3:45 AM
    • Marked as answer by Bruce-Liu Thursday, December 02, 2010 9:54 AM
    Wednesday, December 01, 2010 1:03 AM
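    Editor's added example (not part of Santhosh's post or the linked article): the check above reads the objectVersion attribute of the schema partition, which can be done from any domain member with plain ADSI. The script below does that, adds the domain and forest functional levels and the schema master from RootDSE, and states which adprep step is still outstanding. It runs on PowerShell 2.0 against a forest that only has Windows Server 2003 DCs, so it needs neither the AD module nor a 2008 R2 DC in place yet.

```powershell
# Added example, not from the original thread. Reads the schema objectVersion and the
# functional levels over LDAP via ADSI; no AD module or ADWS endpoint is required, so it
# works while the forest still has only Windows Server 2003 DCs.
function Get-SchemaReadiness {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaDn = $rootDse.schemaNamingContext.Value
    $schema   = [ADSI]"LDAP://$schemaDn"
    $version  = [int]$schema.objectVersion.Value

    # Schema versions shipped with each Windows Server release (Microsoft's published values).
    $schemaVersions = @{ 13 = '2000'; 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2' }
    # RootDSE domainFunctionality / forestFunctionality numbers.
    $levelNames = @{ 0 = '2000'; 1 = '2003 interim'; 2 = '2003'; 3 = '2008'; 4 = '2008 R2' }

    if ($version -ge 47) {
        $action = 'Schema already at the 2008 R2 level; no adprep needed before promoting a 2008 R2 DC'
    } else {
        # adprep.exe (x64) and adprep32.exe (x86) ship in \support\adprep on the 2008 R2 media.
        $action = 'Run adprep /forestprep on the schema master, then adprep /domainprep /gpprep ' +
                  'on the infrastructure master; add adprep /rodcprep if an RODC is planned'
    }

    New-Object PSObject -Property @{
        SchemaVersion = $version
        SchemaRelease = $schemaVersions[$version]
        DomainLevel   = $levelNames[[int]$rootDse.domainFunctionality.Value]
        ForestLevel   = $levelNames[[int]$rootDse.forestFunctionality.Value]
        SchemaMaster  = $schema.fSMORoleOwner.Value   # NTDS Settings DN of the DC that must run /forestprep
        Action        = $action
    }
}

Get-SchemaReadiness | Format-List SchemaVersion, SchemaRelease, DomainLevel, ForestLevel, SchemaMaster, Action
```

    The SchemaMaster line is worth keeping in the output: adprep /forestprep has to run on (or against) that DC with Schema Admins and Enterprise Admins membership, and a forestprep that was run but has not yet replicated to the DC the promotion talks to produces the same "schema not ready" failure as one that was never run.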
  • Maybe I don't quite understand the requirements and the purpose of sites. So we have 2 DCs that are Server 2003 R2, and at a remote site there is a machine that is 2008 R2. This machine at the remote site isn't a DC yet. Can site-to-site replication occur if it's not Server 2003 R2? Also, what is replicated between the two exactly? Do I need to make the same domain at the remote site and then try site-to-site replication? The goal here, more than anything, is to be able to use authentication from the local site on any machine joined to the domain at the remote site. I have always done a very simple AD setup and have never dealt with remote sites, so I'm not sure of the requirements to get this accomplished.

    Thanks!

    Wednesday, December 01, 2010 4:30 PM
  • Start by setting up a Windows Server 2008 R2-based DC in your local site (by following  http://technet.microsoft.com/en-us/library/cc733027(WS.10).aspx)

    Once that's completed, create a site representing the remote location (assuming it does not exist yet) with the link to the main site and associate it with its local subnets.

    Considering that you have a single-domain forest, the replication will include all of the Active Directory partitions.

    hth
    Marcin

    Wednesday, December 01, 2010 4:40 PM
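    Editor's added example, covering step 1 of Marcin's first reply and the site/link/subnet step in this one (this is not code from either post or from the linked TechNet articles). It creates the remote site with its two mandatory child containers, a subnet that maps the remote office's addresses to that site, and an IP site link back to the main site. It uses System.DirectoryServices through ADSI, which any writable Windows Server 2003 DC accepts, so it can be run before the first 2008 R2 DC exists. The site names, the subnet and the link parameters are assumptions; run it once as an Enterprise Admin from any domain member.

```powershell
# Added example, not from the original thread. Builds the remote site, its subnet and an IP
# site link in the Configuration partition with ADSI. All names and the subnet are assumptions.
$remoteSiteName = 'RemoteSite'
$mainSiteName   = 'Default-First-Site-Name'   # assumption: the existing site holding the 2003 DCs
$remoteSubnet   = '10.20.0.0/16'              # assumption: the remote office's address range
$linkName       = 'Main-Remote'
$linkCost       = 100   # relative cost; only matters once several links compete
$linkInterval   = 15    # minutes between inter-site replication cycles (15 is the minimum)

$rootDse      = [ADSI]"LDAP://RootDSE"
$sitesDn      = "CN=Sites," + $rootDse.configurationNamingContext.Value
$remoteSiteDn = "CN=$remoteSiteName,$sitesDn"
$mainSiteDn   = "CN=$mainSiteName,$sitesDn"

# 1) The site object plus the two child containers a site needs before dcpromo can place a DC in it.
$sites = [ADSI]"LDAP://$sitesDn"
$site  = $sites.Children.Add("CN=$remoteSiteName", 'site')
$site.CommitChanges()
$site.Children.Add('CN=NTDS Site Settings', 'nTDSSiteSettings').CommitChanges()
$site.Children.Add('CN=Servers', 'serversContainer').CommitChanges()

# 2) The subnet, pointed at the new site. This mapping is what makes clients and the DC locator
#    in 10.20.0.0/16 prefer the remote DC instead of crossing the WAN.
$subnets = [ADSI]"LDAP://CN=Subnets,$sitesDn"
$subnet  = $subnets.Children.Add("CN=$remoteSubnet", 'subnet')
$subnet.Properties['siteObject'].Value = $remoteSiteDn
$subnet.CommitChanges()

# 3) An IP site link joining the two sites; the KCC derives the inter-site connection objects from it.
$ipTransport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,$sitesDn"
$link = $ipTransport.Children.Add("CN=$linkName", 'siteLink')
$link.Properties['cost'].Value         = $linkCost
$link.Properties['replInterval'].Value = $linkInterval
$link.Properties['siteList'].AddRange([string[]]@($mainSiteDn, $remoteSiteDn))
$link.CommitChanges()

"Created site   $($site.Path)"
"Created subnet $($subnet.Path) -> $remoteSiteDn"
"Created link   $($link.Path) (cost $linkCost, every $linkInterval min)"
```

    In a forest that only ever has two sites you can skip the new link and instead add the remote site's DN to the siteList of the existing DEFAULTIPSITELINK. Once a 2008 R2 DC (or the Active Directory Management Gateway service on a 2003 DC) is available, the same three objects can be created with New-ADObject -Type site/subnet/siteLink from the AD module; the attributes are identical.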
  • You can use a Windows 2008 DC in a Windows 2003 domain. You need to upgrade the schema using ADPREP before you can introduce the first Windows 2008 DC.

    You can have Windows 2008 DCs in the remote location and AD replication will work. Make sure to properly configure the AD site with the correct subnet. Also, keep in mind that by default AD replication uses RPC ports. So if you have a firewall between the 2 locations, you need to open the RPC ports for the AD communication.

    http://support.microsoft.com/kb/179442


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Wednesday, December 01, 2010 6:15 PM
  • I think I have all of the ports open, because I'm not seeing any packets being blocked anymore between the 2 sides. I'm still getting an error when trying to join the domain:

    The operation failed because: A domain controller could not be contacted for the domain that contained an account for this computer. Make the computer a member of a workgroup then rejoin the domain before retrying the promotion "Access is Denied"

    Thanks!

    Wednesday, December 01, 2010 8:27 PM
  • I have an article on port openings.  Check it out at:

    http://www.pbbergs.com/windows/articles.htm

    Select "Firewall ports needed for replication".

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, December 01, 2010 8:49 PM
    Moderator
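    Editor's added example for the firewall point Santhosh and Paul both raise (not code from either post, KB179442 or Paul's article). Run it on the 2008 R2 server at the remote site: it probes each existing DC on the fixed TCP ports a domain join, Kerberos, LDAP and replication need, then reports whether replication RPC on this box is pinned to a single port or still uses the dynamic range behind the endpoint mapper. The DC names are assumptions.

```powershell
# Added example, not from the original thread. Checks TCP reachability from the remote
# server to each DC on the well-known AD ports and shows the RPC port situation.
$domainControllers = @('dc1.corp.example', 'dc2.corp.example')   # assumption: the two 2003 R2 DCs

$requiredPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (replication, Netlogon, dcpromo)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL and NETLOGON shares)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

# Connect with a timeout instead of blocking; a silently dropped packet otherwise hangs for
# the full OS connect timeout on every port.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($dc in $domainControllers) {
    foreach ($port in ($requiredPorts.Keys | Sort-Object)) {
        $state = if (Test-TcpPort -ComputerName $dc -Port $port) { 'open' } else { 'BLOCKED' }
        '{0,-24} {1,5}  {2,-8} {3}' -f $dc, $port, $state, $requiredPorts[$port]
    }
}

# Port 135 only hands out the real port; replication then uses the dynamic RPC range:
# 1025-5000 on Windows Server 2003, 49152-65535 on 2008 and 2008 R2. Pinning NTDS to one
# port (KB224196, DWORD "TCP/IP Port" under NTDS\Parameters) lets the firewall open a single
# extra port per DC instead of the whole range. Netlogon has the matching "DCTcpipPort" value.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$pinned  = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'TCP/IP Port'
if ($pinned) { "NTDS replication pinned to TCP $pinned" }
else         { "NTDS replication uses the dynamic RPC range (key absent or not set)" }
```

    A DC that is reachable on 135 but not on its dynamic port shows up as replication and dcpromo failures that look like "RPC server unavailable", while the port test above reports everything open; test the dynamic port too once you know it, or pin it on every DC so there is only one to test.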
  • I don't see anything being denied, and I actually allowed any traffic going from the DCs to the new one, so ports shouldn't be an issue. I'm just not sure what the error message means. I also made sure Windows Firewall is disabled.
    Wednesday, December 01, 2010 9:00 PM
  • I figured it out. I had DNS configured before doing dcpromo; I removed the role and tried it again and everything worked fine. Thanks for all of the help!
    • Marked as answer by Bruce-Liu Thursday, December 02, 2010 9:54 AM
    Wednesday, December 01, 2010 9:51 PM
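    Editor's added example for the end of the thread (not part of any post): a post-promotion check that ties the DNS fix above to the site configuration discussed earlier. It confirms the new DC registered its site-specific SRV records, that the DC locator returns it for the remote site, and that dcdiag is happy with DNS, advertising and replication. The domain, site and server names are assumptions; run it on the new DC or any member at the remote site.

```powershell
# Added example, not from the original thread. Verifies that the new DC advertises itself
# correctly for its site after dcpromo. Domain, site and host names are assumptions.
$domain     = 'corp.example'
$remoteSite = 'RemoteSite'
$newDc      = 'rdc1.corp.example'

# The locator queries the site-specific records first and falls back to the generic ones;
# a missing site-specific record means remote clients will authenticate across the WAN.
$srvNames = @(
    "_ldap._tcp.$remoteSite._sites.dc._msdcs.$domain",
    "_kerberos._tcp.$remoteSite._sites.dc._msdcs.$domain",
    "_ldap._tcp.dc._msdcs.$domain",
    "_gc._tcp.$domain"
)

function Get-SrvTargets {
    param([string]$Name)
    # nslookup is used because Resolve-DnsName does not exist on 2008 R2; the "svr hostname"
    # lines carry the target of each SRV record.
    $lines = nslookup -type=SRV $Name 2>$null | Select-String 'svr hostname'
    return @($lines | ForEach-Object { ($_.Line -split '=')[1].Trim() })
}

foreach ($name in $srvNames) {
    $targets = Get-SrvTargets -Name $name
    $shown = if ($targets.Count -gt 0) { $targets -join ', ' } else { 'MISSING' }
    '{0,-58} {1}' -f $name, $shown
}

# Which site does this machine believe it is in, and which DC does the locator hand out for
# the remote site? /force bypasses the cached DC so the answer reflects current DNS.
nltest /dsgetsite
nltest /dsgetdc:$domain /site:$remoteSite /force

# /gc and /writable variants matter if you chose an RODC: it will never satisfy /writable,
# and it only answers /gc if it was also promoted as a Global Catalog.
nltest /dsgetdc:$domain /site:$remoteSite /gc /force

# dcdiag on the new DC: DNS registration, whether it advertises as DC/GC/KDC, and replication.
dcdiag /s:$newDc /test:DNS /test:Advertising /test:Replications
```

    If the site-specific records are missing while the generic ones exist, the usual causes are the subnet not being mapped to the site (the DC then lands in Default-First-Site-Name) or the DC's own DNS client still pointing only at itself before its zone has replicated; restarting the Netlogon service re-registers the records once that is fixed.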