Multiple DHCP Server DC's in same Default-First-Site-Name Container

    Question

  • Hi

    We have a number of replication issues and incorrect configurations in our Windows 2003 Active Directory. Some of them are the creation of Multiple Sites and Manual Connection links without any design.

    Now in our network we have multiple DHCP servers in various physical sites. Some are Windows and some are other network appliances, and all our sites are connected by 100MB links and underutilised. My question is as follows:

    1) If we move all of our servers into the Default-First-Site-Name Sites and Services container and we have multiple DHCP servers [currently spread across the different AD Sites to serve the local sites] - will this cause a problem? Naturally, the current configuration has subnets defined to sites etc. and if we were to move them to ONE container - then all subnets would be part of that container.

    We do have 5 DHCP servers authorized in AD

    Thoughts?

    J


    Saturday, January 12, 2013 1:49 PM

All replies

  • Jayuk,

    I think I can help a bit on this. 

    Until a few months ago, we ran multiple DHCP servers all within one site - we had a setup where we had multiple buildings separated by layer 3 routing - each building had its own DHCP server and served that building.

    These layer 3 routing boundaries prevented our clients from getting a DHCP response from unexpected DHCP servers. If your physical sites are on different networks (that prevent DHCP packets from crossing) then your DHCP servers' site membership doesn't matter. Easy way to test this - if you down all your DHCP servers at a physical location, do your clients still get an IP address? If not, then using the single Default Site won't matter.

    Make any sense?  I can try to help with the replication issues, but two issues there: 1) we ended up pulling in a consultant on this and 2) we're running 2008 DC's, so there could be something with 2003 replication that I wouldn't know to check.

    Good luck.  Replication issues have been my most challenging MS network / DC problem I've faced. 

    Damian

    Friday, January 18, 2013 2:01 AM
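The isolation test Damian describes can be checked from a client without shutting servers down: read which DHCP server actually answered, and compare it with the servers authorized in AD and with the server you expect for that client's site. The following PowerShell is an added example, not code from the thread or from either poster. It assumes the DhcpServer RSAT module (for Get-DhcpServerInDC) is installed on the client, and the site-to-server table at the top is a placeholder you must fill in.

```powershell
# Added example (not from the thread). Shows which DHCP server leased this
# client's address, whether that server is authorized in AD, and whether it is
# the server expected for the client's AD site.
# Assumption: the DhcpServer module is available for Get-DhcpServerInDC.

# Assumption: site name -> expected local DHCP server IP(s). Replace with yours.
$ExpectedBySite = @{
    'Default-First-Site-Name' = @('10.1.0.10')
    'Branch-A'                = @('10.2.0.10')
}

function Get-ClientLeaseSource {
    # Adapters that got their address from DHCP, with the server that answered
    Get-CimInstance Win32_NetworkAdapterConfiguration `
        -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE' |
        Where-Object { $_.DHCPServer } |
        Select-Object Description, IPAddress, DHCPServer, DHCPLeaseObtained
}

function Test-LeaseSource {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [hashtable]$Expected = $ExpectedBySite
    )
    # Servers authorized in AD (the 5 in the original question, in your case)
    $authorized = @(Get-DhcpServerInDC | ForEach-Object { $_.IPAddress.IPAddressToString })

    foreach ($lease in Get-ClientLeaseSource) {
        $src = $lease.DHCPServer
        [pscustomobject]@{
            Adapter      = $lease.Description
            Address      = ($lease.IPAddress -join ', ')
            DhcpServer   = $src
            AuthorizedAD = ($authorized -contains $src)
            LocalToSite  = (@($Expected[$SiteName]) -contains $src)
        }
    }
}

# The client's own AD site, as the site-aware logon process resolves it
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
Test-LeaseSource -SiteName $site | Format-Table -AutoSize
```

A row with LocalToSite = False means a DHCPDISCOVER crossed a router (a relay agent or BOOTP forwarding is in place) and the lease came from another site's server; a row with AuthorizedAD = False means an appliance or rogue server answered that AD knows nothing about. Run it from a client in each physical site before and after consolidating the DCs into one AD site; the answers should not change, since as Damian notes the routing boundary, not the AD site, decides who answers.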
  • FYI, just to let you know this is the NIS forum and not the AD (DS) forum. Maybe we can ask a moderator to move this thread to the DS (Directory Services) forum for specific AD exposure. Don't worry, once it's moved, we will still receive email notifications and the link to the new location. In the meantime, let's take a look at this...


    Moving all the DCs to the Default site container will not affect DHCP services. Sites are used to control two things: replication between DCs, and localizing logon & authentication traffic.

    Therefore DHCP wouldn't have anything to do with replication issues, unless of course they are handing out external DNS addresses to the clients (meaning not handing out ONLY the internal DC/DNS IPs), which of course we all know will cause havoc with AD communications.


    To better help with the replication issues, we'll need some configuration and other information to diagnose this. If you can post the following, it will help us:

    1. How many DCs?
    2. How many domains in the forest? If more than one domain, what is the DNS design handling parent domain to child domain resolution (parent-child delegation or is the zone set to forest-wide)?
    3. How many locations?
    4. Does each location correspond to an AD site created in Sites and Services?
    5. Is the physical network connectivity between each site a MESH or HUB and SPOKE?
      A MESH means that all locations have direct physical network connectivity to each other
      A Hub and Spoke means that each Site can only communicate to the central (HQ) site and can't communicate to each other.
    6. If Hub and Spoke, has BASL been disabled?
      Note: A Hub and spoke requires BASL disabled as well as individual site links created for each specific site to HQ, otherwise the KCC tries to partner DCs that do not have direct communications between each other and causes major AD issues.
    7. What's the replication frequency set to on the DefaultIPLink - the default 180 min or chopped down to 15 minutes (recommended)?
    8. Are all DCs GCs (if not, that's recommended).
    9. Unedited ipconfig /all of two sample DCs in the central site.
    10. Event log errors:
      Please check all Event log errors (Application, System, and under Application and Services Logs on a DC: the AD Web Services, DFS Replication, Directory Services, DNS Server & File Replication Service logs).


    Sorry about all the questions, but troubleshooting AD replication in a diverse site-based infrastructure requires specific information about the infrastructure. I've fixed multiple customer sites that have contacted me with similar situations, and I can only say it can either be a simple fix that may take a few minutes on your part, or a complicated fix that may take hours by a qualified consultant.



    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.




    Friday, January 18, 2013 9:37 PM
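Most of the facts Ace asks for in items 1 to 8 and 10 live in the configuration partition or in the DCs' event logs and can be gathered in one pass. The PowerShell below is an added example, not code from the thread or from Ace; it needs the ActiveDirectory RSAT module (Windows Server 2008 R2 / Windows 7 or later) and a domain admin account, so it is run against a 2003 forest from a newer management box. BASL here is Bridge All Site Links, which is read from the options attribute of the IP inter-site transport container (bit 0x2 set means bridging is disabled).

```powershell
# Added example (not from the thread). Collects DC count and GC status, domains,
# sites, site links with their replication interval, the Bridge All Site Links
# setting, and per-DC replication failures and recent error events.
Import-Module ActiveDirectory

function Get-AdReplicationSummary {
    $forest = Get-ADForest
    $dcs    = @(Get-ADDomainController -Filter *)        # items 1 and 8
    $sites  = @(Get-ADReplicationSite -Filter *)         # items 3 and 4
    $links  = @(Get-ADReplicationSiteLink -Filter *)     # item 7

    # Item 6: options bit 0x2 on CN=IP,CN=Inter-Site Transports means
    # "Bridge all site links" is DISABLED (site link bridges required).
    $configNc    = (Get-ADRootDSE).configurationNamingContext
    $ipTransport = Get-ADObject "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc" -Properties options
    $baslDisabled = [bool]([int]($ipTransport.options) -band 0x2)

    [pscustomobject]@{
        Domains                    = ($forest.Domains -join ', ')           # item 2
        DomainControllers          = $dcs.Count
        NonGlobalCatalogs          = (@($dcs | Where-Object { -not $_.IsGlobalCatalog } |
                                        ForEach-Object { $_.HostName }) -join ', ')
        Sites                      = ($sites.Name -join ', ')
        BridgeAllSiteLinksDisabled = $baslDisabled
        SiteLinks                  = (($links | ForEach-Object {
            # Default interval is 180 minutes; Ace recommends 15
            $members = $_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
            '{0} [{1} min]: {2}' -f $_.Name, $_.ReplicationFrequencyInMinutes, ($members -join '+')
        }) -join '; ')
    }
}

function Get-DcReplicationHealth {
    # Item 10: replication failures and last-24h error events per DC.
    # Logs are queried one at a time so a missing log (e.g. no FRS log on a
    # DFSR-only DC) does not abort the whole query.
    $logs = 'Directory Service', 'DNS Server', 'File Replication Service',
            'DFS Replication', 'System'
    foreach ($dc in Get-ADDomainController -Filter *) {
        $failures = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue)
        $errors = 0
        foreach ($log in $logs) {
            $errors += @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = (Get-Date).AddDays(-1) }).Count
        }
        [pscustomobject]@{
            DC                  = $dc.HostName
            Site                = $dc.Site
            IsGlobalCatalog     = $dc.IsGlobalCatalog
            ReplicationFailures = $failures.Count
            ErrorEventsLast24h  = $errors
        }
    }
}

Get-AdReplicationSummary | Format-List
Get-DcReplicationHealth  | Format-Table -AutoSize
```

Post the two outputs together with an unedited ipconfig /all from two central-site DCs (item 9, which the script deliberately does not replace) and you have answered the list. In a hub-and-spoke topology the summary should show BridgeAllSiteLinksDisabled = True and one site link per spoke-to-HQ pair, as the note under item 6 requires.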
  • Hi All

    Thanks for the replies

    However - I had to complete the consolidation last Saturday and it all went well

    Through some heavy reading and going over TechNet I found the AD related answers.

    I then used tools such as DHCPLoc from client machines at the different sites to see what DHCP requests were being sent and where the responses came from.

    Suffice to say - the networks were all separate with routers and hence BOOTP was not enabled and so DHCP could only be serviced from the site

    The consolidation went well - and 95% of my replication issues have now gone which was excellent!

    My only issue now is that I ran GPOTOOL and I have GP mismatches amongst DCs, and this is because the previous IT guys decided to change permissions on Sysvol manually! So certainly policy folders can't access each other....crazy I know!!!

    Friday, January 18, 2013 10:01 PM
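What GPOTOOL reports as a mismatch is, for each GPO, a difference between the versionNumber on the groupPolicyContainer object in AD and the Version= line in gpt.ini under each DC's SYSVOL copy, or between DCs. The PowerShell below is an added example, not code from the thread or from either poster; it reproduces that comparison and additionally flags policy folders whose ACL differs from the PDC emulator's copy, which is the symptom of the hand-edited Sysvol permissions described above. It needs the ActiveDirectory RSAT module and read access to \\DC\SYSVOL on every DC.

```powershell
# Added example (not from the thread). GPOTOOL-style check: AD versionNumber vs
# gpt.ini on every DC, plus a policy-folder ACL comparison against the PDC
# emulator's SYSVOL copy.
Import-Module ActiveDirectory

function Get-GpoVersionReport {
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator
    $dcs    = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })
    # Every GPO in the domain; Name is the policy GUID, versionNumber is the
    # combined user/computer version that gpt.ini must match
    $gpos   = Get-ADObject -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
                -LDAPFilter '(objectClass=groupPolicyContainer)' `
                -Properties displayName, versionNumber

    foreach ($gpo in $gpos) {
        $guid = $gpo.Name    # e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
        # Reference ACL: the PDC emulator's copy of the policy folder
        $refAcl = (Get-Acl "\\$pdc\SYSVOL\$($domain.DNSRoot)\Policies\$guid" -ErrorAction SilentlyContinue).Sddl

        foreach ($dc in $dcs) {
            $folder = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$guid"
            $ini    = Join-Path $folder 'gpt.ini'
            $sysvolVersion = $null
            if (Test-Path $ini) {
                $line = Get-Content $ini | Where-Object { $_ -match '^\s*Version\s*=' } | Select-Object -First 1
                if ($line -match 'Version\s*=\s*(\d+)') { $sysvolVersion = [int]$Matches[1] }
            }
            $acl = (Get-Acl $folder -ErrorAction SilentlyContinue).Sddl
            [pscustomobject]@{
                GPO           = $gpo.displayName
                Guid          = $guid
                DC            = $dc
                AdVersion     = $gpo.versionNumber
                SysvolVersion = $sysvolVersion
                VersionMatch  = ($sysvolVersion -eq $gpo.versionNumber)
                AclMatchesPdc = ($acl -eq $refAcl)
            }
        }
    }
}

# Only the problem rows: missing/stale SYSVOL copies and hand-edited ACLs
Get-GpoVersionReport |
    Where-Object { -not $_.VersionMatch -or -not $_.AclMatchesPdc } |
    Format-Table -AutoSize
```

SysvolVersion = $null on a DC means that DC never received the folder (a replication failure or an ACL that blocks the replication service), while a stale number means the folder arrived but has not caught up. Export the full report to CSV rather than the verbose GPOTOOL text if you want to sort it in Excel as described in the next post.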
  • Good to hear. Did you reset the Sysvol permissions?

    Ace Fekay


    Friday, January 18, 2013 10:43 PM
  • Hi Ace

    Not yet - I did a Verbose GPOTOOL and have a very large output to text file :-)

    I am literally going through it all now and dumping it to Excel to see which and where the issues are.

    I know from observation that the incumbent support teams have done some questionable changes on Sysvol and so I need to understand how I reset them and ensure it's all replicated out.

    Any suggestions?

    To give you an example...when I started a few months back I saw a 2nd line support guy log in to a DC and set permissions on a Policy folder within Sysvol......my jaw nearly dropped!! But couldn't say anything as it was my first day!

    Saturday, January 19, 2013 11:24 AM
  • Check the Status of the SYSVOL and Netlogon Shares
    http://technet.microsoft.com/en-us/library/cc816833(v=ws.10).aspx

    Reapply Default SYSVOL Security Settings
    http://technet.microsoft.com/en-us/library/cc816750(v=ws.10).aspx


    And strip those admin rights from everyone except the few that need it. Make them create a support ticket for whatever changes they need and evaluate and ask why.



    Ace Fekay


    Saturday, January 19, 2013 6:20 PM