Remote Additional Domain Controller

    Question

  • I have one Active Directory and one additional domain controller in one location. I have created another additional domain controller in a remote site with the idea that the users of the remote site can log on locally with that additional domain controller. But now the problem is that the local users sometimes want to get connected with the remote additional domain controller. How can I ensure that the local users will not at all try to take their authentication from the remote additional domain controller?
    Tuesday, November 02, 2010 4:47 AM

Answers

  • I think you are making this more complicated than what it already is, and hopefully my long explanation won't confuse you more...

    Your goal is to have remote site users log into a separate domain controller, perhaps because you do not want authentication traffic to pass over the network connection from the remote users to your main site, which is perfect. You did the right thing and installed a DC in the second location. Now, if you did install a second DC in the remote location, you have to have "a subnet", meaning two separate network segments that are aware of each other. If you have done this correctly, the clients on the remote site will authenticate against the DC within the site, as the DC becomes the SITE domain controller (assuming your clients and DC are in the same subnet, and your DHCP etc. is configured correctly and providing the correct subnet to your site clients). If the SITE-specific DC is not available, yes, your clients will get authenticated by any available live DC within any AD SITE, which is the multi-master replication model.

    • Go back and make sure the DC in the remote site is configured correctly (DC/DNS/DHCP etc.)
    • AD Sites and Services configured correctly
    • Subnet in AD is configured correctly
    • Remote DC is placed into its own site
    • Replication from SITE A is working correctly to the SITE B DC (both ways)
    • Once all this is done, Exchange should not be going bananas and all should work fine

    Do some Binging on creating an AD site if necessary.

    Good luck

    ocd



    Oz Casey, Dedeal MVP (Exchange) MCITP (EMA), MCITP (SA) MCSE 2003, M+, S+, MCDST Security+, Project +, Server + Http://smtp25.blogspot.com (Blog) Http://telnet25.spaces.live.com (Blog) Http://telnet25.wordpress.com (Blog)
    • Marked as answer by Alan.Gim Monday, November 22, 2010 5:21 AM
    Wednesday, November 03, 2010 4:14 PM

All replies

  • Go for a different subnet.

    -bpara

    Tuesday, November 02, 2010 5:17 AM
  • I have tried with a different subnet also. We are running Exchange 2007 server. If I create a different subnet, Exchange gives an OWA proxying error, the mail flow stops and OWA cannot be opened.

    The remote additional AD is in a remote place, so by default it has a different range of IP addresses. Through routing it can ping our local AD.

    Tuesday, November 02, 2010 5:39 AM
  • Hi,

    Do I understand this correctly?

    1. You have a primary site where you have two domain controllers and Exchange located?

    2. You have a secondary site with only a domain controller for local authentication?

    If this is the case you should use Active Directory Sites and Services to configure a different subnet for the secondary site so that clients will use the local DC for authentication. Also remember to give the primary site a subnet since this is not done when you deploy Active Directory.

    /Martin


    Exchange is a passion not just a collaboration software.
    Tuesday, November 02, 2010 9:29 AM
  • 1) Create a different subnet for the new DC - 10.10.10.0/24 - and deploy a DHCP scope associated with the subnet. Make sure the DC obtains a static IP from this scope.

    2) In Active Directory Sites and Services, create a site and associate the new server with this site.

    3) Make sure the client(s) and the new server are on the same subnet and can talk to the new DC using DNS. Clients locate DCs, Global Catalogs, etc. through SRV records using DNS.

    Tuesday, November 02, 2010 5:17 PM
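    As an added illustration of the checklist in the accepted answer and the three steps just above (this is not code from any poster in the thread), here is the same site/subnet configuration and the client-side verification in PowerShell. It assumes the Windows Server 2012+ ActiveDirectory module (the *-ADReplication* cmdlets postdate this 2010 thread; on 2003/2008 DCs the same objects are created by hand in Active Directory Sites and Services), WinRM to the remote DC, and that the site name, head-office subnet and DC name are placeholders; 10.10.10.0/24 is the range suggested in step 1 above. The nltest checks at the end work on any supported Windows client.

```powershell
# Added example, not from the thread. Assumes the Windows Server 2012+ ActiveDirectory
# module and WinRM access to the remote DC. Site/subnet names and the DC name are
# placeholders; 10.10.10.0/24 is the branch range suggested in the thread.
Import-Module ActiveDirectory

$domain       = 'corp.example.com'            # placeholder domain
$hqSite       = 'Default-First-Site-Name'     # the site both original DCs already live in
$hqSubnet     = '192.168.1.0/24'              # placeholder: head-office client/DC range
$remoteSite   = 'Remote-Branch'               # placeholder name for the new site
$remoteSubnet = '10.10.10.0/24'               # branch range from step 1 above
$remoteDC     = 'DC03'                        # placeholder: the additional DC at the branch

# 1. A site of its own for the branch, so its DC is no longer "just another DC"
#    in the default site that any head-office client may be handed.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$remoteSite'")) {
    New-ADReplicationSite -Name $remoteSite
}

# 2. Subnets for BOTH sites. The default site gets no subnet at install time, which is
#    exactly why head-office clients were being steered to a DC they cannot reach:
#    a client whose IP matches no subnet object is treated as site-less and may be
#    given any DC in the domain.
$subnets = @(
    @{ Net = $hqSubnet;     Site = $hqSite     },
    @{ Net = $remoteSubnet; Site = $remoteSite }
)
foreach ($s in $subnets) {
    $existing = Get-ADReplicationSubnet -Filter "Name -eq '$($s.Net)'" -ErrorAction SilentlyContinue
    if ($existing) { Set-ADReplicationSubnet -Identity $s.Net -Site $s.Site }
    else           { New-ADReplicationSubnet -Name $s.Net -Site $s.Site }
}

# 3. Move the remote DC's server object into the new site.
Move-ADDirectoryServer -Identity $remoteDC -Site $remoteSite

# 4. Have the remote DC re-register its site-specific SRV records and let the KCC
#    rebuild the replication connections between the two sites.
Invoke-Command -ComputerName $remoteDC -ScriptBlock {
    nltest /dsregdns | Out-Null
    repadmin /kcc    | Out-Null
}

# --- Verification: run these on a client in EACH site after the change ---

# Which site does the client believe it is in? Must match the site of its subnet.
nltest /dsgetsite

# Which DC does the locator return now? The output should name a DC in the client's
# own site and carry the CLOSE_SITE flag. /force bypasses the cached result.
nltest "/dsgetdc:$domain" /force

# The site-specific SRV records the client consults first (Resolve-DnsName is
# available from Windows 8 / Server 2012; use nslookup -type=SRV on older clients).
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$remoteSite._sites.dc._msdcs.$domain"

# After logging off and on again, the DC that actually authenticated this session.
$env:LOGONSERVER
```

    Two things to check against the thread: the client-side `nltest /dsgetsite` is the quickest way to prove whether the HO clients are actually being placed in a site (if it fails or names the wrong site, the head-office subnet is still missing or wrong), and, as the accepted answer notes, site awareness only steers the locator; if the site's DC is down, clients fall back to the domain-wide `_ldap._tcp.dc._msdcs` records and will take any reachable DC, so "never" cannot be guaranteed by site configuration alone.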
  • Yes, I created a separate site at first. But I had to dissolve it because the Exchange server stopped working with the error "OWA proxying error". Then I decided to create the remote additional domain controller in the default site only.

    Now some local users are automatically trying to connect to the remote AD and cannot log in, as the users cannot get IP connectivity to the remote site. This problem I want to stop. Is there any way so that local users in HO only connect to the local domain server and will not ask for the remote AD?

    Is there any way to define the cost? Please help.


    Udayan Lahiri Ast Manager It Mcnally Bharat
    Wednesday, November 03, 2010 12:27 PM
  • I am a bit confused about your terms and explanations to domains and sites.

    Did you create a new AD domain in the remote location, or did you create a new domain controller in the location and create a new AD site?

    Users authenticate to the nearest domain controller based on the setup in "Active Directory Sites and Services", so it sounds like the subnet isn't defined properly there.

    Is this problem only in reference to Exchange OWA or also Windows authentication?

    /Martin


    Exchange is a passion not just a collaboration software.
    Wednesday, November 03, 2010 12:32 PM
  • 1. I have created one additional domain controller for the remote location. It is not a new domain.

    2. The problem is only with OWA proxying when I configure a separate site with a separate subnet. With this, mail stops completely. Then I removed the site and the subnet also. I created the additional domain controller in the default site.

    3. After this everything is running OK. Only sometimes the local users are trying to connect to the remote additional domain controller. This I want to stop.


    Udayan Lahiri Ast Manager It Mcnally Bharat
    Wednesday, November 03, 2010 12:40 PM
  • How does OWA proxying come into play here? As far as I can read you haven't moved any Exchange servers so they should still be at the main site and authenticate users on the domain controllers already setup for the default subnet.

    Did you define a subnet for the default site?

    /Martin


    Exchange is a passion not just a collaboration software.
    Wednesday, November 03, 2010 1:05 PM