All DCs (two in total) at branch office Site-B are moving from Kaohsiung to Tainan; will users automatically log on against Taipei (Site-A) during the move?

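  • Question

  • I would like to ask everyone two questions. First, the environment:

    Taipei (Site-A) has four DCs; two of them are DNS servers and the other two are GCs.

    Kaohsiung (Site-B) has two DCs, both of which are DNS servers and GCs.

    Because the network structure is changing, the Kaohsiung DCs are to be moved to Tainan, the central point of the southern LAN.

    1. As asked in the title: during the move, will logon authentication for the southern users (Site-B) run into problems?

       Or will they automatically authenticate against the GCs in Site-A?

    2. After the move, the DCs will be changed to the Tainan subnet and IP addresses. Is there anything I should pay special attention to?

       Or can I simply change the TCP/IP settings and bring them online?

    Thank you all!

    Gavin.

    2008/01/21

    January 21, 2008, 9:23 AM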


All replies

  • Hi Gavin,

    Does this mean that no DC will be placed on the Kaohsiung subnet?

    For how a client computer finds a suitable DC when a user logs on to the domain, please see the following information.

    When a client logs on or joins the network, the client must be able to locate a domain controller. The client sends a DNS Lookup query to DNS to find domain controllers, preferably in the client's own subnet. Therefore, clients find a domain controller by querying DNS for a record of the form:

    _LDAP._TCP.dc._msdcs.domainname

    After the client locates a domain controller, the client establishes communication by using Lightweight Directory Access Protocol (LDAP) to gain access to Active Directory. As part of that negotiation, the domain controller identifies which site the client is in, based on the IP subnet of that client. If the client is communicating with a domain controller that is not in the closest (most optimal) site, the domain controller returns the name of the client's site.

    For more information, please refer to KB article 314861 "How Domain Controllers Are Located in Windows XP" http://support.microsoft.com/kb/314861

    January 21, 2008, 9:37 AM
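  • Marty,

    Thank you for your reply.

    First, Kaohsiung and Tainan both belong to Site-B, but they are on different subnets,

    so after the DCs are moved the Kaohsiung subnet will still belong to Site-B and should still have DCs.

    It is only during the move itself that no DC will be present, so I do not know whether users can log on during this gap.

    Thanks~

    Gavin.

    2008/01/21

    January 21, 2008, 11:28 AM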
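  • Hi Gavin,

    During this gap, the Site-B clients will not be able to reach the DCs that belong to that site, but they will find a DC in Site-A and log on.

    (For how a client chooses a DC to log on to, please refer to the KB I gave you earlier.)

    Hope this helps.

    Marty

    January 22, 2008, 12:53 AM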
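  • Dear Marty,

    Thank you for the explanation!

    So before the move, I should point the DNS setting in the Kaohsiung (Site-B) DHCP server to the Taipei (Site-A) DNS servers?

    Also, after the move, will the two DCs work normally once only the TCP/IP settings are changed?

    Since these two also hold the DNS role, I am not sure what needs special attention.

    Thanks~

    Gavin.

    2008/01/22

    January 22, 2008, 5:22 AM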
  • Hi Gavin,

    Yes, please make sure that the site-b clients can resolve SRV records while the DCs in site-b are offline.

    Changing the IP address of a domain controller is simple; we just need to change the IP address and relevant TCP/IP configurations of the domain controller and then restart the Net Logon service. However, there are some other points you may need to consider if you plan to move the DCs to another network.

    1. DNS/WINS:
       - You need to change the TCP/IP settings accordingly on all clients.

    2. DHCP:
       - You need to recreate the scopes in DHCP servers to reflect the change of the IP subnet.
       - You may need to add a new DHCP server on the source network.
       - You need to change the DHCP DNS option to the new IP address.

    3. You may need to change the Sites configurations of these DCs to reflect the change of the physical location.

    4. If these DCs will be disconnected from other DCs for a long time, you may need to consider the tombstone lifetime for the forest.

    After you have changed the IP address on all DCs, you may consider the following tasks:

    5. Check if the DHCP Client service is started on the domain controller. This service is responsible for registering the host records in the DNS server.

    6. Check on the DNS server whether the domain controller's A record has been changed to the new IP address. If not, we need to change it manually.

    7. Check whether the DC has registered the IP address change successfully.
       a. Type "Net Stop Netlogon"
       b. Type "Ipconfig /flushdns"
       c. Type "Ipconfig /registerdns"
       d. Type "Net Start Netlogon"

    8. Check the DNS entry for the new address change registration on the DNS zone authoritative for the domain where you changed the IP address of the domain controller and ensure that the correct address is listed. (You may also see the old address listed there; please delete this old address.)

    9. Ping the domain controller to see if the new IP address is being reported in the ping test.

       To ping the domain controller properly, please locate the registered IP address in the DNS management console, in the _msdcs folder of the zone authoritative for the domain where the DC exists.
       a. Right-click the registered DNS record for the domain controller and select Properties.
       b. Highlight and copy the FQDN that contains a long GUID._msdcs.domain_name.com
       c. Either paste or type the GUID._msdcs.domain_name.com record that you found registered for the DC in the DNS manager in the _msdcs folder.

       If you are able to ping and resolve this GUID._msdcs.domain_name.com successfully, then the domain controller has successfully registered the new IP address within the zone authoritative for the domain where the domain controller exists.

    January 22, 2008, 5:33 AM
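
    Added example, not part of the thread: a PowerShell sketch that automates the post-move DNS checks in steps 5 to 9 of the reply above, plus the SRV records clients use to locate a DC. It assumes a DC running Windows Server 2012 or later with the ActiveDirectory and DnsClient modules; `$NewIp` and `$DnsServer` are constructed placeholder addresses.

```powershell
# Added example (not from the thread). Run on the re-addressed DC.
# Assumptions: ActiveDirectory and DnsClient modules are installed;
# both parameter defaults are constructed placeholder addresses.
param(
    [string]$NewIp     = '192.0.2.10',  # placeholder: the DC's new IP address
    [string]$DnsServer = '192.0.2.53'   # placeholder: DNS server hosting the AD zone
)
Import-Module ActiveDirectory

$dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
$issues = @()

# Helper: query only the chosen server; an empty result means "not registered".
function Get-Dns($Name, $Type) {
    @(Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq $Type })
}

# Step 5: the DHCP Client service performs the dynamic host-record registration.
if ((Get-Service -Name Dhcp).Status -ne 'Running') { $issues += 'DHCP Client service is not running' }

# Steps 6 and 8: the host A record must list the new address and no leftover old one.
$hostIps = @(Get-Dns $dc.HostName 'A' | ForEach-Object { $_.IPAddress })
if ($hostIps -notcontains $NewIp) { $issues += "A record for $($dc.HostName) does not list $NewIp" }
foreach ($ip in $hostIps) { if ($ip -ne $NewIp) { $issues += "Stale A record to delete: $ip" } }

# Step 9: GUID._msdcs.<forest root> is an alias named after the objectGUID of the
# DC's NTDS Settings object; it must resolve to the new address as well.
$guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
$alias = '{0}._msdcs.{1}' -f $guid, $dc.Forest
if (@(Get-Dns $alias 'A' | ForEach-Object { $_.IPAddress }) -notcontains $NewIp) {
    $issues += "$alias does not resolve to $NewIp"
}

# SRV records clients use to locate a DC: domain-wide and for the DC's own site.
$srvNames = "_ldap._tcp.dc._msdcs.$($dc.Domain)",
            "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$($dc.Domain)"
foreach ($srv in $srvNames) {
    $targets = @(Get-Dns $srv 'SRV' | ForEach-Object { $_.NameTarget.TrimEnd('.') })
    if ($targets -notcontains $dc.HostName) { $issues += "$srv does not list $($dc.HostName)" }
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'DNS registration looks consistent.' }
```

    Run it once against each DNS server that clients are configured to use, since a stale A record on any one of them keeps sending authentication traffic to the old address.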
  • Dear Marty,

    Super detailed!

    Much appreciated~

    Gavin.

    2008/01/22

    January 22, 2008, 5:45 AM