Networking Forums


Branch Domains

 
 
Chris Newald
Guest
Posts: n/a

 
      05-26-2009, 08:34 PM
Hello there,

I'm trying to update our network and need a little info on the best
approach.

We have two company locations, each with an ISA server creating a site-to-site
VPN connection. At the main office we have a domain server with Active
Directory. In order to keep VPN traffic to a minimum, I would like to put a
second domain controller and Active Directory at the remote site and let the
two communicate during off-hours.

Being new to this I'm trying to decide on the best approach. I would like
to stay away from a child domain at the remote site as it seems like
overkill for what we need.

1. Am I supposed to disconnect the remote site from the domain, create a new
domain controller on the remote site, then create trusts between the two?

2. Or should I create an additional domain controller for an existing
domain? I tried this method but received an error that the domains are not
prepared (even though I ran adprep.exe /forestprep).

Any help would be appreciated!

Thank you ahead of time,
Chris


 
 
 
 
 
Phillip Windell
Guest
Posts: n/a

 
      05-26-2009, 08:44 PM
You don't need multiple domains. Domains are an administrative boundary, not
a network or a geographical boundary.

1. Place a DC at each location.

2. Configure a Sites Object and a Subnets Object in AD and set the
Replication Update Rate. The DCs will automatically be in the correct Site
based on the IP# they use. A Site is defined by the Subnet(s) that are
associated with it.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
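
The subnet-to-site lookup described in the reply above, as an added example that is not part of the original post. It assumes the most specific matching subnet wins; all subnets, site names, hosts and function names are constructed for illustration. It flags DCs whose recorded site differs from the site their current IP implies, and clients that no subnet object covers.

```python
import ipaddress

# Constructed sample data, not taken from the thread.
SUBNETS = {                      # subnet object -> associated site
    "10.1.0.0/16": "MainOffice",
    "10.2.0.0/16": "Branch",
    "10.2.50.0/24": "BranchLab",
}
DCS = {                          # DC name -> (current IP, site recorded for it)
    "DC1": ("10.1.0.10", "MainOffice"),
    "DC2": ("10.2.0.10", "MainOffice"),  # built centrally, then moved and re-addressed
}
CLIENTS = {"PC-A": "10.2.50.7", "PC-B": "10.2.3.4", "PC-C": "192.168.9.20"}


def site_for_ip(ip, subnets=SUBNETS):
    """Return the site of the most specific subnet containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    best_len, best_site = -1, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_len, best_site = net.prefixlen, site
    return best_site


def misplaced_dcs(dcs=DCS, subnets=SUBNETS):
    """DCs whose recorded site differs from the site their IP maps to."""
    result = {}
    for name, (ip, recorded) in dcs.items():
        implied = site_for_ip(ip, subnets)
        if implied != recorded:
            result[name] = (recorded, implied)
    return result


def unmapped_clients(clients=CLIENTS, subnets=SUBNETS):
    """Clients covered by no subnet object, so no site can be chosen for them."""
    return sorted(n for n, ip in clients.items()
                  if site_for_ip(ip, subnets) is None)


if __name__ == "__main__":
    for name, ip in CLIENTS.items():
        print(f"{name:5} {ip:15} -> {site_for_ip(ip)}")
    print("DCs to review:", misplaced_dcs())
    print("Clients with no subnet mapping:", unmapped_clients())
```
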

 
Phillip Windell
Guest
Posts: n/a

 
      05-26-2009, 08:54 PM
"Chris Newald" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> 2. Or should I create an additional domain controller for an existing
> domain? I tried this method but received an error that the domains are
> not prepared (even though I ran adprep.exe /forestprep)


There's no adprep to do. Just load the OS on a server, install DNS (but
don't configure it) and run DCPromo. When finished, transport the DC(s) to
the location they need to be in and adjust the IP Specs. DNS should
automatically adjust to the DCs' new IP#s when it finishes refreshing and
replicating.

In the TCP/IP Specs of the DCs they need to use themselves as the DNS. They
are already "aware" of the other DCs via the AD Zone in their own local DNS
database.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
Meinolf Weber [MVP-DS]
Guest
Posts: n/a

 
      05-27-2009, 06:55 AM
Hello Chris,

1. No need for creating a new domain and trust, unless you need a real security
boundary to your domain; otherwise install an additional DC in the existing
domain with DNS and GC.

2. Yes, create an additional DC. For the adprep error, I assume you use 2003
R2 as the new DC and 2003 is installed on the running DC; then you have
to run the adprep commands on the existing DC from the second R2 disk. If other
OS versions are in use, please post them.


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
Chris Newald
Guest
Posts: n/a

 
      05-27-2009, 02:03 PM
Hello Meinolf,

Thank you so much for the information. You're absolutely right - one server
is our older server running Windows 2003 Standard 32-bit. The new server is
running Windows 2003 R2 Standard 64-bit. When I try to run DCPromo and try
to install the new domain controller on the existing domain, I get an error
stating that the two versions of Active Directory are incompatible and that
I need to run adprep. When I run adprep it fails either way because one
disk is for 64-bit while the other is for 32-bit (always something).

I tried to find a solution to the incompatibility issue but can't seem to
get anywhere. Any ideas?

Thanks again,
Chris



 
Chris Newald
Guest
Posts: n/a

 
      05-27-2009, 02:10 PM
Hello Phillip,

Thank you for your reply. I really appreciate the help and this totally
gets me on the right track. Of course as always I have one more issue.

The DCPromo installation fails because one server is running Windows 2003
Standard 32-bit and the new server is running Windows 2003 Standard R2 64-bit.
It gives an incompatibility error stating that I need to run adprep. When I
do, I can't get it to work on the first machine as it thinks everything is
ready. Apparently I'm supposed to use the R2 disk but this fails for me as
the 64-bit version won't work on a 32-bit system.

I'm trying to find a solution to this or to see if adprep is available for
download on the Microsoft site.

Thanks again for the help,

Chris
 
Chris Newald
Guest
Posts: n/a

 
      05-27-2009, 03:34 PM
Got it to work. Downloaded the R2 Trial CD for adprep from:
https://profile.microsoft.com/RegSys...16ec&lcid=1033

Thanks


 
Chris Newald
Guest
Posts: n/a

 
      05-27-2009, 03:34 PM
Got it to work. Downloaded the R2 Trial CD for adprep from:
https://profile.microsoft.com/RegSys...16ec&lcid=1033

Thanks


 
Phillip Windell
Guest
Posts: n/a

 
      05-27-2009, 04:35 PM
"Chris Newald" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Got it to work. Downloaded the R2 Trial CD for adprep from:
> https://profile.microsoft.com/RegSys...16ec&lcid=1033
>


Ok
Sounds like you have it under control.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 