Domain Controllers Across a VPN

dsfseattle
07-19-2007, 02:14 AM
I have three sites that are connected via a Cisco 1811 router. Currently, at
the home office I have two domain controllers (all computers run Windows 2003
Server R2). One is the primary and the other is used as a backup (I
understand that pdc and bdc are retired terms for this version of Windows).
The two remote sites connect to the home office. There will be no need for
the remote offices to connect to each other for the foreseeable future.

I am going to place a server at each of the two remote locations. My
thinking is that I want to join that server to the domain. Then I want to
make that server a local DC for that remote site. I would expect that this
DC would be refreshed from the primary dc.

I have been able to join the server from the remote site to the domain, so I
believe that the VPN is set up correctly. But I am having difficulty making
the server a DC because I cannot find the domain when I run the wizard.

I'm wondering if I need to create the DNS server on the remote server and
then have a forwarder on the home office DNS server (thinking out loud here).

Any help would be great.

Dave
Phillip Windell
07-19-2007, 04:32 PM
"dsfseattle" <(E-Mail Removed)> wrote in message
news:F471A0A0-F116-4ECF-B0E1-(E-Mail Removed)...

> I am going to place a server at each of the two remote locations. My
> thinking is that I want to join that server to the domain. Then I want to
> make that server a local DC for that remote site.


Fine. But you need to use the Active Directory Sites object. The Sites
Object is what controls and maintains DC Replication over the slow WAN link
(VPN).

> I have been able to join the server from the remote site to the domain so I
> believe that the vpn is setup correctly. But I am having difficulty making
> the server a DC because I cannot find the domain when I run the wizard.


Make sure that the only DNS listed in the TCP/IP Settings is the DC with the
PDC Emulator Role. Once the remote server is promoted to a DC, that
will be changed so that it points to itself. Make sure when you attempt to
promote that you address the Domain by the FQDN, not the NetBIOS version of
the name. Also make sure this new DC has DNS installed on itself *first*
before it is DCPromo'ed. You may even want the Zone created in it; it will
fill in the rest of the data via Replication later.

Once it is functioning, the Clients will set their DNS in the TCP/IP config
to point to their local DC. There should *never* be any other DNS listed
there. If you want redundancy there, then you need two DCs at each site.
Then the DC/DNS will contain the local ISP's DNS in the Forwarders list.
This is the only place the ISP's DNS should appear. Whatever is being used
as a firewall device at the Site needs to allow the local DC (and *only* the
local DC) to make outbound DNS queries to the ISP's DNS. The reason the
local DC should be the only one is so that this will root out any PCs that
may have rogue DNS entries. Rogue DNS entries on PCs *will* cause you
problems if not taken care of.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------
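An added example, not code from the thread or its authors, that walks the order Phillip describes in PowerShell: define the AD site and subnet, point the branch server at the PDC emulator alone before promotion, install DNS before promoting by FQDN, then point the new DC at itself, keep the ISP only in its forwarders, and audit clients for rogue DNS entries. The domain name, addresses, site name and NIC alias are constructed, and the cmdlets come from the Windows Server 2012+ modules rather than the 2003-era dcpromo wizard (same order of operations).

```powershell
# Added example, not code from the thread. All names/addresses are constructed:
# domain corp.example.com, PDC emulator 10.0.0.10, branch site "Branch1" on
# 10.0.1.0/24, ISP resolvers 203.0.113.53/.54. Cmdlets are from the Windows
# Server 2012+ DnsClient, DnsServer, ActiveDirectory and ADDSDeployment modules.
$Domain = 'corp.example.com'
$PdcIp  = '10.0.0.10'
$Site   = 'Branch1'
$IspDns = @('203.0.113.53', '203.0.113.54')
$Nic    = 'Ethernet'

# --- On an existing hub DC: create the site and subnet first, so the new DC
# lands in Branch1 and replication across the VPN is controlled by the site links.
New-ADReplicationSite   -Name $Site
New-ADReplicationSubnet -Name '10.0.1.0/24' -Site $Site

# --- On the branch member server, before promotion: the only DNS server on the
# NIC is the PDC emulator, and the DC locator SRV records must resolve through it.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $PdcIp
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
           -Server $PdcIp -ErrorAction SilentlyContinue
if (-not $srv) { throw "No DC locator records for $Domain via $PdcIp; fix VPN/DNS first" }

# Install DNS on the server *before* promoting it; address the domain by FQDN.
Install-WindowsFeature DNS, AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -SiteName $Site -InstallDns:$true `
    -Credential (Get-Credential "$Domain\Administrator")

# --- After the reboot: the new DC resolves through itself, and the ISP appears
# only in its forwarders list. The site firewall should allow outbound UDP/TCP 53
# to $IspDns from this DC's address and from nothing else on the LAN.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses '127.0.0.1'
Set-DnsServerForwarder -IPAddress $IspDns

# --- Audit from the DC: any client DNS server address that is not a DC of this
# domain is a rogue entry of the kind the reply warns about.
$dcIps   = (Get-ADDomainController -Filter *).IPv4Address
$clients = (Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"').Name
Invoke-Command -ComputerName $clients -ScriptBlock {
    (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses
} | Where-Object { $dcIps -notcontains $_ } |
    ForEach-Object { Write-Warning "Rogue DNS entry on a client: $_" }
```

Run the hub-DC section with Domain Admin rights and the branch sections on the member server; the audit at the end needs WinRM enabled on the clients.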
dsfseattle
07-27-2007, 07:54 PM
I followed your advice, read up on it, and implemented. Worked like a charm
(after I disabled the firewall).

Dave

Phillip Windell
07-27-2007, 09:05 PM
Excellent!
Glad it worked out for you.
