Sites and Services HELP Please!

bran2235

IS-IT--Management
Feb 13, 2002
Hello everyone...

Single Domain / 2003 AD /
We are a Data Center (hub and spoke) with 35 remote sites. They are all on their own network:

Remote 1: 192.168.70.0 /24
Remote 2: 192.168.80.0 /24
etc.

Our entire domain has two DCs which sit here at our Data Center (192.168.60.0 /24) All servers are here at the data center- nothing in the remotes except laptops and thin clients.

My Situation:
In Sites and Services, both DCs have always sat inside the 'default' site (first site) or something like that. No subnets were ever added, etc. I think only because we didn't have any other 'sites' to move a DC to.

NEW DC:
I have built another (3rd) DC which for now is here at the Data Center. We have a bonded T-1 to a remote site for DR. My plan is to take this new DC to the remote site so that we will have a working replica of our AD in the case of a DR situation. I want to schedule replication to this DC like every 3 or so hours...

What do I do here...?
1) I need to create a new 'site' in Sites and Services (DR SITE), correct?
2) Do I need to create a 'subnet' for all my remotes and assign them to the default site (first site)?
3) Is authentication against the DC controlled by which subnet the user is in? For example, If I am in a remote site and logging in, will I authenticate against the DC that my respective subnet is assigned to?? Does that make sense??


Many Thanks!
Brandon
 
bran2235,

Yes. You will need to create a new Site (i.e. remote site).
If you are going to use the remote DC for DR only, you don't need to create a subnet for all remote clients.
Yes. The authentication is determined by the subnet. This is the whole point of Sites and Services. Let's presume you have a main datacentre and 5 remote sites with DCs. How can you tell which DC a client machine is going to authenticate to? Each client will try to authenticate to the nearest DC (on its own subnet). If it cannot contact a DC in its own subnet, it will try any available DC in the domain.
So if you want to have a DR DC, put it in its own subnet, create new Site and move the DC into that site. Then create new site link to replicate as you wish.

Hope it helps.

Regards,

Michael.
 
YES! Thank you..

You say I don't need to create a subnet for each remote site- Why not?

I was thinking I needed to because I wanted to control authentication so that NOBODY authenticated against the DR Site's DC... I was going to do this by having two Sites (in sites and services):

1) First Site / Default Site; and
2) DR Site

a) Assign all subnets (except my DR subnet) in the Default Site
b) Assign / Create a new Subnet for my DR Site and assign it to the DR SITE site.

Am I understanding this correctly?

MANY THANKS!!
Brandon

 
Remove the DR domain controller's service locator record and clients won't logon against it. There is a registry tweak that will stop the server registering this on startup, or you can manually delete the DNS record. There's a KB article on how to do it but I don't have a ref number for you.

It will only take you a short period of time to create the subnets so I would do it regardless. Pretty much all the new generation M$ products use this info somehow and it will stop your DCs logging a million errors about clients not being in a subnet.

 
Please, just let me make sure I understand this right!?

OK, so:

I have a DR SITE (one DC) MyDomain.local 60.x /24
I have a HQ SITE (two DCs) MyDomain.local 61.x /24

In AD Sites and Services, I have created my two sites:

1) HQ; and
2) DR

I have created the two subnets (192.168.60.x AND 61.x)
I have assigned each subnet to its respective SITE

Now, why are my users on the 60.x subnet (assigned to HQ) actually being authenticated by the DC at the DR site????? I DON'T want this to happen- I thought they would be assigned by one of the 2 DCs at HQ since that is the way I set it up in AD Sites and Services...?!?

Please help me understand this?


Many thanks,
Brandon
 
You need to place the domain controller also into the sites.

Any workstation can also log on to any domain controller, but they will usually logon to the one in the local site unless you configure a specific server to not lodge server locator records in DNS (i.e. DNS does not return the DC as a logon server when a client queries).

 
Theravager,

I forgot to mention this- I have placed the DCs in their respective site- but still people in the other site are using this DC to authenticate...

You mentioned:
"...not lodge server locator records in dns..."

HOW do I do this?
Is there a KB article that explains how to do this?

THANK YOU!
Brandon
 
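The topology the thread ends up describing (Michael's site/subnet/site link steps and Theravager's DC placement and locator-record advice), written out as a PowerShell example added here; it is not code from the thread or from Tek-Tips. It assumes the ActiveDirectory module (RSAT, Server 2008 R2 or later; the 2003 forest in the thread would use the Sites and Services MMC for the same steps) and placeholder names: domain MyDomain.local, HQ DCs HQ-DC01/HQ-DC02, DR DC DR-DC01, DR LAN 192.168.61.0/24.

```powershell
# Added example, not from the thread. Placeholder names: MyDomain.local,
# HQ-DC01/HQ-DC02 (data center), DR-DC01 (DR site), DR LAN 192.168.61.0/24.
Import-Module ActiveDirectory

# 1) Sites. Default-First-Site-Name is left alone; HQ and DR are added beside it.
New-ADReplicationSite -Name 'HQ' -Description 'Data center'
New-ADReplicationSite -Name 'DR' -Description 'DR site over bonded T-1'

# 2) Subnets. Every client subnet maps to HQ (the only site whose DCs should
#    take logons); only the DR LAN maps to DR. The list is constructed from the
#    thread's examples; add the remaining remotes the same way.
$hqSubnets = @('192.168.60.0/24', '192.168.70.0/24', '192.168.80.0/24')
foreach ($s in $hqSubnets) { New-ADReplicationSubnet -Name $s -Site 'HQ' }
New-ADReplicationSubnet -Name '192.168.61.0/24' -Site 'DR'

# 3) Move each DC object into its site. Subnets alone change nothing until the
#    DC objects are in the right site (Theravager's point).
Move-ADDirectoryServer -Identity 'HQ-DC01' -Site 'HQ'
Move-ADDirectoryServer -Identity 'HQ-DC02' -Site 'HQ'
Move-ADDirectoryServer -Identity 'DR-DC01' -Site 'DR'

# 4) Site link HQ<->DR replicating every 3 hours (180 minutes). The KCC builds
#    the connection objects from this link.
New-ADReplicationSiteLink -Name 'HQ-DR' -SitesIncluded 'HQ', 'DR' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 180

# 5) Stop DR-DC01 publishing the domain-wide (non-site-specific) locator
#    records, so the DC locator never hands it to a client outside the DR site.
#    Site-specific records and the DsaCname record used by replication stay
#    registered. Same effect as the Net Logon group policy
#    "DC Locator DNS records not registered by the DCs".
Invoke-Command -ComputerName 'DR-DC01' -ScriptBlock {
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $p -Name 'DnsAvoidRegisterRecords' -Type MultiString `
        -Value @('Ldap', 'Gc', 'Kdc', 'Dc', 'GenericGc', 'Rfc1510Kdc', 'Rfc1510Udp')
    # Re-registers with the new list; delete any stale DR-DC01 SRV entries
    # from DNS by hand if they survive the restart.
    Restart-Service Netlogon
}

# 6) Verify: DR-DC01 must be absent from the domain-wide SRV set, and a client
#    on an HQ subnet must be handed an HQ DC.
Resolve-DnsName -Type SRV -Name '_ldap._tcp.dc._msdcs.MyDomain.local' |
    Select-Object -ExpandProperty NameTarget
nltest /dsgetdc:MyDomain.local /force   # run on a client; prints the DC and site chosen
```

A client that already cached the DR DC keeps using it until its locator cache expires or `nltest /dsgetdc ... /force` is run, so re-check after the cache refreshes rather than immediately.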