Replication across sites

w^rl0rd

Does anyone know or have an article on how to set this up:

I have two Win2k3 servers in seperate offices that I want to be on the same domain. They will basically need to replicate Active Directory across the internet. They are both connected via broadband.

Now, I am familiar w/ promoting them to DCs, but do I need to create persistent VPN connections on both? Has anyone done this or does anyone have some articles I can read to learn how to do this? Thanks.

agustinchernitsky

Hello,

Yes, you must use a VPN... replication contains important info and must be protected

I would do this:

1.- Set the DC on the first site
2.- Configure VPN endpoint in the first site (RRAS)
3.- Setup win2k3 on the branch office
4.- configure VPN and establish a VPN to the other office
5.- DCPROMO (use branch office DNS first, then you create a local DNS)
6.- Configure two sites according to the IP subnets (remember both sites must have different subnets)
7.- Watch event log for errors.

If your broadband connection is slow, you can use offline replication by using a backup of the systemstate and then run dcpromo /adv

Once you have finished, install DNS on the branch office, and create the same zone (ie contoso.local) to be AD integrated.

You can try this on a VMWARE first... so you avoid trouble

w^rl0rd

Silly question:
I know I need to create 2 sites; one for OfficeA and one for OfficeB.
Do I create both sites on the DC at OfficeA and then go over to OfficeB and create both sites again on that DC?

Or do I create one site on each DC?

Danman32

Site configuration should replicate. It may take up to 15 minutes though for the 2 locations to agree on the AD state.

w^rl0rd

This seems awefully complicated.

I found this article on technet: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx

Is this really the process I need to go through?
Has anyone actually done this?
Perhaps this is above my head at this point in my career.
I take it that this is some high level stuff here.

Danman32

This is a white paper, so it can have lots of verbage as it describes everything. If you are not using demand-dial routing, you can skip those parts. It's also assuming you are going to be using RRas to establish the VPN. If you have VPN appliances establishing the VPN, you can skip those parts too.

w^rl0rd

That was going to be my next question.
I currently have your typical home network setup: DSL modem to Router to Workstation. I guess I would have to set up RRAS as I don't
have a VPN router.

Danman32

You might have a problem with that then. Often the cheap routers won't let you forward VPN to a server behind the router. You can VPN out, but you can't VPN in.
But some can. They would probably have a preconfigured forwarding protocol or virtual server.

w^rl0rd

I have your standard 4-port Linksys switch/router.
I was hoping I could just open ports 1723 and 1701
to let the PPTP and L2TP traffic in.

blargoe

You would have to allow in IP protocol 47 for PPTP I believe, in addition to the TCP ports above. Your linksys might not let you do that.

Danman32

Linksys should have a predefined forwarder for that. Belkin though doesn't.

agustinchernitsky

If I were you, I would first setup the "physical" layout (VPN, DSL, etc)... try them very well... if you can, try them for a week (since DSL changes IP).

If everything runs smooth, then do the DC (Logical) part... if not, you will have problems with AD replication!

Danman32

I concur. Work in layers, one piece at a time. When building a house, first lay the foundation. Then add the outside walls, then the roof. Then the interior walls.

Your foundation here is a secure, reliable, unrestricted network link between the two sites.
Then reliable DNS resolution for AD domain.
Then joining remote servers to domain.
Then promoting one or more remote servers to DC
Then setting up sites.
Then optimizing DNS.