Replication across sites

w^rl0rd Member Posts: 329
Does anyone know or have an article on how to set this up:

I have two Win2k3 servers in separate offices that I want to be on the same domain. They will basically need to replicate Active Directory across the internet. They are both connected via broadband.

Now, I am familiar w/ promoting them to DCs, but do I need to create persistent VPN connections on both? Has anyone done this or does anyone have some articles I can read to learn how to do this? Thanks.

Comments

  • agustinchernitsky Member Posts: 299
    Hello,

    Yes, you must use a VPN... replication contains important info and must be protected :)

    I would do this:

    1.- Set up the DC on the first site
    2.- Configure the VPN endpoint in the first site (RRAS)
    3.- Set up Win2k3 in the branch office
    4.- Configure VPN and establish a VPN to the other office
    5.- DCPROMO (use the branch office DNS first, then create a local DNS)
    6.- Configure two sites according to the IP subnets (remember both sites must have different subnets)
    7.- Watch the event log for errors.

    If your broadband connection is slow, you can use offline replication by using a backup of the system state and then run dcpromo /adv

    Once you have finished, install DNS on the branch office, and create the same zone (ie contoso.local) to be AD integrated.

    You can try this on VMware first... so you avoid trouble :)
  • w^rl0rd Member Posts: 329
    Silly question:
    I know I need to create 2 sites; one for OfficeA and one for OfficeB.
    Do I create both sites on the DC at OfficeA and then go over to OfficeB and create both sites again on that DC?

    Or do I create one site on each DC?
  • Danman32 Member Posts: 1,243
    Site configuration should replicate. It may take up to 15 minutes though for the 2 locations to agree on the AD state.
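The site-and-subnet step in agustinchernitsky's list and the question of which DC to create the sites on are both covered by the script below. It is an added example, not code from anyone in this thread, and it assumes the ActiveDirectory PowerShell module (Server 2008 R2 with RSAT or later), which is newer than the Win2k3 boxes discussed here; the site names, subnets, DC name, link cost and interval are placeholders. Because sites, subnets and site links live in the Configuration partition, they are created once on any DC and replicate to the other office, which is why there is no need to repeat the step on the second DC.

```powershell
# Added example (not from the thread): create both AD sites, their subnets and
# a site link once, move the branch DC into its site, then check replication.
# Assumes the ActiveDirectory module (Server 2008 R2 / RSAT or newer); all names,
# subnets and the DC name are placeholders.
Import-Module ActiveDirectory

$sites = @{
    'OfficeA' = '192.168.10.0/24'   # placeholder subnet for the head office
    'OfficeB' = '192.168.20.0/24'   # placeholder subnet for the branch; must differ
}

# Sites and subnets are Configuration-partition objects: create them on one DC
# and let replication carry them to the other site.
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    $subnet = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $name
    }
}

# One site link joining the two sites over the VPN. Cost and interval are
# placeholders; a slow broadband link normally gets a longer interval.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'OfficeA-OfficeB'")) {
    New-ADReplicationSiteLink -Name 'OfficeA-OfficeB' `
        -SitesIncluded 'OfficeA', 'OfficeB' `
        -Cost 100 -ReplicationFrequencyInMinutes 60 `
        -InterSiteTransportProtocol IP
}

# The branch DC only lands in the right site once that site exists.
Move-ADDirectoryServer -Identity 'DC-OFFICEB' -Site 'OfficeB'   # placeholder DC name

# Step 7 of the list, "watch the event log for errors", plus a replication summary.
Get-ADReplicationFailure -Target 'DC-OFFICEB' |
    Format-Table Server, FirstFailureTime, FailureCount, LastError -AutoSize
repadmin /replsummary
Get-WinEvent -LogName 'Directory Service' -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Format-Table TimeCreated, Id, Message -AutoSize
```

Run it from an elevated session on either DC after the VPN is up and the branch server has been promoted; the Get-* checks make it safe to re-run, and an empty result from Get-ADReplicationFailure together with a clean repadmin summary is what "the two locations agree on the AD state" looks like.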
  • w^rl0rd Member Posts: 329
    This seems awfully complicated.

    I found this article on technet: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx

    Is this really the process I need to go through?
    Has anyone actually done this?
    Perhaps this is above my head at this point in my career.
    I take it that this is some high level stuff here.
  • Danman32 Member Posts: 1,243
    This is a white paper, so it can have lots of verbiage as it describes everything. If you are not using demand-dial routing, you can skip those parts. It's also assuming you are going to be using RRAS to establish the VPN. If you have VPN appliances establishing the VPN, you can skip those parts too.
  • w^rl0rd Member Posts: 329
    That was going to be my next question.
    I currently have your typical home network setup: DSL modem to Router to Workstation. I guess I would have to set up RRAS as I don't have a VPN router.
  • Danman32 Member Posts: 1,243
    You might have a problem with that then. Often the cheap routers won't let you forward VPN to a server behind the router. You can VPN out, but you can't VPN in.
    But some can. They would probably have a preconfigured forwarding protocol or virtual server.
  • w^rl0rd Member Posts: 329
    I have your standard 4-port Linksys switch/router.
    I was hoping I could just open ports 1723 and 1701 to let the PPTP and L2TP traffic in.
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    You would have to allow in IP protocol 47 for PPTP I believe, in addition to the TCP ports above. Your Linksys might not let you do that.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • Danman32 Member Posts: 1,243
    Linksys should have a predefined forwarder for that. Belkin though doesn't.
  • agustinchernitsky Member Posts: 299
    If I were you, I would first set up the "physical" layout (VPN, DSL, etc)... test it very well... if you can, test it for a week (since DSL changes IP).

    If everything runs smoothly, then do the DC (logical) part... if not, you will have problems with AD replication!
  • Danman32 Member Posts: 1,243
    I concur. Work in layers, one piece at a time. When building a house, first lay the foundation. Then add the outside walls, then the roof. Then the interior walls.

    Your foundation here is a secure, reliable, unrestricted network link between the two sites.
    Then reliable DNS resolution for the AD domain.
    Then joining the remote servers to the domain.
    Then promoting one or more remote servers to DC.
    Then setting up sites.
    Then optimizing DNS.