Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Urgent - AD change site disconnect [message #377724] Tue, 26 January 2010 13:24
James H (Junior Member)
I could really use some input regarding a change to our AD configuration. In
a cost-cutting measure we are going to terminate our site-to-site VPN service
with our provider. It is just too expensive to maintain. Currently we use
data and phone services over this link. For phone services we will be
forwarding calls to cell phones. I'm not sure, however, how AD will handle
this change. At this site we currently have one DC. I'm fine with it being
a separate network for now, but I'm not sure what the best configuration is.
Can I just break the link between sites? These users will still have an
internet connection using wireless broadband service, then be running VPN
clients to connect to the corporate office. Currently we only have one user
at this site. Any insight into how this will impact services will be
greatly appreciated.
Re: Urgent - AD change site disconnect [message #377748 is a reply to message #377724] Tue, 26 January 2010 12:48
RCan (Senior Member)
Hi James,

Generally, if the clients don't have a valid network path to the domain
controller they can't authenticate against your AD anymore :-(

If you want to "offer" your branch site domain services you need to:
1. Site-2-Site VPN (on demand)
Many routers support site-2-site tunnels via your normal internet connection
to your corporate network. The traffic will then be routed through the tunnel
to your domain controller.
AD Sites and Services:
many subnets, but 1 site

2. Remote DC (RODC)
You can also install your own domain controller, which only makes sense when
you have a high number of users in the office. If you are already running
Windows 2008 you can also use the new functionality called read-only domain
controller (RODC).
AD Sites and Services:
2 sites, 2 subnets assigned to each site
The replication can then be fully controlled via link costs and replication
interval. But again, here too you would require a valid network path between
the networks / subnets.

BUT there are also so many other important factors which you need to take
into your design decisions. Therefore I hope this gives you a general idea
of what options you could run....

Regards
Ramazan

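The "2 sites, 2 subnets, link cost and replication interval" layout from the reply above, as an added example that is not part of the thread. It uses the ActiveDirectory PowerShell module that ships with Windows Server 2012 or later RSAT (newer than the 2008-era tooling being discussed); the site names HQ and Branch, the subnets, and the link cost and interval are assumptions to adapt to your forest.

```powershell
# Added example, not from the thread: build the two-site topology with the
# ActiveDirectory module. Names, subnets, cost and interval are assumptions.
Import-Module ActiveDirectory

$hq        = 'HQ'             # assumed site name for the corporate office
$branch    = 'Branch'         # assumed site name for the remote office
$hqNet     = '10.1.0.0/16'    # assumed corporate subnet
$branchNet = '10.2.0.0/24'    # assumed branch subnet

# 1. Sites: one object per physical location (skip if it already exists).
foreach ($s in $hq, $branch) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$s'")) {
        New-ADReplicationSite -Name $s
    }
}

# 2. Subnets: the DC locator maps a client's IP to a site through these, so a
#    branch client picks its local DC instead of one across the tunnel.
New-ADReplicationSubnet -Name $hqNet     -Site $hq
New-ADReplicationSubnet -Name $branchNet -Site $branch

# 3. Site link: cost and interval are the knobs the reply refers to. A higher
#    cost makes the KCC prefer other routes when several exist; the frequency
#    (minutes, minimum 15) sets how often bridgehead DCs replicate over the link.
New-ADReplicationSiteLink -Name "$hq-$branch" `
    -SitesIncluded $hq, $branch `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# Take the branch out of DEFAULTIPSITELINK so replication follows the new link only.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Remove = $branch}

# Verify the result.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Whatever the cost and interval, the point of the reply still holds: the branch DC only stays healthy while the tunnel behind this site link actually carries traffic.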
Re: Urgent - AD change site disconnect [message #377772 is a reply to message #377748] Tue, 26 January 2010 14:13
James H (Junior Member)
Thanks for your response. We are using the VPN services from a provider, which
are very costly. We will eventually replace them with a site-to-site VPN using
SonicWall NSA products. However, in the interim I was looking at having a
separate network at the remote site; I was hoping to use AD, but it's not
required. Then on the remote network have clients connect utilizing
BlackBerry internet connections and a VPN client. This would allow them access
to both the remote site server and the corporate site. If I leave the DC at the
remote site and down the link, could the network get by, or should I down the
DC first? Or is this just a crazy thought? Your thoughts?

Re: Urgent - AD change site disconnect [message #377782 is a reply to message #377772] Tue, 26 January 2010 14:25
meiweb (Senior Member, Germany)
Hello James,

If you break the connection to the other DCs you run into replication problems,
at the latest after the tombstone lifetime; a DC must replicate to all other DCs.
Connectivity is also needed to refill the RID pool from the DC holding the
RID master FSMO role on each DC whose pool empties out.

So either demote the server (the clients are then not able to log on to the
domain if the connection is removed) or create remote access to the domain
with an RRAS server for the clients, which needs at least an internet connection
the clients are able to connect to.
RRAS should NEVER be installed on a domain controller, as you will run
into problems: a DC shouldn't be multihomed with multiple NICs, which is
what configuring RRAS on a DC does. Use a member server for RRAS instead.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


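The three things this reply warns about (tombstone lifetime, replication state, RID pool) can be measured on the branch DC before the link is cut. The script below is an added example, not part of the thread; it uses the ActiveDirectory PowerShell module (Windows Server 2012 or later RSAT), and the DC name BRANCH-DC01 is an assumption.

```powershell
# Added example, not from the thread: pre-disconnect health check for a DC.
# Requires the ActiveDirectory module; $dc is an assumed DC name.
Import-Module ActiveDirectory
$dc = 'BRANCH-DC01'   # assumed name of the branch domain controller

$root     = Get-ADRootDSE -Server $dc
$configNC = $root.configurationNamingContext

# 1. Tombstone lifetime. A DC that has not replicated for longer than this is
#    quarantined by its partners and has to be rebuilt, not just reconnected.
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
             -Properties tombstoneLifetime -Server $dc
# The attribute is absent on forests created before Windows 2003 SP1; AD then uses 60 days.
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# 2. Replication. When did this DC last replicate each partition with each partner?
Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

$stale = Get-ADReplicationPartnerMetadata -Target $dc |
    Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-$tsl) }
if ($stale) { Write-Warning "$dc has already exceeded the tombstone lifetime with some partners" }

# 3. RID pool. rIDAllocationPool packs the pool's high (upper 32 bits) and low
#    (lower 32 bits) RID; rIDNextRID is the next one this DC will hand out.
$dcObj  = Get-ADDomainController -Identity $dc
$ridSet = Get-ADObject "CN=RID Set,$($dcObj.ComputerObjectDN)" `
              -Properties rIDAllocationPool, rIDNextRID -Server $dc
$pool      = [int64]$ridSet.rIDAllocationPool
$high      = $pool -shr 32
$low       = $pool -band 0xFFFFFFFF
$remaining = $high - $ridSet.rIDNextRID
"RID pool {0}-{1}, next RID {2}, {3} remaining" -f $low, $high, $ridSet.rIDNextRID, $remaining
if ($remaining -lt 100) {
    Write-Warning "$dc will need the RID master soon; it cannot create new accounts once isolated"
}
```

A DC that is already behind on replication, or close to exhausting its RID pool, is the worst candidate to leave on the far side of a broken link: the first condition turns into a forced rebuild, the second into failed user and computer creation at the branch.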
Re: Urgent - AD change site disconnect [message #377799 is a reply to message #377772] Tue, 26 January 2010 13:42
RCan (Senior Member)
"James H" <JamesH@discussions.microsoft.com> wrote:
> However, in the interim I was looking at having a
> separate network at the remote site, I was hoping to use AD, but not
> required.

A separate network is generally a good idea :-)
On what basis do you decide here that the clients will not need AD anymore?
Are there no users who use resources (e.g. a file server) from your
domain environment? Are the clients currently domain members?

> Then on the remote network have clients connect utilizing
> Blackberry internet connections and VPN client. This would allow them
> access
> to both the remote site server and corporate site.

And each user will/can connect via VPN to your headquarters?

> If I leave the DC at the
> remote site and down the link could the network get by, or should I down
> the
> DC first? Or is this just a crazy thought. Your thoughts?

Trying to get you here....
Is there currently a DC? Do you currently have 2 domain controllers and 1
IP subnet? How are your Sites and Services configured right now?

If you need domain authentication you need connectivity to your domain
controller. If they don't have a connection, they will not be able to use
any domain-secured shared resources/services after a while (tombstoned),
until you grant everyone full control or users authenticate each
time :-(

Bottom line here is...... valid network path = domain membership
possible; no valid network path = no domain membership possible :-)

Regards
Ramazan
Re: Urgent - AD change site disconnect [message #377930 is a reply to message #377799] Tue, 26 January 2010 18:02
James H (Junior Member)
Currently one DC at the remote site, 3 at the main office. 2 different sites and
subnets. So if I down the link without demoting the DC, definite replication
problems would occur.

I think I will convince management we need at least a DSL line installed and
attach an available SonicWall. Then use site-to-site VPN over the internet,
rather than the private VPN network from our provider. What security risks do I
run, and what should I be aware of?
Re: Urgent - AD change site disconnect [message #377981 is a reply to message #377782] Tue, 26 January 2010 19:27
aceman (Senior Member, United States)

I agree, Meinolf. That is my main concern with this course of action,
disabling a VPN. I'm not sure if I read that he was planning to use RRAS on a DC
for a site-to-site tunnel VPN (which I disagree with as well, as it effectively
causes problems with the DC); however, I did see he mentioned a SonicWall,
which I believe is a good solution.

However, it appears there will be an interim where the provider VPN is down
prior to putting the SonicWall in place. Due to the replication issues that will
ensue during this interim, as you pointed out, I would possibly suggest
demoting the DC and allowing the clients to remote into the main campus. I
believe using the demoted DC as an RRAS/VPN server (only after demotion),
moved to the main campus, unless there's a member server that can be used
for this task at the main campus, will be fine until the SonicWalls are in
place and the tunnel is built; then RRAS/VPN can be disabled and the machine
promoted back into the domain.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
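The demote-now, re-promote-later sequence Ace proposes, with the checks that should precede it, as an added example that is not part of the thread. It uses the ADDSDeployment and ActiveDirectory PowerShell modules of Windows Server 2012 or later (the 2008-era equivalent is dcpromo with an answer file); BRANCH-DC01, HQ-DC01 and the site name Branch are assumptions.

```powershell
# Added example, not from the thread: checks before demoting the branch DC,
# the demotion itself, and the later re-promotion. Server names are assumptions.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$branchDc = 'BRANCH-DC01'   # assumed: the DC being demoted
$targetDc = 'HQ-DC01'       # assumed: a main-office DC that takes any FSMO roles

# 1. Never demote a DC that still holds an operations master role; move it first.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$held = $roles.GetEnumerator() | Where-Object { $_.Value -like "$branchDc.*" }
if ($held) {
    Write-Warning "$branchDc holds: $($held.Name -join ', '); moving to $targetDc"
    Move-ADDirectoryServerOperationMasterRole -Identity $targetDc `
        -OperationMasterRole ($held.Name) -Confirm:$false
}

# 2. Confirm the other DCs are reachable and note which ones are global catalogs
#    and DNS servers, since the branch clients will depend on them over the VPN.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize

# 3. Demote cleanly while the link is still up, so the DC's metadata is removed
#    through replication instead of an ntdsutil "metadata cleanup" later.
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password') `
    -Confirm:$false

# 4. Later, once the SonicWall tunnel is up and RRAS has been removed from this
#    box, promote it back into the branch site.
Install-ADDSDomainController -DomainName $domain.DNSRoot `
    -SiteName 'Branch' -InstallDns `
    -Credential (Get-Credential) `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
```

Step 3 is the one that cannot be undone cheaply: once the tunnel is gone, a DC that was not demoted first has to be forcibly removed and its metadata cleaned by hand, which is the replication mess both replies above are warning about.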