Discussion:
Adding a 2nd DC that will be deployed offsite and connected via VPN
John
2006-03-22 19:59:49 UTC
Setup:

Corporate
SBS2003 SP1


Offsite
Windows 2003 SP1

When I deploy the Windows 2003 server it will be a DC, DHCP, DNS, DFS and
File and Print server.

My question is that if I use the add server wizard and add this server and
make it another DC while at the corporate location before I ship it to the
other office, will I run into problems? Or am I better off waiting until I
get it offsite and have the remote people work with me to set it up? I
would prefer to set it up as much as possible here before I send it up
there.


Thanks


John
Ray Collins
2006-03-22 21:00:28 UTC
If you can build it with the final IP address while it's at the corporate
location then I would do it. If you can't then wait till you get there.
Changing IP address on a domain controller is a real pain.

HTH
Cris Hanna (SBS-MVP)
2006-03-23 01:04:43 UTC
Are you planning to do a hardware to hardware vpn??
Then connect at the corp office first...much easier
And I have no idea why Ray would suggest that changing the IP on a DC is a pain..., however there is no reason to have DNS on this DC...SBS doesn't play real well with multiple DNS servers
--
Cris Hanna [SBS-MVP]
--------------------------------------
Please do not respond directly to me, but only post in the newsgroup so all can take advantage
John
2006-03-23 03:42:42 UTC
Cris,

Yes this will be a hardware to hardware VPN. I am assuming that I am going
to create another site within Active Directory for that server and new
subnet?

Cris, if I don't run DNS what about Active Directory, DFS and so forth at
that site?



John
kj
2006-03-23 03:56:41 UTC
Huh? How is SBS's "play" with DNS any different than any other Active Directory Domain?

If the workstations in the remote site are going to be semi-autonomous (for authentication, printing, group policy, Home directories, etc) then the remote DC will need to have DNS, be a Global Catalog Server, and be in its own Active Directory defined Site with defined subnet(s).
--
/kj
Cris Hanna (SBS-MVP)
2006-03-23 19:34:26 UTC
Only in so much as that SBS wants all DNS pointed to it. SBS IP Config 101.
Certainly can have the other DC and it doesn't have to do DNS

I'm not suggesting you can't but many folks are doing hardware VPNs without having to set up and manage additional DNS, etc.
--
Cris Hanna [SBS-MVP]
kj
2006-03-24 18:08:08 UTC
A second Domain Controller with Active Directory integrated DNS replicates identical DNS information just like the other AD partitions. Once set up, there is no additional management involved. Nothing in this configuration changes the DNS focus of the SBS server. (AD DNS 101)

What it does do is provide the remote site a local and independent authentication authority as well as local and redundant DNS services. Everything SBS still resolves to the SBS server and all changes in the remote DNS server are replicated to the DNS of the SBS server. The remote DNS server only forwards to the ISP or root hints just like the SBS server DNS config.

The hardware VPN is a given, but should it fail, the remote site has no DNS, no authentication, no group membership enumeration, no group policy. They're pretty much workstation local until the VPN is back up. Additionally, without a local DC and DNS server, all DC content must traverse the VPN. All DNS lookups, all Group Policy, all login scripts, etc. This may be fine for a large, underutilized, and highly reliable connection between the two sites. But eventually the connection will saturate, fail, or become unreliable.
--
/kj
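The site, subnet and DNS dependency discussed in the replies above, as an added Python model that is not part of the original thread: it maps a client address to an AD site by most specific subnet, builds the SRV names the DC locator queries, and compares what a remote workstation can reach with the VPN up or down. The domain name `corp.example`, the subnets and the host names `sbs01` and `dc02` are constructed assumptions; cached logons and NetBIOS fallback are ignored.

```python
import ipaddress

DOMAIN = "corp.example"  # assumed AD DNS domain name (not from the thread)

# Constructed subnet -> site mapping, as it would be defined in AD Sites and Services.
SUBNETS = {
    "192.168.0.0/16": "Corporate",   # catch-all range
    "192.168.32.0/24": "Offsite",    # remote office behind the VPN
}

# Constructed DC inventory per site: does each DC host DNS / the Global Catalog?
WITH_LOCAL_DNS = {
    "Corporate": [{"name": "sbs01", "dns": True, "gc": True}],
    "Offsite": [{"name": "dc02", "dns": True, "gc": True}],
}
LOCAL_DC_NO_DNS = {
    "Corporate": [{"name": "sbs01", "dns": True, "gc": True}],
    "Offsite": [{"name": "dc02", "dns": False, "gc": True}],
}
NO_LOCAL_DC = {"Corporate": [{"name": "sbs01", "dns": True, "gc": True}]}


def site_for(ip, subnets=SUBNETS):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(cidr), site) for cidr, site in subnets.items()]
    hits = [(net.prefixlen, site) for net, site in nets if addr in net]
    return max(hits)[1] if hits else None


def srv_names(site, domain=DOMAIN):
    """DC locator SRV names: the client's own site first, then domain-wide."""
    names = [f"_ldap._tcp.dc._msdcs.{domain}"]
    if site:
        names.insert(0, f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    return names


def assess(ip, dcs, vpn_up):
    """What a client at ip can reach. Ignores cached logons and NetBIOS fallback."""
    site = site_for(ip)
    local = dcs.get(site, [])
    remote = [d for s, ds in dcs.items() if s != site for d in ds] if vpn_up else []
    reachable = local + remote
    dns = any(d["dns"] for d in reachable)
    return {
        "site": site,
        "dns": dns,
        "dns_is_local": any(d["dns"] for d in local),
        # DCs are found through DNS SRV records, so no DNS means no DC is located
        "dc_locatable": dns and bool(reachable),
        "gc": dns and any(d["gc"] for d in reachable),
    }


if __name__ == "__main__":
    client = "192.168.32.50"  # constructed workstation address at the remote office
    print(srv_names(site_for(client)))
    for label, dcs in [("DC+DNS", WITH_LOCAL_DNS), ("DC only", LOCAL_DC_NO_DNS),
                       ("no DC", NO_LOCAL_DC)]:
        for vpn_up in (True, False):
            print(label, "vpn_up" if vpn_up else "vpn_down", assess(client, dcs, vpn_up))
```

With the VPN down, only the inventory where the remote DC also hosts DNS leaves the remote workstation able to locate a DC.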
Ray Collins
2006-03-23 10:04:55 UTC
It should be easy to change the IP address, and when it works it is. BUT,
when you have multimaster replication going on between various domain
controllers it unfortunately can happen that you change the IP address in
the middle of something happening and things get screwed up.

It is all manually recoverable but if I have a choice when changing a DC IP
address I will do a dcpromo, change IP, then dcpromo again. Of course that
defeats the purpose of prebuilding :-)

If you have a large AD and/or slow WAN links Windows Server 2003 has a
feature called "Install from Media" and it's available by running DCPROMO
with the /adv switch. It's not a replacement for network replication, you
still need network connectivity.

To get maximum benefit from a DC in a remote site it should have DNS (hard
to avoid) and it should be a global catalogue server. You should also look
at the site links and consider tuning replication for out of hours.

HTH
John
2006-03-23 12:29:41 UTC
I think then I will ship the server to the remote site and coordinate with
the onsite tech to finish the install.

Thanks


John
John Chen [MSFT]
2006-03-23 14:25:24 UTC
Hello John,

Thank you for posting.

This question appears to be more consulting in nature. Please understand
that our newsgroups are provided for specific break/fix issues.

Although this newsgroup provides break/fix resolution, we are happy to
provide general information and suggestions on it here and you may receive
suggestions from other partners on this topic both here and in the public
newsgroup for this product. You may also receive assistance/information by
contacting our CSS advisory service at
<http://support.microsoft.com/gp/advisoryservice>.

Thank you for your understanding!

I am providing the following information as a convenience. I think you can
set up the DC at the remote office directly. In this way, you can test if
the VPN works fine and it can prevent you from changing any settings on the
Windows 2003 machine.

Sincerely,
John Chen, MCSE, MCSA, MCDBA, MCSD
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
John
2006-03-24 02:02:28 UTC
John,

I thought the private Microsoft newsgroups were specifically for break fix
and the public ones were more community oriented for the support. Am I
wrong on this?


Thanks


John
John Chen [MSFT]
2006-03-24 11:10:09 UTC
Hi John,

I am sorry that I didn't explain it clearly.

Actually, if a customer submits the issue via Technet credential, the post
will be considered as a Managed one by Microsoft, and followed up by Technet
support engineers. Contrarily, if you submit the issue with a normal
credential, the post will be regarded as a pure public one (handled by SBS
public support engineers). Consulting issues are not supported officially
by Technet support engineers; however, you can also benefit from others,
such as MVPs. SBS public newsgroup engineers can support simple advisory
posts, so if you would, please submit the request again by using a
non-Technet user credential. In doing so, our SBS public newsgroup support
engineers or other MVPs can help you on this issue.

In addition, you may also receive assistance/information by contacting our
CSS advisory service at
<http://support.microsoft.com/gp/advisoryservice>.

Sorry for the confusion and inconvenience. And I appreciate your
understanding.

Sincerely,
John Chen, MCSE, MCSA, MCDBA, MCSD
Microsoft Online Partner Support

John
2006-03-27 06:12:00 UTC
John,

What is a Non Technet user credential?


John
John Chen [MSFT]
2006-03-27 11:39:39 UTC
Hi John,

Our system will check the Display Name and Email Alias of a post. If the
information doesn't match any entry in our registration database, the post
will be regarded as a pure public post. So you can input any Display Names
and Email Aliases except the name and alias you used during registration.

Sincerely,
John Chen, MCSE, MCSA, MCDBA, MCSD
Microsoft Online Partner Support

John
2006-03-28 01:55:52 UTC
What registration database? Partners?


John