
So I'm not used to setting up DCs in multiple subnets/locations, and I was hoping to get some guidance. I'm just messing with virtual servers for the time being.

DC1 = Apollo
DC2 = Cronos

Pre-AD Config

Firewall:
Green -> 192.168.0.15
Purple -> 192.168.3.15

DC1 (initial setup):
IP: 192.168.0.1
SN: 255.255.255.0
GW: 192.168.0.15
DNS: 192.168.0.15 (this will change, only used for initial setup)

DC2 (initial setup):
IP: 192.168.3.1
SN: 255.255.255.0
GW: 192.168.3.15
DNS: 192.168.0.1 (note this is the IP of DC1)

DC1

So I start by installing the ADDS role, and promoting DC1 as the new root domain of dev.local.

I install DNS, GC (not really an option for the first server is it?). Doesn't create a DNS delegation zone, NetBIOS name is DEV, keep paths as default.

After installing and restarting DC1, it sets the preferred DNS to 127.0.0.1 but I change this to the actual IP 192.168.0.1

DC2

I install ADDS, and promote it to a domain controller within an existing domain.

I assume it can detect dev.local because my DNS points through.

Here is where I am uncertain, should I install the DNS and GC for this second site? Because ideally this would be at a separate physical site, it would be ideal, right? What options?

Paths, additional options, are all defaults.

Post Config

Firewall:
Green -> 192.168.0.15
Purple -> 192.168.3.15

DC1:
IP: 192.168.0.1
SN: 255.255.255.0
GW: 192.168.0.15
DNS: 192.168.3.1 / 192.168.0.1

DC2:
IP: 192.168.3.1
SN: 255.255.255.0
GW: 192.168.3.15
DNS: 192.168.0.1 / 192.168.3.1

Testing

Running the AD Replication Status Tool at this point gives zero error messages and everything seems to be running fine for the forest.

Sites and Services

I could have done this on DC1 before promoting DC2, and just choose the server at that point.

  1. I renamed Default-First-Name-Site to Atlanta
  2. I added 192.168.0.0/24 subnet to Atlanta
  3. I added a new site Copenhagen connected on the DEFAULTIPSITELINK
  4. I added 192.168.3.0/24 subnet Copenhagen
  5. Finally, I moved Cronos to the Copenhagen site.

Special Note

I noticed that after doing this, my AD Replication Status Tool would give me 8524 and 1908 error messages. However, I seemed to be able to fix that by going into the DNS servers and deleting the dev.local/_sites/Default-First-Name-Site entry, which mistakenly still listed DC2.

Forcing a replication and waiting a little bit leaves me with a happy domain structure.

Can anyone see anything wrong with this setup? Best practices?

I feel that my DNS settings should be swapped (local first, then remote branch).

Cheers!

Kyle Johnson

1 Answer


From reading your post, here are some quick tips for you:

Don't name your domain .local, or any other fake TLD.

All DCs should be GCs.

Don't delete stuff willy-nilly out of Active Directory just because you think it's taking too long to replicate. Be patient and let AD do what it does.

Domain controllers should have 127.0.0.1 as one of their DNS servers, but not as the first entry. Primary DNS for the DC should be a different domain controller. Localhost should be second. That's verbatim out of the Best Practices Analyzer for Directory Services. Which brings me to...

Use the Best Practices Analyzers. You can find them in Server Manager or you can run them from PowerShell.

Ryan Ries
Thanks Ryan, I was not aware using .local was a bad practice to separate internal from external. But doing some reading it does make more sense to set up internal.corp.mycompany.com. – Kyle Johnson Mar 20 '13 at 03:39
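As an added example (not part of the question or of Ryan's answer), here is a PowerShell script that performs the five Sites and Services steps from the question and then runs the checks the answer recommends: the DNS client order rule from the Directory Services BPA, a replication failure query, and the BPA itself. It assumes Windows Server 2012 or later with the ActiveDirectory, DnsClient, NetTCPIP and BestPractices modules, run from an elevated prompt on a DC; the site, subnet and server names are the ones in the question.

```powershell
# Added example, not the poster's own configuration. Run elevated on a DC.
Import-Module ActiveDirectory

# --- Sites and Services: the five manual steps, written to be re-runnable ---
$hqSite     = 'Atlanta';    $hqSubnet     = '192.168.0.0/24'
$branchSite = 'Copenhagen'; $branchSubnet = '192.168.3.0/24'
$branchDC   = 'CRONOS'      # DC2 from the question

$defaultSite = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($defaultSite) { $defaultSite | Rename-ADObject -NewName $hqSite }

if (-not (Get-ADReplicationSite -Filter "Name -eq '$branchSite'")) {
    New-ADReplicationSite -Name $branchSite
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $branchSite}
}
foreach ($pair in @(@($hqSubnet, $hqSite), @($branchSubnet, $branchSite))) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($pair[0])'")) {
        New-ADReplicationSubnet -Name $pair[0] -Site $pair[1]
    }
}
Move-ADDirectoryServer -Identity $branchDC -Site $branchSite
# After the move, run `nltest /dsregdns` on the moved DC so Netlogon re-registers
# its site-specific SRV records, rather than deleting _sites entries by hand.

# --- DNS client order on this DC (BPA rule quoted in the answer):
#     a partner DC first, 127.0.0.1 present but not first ---
$myIPs  = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$dcIPs  = (Get-ADDomainController -Filter *).IPv4Address
$dns    = (Get-DnsClientServerAddress -AddressFamily IPv4 |
           Where-Object ServerAddresses).ServerAddresses
$first  = $dns | Select-Object -First 1
$issues = @()
if ($first -eq '127.0.0.1' -or $first -in $myIPs) {
    $issues += "first DNS entry ($first) points at this DC; list a partner DC first"
} elseif ($first -notin $dcIPs) {
    $issues += "first DNS entry ($first) is not a domain controller"
}
if ('127.0.0.1' -notin $dns) { $issues += '127.0.0.1 is missing from the DNS server list' }
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'DNS client order OK' }

# --- Replication health and the Directory Services BPA ---
Get-ADReplicationFailure -Scope Forest |
    Format-Table Server, Partner, FailureCount, LastError -AutoSize
Invoke-BpaModel -ModelId 'Microsoft/Windows/DirectoryServices' | Out-Null
Get-BpaResult -ModelId 'Microsoft/Windows/DirectoryServices' |
    Where-Object { $_.Severity -ne 'Information' } |
    Format-Table Severity, Category, Title -AutoSize
```

Run the DNS check on each DC in turn, since the correct first entry differs per server (Apollo should list Cronos first and vice versa).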