1 Domain, 2 Sites, 2 DC's - Advice Please

Thanks in advance to anyone who can provide some thoughts.
I have a customer who will be expanding his business into two physically separate locations. We are operating from a limited budget and I'm having to do everything on the cheap. As a result, I must design the network such that we use a single DC in Site 1 and another DC in Site 2. I believe it is probably best if I could install 2 DCs at each site, but there's not enough cash to work with. I'm aware that even if this works, it may well mean severely degraded performance for the users at the site with the failed DC.
Questions:
1. Is there a practical way - with this limited configuration - to ensure users at Site 1 can still log in to the domain using the DC from Site 2 and vice versa?
2. What steps do I need to take to ensure clients at the "down" site are able to see the DC at Site 2?
3. What steps do I need to take to ensure minimal downtime if/when one of the DCs goes down?
4. What, if anything, do I need to be aware of once I bring the failed DC back up?
Note: I'm planning on using small business grade VPN routers at each site for site-to-site security purposes.

Thanks for your help! - David

June 9th, 2012 1:36pm
Hi,
I would think that a site-to-site VPN setup on the two routers at each site would work; just use the router as secondary DNS at each site.
Cheers
Jason

June 9th, 2012 3:14pm
That makes sense. Will it matter if the DC at Site 2 is on a different subnet? I suppose not, as long as I have ports forwarded properly.

June 9th, 2012 3:53pm
If the VPN router were good enough, it would deal with the NAT also.

Cheers
Jason

June 9th, 2012 4:23pm
What has this got to do with port forwarding? If you have a site-to-site VPN properly configured, the two sites must be in different IP subnets, and you will have normal routing between the two subnets. It will work just like any two subnets connected by an IP router (only slower). That is what VPN means: a virtual private network. The VPN link emulates a direct cable connection between the sites. The link through the Internet is completely transparent to the machines in each site.

Bill

June 9th, 2012 5:58pm
I use OpenVPN, which is a free bit of software, and installed as a virtual machine it requires that you forward port 1723 to it. So I suppose it depends on how the VPN is achieved.
Cheers
Jason

June 10th, 2012 12:57am
Hello,
either you have to use a VPN connection for the sites or routers to connect them; important is that the AD required ports according to http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx are open.

1. Logon/authentication requires DNS as the first step, so ensure both DCs are also DNS servers and clients are configured to use the site DNS as preferred and the other one as secondary DNS on the NIC.
2. Besides DNS, it is important that AD Sites and Services is configured with all subnets, and sites are created where the DCs are moved to:
http://technet.microsoft.com/en-us/library/cc730868.aspx
http://blogs.technet.com/b/askds/archive/2011/04/29/sites-sites-everywhere.aspx
Also important is that replication is working correctly:
http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx
and that you should use the default topology, unless you have specific requirements to change it:
http://blogs.technet.com/b/markmoro/archive/2011/08/05/you-are-not-smarter-than-the-kcc.aspx
3. See 1 and 2, that's it.
4. For AD-aware backup it is important NOT to use snapshots/images/clones of the machines (USN rollback problem: http://technet.microsoft.com/en-us/library/dd348479(WS.10).aspx); the minimum is the system state:
http://technet.microsoft.com/en-us/library/cc753359(WS.10).aspx

Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog:
http://msmvps.com/blogs/mweber/


Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

June 10th, 2012 4:21am
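A worked PowerShell pass over the steps listed in the answer above (port reachability across the VPN, DNS order on the NIC, sites and subnets, replication health, system state backup), added here as an example; it is not code from the thread or from the linked Microsoft articles. It assumes Windows Server 2012 R2 or later with the ActiveDirectory module (RSAT) and the Windows Server Backup feature installed; the site names, subnets, DC names, IP addresses and backup volume are placeholders to replace.

```powershell
# Added example: two-site, two-DC domain checks and configuration.
# Assumes the ActiveDirectory, DnsClient and NetTCPIP modules are available.
Import-Module ActiveDirectory

# --- Placeholders (constructed values): adjust to your environment ---
$Site1 = 'Site1'; $Site1Subnet = '192.168.10.0/24'; $Dc1 = 'DC1'; $Dc1Ip = '192.168.10.5'
$Site2 = 'Site2'; $Site2Subnet = '192.168.20.0/24'; $Dc2 = 'DC2'; $Dc2Ip = '192.168.20.5'

# 1. AD-dependent TCP ports that must pass through the site-to-site VPN.
#    Run from a machine in Site 1 against the Site 2 DC, then the reverse.
#    Test-NetConnection only probes TCP; UDP 53/88/123/389 must be verified
#    separately (e.g. nslookup against the remote DC for UDP DNS).
$AdPorts = [ordered]@{ DNS=53; Kerberos=88; RPC=135; LDAP=389; SMB=445; KPasswd=464; LDAPS=636; GC=3268 }
foreach ($entry in $AdPorts.GetEnumerator()) {
    $ok = (Test-NetConnection -ComputerName $Dc2Ip -Port $entry.Value -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-8} TCP/{1,-5} {2}' -f $entry.Key, $entry.Value, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 2. DNS: the local site's DC is preferred, the other site's DC is secondary.
#    Run on a Site 1 member; swap the order on Site 2 members.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses ($Dc1Ip, $Dc2Ip)

# 3. Sites and subnets, so clients locate the DC in their own site and
#    the KCC builds an inter-site link with the default topology.
foreach ($s in $Site1, $Site2) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$s'")) { New-ADReplicationSite -Name $s }
}
New-ADReplicationSubnet -Name $Site1Subnet -Site $Site1
New-ADReplicationSubnet -Name $Site2Subnet -Site $Site2
# Both DCs start in Default-First-Site-Name; move each into its own site.
Move-ADDirectoryServer -Identity $Dc1 -Site $Site1
Move-ADDirectoryServer -Identity $Dc2 -Site $Site2

# 4. Replication health: overall summary, per-partner failures, and last
#    success per partition. Re-run this after a DC has been offline.
repadmin /replsummary
Get-ADReplicationFailure -Target $Dc1, $Dc2 |
    Format-Table Server, Partner, FailureCount, LastError -AutoSize
Get-ADReplicationPartnerMetadata -Target $Dc1 -Partition * |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult

# 5. System state backup on each DC (never a VM snapshot, to avoid USN rollback).
#    wbadmin is built in; the target is a dedicated volume, here E:.
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

Steps 1 and 4 are the ones worth scheduling: the port probe from each side tells you whether the VPN still carries the traffic a cross-site logon needs, and the replication queries show whether the DC that came back is converging rather than silently diverging.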
I'll keep all of this in mind when we implement. Thanks!

June 10th, 2012 5:35am
