Windows 2003 - 2 DC behind NAT but members of the same domain

By msole
I have two domain controllers at 23 different locations. Both behind firewalls using NAT.

I have users that go back and forth between both domains.

I need both DCs to be able to authenticate the same list of users and process Group Policy.

I thought having the 2 servers connected via a VPN would solve the problem, but no.

Can anyone provide me with tips or a walkthrough on how to do this?


All Answers


go to Microsoft Technet

by CG IT In reply to Windows 2003 - 2 DC behin ...

then search for replicate DCs over WAN link.

DCs in the same domain want to replicate data. In fact it's done automatically if they're on the same subnet.

With your setup, you have to have the DC use a WAN link. There are many articles on Microsoft's Technet site which will give you the "how to".


A bit of info

by Dumphrey In reply to Windows 2003 - 2 DC behin ...

are all of these in the same domain? And are they all in the same site?
Are the users logging into different domains depending on location? Or is it the same domain all around?
First check to see if you have replication between DCs: Admin Tools, AD Sites and Services. Look to see if you have 22 connectors in Site Transports (23 servers minus the one you are on). You can limit it to less by assigning a single server in each site as a bridgehead server, and they will replicate back and forth.
Replmon is a great tool for this; it's in the Server 2003 Support Tools.
If the servers are not replicating, your user info will not be available.


More details

by msole In reply to A bit of info

these are 2 domain controllers

members of the same domain

in different physical locations

both separated by firewalls and NAT

I tried to connect them with a PPTP tunnel thinking that would do it but I am having additional problems.

Okay

by Dumphrey In reply to More details

they are in different physical locations, so I would bet replication is not occurring properly. Over a WAN link you would want to use SMTP not IP.
See if this helps any.
I would almost guarantee replication is the problem if they are in different sites as well.


Getting closer to an answer! SMTP it is!

by msole In reply to Okay

Yeah I was coming to this same conclusion.

However I am having a tough time finding a good guide for doing SMTP replication as I have never done it.

The article you provided really doesn't show how. Could you please suggest another?

Thanks for your help!


Close but no cigar

by msole In reply to Getting closer to an answ ...

So after further review, replication via SMTP is insufficient as it does not replicate the whole AD just users and groups. It would need 2 domains, one for each location and then establish trust.

According to my research, replication of AD over a T1->DSL should be more than enough bandwidth, but I am still running into some issues.

Anyone out there have any experience with AD over a high speed WAN link using a PPTP tunnel?


On either of the two

by Dumphrey In reply to Getting closer to an answ ...

servers involved, when you go into AD sites and services, do you have much there? There should be the other server listed and a "connector" object as well.

Some more articles: (terms explained)

After giving those 3 a good once-over, head to your AD Sites and Services control panel, and browse around and get familiar with what's there. After looking it should be pretty simple to get basic replication going. And remember, you can have multiple links to other sites; you are not limited to connecting to one site. Just make sure you set the schedules to not overlap too much and swamp your bandwidth.


Fixed (mostly)

by msole In reply to On either of the two

Well it appears as if it was a simple solution. I needed to make the second DC a global catalog server. I had someone tell me once you were only supposed to have one GCS per network, apparently he was very wrong. I still get a variety of errors when I run dcdiag but the SYSVOL and NETLOGON shares are replicating.

Now I just need to get DFS running so I can have a single point of access for file shares but that seems easy enough.

The last question I have is, should each DC host DNS and should each DC point to itself for DNS?


Global Catalog general rule

by Dumphrey In reply to Fixed (mostly)

is one GC per site, not per network, as you can have 3 or 4 geographically different locations, in several sites, all on the same subnet, but each needing a GC.

I would set this up as each site/location should have a local DNS server, Active Directory integrated, and point it to your ISP DNS for DNS forwarding. Ideally, you could have a master site that all other sites could forward to, and then it would forward to the net: slower but more secure. And yes, I would point each DC to itself for DNS, as DNS will be pointing to an external server for external addresses.
I would spend at least several hours reading up on DNS; it's the backbone of a Windows network. Bad DNS == bad Active Directory or no working AD. Especially come to terms with primary vs. secondary and stub zones, as well as read-only. A DNS server should only be able to be modified by machines in its site, or a master "site", or manually by an admin. Example: I have 2 sites, 2 domains, and 2 physical locations. Each location has a primary DNS zone that is authoritative for that domain, but each DNS server also contains a read-only version of the other domain, replicated through AD since they are in the same forest. So domainA can manage and change DNS info for domainA, and can read and send out current info for domainB, but not make any changes to that info, and vice versa.
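The checks the replies keep coming back to (inbound replication partners in AD Sites and Services, one GC per site, each DC using itself for DNS, SYSVOL/NETLOGON actually shared) can be gathered in one script run on each DC. This is an added example, not code from the thread; it assumes it runs locally on a DC as a domain admin with repadmin.exe on the PATH and Windows PowerShell available, and the repadmin CSV column names used below are an assumption about that tool's output.

```powershell
# Added example (not from the thread): per-DC health check for replication,
# global catalog role, DNS client settings and the SYSVOL/NETLOGON shares.
# Assumes: run locally on the DC, Windows PowerShell, repadmin.exe on PATH.

function Get-ReplicationStatus {
    # repadmin /showrepl /csv (column names assumed) lists one row per inbound
    # connection and naming context; no rows means no partner is configured,
    # which is what a missing connection object in Sites and Services looks like.
    $rows = & repadmin /showrepl /csv | ConvertFrom-Csv
    if (-not $rows) {
        Write-Warning 'No inbound replication partners found; check AD Sites and Services for a connection object.'
        return
    }
    foreach ($r in $rows) {
        $state = if ([int]$r.'Number of Failures' -gt 0) { 'FAILING' } else { 'ok' }
        '{0,-8} {1,-12} {2,-22} {3,-5} {4}' -f $state, $r.'Source DSA Site',
            $r.'Source DSA', $r.'Transport Type', $r.'Naming Context'
    }
}

function Test-GlobalCatalog {
    # NTDS sets this value to 1 once the DC has finished becoming a GC.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    return ($p.'Global Catalog Promotion Complete' -eq 1)
}

function Test-DnsPointsToSelf {
    # Compare each enabled adapter's DNS server list with this DC's own IPv4 addresses.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    $own = $cfg | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
    foreach ($c in $cfg) {
        $dns = @($c.DNSServerSearchOrder)
        $self = @($dns | Where-Object { ($own -contains $_) -or ($_ -eq '127.0.0.1') }).Count -gt 0
        '{0}: DNS servers={1} pointsToSelf={2}' -f $c.Description, ($dns -join ','), $self
    }
}

function Test-SysvolShares {
    # Both shares must exist for Group Policy to be served from this DC.
    $names = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
    foreach ($s in 'SYSVOL', 'NETLOGON') { '{0} shared: {1}' -f $s, ($names -contains $s) }
}

'== Replication partners =='; Get-ReplicationStatus
'== Global catalog: {0}' -f (Test-GlobalCatalog)
'== DNS client settings =='; Test-DnsPointsToSelf
'== Shares =='; Test-SysvolShares
```

Run it on both DCs and compare: each should list the other as a source DSA with zero failures, report the GC role, and point to its own address for DNS.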
