I don't understand why you want to use a child domain in the factory location. 
Can you tell us the reason(s)? In my opinion there is no need for that. 
Remember what I said: "for redundancy purposes you at least need 2 DCs for each 
domain". For the scenario you want to implement (2 domains) you at least need 4 
DCs to service about 60 users. For your environment 2 DCs would be enough, when 
also thinking about hardware costs, maintenance, licenses, etc.
 
When talking about the scenario I explained earlier, 2 DCs total, 1 DC for each 
location, you could do the following:
 
In the HQ location install the first DC by:
* Install Windows 2003 with SP1 on some hardware, install DNS, WINS and DHCP on 
the DC (DC01)
* TCP/IP settings for DC01 (IPs are examples):
       * IP 70.0.1.1
       * Netmask 255.255.255.0
       * DNS preferred: 70.0.1.1, DNS alternate: 70.0.2.1 (the alternate DNS is 
the other DC at the other location)
       * WINS primary: 70.0.1.1, don't configure a secondary!
* In DNS configure the following zones (again examples as the names are!):
       * MYDOMAIN.LOCAL (primary and allow dynamic updates)
       * _MSDCS.MYDOMAIN.LOCAL (primary and allow dynamic updates)
* DCPROMO DC01 to a DC (DNS NAME domain = MYDOMAIN.LOCAL, NetBIOS name = 
MYDOMAIN) (new forest, new domain, first DC)
* After reboot configure the zones as follows:
       * MYDOMAIN.LOCAL (AD-integrated, replication scope = DNS in domain, 
allow SECURE dynamic updates)
       * _MSDCS.MYDOMAIN.LOCAL (AD-integrated, replication scope = DNS in 
forest, allow SECURE dynamic updates)
* Authorize DC01 as DHCP server
* Configure DDNS credentials on DC01
* Configure the DHCP scope on DC01 for the clients in HQ location by creating a 
scope with ALL available IP addresses (example)
      * DHCP scope = HQ location
      * range 70.0.1.101 - 70.0.1.150
      * Exclude 70.0.1.141 - 70.0.1.150 (=20%)
      * Netmask 255.255.255.0
      * Default gateway = 70.0.1.254
      * Domain name = MYDOMAIN.LOCAL
      * Default lease period = 8 days
      * DNS = 70.0.1.1 & 70.0.2.1
      * WINS = 70.0.1.1 & 70.0.2.1
* Configure the DHCP scope on DC01 for the clients in FACTORY location by 
creating a scope with ALL available IP addresses (example)
      * DHCP scope = FACTORY location
      * range 70.0.2.101 - 70.0.2.150
      * Exclude 70.0.1.101 - 70.0.1.140 (=80%)
      * Netmask 255.255.255.0
      * Default gateway = 70.0.2.254
      * Domain name = MYDOMAIN.LOCAL
      * Default lease period = 8 days
      * DNS = 70.0.2.1 & 70.0.1.1
      * WINS = 70.0.2.1 & 70.0.1.1

In the FACTORY location install the first DC by:
* Install Windows 2003 with SP1 on some hardware, install DNS, WINS and DHCP on 
the DC (DC02) (same forest, additional DC for existing domain)
* TCP/IP settings for DC02 (IPs are examples):
       * IP 70.0.2.1
       * Netmask 255.255.255.0
       * DNS preferred: 70.0.2.1, DNS alternate: 70.0.1.1 (the alternate DNS is 
the other DC at the other location)
       * WINS primary: 70.0.2.1, don't configure a secondary!
* DCPROMO DC02 to a DC (DNS NAME domain = MYDOMAIN.LOCAL, NetBIOS name = 
MYDOMAIN)
* Authorize DC02 as DHCP server
* Configure DDNS credentials on DC02
* Configure the DHCP scope on DC02 for the clients in HQ location by creating a 
scope with ALL available IP addresses (example)
      * DHCP scope = HQ location
      * range 70.0.1.101 - 70.0.1.150
      * Exclude 70.0.1.101 - 70.0.1.140 (=80%)
      * Netmask 255.255.255.0
      * Default gateway = 70.0.1.254
      * Domain name = MYDOMAIN.LOCAL
      * Default lease period = 8 days
      * DNS = 70.0.1.1 & 70.0.2.1
      * WINS = 70.0.1.1 & 70.0.2.1
* Configure the DHCP scope on DC02 for the clients in FACTORY location by 
creating a scope with ALL available IP addresses (example)
      * DHCP scope = FACTORY location
      * range 70.0.2.101 - 70.0.2.150
      * Exclude 70.0.1.141 - 70.0.1.150 (=20%)
      * Netmask 255.255.255.0
      * Default gateway = 70.0.2.254
      * Domain name = MYDOMAIN.LOCAL
      * Default lease period = 8 days
      * DNS = 70.0.2.1 & 70.0.1.1
      * WINS = 70.0.2.1 & 70.0.1.1
 
On the router at the HQ location configure the DHCP relay option (or IP helper) 
to point at DC02 (70.0.2.1) and if possible configure a delay
On the router at the FACTORY location configure the DHCP relay option (or IP 
helper) to point at DC01 (70.0.1.1) and if possible configure a delay
 
On DC01 configure for WINS, DC02 as push/pull replication partner with the 
default values
On DC02 configure for WINS, DC01 as push/pull replication partner with the 
default values

I think not, but I may have forgotten something.
 
Well, you can do a network trace to see the traffic between a client and a DC. 
Free network tracers are available, like Ethereal and Packetyzer.
 
Good luck!
 
Cheers,
Jorge
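As an added example (not part of Jorge's post), the Python check below takes the scope and exclusion figures from the post above as constructed data and verifies, per location, that the two DCs' copies of a scope neither lease the same addresses nor leave any address unserved, which is what the 80/20 rule relies on. Run against the figures exactly as written, it flags DC01's FACTORY scope, whose exclusion is typed in 70.0.1.x rather than 70.0.2.x and therefore excludes nothing.

```python
from ipaddress import IPv4Address as IP
from typing import NamedTuple


class Scope(NamedTuple):
    """One server's copy of a location's DHCP scope (all bounds inclusive)."""
    server: str
    location: str
    start: str
    end: str
    excl_start: str
    excl_end: str


def addresses(start, end):
    """Every address from start to end inclusive (empty when end < start)."""
    return {IP(a) for a in range(int(IP(start)), int(IP(end)) + 1)}


def offered(s):
    """Addresses this server will actually lease: scope range minus its exclusion."""
    return addresses(s.start, s.end) - addresses(s.excl_start, s.excl_end)


def check_split(a, b):
    """Validate two servers' copies of one scope; returns (problems, share per server)."""
    problems = []
    for s in (a, b):
        if not (IP(s.start) <= IP(s.excl_start) <= IP(s.excl_end) <= IP(s.end)):
            problems.append(f"{s.server} {s.location}: exclusion {s.excl_start}-{s.excl_end} "
                            "lies outside the scope range, so nothing is excluded")
    pool, oa, ob = addresses(a.start, a.end), offered(a), offered(b)
    if oa & ob:
        problems.append(f"{a.location}: {len(oa & ob)} addresses offered by both servers")
    if pool - (oa | ob):
        problems.append(f"{a.location}: {len(pool - (oa | ob))} addresses offered by neither")
    return problems, {s.server: 100 * len(o) // len(pool) for s, o in ((a, oa), (b, ob))}


# Constructed from the figures in the post above; DC01's FACTORY exclusion is kept as written.
SCOPES = [
    Scope("DC01", "HQ", "70.0.1.101", "70.0.1.150", "70.0.1.141", "70.0.1.150"),
    Scope("DC01", "FACTORY", "70.0.2.101", "70.0.2.150", "70.0.1.101", "70.0.1.140"),
    Scope("DC02", "HQ", "70.0.1.101", "70.0.1.150", "70.0.1.101", "70.0.1.140"),
    Scope("DC02", "FACTORY", "70.0.2.101", "70.0.2.150", "70.0.2.141", "70.0.2.150"),
]


def check_all(scopes=SCOPES):
    """Pair each location's two scope copies (by server name) and validate the split."""
    out = {}
    for loc in sorted({s.location for s in scopes}):
        a, b = sorted((s for s in scopes if s.location == loc), key=lambda s: s.server)
        out[loc] = check_split(a, b)
    return out
```

Calling `check_all()` returns, per location, the findings and each DC's percentage of the pool; a clean 80/20 split yields no findings and shares of 80 and 20.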

________________________________

From: [EMAIL PROTECTED] on behalf of rania
Sent: Sun 10/16/2005 3:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/ Sites & Services




Thanks for your reply.

Your reply is more than perfect & really you are very helpful.

Actually, I do not want the user authentication to be done over the wireless
link.

I mean the user in Location A, when he logs in in the morning, I want him
to go and speak to the DNS which is located in the Factory and then the DNS
will reply to him by giving the DC which is located in the Factory.

So I do not want the authentication traffic to travel from Location A to
Location B.

2- I have in Location A, which is the Head office, 30 users with this domain
name ( MYDOMAIN.COM ), and we bring 2 domain controllers to work as backup in
the Head office.

3- In the FACTORY or in LOCATION B, I have 20 users and a child domain with
this name ( child.mydomain.com ) and one domain controller only in this
location.

4- I am unable to imagine exactly how I can do that, so can you guide me on
this?

5- Is there any software I can use to trace the traffic and see that this user
is now talking to this DNS and asking for the domain controller?




> Hi Rania,
>
> One forest with one domain should do it for you and make all DCs a GC
>
> The site and replication topology is used:
> * By DCs so they know with which DC to replicate within a site
> and between sites
> * By clients/servers to find the "nearest" DC for
> authentication, GPOs, etc.
>
> Now we need to define "nearest"....
>
> The clients get the nearest DC by querying DNS. If the clients don't
> know what site they are in (mostly when joining) they ask DNS: "give
> me a DC for domain X". If they have discovered the site they are in
> they ask DNS: "give me a DC for domain X in site Y"
>
> In your situation, having 2 locations separated by a wireless
> connection, you have the following possibilities:
> (1) Create 1 overall site for both locations and assign the subnets
> of the locations to that site
> (2) Create 2 sites, one for each location and assign the subnets of
> each location to the corresponding site
>
> (1)
> The answer for the query for "give me a DC for domain X" and "give
> me a DC for domain X in site Y" is the same. Assuming you have DCs
> at both locations a client in location A can be serviced by a DC in
> location A and B. So authentication across the wireless connection
> is a possibility! I don't think you want that
>
> (2)
> Assuming again you have DCs at both locations, the query for "give
> me a DC for domain X" and "give me a DC for domain X in site Y" will
> have different answers. In this case the client will be
> authenticated (and etc.) by a DC local to its own site.
>
> A best practice and highly recommended is to have AT LEAST 2 DCs for
> each domain and also to backup AT LEAST 2 DCs for each domain. In
> your case it is unknown to us how many users you have in your
> organization (at both locations) so it is difficult to say how many
> DCs each location should get.
> * If you always need authentication within a site in the situation
> a DC might crash, use 2 DCs for each location. Might be rather
> expensive if the organization is small.
> * If you have a location with many users and a location with few users
> you could install 2 DCs at the "many users location" and 1 DC at the
> "few users location". If one of the DCs in the "many users location"
> drops dead you still have the second DC to authenticate locally. If
> the DC in the "few users location" drops dead you will need to
> authenticate across the wireless connection.
> * If both locations have not that many users and you want to spend
> that much money on DCs, you could install just 1 DC at each location
> where each DC must be able to service users/clients/servers in both
> locations if one of the DCs drops dead.
>
> From what you have told us and what I have read I think the following would
> be OK:
> * 1 DC at each location
> * 1 AD site for each location
> * Assign subnets of each location to its corresponding AD site
> * Use the default IP site link and assign both sites to it and
> configure the site link accordingly for replication between the
> sites (cost, schedule, interval)
> * Combine DC, DNS, WINS, DHCP on one server and if needed/wanted set up
> DHCP redundantly using the 80/20 rule
>
> I hope this takes away your confusion
>
> Cheers,
> Jorge
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of rania
> Sent: Sun 10/16/2005 2:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] AD/ Sites & Services
>
> Dear All,
>
> I have here in my company 2 separate locations, the first one is the Head
> Office, the second one is the Private office.
>
> The head office has one single network with this range of IP
> addresses (
> 70.0.0.X / 255.255.255.0 ).
>
> We have a wireless point-to-point link between the 2 locations.
>
> The Private office also has one single network with the same range
> of IP addresses as the Head office, which is ( 70.0.0.X / 255.255.255.0
> ).
>
> All of them are under a Workgroup, and no domains at all.
> ----------------------------------------------------------------------
> What we need is to create a domain and to provide users with
> authentication from the domain by using user name & password.
> -----------------------------
>
> My question is here, I am really getting confused, what should I follow:-
>
> 1- Should I follow a single site for the 2 locations & each site will be
> represented by a subnet, so I will have 2 subnets in one site?
>
> Or
>
> 2- Should I follow multiple sites with one subnet at least in each
> site, and each site will represent the location itself?
>
> I really get confused.
>
> As I know the site is used for replication, so I want to simplify
> the replication itself.
>
> CAN ANYONE GUIDE ME TO THE BEST OF IT.
>
> Best Regards,
> RANIA SAMEER.
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/