AD & Slow, high latency WAN

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

we have now a AD forest with 3 dc & a 4th to be added soon spanning 4 sites
(1 DC / site) with parent DC in site 1 using w2k3 with Exchange 2k3 & LCS
2k3, and an oracle DB on another server, site 2 have DC 2 is connected with a
512 frame relay link with 10 PCs, site 3 with DC 3 connected via VPN Lan2Lan
over 256/128 ADSL connection with 2 PC's and site 4 with DC 4 connected via
VPN Lan2Lan over 512/256 ADSL connection with ~ 15 PCs all connection to Site
1.

now to my question, i don't have enough experince with AD site nor with
child domains but i decieded it would be better if every site had its own
domain thus to be able to work even the link is down, especially site 3 &
site 4 where site 3 is 200-2000ms and i failed to run DCpromo on site (with
error failed to create server object ... enusre have suffiecient access...
couldn't find a DC for this domain), nor to have AD replication working both
ways until i used SMTP links and carefully set the cost (took me 2 months to
set it right), but that topology is giving me hard time setting something
like exchange & LCS2k3 which failed due to schema problems.

so is there any other was to get it working with one domain?, could i have
SMTP & One domain in same time?, is there a way i could fix the schema as its
not accpeting any modifications even with the schema admin account or the
enterprise admin account and always now give me an error that i don't have
schema admin preivildge! ?

Help is really apperciated as i am thinking of re-installing all servers but
i need to have it right as it will be killing me if it didn't work this time
too after all this work ( 3 DC in 3 Sites)
 
M,

Generally it is not a necessity to have each Site as it's own Domain.
Meaning, if you have three physical locations ( Blacksburg, Roanoke,
Lynchburg ) that you would have four domains: yourdomain.com,
blacksburg.yourdomain.com, roanoke.yourdomain.com and
lynchburg.yourdomain.com.

You are generally creating more work - and expense - for yourself and your
employer!

Do you have a Firewall-to-Firewall VPN set up correctly between all of your
Sites?

Why are you using SMTP? Most of us would use only IP? SMTP is generally
used when there are extremely flaky links between offices ( something
similar to what happens in Mexico and Central- and SouthAmerica ).

Generally you would set up your initial location. Open up Active Directory
Sites and Services. Create the Sites. Then create the Subnets. Then
associate each Subnet with the appropriate Site. Place the DCs in the
Appropriate Site.

You will need to configure the Site Links but that should be it. Our friend
the KCC - with it's traveling side-kick ISTG - take care of the rest for us.
Well, we can let that happen or we can do it ourselves or we can have a mix!
I would suggest that you let it do everything.

I would also suggest that you have two DCs in each Site...but that might be
a situation where you add that second DC to each Site over time. I would
also suggest that each DC is a Global Catalog Server.

Furthermore, how is DNS set up? Is each DC also a DDNS Server? And how are
things pointing?

How are the clients getting their IP Address information? Are you using
DHCP? How are the Options set? I assume that you are using Options 003,
006 and 015? You should be giving out only YOUR internal DNS Server
information. The ISP DNS Server information belongs in one place and one
place only - in your Forwarders tab in the FLZ!

Have you run dcdiag /c /v on all of your Domain Controllers? How about
netdiag /v?

Sorry for my ignorance, but what is LCS? Is it Live Communication Server?
I would worry about getting everything set up properly before adding extra
variables to the mix.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Hi,

it seems i didn't explained it clearly or gave a lot of data that caused
confusion.

i understand that i don't need a DC for each site but i confirgures the
network as follows:

*Site 1 has DC1 which is the parent Domain and Forest Root

*Site 2 has DC2 just for reduncey as frame relay connection was stable just
down every 2-3 months (we are in middle east/north africa) which is very
good, thus i am using IP site Link

*Site 3 has DC3 as its connected using a VPN created over ADSL internet
connection to site 1 which have very high latency and was not stable so PCs
there authenicating back @ Site 1 took 10-20 min to start, and as i said in
pervious post even DCPromo failed to complete stating [ error failed to
create server object ... enusre have suffiecient access... couldn't find a DC
for this domain ] and i had to bring this server to site 1 to be able to
promote it to DC, that's why i had to use a DC, SMTP Site Link & child domain
here.

*Site 4 which will be in the UK still under way is to use same connection
like site 3 (VPN Lan2Lan over ADSL internet connectionto site 1) thus i
expect same problems even it will have a higher speed but it will host more
PCs & Users also will be using DC, SMTP Link & child domain here too.

Each DC is GC & have DDNS, Wins (yes i have win9x, & LCS depned on it for
online staus), DHCP and host the site Exchange DB & LCS 2k3 (Live
communication server 2003) users while site 1 hosts the the Exchange Server &
the LCS Home Server & oracle DB server, site 4 hosts another DB application
server.

All DC's have AD integrated DNS zones & other DCs as WINS replication
partners, Sie 1 is the Hub for replication to all other 3 sites,and using
SMTP links forced me to have separate child domain one for each site, which i
know is giving me hard time

so back to my question it there a better way to work it out ? could i adjust
anything to use IP site Link instead of SMTP Links thus no child domains ?
why is dcpromo failing even i am using the enterprise admin account and site
1 dns as my dns ? could replication problems prevent schema modofications ?
as LCS schema prepartion is also failing in site 3 with an error that i am
not the schema admin even i am using the enterprise admin account which i
confirmed is in the schema admin group !!
 
Back
Top