Server 2k8: creating/joining sites in a domain

[xSauronx]

Ive got a class project to work on, and since Its starting from scratch I just wanted to make sure I was going to do things in the right order and that there wasnt something somewhere that I needed to deal with.

Im supposed to have 6 2k8 VMs on 3 subnets (2 Vms/subnet)
this is for a fictional bank, using the domain "ibb.local"

for the other domains do I just setup something like branch1.ibb.local and branch2.ibb.local as the domains and just join them all together under ibb.local?

Ive got very little experience with AD and zilch with joining sites and such, and would prefer just to have to do that part once

according to the book it seems like thats the way to do it, I just wanted to make sure that I didnt overlook something.

thanks

 

[yinan]

One domain

 

[rasczak]

you've got the right idea, only you don't need to create multiple domains. just one domain with however many sites/branches you need. you'll probably end up setting up a DC(domain controller) at each "remote" site and there would be very little you need to do as far as joining sites since they already joined by default.

ie

create domain ibb.local
create another domain controller named branch1.ibb.local (still in the same domain)
create another domain controller named branch2.ibb.local (still in the same domain)
each a different site, yet all under domain ibb.local

go to sites and services setup replication between the three DC's/Sites. Make each a global catalog server (sorry this is all coming from my 2k3 server stuff)

in essence, you're not necessarily creating a "new" domain when you setup the branches, you're just setting up sites. If you were to create something else ie. branch1.iab,local, then you would be creating a "new" domain. completely separate from the ibb.local domain. (however, i think i 2k8, the security boundary changed from the domain level to the forest level, so trust between ibb.local and iab.local if setup during the initial AD setup for iab.local would be default)

 

[IndyColtsFan]

Ive got a class project to work on, and since Its starting from scratch I just wanted to make sure I was going to do things in the right order and that there wasnt something somewhere that I needed to deal with.

Im supposed to have 6 2k8 VMs on 3 subnets (2 Vms/subnet)
this is for a fictional bank, using the domain "ibb.local"

for the other domains do I just setup something like branch1.ibb.local and branch2.ibb.local as the domains and just join them all together under ibb.local?

Ive got very little experience with AD and zilch with joining sites and such, and would prefer just to have to do that part once

according to the book it seems like thats the way to do it, I just wanted to make sure that I didnt overlook something.

thanks

One domain (ibb.local) should be sufficient unless there are defined reasons for having multiple domains (typically, differing security requirements). I doubt this is the case, so one domain is sufficient and depending on connectivity, probably one to three AD sites. The textbook says that if the intersite bandwidth is above a certain threshold, you can combine the physical sites into a single logical AD site; I tend to error on the side of caution and use separate logical sites unless you have insane intersite bandwidth.

 

[IndyColtsFan]

you've got the right idea, only you don't need to create multiple domains. just one domain with however many sites/branches you need. you'll probably end up setting up a DC(domain controller) at each "remote" site and there would be very little you need to do as far as joining sites since they already joined by default.

ie

create domain ibb.local
create another domain controller named branch1.ibb.local (still in the same domain)
create another domain controller named branch2.ibb.local (still in the same domain)
each a different site, yet all under domain ibb.local

Yep. OP, in the example above, the branch1 or branch2 denotes the host name of the DC, not the domain name (though it is part of the FQDN ).

go to sites and services setup replication between the three DC's/Sites. Make each a global catalog server (sorry this is all coming from my 2k3 server stuff)

I agree, I'd make both of them GCs, as you recommend. Most of my experience comes from 2K3 as well so some of this may be slightly different with 2K8.

in essence, you're not necessarily creating a "new" domain when you setup the branches, you're just setting up sites. If you were to create something else ie. branch1.iab,local, then you would be creating a "new" domain. completely separate from the ibb.local domain. (however, i think i 2k8, the security boundary changed from the domain level to the forest level, so trust between ibb.local and iab.local if setup during the initial AD setup for iab.local would be default)

Cool, I'll have to look into that a little more.

 

[rasczak]

Yep. OP, in the example above, the branch1 or branch2 denotes the host name of the DC, not the domain name (though it is part of the FQDN ).


I agree, I'd make both of them GCs, as you recommend. Most of my experience comes from 2K3 as well so some of this may be slightly different with 2K8.



Cool, I'll have to look into that a little more.

Hehe good catch. blanghorst is correct.

 

[xSauronx]

ok so as long as im using $machine.ibb.local adn theyre on different subnets theres pretty much nada to do? im familiar with the replication in a single domain and such so I guess there really isnt much to it

thanks

 

[stlcardinals]

If the servers really are supposed to be in different physical sites, you will want to make different sites for them in Active Directory Sites and Services. Just do a google search for "how to make sites in active directory", should get you started in the right direction.

 

[xSauronx]

ok Im having a routing issue that i posted in the network forum, and cant get the routing to work, so when on diff subnets none of the machines can see one another

do i:
wait and fix that before running dcpromo on any boxes after the first pair is set up
setup each pair on a subnet as ibb.local and join them all together later when routing works?

 

[phoenix79]

Fix your routing issue first. You won't be able to join them to the domain if they can't contact the PDC

 

[xSauronx]

Fix your routing issue first. You won't be able to join them to the domain if they can't contact the PDC

yeah....and that routing issue is being a bitch. my lab setup is ridiculously stupid

 

[IndyColtsFan]

ok so as long as im using $machine.ibb.local adn theyre on different subnets theres pretty much nada to do? im familiar with the replication in a single domain and such so I guess there really isnt much to it

thanks

No, you probably want to make separate AD sites, move the DCs at the remote sites into their respective AD sites, and let AD manage the replication. Do NOT manually create replication links as in 95% of all scenarios, it is a bad idea.

 

[IndyColtsFan]

ok Im having a routing issue that i posted in the network forum, and cant get the routing to work, so when on diff subnets none of the machines can see one another

do i:
wait and fix that before running dcpromo on any boxes after the first pair is set up
setup each pair on a subnet as ibb.local and join them all together later when routing works?

No, get the routing working first.

 

[xSauronx]

ok, routing is working. thats a headache i dont even want to discuss here.

so, all 3 subnets can see one another, everyone can ping everyone else. whats the proper order to get things set up?

172.20.5.0 - 2 DCs in ibb.local
172.20.10.0 - 2 DCs in ibb.local
172.20.28.0 - 2 DCs in ibb.local

of course, being on separate subnets, none of them see each other. added the sites and created subnets for each in the x.x.5.0 group, but how do i actually make the machines on the various subnets a part of the same domain where they communicate and can replicate with each other?

i see the timer under the site link setup defaults to 180 minutes, when that timer goes off (and lets say id reduce it to 15 mins or whatever) will they then try to talk to one another? do i have to do something else first? is there a way to force the intersite replication so i can see if its going to work?

i cant really find *that* information anywhere. just info on setting up sites and...then apparently its magic

 

[RebateMonger]

ok, routing is working. thats a headache i dont even want to discuss here.

a) ---- so, all 3 subnets can see one another, everyone can ping everyone else. whats the proper order to get things set up?

b) ---- of course, being on separate subnets, none of them see each other

I'm probably confused. But is it a) or b)?

 

[xSauronx]

I'm probably confused. But is it a) or b)?

my bad, it was getting lateish so i wasnt clear at all.

3 subnets can see each other: routing works, they can ping, remote desktop, whatever.

now when i have two DCs for ibb.local on x.x.5.0 and run dcpromo on, lets say, x.x.10.0, and want to tell those 2 boxes to join as a dc to an existing domain, due to the separate subnets, theyre not going to see the ibb.local boxes on x.x.5.0

 

[Genx87]

my bad, it was getting lateish so i wasnt clear at all.

3 subnets can see each other: routing works, they can ping, remote desktop, whatever.

now when i have two DCs for ibb.local on x.x.5.0 and run dcpromo on, lets say, x.x.10.0, and want to tell those 2 boxes to join as a dc to an existing domain, due to the separate subnets, theyre not going to see the ibb.local boxes on x.x.5.0

Point the machines you want to promote DNS at the subnet where the other DCs sit.

So the box x.x.10.1, on the nic set the dns to point at the DC in the x.x.5.0 network that is running DNS.

 

[xSauronx]

Point the machines you want to promote DNS at the subnet where the other DCs sit.

So the box x.x.10.1, on the nic set the dns to point at the DC in the x.x.5.0 network that is running DNS.

ahhhh gotcha, thanks

 

[GeekDrew]

however, i think i 2k8, the security boundary changed from the domain level to the forest level

For what it's worth, it was just realized around the time of 2008 being released, that the security boundary has always been forest level. Most documentation and best practices, including from MS, incorrectly stated that the security boundary was the domain. From what I've read, few people had previously considered the intra-forest inter-domain disgruntled admin scenario to be a viable threat.