Active Directory help

Ryan45 (Limp Gawd; joined Sep 19, 2009; 209 messages)
I have three domains in my forest, connected via WAN.

Site1= primary

Site2= secondary

Site3= secondary

Site 2 and 3 RDP into a terminal server for some functions. The terminal servers are part of the Site1 domain.

Everything works fine until the WAN goes down. Users VPN in to connect to the terminal server, but they can't authenticate/log on because their domain controllers are not accessible while the WAN is down.

Can I put DCs from site2/3 on site1? Or what are my options?
 
You have a global catalogue at each site? You should be replicating between sites though I've only ever done this with one domain so I'm less certain about the forest level. Assuming all the domains are configured to talk to one another you should be able to make this happen.

You may need to put a full domain name for a user to login though. domain\username or [email protected] to make it work.
 
Is there a cross-domain or forest wide trust implemented for all domains?
 
Let's back up a notch: Why do you have three domains?

3 different companies, some shared resources.

Yes there are trusts setup in between the domains.

Right now the Trust type is Tree Root, Transitive.
 
So does each physical site have a DC on-site? A lot of lacking information here to provide informed advice.
 
Sorry it is kind of hard to explain. I'll try my best.

Each company has its own domain and own DCs.

Site1:domain1: company 1

Site2:domain2: company 2

Site3:domain3: company 3

All are trusted domains in the forest. Replication goes over the WAN. If the WAN goes down at site2 or site3, users VPN in to Site1 but cannot log in to the terminal server (a member of domain 1) because the global catalog is not available. I am thinking an RODC might work if I put one for domain 2 and domain 3 at site 1.
 
Are they logging in to the terminal server using credentials from their own domain? If so, that would explain the login issues if their WAN goes down since cross-domain credentials in that type of setup aren't cached.

The only way around this is for the other companies to put DCs at site 1 or for a redundant WAN link to be in place. Honestly I'm somewhat surprised a redundant WAN link doesn't exist.
 
Yeah, the only thing you can do is put DCs in the main site, assuming he is running a minimum of Server 2008. That's what I would do.

The other companies aren't going to like that recommendation even if it was an RODC. I wouldn't, I'd opt more for the redundant WAN.
 
> The other companies aren't going to like that recommendation even if it was an RODC. I wouldn't, I'd opt more for the redundant WAN.

If they're all in the same forest, I'd hope these companies are all wholly owned by the parent company. There's no reason to have them all in the same forest unless you have centralized IT that can admin everything.

Put RODCs or even just DCs at the primary site for the other 2 domains so that when the WAN goes down you still have a local DC that they can authenticate against.
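The step that is easy to miss with the RODC approach above is that a read-only DC only completes a logon on its own when it already holds that user's secret; anything not covered by its Password Replication Policy is forwarded to a writable DC, which in this scenario is on the far side of the dead WAN. The following PowerShell is an added example written for this thread, not something posted by Ryan45 or the other replies. It assumes the second company's domain is called domain2.example, that the terminal servers sit in an AD site named Site1, that the new read-only DC for domain2 placed at that site is RODC2-SITE1, and that a domain2 group named TS-Users holds the people who use the terminal servers; those names are placeholders. It locates which domain2 DC clients in Site1 currently find, allows the terminal-server users in the RODC's replication policy, prepopulates their secrets while the link is up, and then lists what is actually cached so the setup can be verified before the next outage.

```powershell
# Added example for this thread; names below are assumptions, not the poster's real environment.
Import-Module ActiveDirectory

$RemoteDomain = 'domain2.example'   # assumed: the second company's domain
$Site         = 'Site1'             # assumed: AD site of the terminal servers
$Rodc         = 'RODC2-SITE1'       # assumed: domain2 read-only DC placed at Site1
$AllowedGroup = 'TS-Users'          # assumed: domain2 group of terminal-server users

# 1. Which domain2 global catalog does a client in Site1 locate right now?
#    If the answer is in another site, Site1 has no local domain2 DC yet and
#    every cross-domain logon depends on the WAN.
Get-ADDomainController -DomainName $RemoteDomain -Discover -SiteName $Site `
    -Service GlobalCatalog -ForceDiscover |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog

# 2. After promotion: confirm the RODC really is in Site1 and is a global catalog,
#    otherwise universal-group lookups still go over the WAN.
Get-ADDomainController -Identity $Rodc -Server $RemoteDomain |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog

# 3. Password Replication Policy: allow only the terminal-server users.
#    Administrative groups stay in the default denied list, so a compromised
#    box at the remote site never yields privileged secrets.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList $AllowedGroup -Server $RemoteDomain

# 4. Prepopulate the cache while the WAN is up, so the first offline logon
#    does not need to reach a writable DC.
$Writable = [string](Get-ADDomainController -DomainName $RemoteDomain -Discover -Writable).HostName
Get-ADGroupMember -Identity $AllowedGroup -Recursive -Server $RemoteDomain |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        Sync-ADObject -Object $_.DistinguishedName -Source $Writable `
            -Destination $Rodc -PasswordOnly
    }

# 5. Audit: which accounts are actually cached on the RODC, and which are denied.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc `
    -RevealedAccounts -Server $RemoteDomain |
    Select-Object SamAccountName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied -Server $RemoteDomain |
    Select-Object Name
```

Run it from a machine with the AD PowerShell module, as an account that can modify domain2's replication policy. Step 5 is the part worth repeating after each group membership change: a user added to TS-Users later is allowed by policy but not cached until they log on through the RODC or step 4 is run again, so the outage that prompted this thread would still lock that user out.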
 
Since having only 1 DC per domain is a horrible idea... let me suggest.


(1) Hyper-V server with (3) guest OSs, each with a secondary DC for all three domains.

You only need one 2012 Std license to do this. An inexpensive quad-core server with 8GB of RAM can pull this off.

Each guest OS gets 2 vcores and 2GB of RAM.


One server, one license = done
 
> Since having only 1 DC per domain is a horrible idea... let me suggest.
>
> (1) Hyper-V server with (3) guest OSs, each with a secondary DC for all three domains.
>
> You only need one 2012 Std license to do this. An inexpensive quad-core server with 8GB of RAM can pull this off.
>
> Each guest OS gets 2 vcores and 2GB of RAM.
>
> One server, one license = done

Wrong. 1 Windows 2012 Standard license only allows you to run 2 VMs, provided the host has no roles installed but Hyper-V.
 
Why are you guys throwing out solutions without first knowing his infrastructure capabilities? :p
 
> Since having only 1 DC per domain is a horrible idea... let me suggest.
>
> (1) Hyper-V server with (3) guest OSs, each with a secondary DC for all three domains.
>
> You only need one 2012 Std license to do this. An inexpensive quad-core server with 8GB of RAM can pull this off.
>
> Each guest OS gets 2 vcores and 2GB of RAM.
>
> One server, one license = done

Don't even give each guest 2 vcores. An RODC is very lightweight for most average-sized domains.

But as said, infrastructure wise there are a lot of variables. If he already has a virtual infrastructure, it does not even matter.
 
> Since having only 1 DC per domain is a horrible idea... let me suggest.
>
> (1) Hyper-V server with (3) guest OSs, each with a secondary DC for all three domains.
>
> You only need one 2012 Std license to do this. An inexpensive quad-core server with 8GB of RAM can pull this off.
>
> Each guest OS gets 2 vcores and 2GB of RAM.
>
> One server, one license = done

We have multiple DCs at each site. This is just for when the WAN goes down.


> Are they logging in to the terminal server using credentials from their own domain? If so, that would explain the login issues if their WAN goes down since cross-domain credentials in that type of setup aren't cached.
>
> The only way around this is for the other companies to put DCs at site 1 or for a redundant WAN link to be in place. Honestly I'm somewhat surprised a redundant WAN link doesn't exist.

Very remote site so not many options for them to have a second point to point. They have a separate internet connection and that is where they can VPN in to the main site.

This issue came up when there was a city-wide power outage, so the whole of site2 was down and people were trying to VPN into site1 from home. VPN worked fine, they just couldn't log in to the terminal server because the DCs at site2 were down.

I am going to go the route of putting an RODC on site 1. Thanks for the feedback.
 