Secondary DC in trusted domain with different IP..

Réponse
 
LinkBack Outils de la discussion
Vieux 25/10/2006, 10h21   #1
gstar
Aucun Avatar
 
Messages: n/a
Hébergeur:
Par défaut Secondary DC in trusted domain wiht different IP..

We have 2 offices connected via Site 2 Site VPN over 2mb leased line.
Both have 2003 domains which are trusted to each other and can share
data, pings etc.

Local office [192.168.254.*] - Remote office [192.168.254.*]

On the local domain, I created a secondary DC as disaster recovery
should we lose this office. All worked fine with both AD & DNS
replicating changes made to the original DC, so after a week I
relocated the secondary DC to the remote office.

Now the secondary DC cannot communicate with the primary until I change
IP address to the 192.168.254.* range.

I would have thought that retaining the same NIC settings would have
been fine as the Site 2 Site VPN is always up. Is what I am trying to
achieve not possible?

Thanx for your time

G

25/10/2006, 17:10   #2
Herb Martin

"gstar" <gary.brett@gmail.com> wrote in message
news:1161768078.110734.115790@m7g2000cwm.googlegroups.com...
> We have 2 offices connected via Site 2 Site VPN over 2mb leased line.
> Both have 2003 domains which are trusted to each other and can share
> data, pings etc.


Same forest (automatic domain trusts), OR "external" or "forest level"
trusts?

Generally, external trusts require NetBIOS resolution to work.
(Which usually means WINS Server and replication in such
cases.)

> Local office [192.168.254.*] - Remote office [192.168.254.*]


Same subnet or different across the WANS? (Looks like same
but one cannot really tell without the subnet masks.)

> On the local domain, I created a secondary DC as disaster recovery
> should we lose this office.


As of Win2000 DCs are "just DCs" so this would be just
an additional or second DC.

> All worked fine with both AD & DNS
> replicating changes made to the original DC, so after a week I
> relocated the secondary DC to the remote office.
>
> Now the secondary DC cannot communicate with the primary until I change
> IP address to the 192.168.254.* range.


Well, this would be obviously true if that is a different
subnet range (which we cannot tell from your example
without the subnet masks.)

> I would have thought that retaining the same NIC settings would have
> been fine as the Site 2 Site VPN is always up. Is what I am trying to
> achieve not possible?


Sure, it is possible, but it looks like you messed up the
ROUTING.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


26/10/2006, 09:21   #3
gstar

Hi Herb, thanx for your .

>> Same forest (automatic domain trusts), OR "external" or "forest level" trusts?

External Forest

>> Generally, external trusts require NetBIOS resolution to work.


WINS is running on both DCs and are replication partners

>>Local office [192.168.254.*] - Remote office [192.168.254.*]


Sorry my mistake, should have read:
Local office [192.168.45.*] - Remote office [192.168.254.*] - Both
subnets are 255.255.255.0

>> Same subnet or different across the WANS?


You are correct, same

>> Sure, it is possible, but it looks like you messed up the ROUTING.


Perhaps, but I can't see where it's gone wrong. Have created a basic
image of what the scenario is if you have time to take a look?

http://gary.brett.googlepages.com/GOOGLE1_raster.htm

Again thanx

G

26/10/2006, 19:07   #4
OscarSotoCL

Gary:

I saw the diagram and you have to change the IP address of Secondary DC
Domain1 (192.168.45.11) to an IP of the 192.168.254.0 range.

Try to configure this server as a DNS and replicate the Active Directory
DNS Zone to all DC over the forest.

Greetings.

Oscar Soto Casali
MVP Directory Services



26/10/2006, 20:38   #5
gstar

Hi Oscar,

> I saw the diagram and you have to change the IP address of Secondary DC
> Domain1 (192.168.45.11) to an ip of the 192.168.254.0 range.


I have done that, changed the DNS & WINS properties, and IPCONFIG now
looks like this on Secondary DC:

Physical Address. . . . . . . . . : 00-0B-DB-D5-14-
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.254.21
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.254.1
DNS Servers . . . . . . . . . . . : 192.168.45.10
                                    192.168.254.2
Primary WINS Server . . . . . . . : 192.168.45.10
Secondary WINS Server . . . . . . : 192.168.254.2

If I make changes to the original DC [AD or DNS] they replicate
instantly over to the secondary so that appears to be working.

> Try to configure this server as a DNS and replicate the Active Directory
> DNS Zone to all DC over the forest.


The secondary DNS already replicates from DC, is that what you meant?

Thanx again
Gary

27/10/2006, 12:22   #6
Herb Martin

"gstar" <gary.brett@gmail.com> wrote in message
news:1161850908.499890.92900@f16g2000cwb.googlegroups.com...
> Hi Herb, thanx for your .
>
>>> Same forest (automatic domain trusts), OR "external" or "forest level" trusts?
>
> External Forest


That doesn't answer the question since External and Forest
level trusts are two DIFFERENT types, but in both cases
you may need NetBIOS (more likely in External since they
were built for NT.)

>>> Generally, external trusts require NetBIOS resolution to work.

>
> WINs is running on both DCs and are replication partners


Is every DC set as a "WINS Client"? Many people forget to do this.

And in general, every machine needs to be a WINS client. (NIC->
IP->Advanced->WINS.)

>>>Local office [192.168.254.*] - Remote office [192.168.254.*]

>
> Sorry my mistake, should have read:
> Local office [192.168.45.*] - Remote office [192.168.254.*] - Both
> subnets are 255.255.255.0


Subnet masks. The subnets are 192.168.45.0 and 192.168.254.0,
while 255.255.255.0 is the mask (for both.)

>>> Same subnet or different across the WANS?

>
> You are correct, same


No. They are different SUBNETS using the same mask (the latter
is practically irrelevant as long as it is correct.)

>>> Sure, it is possible, but it looks like you messed up the ROUTING.

>
> Perhaps, but I cant see where its gone wrong. Have created a basic
> image of what the scenario is if you have time to take a look?


If you cannot ping and tracert (assuming no firewalls blocking
ICMP) then you can't do much else with this.

If ICMP is blocked you will need to test routing with simpler
tools like telnet, NC (netcat from Internet), etc.

> http://gary.brett.googlepages.com/GOOGLE1_raster.htm


What's this?

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


> Again thanx
>
> G
>



27/10/2006, 12:26   #7
Herb Martin

"gstar" <gary.brett@gmail.com> wrote in message
news:1161891491.168353.8050@m7g2000cwm.googlegroups.com...
> Hi Oscar,
>
>> I saw the diagram and you have to change the IP address of Secondary DC
>> Domain1 (192.168.45.11) to an ip of the 192.168.254.0 range.

>
> I have done that, changed the DNS & WINs properties, and IPCONFIG now
> looks like this on Secondary DC:
>
> Physical Address. . . . . . . . . : 00-0B-DB-D5-14-
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.254.21
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.254.1
> DNS Servers . . . . . . . . . . . : 192.168.45.10
> 192.168.254.2


Generally the machine should use the DNS on the same
subnet first.

> Primary WINS Server . . . . . . . : 192.168.45.10
> Secondary WINS Server . . . . . . : 192.168.254.2


Ditto for WINS Server.

> If I make changes to the original DC [AD or DNS] they replicate
> instantly over to the secondary so that appears to be working.


Then routing is working. So maybe the routing problems were
just in your description in the first message.

Go through the DNS steps below, especially the DCDiag stuff
but since it is replicating there isn't likely to be anything too
major.

But if this is working, do you still have a problem because
originally you said it would NOT replicate when on the
other subnet.

>> Try to configure this server as a DNS and replicate the Active Directory
>> DNS Zone to all DC over the forest.

>
> The secondary DNS already replicates from DC, is that what you meant?


Then what is the problem? You originally said that the
two DCs were not replicating but now you say they are
doing so.....?


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> Thanx again
> Gary
>



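An added example, not part of the original thread or any poster's code: a Python check of the two points made in posts #6 and #7, namely whether two hosts share a subnet under a given mask, and whether the first-listed DNS and WINS servers sit on the machine's own subnet. The function names are hypothetical; the sample input is the ipconfig fragment quoted in the thread.

```python
import ipaddress
import re

# Fragment of the ipconfig output posted in the thread (the poster's addresses).
IPCONFIG = """\
IP Address. . . . . . . . . . . . : 192.168.254.21
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.254.1
DNS Servers . . . . . . . . . . . : 192.168.45.10
                                    192.168.254.2
Primary WINS Server . . . . . . . : 192.168.45.10
Secondary WINS Server . . . . . . : 192.168.254.2
"""

def same_subnet(a, b, mask):
    """True when a and b fall in the same network under the given mask."""
    net = lambda ip: ipaddress.ip_interface(f"{ip}/{mask}").network
    return net(a) == net(b)

def parse_ipconfig(text):
    """Map each label to its values; an unlabelled line continues the previous label."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)[\s.]*:\s*(\S+)\s*$", line)
        if m:
            last = m.group(1)
            fields.setdefault(last, []).append(m.group(2))
        elif line.strip() and last:
            fields[last].append(line.strip())
    return fields

def resolver_findings(text):
    """Return (local network, findings) for gateway reachability and DNS/WINS order."""
    f = parse_ipconfig(text)
    ip, mask = f["IP Address"][0], f["Subnet Mask"][0]
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    findings = []
    if not same_subnet(ip, f["Default Gateway"][0], mask):
        findings.append(f"gateway {f['Default Gateway'][0]} is not on {net}")
    wins = f.get("Primary WINS Server", []) + f.get("Secondary WINS Server", [])
    for kind, servers in (("DNS", f.get("DNS Servers", [])), ("WINS", wins)):
        local = [s for s in servers if same_subnet(ip, s, mask)]
        if local and servers[0] not in local:
            findings.append(f"{kind}: {servers[0]} is first but off-subnet; {local[0]} is on {net}")
    return net, findings

if __name__ == "__main__":
    print(same_subnet("192.168.45.11", "192.168.254.21", "255.255.255.0"))
    for finding in resolver_findings(IPCONFIG)[1]:
        print(finding)
```
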
28/10/2006, 15:00   #8
OscarSotoCL

Gary:

It sounds good.

I think your replication must be working now.

Now in the clients from your remote site configure the DNS Client to point
to the local DNS as primary DNS address, and the Central Site DNS as the
secondary DNS address.

Regards.

Oscar Soto Casali
MVP Directory Services