How to add an additional Domain Controller from a remote office to the SBS domain - Part 1

By Marina Roos
Tags: 2003, ISA 2004, SBS, www.smallbizserver.net, branch office, rras vpn

In this series of three articles (the first article has been published, the other two will follow later) we will explain step by step how to add a DC that will be serving clients at a remote location to the SBS network. The remote DC will be connecting through a VPN connection to the SBS. There are several ways to establish this VPN connection and it all depends on the hardware and software.

Table of contents

How to add an additional Domain Controller from a remote office to the SBS domain - Part 1
Prepare Active Directory for R2 Domain Controller
Create a new site for the Remote Office
Create the Subnets for both locations
Add a reverse DNS lookup zone for the remote subnet in DNS server
Create an account that will be used for the vpn connection only
Create the remote site vpn connection and add a network rule in ISA
Create access rules to allow traffic to and from this network with the Firewall Policy
Set the Intersite Messaging service to automatic and start it and fix DCOM 10016

TERMS

This document and what comes with it are provided as-is with a blunt warning: use at your own risk, buyer beware. You break your system; you own the resolution as well. We have no liability for what you do, or can't do, or fail to do with this information. Your entire protection is to start over again with a protected backup, or from a protected system. If you don't want to accept this idea, please don't use this document.

Hardware VPN from remote router to SBS router: this is a very stable connection and will always be up, so the remote server and its clients will be connecting to the domain from boot, but the SBS server should only have one network adapter and thus can't be running ISA.

Hardware VPN from remote router to a second SBS router that is directly connected to the internal SBS network: this is also very stable, but can only be done if the SBS network has multiple public IPs and if the SBS internet device is capable of routing the several public IPs to different internal IPs. The SBS server can have two network adapters and can have ISA installed. Javier (SBS-MVP) has described the layout of this kind of VPN connection here: Javier's SBS Wonderland: Site to Site VPN while keeping ISA in the Mix: http://msmvps.com/blogs/javier/archive/2004/12/08/23045.aspx. An article with the complete steps to create such a branch office connection will be published soon.

Software VPN from remote DC to SBS: on the remote DC we could create a VPN connection just like you would normally do on a remote client machine to connect to the SBS network. The disadvantage of this kind of connection is that the remote DC needs to be logged in to start up the VPN connection. Instead, we can use RAS on the remote DC to create a persistent VPN connection to the SBS server, which will automatically start when the remote DC is rebooted and doesn't need anyone to be logged in. This will only work when the SBS has two NICs and ISA 2004 installed. A disadvantage of this kind of connection is that it will take a little while after a reboot before RAS on the remote DC dials in automatically to the SBS, which will give some warnings in the event log. Another disadvantage is that although the remote network will see all machines in its Network Neighborhood, the remote machines will NOT be visible in the SBS internal Network Neighborhood. This means you will have to map a drive manually if that is needed, as the browse list won't show the remote machines.

I would like to thank Justin Crosby from Microsoft CSS for the additional investigation he has done to help me write these articles.
The first article will describe the steps that need to be done on the SBS server to prepare for a remote additional domain controller. The second article will describe the steps that need to be done on the remote Windows 2003 server, up to and including joining and promoting this server to an additional DC. The third article (not yet available) has the steps that need to be done after the remote DC has successfully replicated and will include some fine tuning on the SBS server as well as on the remote DC.

It doesn't matter which kind of VPN connection you are using for connecting a remote office to the SBS network: you will have to do several steps on the SBS server as well as on the remote server to get them properly connected. On the SBS server we will use Active Directory Sites and Services to create a new site for the remote office and we will create the subnets of both locations. Then we will create a new Reverse Lookup Zone in DNS server for the remote subnet. As we will be using RRAS on the remote server for the VPN connection, we will have to create a special user account. Because the SBS server has ISA installed, we will need to add the remote subnet to the network configuration, and we need to add the remote site VPN connection and some rules. Finally we will need to enable the Intersite Messaging service and fix a DCOM 10016 error. Then the SBS server is ready and the new remote server can be joined to the SBS domain.

We will want the remote server to have DNS, DHCP and WINS installed. We don't need to configure these yet; we will configure them after the joining. DNS server will already be configured by dcpromo but will need some corrections later. All the preparation work and the actual joining and promoting of this remote server will be described in the second article of this series.
When the new remote server is successfully joined and replication has taken place, there are a few more things that need to be done on the SBS server to complete the new remote office connection. The remote DC will also need some fine tuning. Those will be published in the third article of this series.

Prepare Active Directory for R2 Domain Controller

If there hasn't been an additional Windows 2003 R2 Domain Controller yet, we will need to prepare the domain first. This is a one-time-only action and needs to be done on the SBS server. The article "How to prepare the SBS domain for an additional R2 Domain Controller" has the complete steps with screen shots.

Create a new site for the Remote Office

With Active Directory Sites and Services we will add a new site and create the subnets that will be linked to the proper sites.

Start, All Programs, Administrative Tools, Active Directory Sites and Services.
Right click on Sites and choose New Site.
Type a name for the new site, keeping in mind that you can't use spaces or other special characters. We will call our new site RemoteBranchOffice.
Click on the Link Name DEFAULTIPSITELINK and click OK.
We get a message about the site being created and which other things we need to do; click OK.
At the same time you might notice a warning in the System event log. You don't need to worry about this warning, it is perfectly normal at this stage.
Active Directory Sites and Services will show the new site with 3 objects created in it. When we expand Inter-Site Transports and select the IP node, the properties of DEFAULTIPSITELINK will show that the new site has automatically been added to the Site Link.

Create the Subnets for both locations

We will now create both subnets that will be used by the SBS network and the remote office.

Right click the Subnets node and select New Subnet.
The New Object needs the subnet IP address and mask and needs to know to which site it belongs.
We first create the SBS subnet: the address that our SBS server is using is 192.168.26.0 with mask 255.255.255.0. Select Default-First-Site-Name and click OK.
Right click the Subnets node again and choose New Subnet to add the remote subnet.
Our remote subnet will be using 192.168.90.0 with mask 255.255.255.0; select the RemoteBranchOffice site and click OK.

Active Directory Sites and Services now shows both subnets, each linked to its site. We can close Active Directory Sites and Services for now and will continue by creating a new Reverse Lookup Zone in DNS server.

Add a reverse DNS lookup zone for the remote subnet in DNS server

Expand the SBS server name in DNS server, right click Reverse Lookup Zones and choose New Zone.
The Welcome to the New Zone Wizard appears; click Next.
Accept the default settings and click Next.
Accept the default setting again and click Next.
The Network ID for the new reverse lookup zone is the IP range used in the Branch office. You only need to type the first three octets, 192.168.90, and then click Next.
Accept the default setting for Dynamic Update and click Next.
After reviewing the settings, click Finish.
The new reverse lookup zone appears in DNS server.

Create an account that will be used for the vpn connection only

The remote location will be using RRAS to set up a VPN connection with PPTP to the SBS server.
That connection needs a dial-in user account that can be authenticated on the SBS, and that account will be used ONLY for this VPN connection.

In Active Directory Users and Computers, expand the local domain name (in our case ComputerWorks.lan), right click the Users node, select New and select User.
Fill in the First name, Last name and User logon name and click Next. For our account we will create user BranchVPN.
Create a strong password for this user, uncheck 'User must change password at next logon', check 'User cannot change password' and check 'Password never expires' before clicking Next.
This account doesn't need a mailbox, so uncheck 'Create an Exchange mailbox' and click Next.
After reviewing the settings, click Finish.

As we have to make sure this account is enabled for remote access, we add it to the group Mobile Users manually.

In the right pane of ADUC, right click the new user and choose Properties.
Click the 'Member of' tab and click Add.
In the Object names, type Mobile Users and click OK.
The group has been added; click OK to close the properties of this user.

Create the remote site vpn connection and add a network rule in ISA

ISA needs to know that the remote subnet is allowed to the internal SBS network, so it will accept the users and computers in that remote subnet and treat them as internal. We will first create the site-to-site VPN connection, then add the network rule and the firewall policies.

Choose the Virtual Private Networks (VPN) node and click the Remote Sites tab.
In the right pane choose Add Remote Site Network.
The Welcome to the New Network Wizard appears; type the new Network Name, which has to be the same as the dial-in user BranchVPN, and click Next.
Select Point-to-Point Tunneling Protocol (PPTP) and click Next.
A message appears making sure that you understand that the Network Name has to be the same as the dial-in user; click OK.
The Remote Site Gateway is the public IP of the remote site, in this case 188.8.131.52; click Next.
Although we don't have port 1723 open inbound on the remote site, we do fill in the Remote Authentication to prevent errors in the SBS system log, then click Next.
We have to define the IP range of the remote site, which is 192.168.90.0. Click the Add button and type 192.168.90.0 for the starting address and 192.168.90.255 for the ending address. Click OK.
The range has been added; click Next.
The summary shows; click Finish.
A message shows that Remote Access might need to be restarted; click OK.
As we are not done in ISA yet, we will wait with the big Apply and continue.

Next, create the Network Rule to allow traffic to and from this network.

Expand Configuration, Networks, tab Network Rules, and in the right pane under Tasks choose Create a New Network Rule.
The Welcome to the New Network Rule Wizard appears; type a name like Branch to SBS and click Next.
The Traffic Sources will be the remote network: click Add, expand Networks, select BranchVPN, click Add and then Close to close the Add Network Entities dialog.
The source BranchVPN has been added; click Next.
The Destination will be the Internal network: click Add, expand Networks, select Internal, click Add and then Close.
Click Next.
The traffic between the source and destination needs to be routed, so select the Route option and click Next.
The summary shows the options we have configured; click Finish.

We don't need to create a second network rule for the return traffic, because route relationships are bidirectional in ISA. If a route relationship is defined for traffic from the Branch to the SBS, a route relationship also exists for traffic sent from the SBS to the Branch. We won't Apply the configuration changes yet.

Create access rules to allow traffic to and from this network with the Firewall Policy

We need to add two rules to allow traffic from the Branch Office to the SBS and from the SBS to the Branch Office. We also need to edit the System Policies to allow the several protocols that are used by Active Directory when promoting a remote server to an additional domain controller.

In the Firewall Policy node, in the right pane under Tasks, choose Create New Access Rule.
The Welcome to the New Access Rule Wizard appears; type a name for the access rule, e.g. Branch to SBS, and click Next.
By default the Rule Action is set to Deny, so change that to Allow, then click Next.
All outbound protocols from the Branch should be allowed, so just click Next.
The source will be the BranchVPN network entity: click Add, expand Networks, select BranchVPN, click Add, then Close. Click Next.
The Destination will be the Internal network: click Add, expand Networks, select Internal, click Add and Close. Click Next.
Leave the User Sets at the default All Users and click Next.
A summary appears; click Finish.

We need another rule for access from the SBS to the Branch. We can create this rule the same way, but we can also copy and paste the rule and then change its name and the network entities on the From and To tabs.
Right click the just created Access Rule and choose Copy.
Right click again and choose Paste.
The pasted rule has the same name with (1) added to it. Right click this rule and choose Properties.
Change the name of this rule to SBS to Branch but don't click OK yet.
Select the From tab, select BranchVPN and click Remove.
Click Add, expand Networks, select Internal, click Add, click Close.
Select the To tab, select Internal and click Remove.
Click Add, expand Networks, select BranchVPN, click Add, click Close, click OK.
Now click the Apply button at the top of the screen to apply all the changes we have made.
If the changes are successful, the message will say so; click OK.

The only thing left to do in ISA is to make sure that the several Active Directory protocols will be allowed by ISA. We need to edit the System Policy for this.

In the right pane under Tasks, select Edit System Policy.
In the left pane, select NTP under Network Services in the Configuration Groups and select the To tab in the right pane.
Only the Internal network is listed here, so click Add, expand Networks, select BranchVPN, click Add, click Close.
Don't click OK yet, because you need to do the same for Active Directory under Authentication Services, Firewall Client Installation under Firewall Client, and Windows Networking under Diagnostic Services.
When you have added the BranchVPN network to these four options in the System Policy, you can close it with OK. It always takes some time before this screen closes after you have clicked OK. Then you will have to Apply the configuration changes to ISA again.

Set the Intersite Messaging service to automatic and start it and fix DCOM 10016

As we have created a new Site in AD Sites and Services, we need to set this service to automatic and start it. By default this service doesn't run on SBS and is set to Disabled.
In Services, right click the Intersite Messaging service and choose Properties.
Click the drop-down box at the Startup type field, select Automatic, then click Apply.
Click the Start button to start the service.
When the service has started, click OK.

About 10 minutes after this service was started, you will notice a few Netlogon information events in the System event log. As long as you don't have any true errors in the event logs, you don't need to worry yet.

You might also see a DCOM 10016 error in the System event log. Its description has the solution, and the CLSID points to the Netman application, so with Administrative Tools, Component Services, drill down to the DCOM Config node. It is the Netman component that we have to correct.

Right click on the Netman component and choose Properties.
Select the Security tab, then click the Edit button under Launch and Activation Permissions.
It is missing the Network Service, so click the Add button.
Type network service and click OK.
Check the Local Activation box and click OK.
Click OK, and OK again, and close Component Services.

The SBS server is now ready for a new remote Domain Controller. Part 2 of this series will describe all the steps that are needed to configure the remote server and dcpromo it into the SBS domain. Part 3 will have the finishing steps described and some fine tuning.
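The SBS-side preparation from the Active Directory, DNS, account and service sections above as one PowerShell script; this is an added example and not part of the original article. It assumes the ActiveDirectory and DnsServer modules (RSAT from Windows Server 2012 or later, in Windows PowerShell 5.1, run as a domain admin from a management machine against the SBS domain, since SBS 2003 itself has no such cmdlets and a 2003 DC needs the Active Directory Management Gateway Service to answer them), the names and address ranges used in this article, a placeholder SBS hostname, that none of these objects exist yet, and the service name IsmServ for Intersite Messaging; the ISA configuration and the DCOM 10016 fix remain GUI steps.

```powershell
# Added example (not from the original article): the SBS-side preparation steps
# scripted with the ActiveDirectory and DnsServer modules (RSAT, Windows Server
# 2012 or later, Windows PowerShell 5.1). Run as a domain admin from a
# management machine; the AD cmdlets need a DC that answers AD Web Services
# (on a 2003 DC, the AD Management Gateway Service). Assumes none of the
# objects exist yet.
Import-Module ActiveDirectory
Import-Module DnsServer

$SiteName     = 'RemoteBranchOffice'   # site name from the article (no spaces)
$SbsSubnet    = '192.168.26.0/24'      # SBS internal subnet
$BranchSubnet = '192.168.90.0/24'      # remote office subnet
$VpnUser      = 'BranchVPN'            # dial-in account used ONLY for the VPN
$SbsServer    = 'SBSSERVER'            # placeholder: hostname of the SBS server

# 1. New site, add it to the default site link, then one subnet per site
#    (AD Sites and Services). New-ADReplicationSite does not touch site links.
New-ADReplicationSite -Name $SiteName
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $SiteName}
New-ADReplicationSubnet -Name $SbsSubnet    -Site 'Default-First-Site-Name'
New-ADReplicationSubnet -Name $BranchSubnet -Site $SiteName

# 2. Reverse lookup zone for the branch subnet with the wizard's defaults on a
#    DC: AD-integrated, replicated domain-wide, secure dynamic updates only.
Add-DnsServerPrimaryZone -ComputerName $SbsServer -NetworkId $BranchSubnet `
    -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# 3. Dial-in account: strong password that the user cannot change and that
#    never expires, no Exchange mailbox, member of Mobile Users (the SBS group
#    that grants remote access).
$pw = Read-Host -Prompt "Password for $VpnUser" -AsSecureString
New-ADUser -Name $VpnUser -SamAccountName $VpnUser -AccountPassword $pw `
    -Enabled $true -ChangePasswordAtLogon $false -CannotChangePassword $true `
    -PasswordNeverExpires $true -Description 'Site-to-site VPN dial-in only'
Add-ADGroupMember -Identity 'Mobile Users' -Members $VpnUser

# 4. Intersite Messaging (service name IsmServ) is Disabled on SBS by default;
#    a new site needs it running.
Set-Service -Name 'IsmServ' -ComputerName $SbsServer -StartupType Automatic -Status Running

# 5. Check before promoting the branch server: each subnet maps to the expected
#    site, and the new reverse zone is AD-integrated with secure updates.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-DnsServerZone -ComputerName $SbsServer -Name '90.168.192.in-addr.arpa' |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
```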