How to add an additional Domain Controller from a remote office to the SBS domain - Part 1

In this series of three articles (the first has been published, the other two will follow) we explain step by step how to add a Domain Controller that will serve clients at a remote location to the SBS network. The remote DC connects to the SBS server through a VPN. There are several ways to establish this VPN connection, depending on the hardware and software available:

  1. Hardware VPN from the remote router to the SBS router: a very stable connection that is always up, so the remote server and its clients are connected to the domain from boot. In this layout the SBS server has only one network adapter and therefore cannot run ISA.
  2. Hardware VPN from the remote router to a second router that is connected directly to the internal SBS network: also very stable, but only possible when the SBS site has multiple public IPs and the SBS internet device can route those public IPs to different internal IPs. The SBS server can have two network adapters and ISA installed. Javier (SBS-MVP) has described this layout here: Javier's SBS Wonderland: Site to Site VPN while keeping ISA in the Mix: http://msmvps.com/blogs/javier/archive/2004/12/08/23045.aspx
    An article with the complete steps to create such a branch office connection will be published soon.
  3. Software VPN from the remote DC to the SBS server:
    1. Create a VPN connection on the remote DC just as you would on a remote client machine. The disadvantage is that someone has to be logged on to the remote DC to start the VPN connection.
    2. Use RRAS on the remote DC to create a persistent (demand-dial) VPN connection to the SBS server that starts automatically when the remote DC reboots and needs no interactive logon. This only works when the SBS server has two NICs and ISA 2004 installed. One disadvantage is that it takes a little while after a reboot before RRAS dials in automatically, which produces some warnings in the event log. Another is that although the remote network will see all machines in its Network Neighborhood, the remote machines will NOT be visible in the SBS internal Network Neighborhood, so you will have to map drives manually where needed, because browsing won't show the remote machines.

This series uses the last option: RRAS on the remote DC dialing in to the ISA 2004 server on SBS.

TERMS: This document and what comes with it are provided as-is, with a blunt warning: use at your own risk, buyer beware. If you break your system, you own the resolution as well. We accept no liability for what you do, can't do, or fail to do with this information. Your only protection is the ability to start over from a verified backup or a protected system. If you don't accept this, please don't use this document.

I would like to thank Justin Crosby from Microsoft CSS for the additional investigation he did to help me write these articles.

The first article describes the steps that need to be done on the SBS server to prepare for a remote additional domain controller. The second article describes the steps on the remote Windows 2003 server, up to and including joining and promoting that server to an additional DC. The third article (not yet available) has the steps that need to be done after the remote DC has successfully replicated and includes some fine tuning on the SBS server as well as on the remote DC.

Whichever kind of VPN connection you use to connect the remote office to the SBS network, several steps are needed on the SBS server as well as on the remote server to get them properly connected.

On the SBS server we use Active Directory Sites and Services to create a new site for the remote office and the subnets of both locations. Then we create a new reverse lookup zone in DNS for the remote subnet. Because we use RRAS on the remote server for the VPN connection, we need a dedicated dial-in user account. Because the SBS server has ISA installed, we add the remote subnet as a remote site network, create a network rule and access rules for it, and extend the System Policy. Finally we enable the Intersite Messaging service and fix a DCOM 10016 error. Then the SBS server is ready and the new remote server can be joined to the SBS domain.

We want the remote server to have DNS, DHCP and WINS installed. We don't need to configure them yet; that happens after the join. dcpromo will configure DNS, but it will need some corrections later. All the preparation, the join and the promotion of the remote server are described in the second article of this series.

When the new remote server has successfully joined and replication has taken place, a few more things need to be done on the SBS server to complete the new remote office connection, and the remote DC needs some fine tuning as well. Those steps will be published in the third article of this series.


Prepare Active Directory for R2 Domain Controller

If there is no Windows Server 2003 R2 Domain Controller in the domain yet, the domain must be prepared first (the R2 schema extension, run with adprep /forestprep from the R2 media). This is a one-time action and must be done on the SBS server, which holds the schema master role. The article "How to prepare the SBS domain for an additional R2 Domain Controller" has the complete steps with screen shots.


Create a new site for the Remote Office

With Active Directory Sites and Services we add a new site and then create the subnets that link each location to its site.

  1. Start, All Programs, Administrative Tools, Active Directory Sites and Services.
  2. Right click Sites and choose New Site.
  3. Type a name for the new site. Keep in mind that a site name should be a valid DNS label: letters, digits and hyphens only, no spaces or other special characters. We will call our new site RemoteBranchOffice.
  4. Click the link name DEFAULTIPSITELINK to select it and click OK.
  5. A message appears telling you that the site has been created and listing the other things that still need to be done; click OK. You might also notice a warning in the System event log at this point. You don't need to worry about it; it is perfectly normal at this stage. Active Directory Sites and Services now shows the new site with three objects created in it (Servers, NTDS Site Settings and Licensing Site Settings). When you expand Inter-Site Transports, select the IP node and open the properties of DEFAULTIPSITELINK, you will see that the new site has automatically been added to the site link.

Create the Subnets for both locations

  1. Create both subnets, the one used by the SBS network and the one used by the remote office, by right clicking the Subnets node and selecting New Subnet.
  2. The New Object dialog needs the subnet address and mask, and the site the subnet belongs to.
  3. First create the SBS subnet. Our SBS server uses 192.168.26.0 with mask 255.255.255.0; select Default-First-Site-Name and click OK.
  4. Right click the Subnets node again and choose New Subnet to add the remote subnet.
  5. Our remote subnet uses 192.168.90.0 with mask 255.255.255.0; select the RemoteBranchOffice site and click OK.
  6. Active Directory Sites and Services now lists both subnets under Subnets, each with its site. This subnet-to-site mapping is what lets Netlogon send branch clients to the branch DC instead of across the VPN, so double check that each subnet points at the right site.

We can close Active Directory Sites and Services for now and will continue by creating a new Reverse Lookup Zone in DNS server.
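The same site and subnet objects can be created from a script, which is handy when you have to repeat this for more branches or want to verify the result. The following is an added example and not part of the original article: it assumes Windows PowerShell 2.0 has been installed on the SBS server (it is available for Windows Server 2003 SP2) and that the session runs as a Domain Admin, since the objects live in the Configuration partition. Site and subnet names are the ones used above.

```powershell
# Added example (not from the original article): create the RemoteBranchOffice site,
# add it to DEFAULTIPSITELINK and register both subnets via System.DirectoryServices.
# Assumptions: PowerShell 2.0 on the SBS server, run as a Domain Admin.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.Properties["configurationNamingContext"].Value
$sitesDn  = "CN=Sites,$configNc"

function Find-Child([string]$ContainerDn, [string]$Cn) {
    # Search instead of binding by path: a subnet CN such as 192.168.90.0/24 contains "/",
    # which an ADsPath treats as a separator, but an LDAP filter does not.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$ContainerDn"
    $searcher.SearchScope = "OneLevel"
    $searcher.Filter      = "(cn=$Cn)"
    return $searcher.FindOne()
}

function New-AdSite([string]$Name) {
    # The MMC silently creates three children with every site; do the same so the KCC is happy.
    $siteDn = "CN=$Name,$sitesDn"
    if (Find-Child $sitesDn $Name) { Write-Host "site $Name already exists"; return $siteDn }
    $site = ([ADSI]"LDAP://$sitesDn").Children.Add("CN=$Name", "site")
    $site.CommitChanges()
    foreach ($child in @("CN=Servers|serversContainer",
                         "CN=NTDS Site Settings|nTDSSiteSettings",
                         "CN=Licensing Site Settings|licensingSiteSettings")) {
        $rdn, $class = $child.Split("|")
        $site.Children.Add($rdn, $class).CommitChanges()
    }
    return $siteDn
}

function Add-SiteToLink([string]$SiteDn, [string]$LinkName) {
    $link = [ADSI]"LDAP://CN=$LinkName,CN=IP,CN=Inter-Site Transports,$sitesDn"
    if (-not $link.Properties["siteList"].Contains($SiteDn)) {
        [void]$link.Properties["siteList"].Add($SiteDn)
        $link.CommitChanges()
    }
}

function New-AdSubnet([string]$Cidr, [string]$SiteDn) {
    if (Find-Child "CN=Subnets,$sitesDn" $Cidr) { Write-Host "subnet $Cidr already exists"; return }
    # "/" is escaped as "\/" in the RDN; that is the LDAP escape for the character,
    # so the stored cn is still "192.168.90.0/24".
    $rdn    = "CN=" + $Cidr.Replace("/", "\/")
    $subnet = ([ADSI]"LDAP://CN=Subnets,$sitesDn").Children.Add($rdn, "subnet")
    [void]$subnet.Properties["siteObject"].Add($SiteDn)   # the site this subnet maps to
    $subnet.CommitChanges()
}

$branchDn = New-AdSite "RemoteBranchOffice"
Add-SiteToLink $branchDn "DEFAULTIPSITELINK"
New-AdSubnet "192.168.26.0/24" "CN=Default-First-Site-Name,$sitesDn"
New-AdSubnet "192.168.90.0/24" $branchDn

# Verify: each subnet must point at the intended site and the link must list both sites.
foreach ($cidr in "192.168.26.0/24", "192.168.90.0/24") {
    $hit = Find-Child "CN=Subnets,$sitesDn" $cidr
    "{0} -> {1}" -f $cidr, $hit.Properties["siteobject"][0]
}
$link = [ADSI]"LDAP://CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,$sitesDn"
"DEFAULTIPSITELINK sites: " + (@($link.Properties["siteList"]) -join "; ")
```

The verification lines at the end print the same information you would otherwise read from the subnet properties and the site link properties in the MMC; a subnet that points at the wrong site is the classic cause of branch clients authenticating across the VPN.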


Add a reverse DNS lookup zone for the remote subnet in DNS server

  1. In DNS server, expand the SBS server name, right click Reverse Lookup Zones and choose New Zone.
  2. The Welcome to the New Zone Wizard appears; click Next.
  3. Accept the default zone type (a primary zone stored in Active Directory) and click Next.
  4. Accept the default replication scope and click Next.
  5. The Network ID for the new reverse lookup zone is the IP range used in the branch office. You only need to type the first three octets, 192.168.90, and click Next; the wizard turns this into the zone 90.168.192.in-addr.arpa.
  6. Accept the default for Dynamic Update (Allow only secure dynamic updates, so only authenticated domain members can register their PTR records) and click Next.
  7. Review the settings and click Finish.
  8. The new reverse lookup zone appears under Reverse Lookup Zones in DNS server.

Create an account that will be used for the vpn connection only

The remote location will use RRAS to set up a PPTP VPN connection to the SBS server. That connection needs a dial-in user account that can be authenticated by the SBS server, and that account will be used ONLY for this VPN connection. Keep in mind that PPTP's MS-CHAPv2 authentication is only as strong as the password behind it, so give this account a long, random password that is used nowhere else, and prefer L2TP/IPsec when both ends support it.

  1. In Active Directory Users and Computers, expand the local domain name (in our case ComputerWorks.lan), right click the Users node, select New and then User.
  2. Fill in the First name, Last name and User logon name and click Next. For our account we create the user BranchVPN.
  3. Enter a strong password for this user, uncheck 'User must change password at next logon', check 'User cannot change password' and check 'Password never expires', then click Next. Because the password never expires, its length and randomness are the only thing protecting this entry point into the domain.
  4. This account doesn't need a mailbox, so uncheck 'Create an Exchange mailbox' and click Next.
  5. Review the settings and click Finish.
  6. The account must be allowed dial-in access. On SBS that is granted through membership of the Mobile Users group, so we add it manually: in the right pane of ADUC, right click the new user and choose Properties.
  7. Click the 'Member of' tab and click Add.
  8. In the object names box type Mobile Users and click OK.
  9. The group has been added; click OK to close the properties of this user.

Create the remote site vpn connection and add a network rule in ISA

ISA needs to know about the remote subnet so that traffic from the branch is routed into the internal SBS network and the users and computers in that subnet are treated as internal. We first create the site-to-site VPN connection (the remote site network), then the network rule, and then the firewall policy.

  1. Select the Virtual Private Networks (VPN) node and click the Remote Sites tab. In the right pane choose Add Remote Site Network.
  2. The Welcome to the New Network Wizard appears. Type the new network name; it has to be the same as the dial-in user name, BranchVPN, because ISA matches the authenticated user name of an incoming site-to-site call against its remote site network names. Click Next.
  3. Select Point-to-Point Tunneling Protocol (PPTP) and click Next.
  4. A message appears to make sure you understand that the network name has to be the same as the dial-in user; click OK.
  5. The Remote Site Gateway is the public IP of the remote site, in our example 134.134.134.134. Click Next.
  6. Even though TCP port 1723 is not open inbound at the remote site (the branch always initiates the connection), fill in the Remote Authentication credentials anyway to prevent errors in the SBS system log, then click Next.
  7. Define the IP range of the remote site, 192.168.90.0/24: click Add and type 192.168.90.0 as the starting address and 192.168.90.255 as the ending address. Click OK.
  8. The range has been added; click Next.
  9. The summary is shown; click Finish.
  10. A message says that Remote Access might need to be restarted; click OK.
  11. We are not done in ISA yet, so we do not click Apply and continue.
  12. Create the network rule that defines the relationship between the new network and the internal network: expand Configuration, Networks, select the Network Rules tab and in the right pane under Tasks choose Create a New Network Rule.
  13. The Welcome to the New Network Rule Wizard appears. Type a name like Branch to SBS and click Next.
  14. The traffic source is the remote network: click Add, expand Networks, select BranchVPN, click Add and then Close to close Add Network Entities.
  15. The source BranchVPN has been added; click Next.
  16. The destination is the Internal network: click Add, expand Networks, select Internal, click Add and then Close. Click Next.
  17. The traffic between source and destination must be routed, not NATed (the branch DC has to be reachable by its real address), so select Route and click Next.
  18. The summary shows the options we configured; click Finish.
  19. We don't need a second network rule for traffic from the SBS to the Branch, because route relationships are bidirectional in ISA: if a route relationship is defined for traffic from the Branch to the SBS, it also applies to traffic sent from the SBS to the Branch. We still don't Apply the configuration changes.

Create access rules to allow traffic to and from this network with the Firewall Policy

We need two access rules, one for traffic from the Branch Office to the SBS and one from the SBS to the Branch Office. We also need to edit the System Policy so that the protocols the SBS server itself uses towards domain members (NTP, Active Directory authentication, Firewall Client installation and Windows networking) are allowed to the remote network; these are needed when promoting the remote server to an additional domain controller.

  1. In the Firewall Policy node, in the right pane under Tasks, choose Create New Access Rule.
  2. The Welcome to the New Access Rule Wizard appears. Type a name for the access rule, e.g. Branch to SBS, and click Next.
  3. By default the rule action is Deny; change it to Allow and click Next.
  4. All outbound protocols from the Branch should be allowed, so just click Next. This treats the branch as fully trusted, which is what a domain controller there needs (promotion and replication use RPC on dynamic ports); if you tighten this rule later, make sure the Active Directory protocols keep working.
  5. The source is the BranchVPN network: click Add, expand Networks, select BranchVPN, click Add and then Close. Click Next.
  6. The destination is the Internal network: click Add, expand Networks, select Internal, click Add and Close. Click Next.
  7. Leave User Sets at the default All Users and click Next.
  8. A summary appears; click Finish.
  9. We need another rule for access from the SBS to the Branch. We can create it the same way, but we can also copy and paste the rule and then change its name and the network entities on the From and To tabs. Right click the access rule we just created and choose Copy.
  10. Right click again and choose Paste.
  11. The pasted rule has the same name with (1) added to it. Right click this rule and choose Properties.
  12. Change the name of this rule to SBS to Branch, but don't click OK yet.
  13. Select the From tab, select BranchVPN and click Remove.
  14. Click Add, expand Networks, select Internal, click Add, click Close.
  15. Select the To tab, select Internal and click Remove.
  16. Click Add, expand Networks, select BranchVPN, click Add, click Close, then click OK.
  17. Now click the Apply button at the top of the screen to apply all the changes we have made.
  18. If the changes were applied successfully, the message says so; click OK.
  19. The only thing left to do in ISA is to make sure that the Active Directory related protocols are allowed by ISA's System Policy, which governs traffic to and from the ISA server itself. In the right pane under Tasks select Edit System Policy.
  20. In the left pane, select NTP under Network Services in the Configuration Groups and select the To tab in the right pane.
  21. Only the Internal network is listed; click Add, expand Networks, select BranchVPN, click Add, click Close.
  22. Don't click OK yet, because you need to do the same for Active Directory under Authentication Services, Firewall Client Installation under Firewall Client, and Windows Networking under Diagnostic Services. When you have added the BranchVPN network to these four configuration groups, close the System Policy Editor with OK. This dialog always takes a while to close after you click OK. Then Apply the configuration changes to ISA again.
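A quick way to confirm that the access rules and System Policy changes actually let the Active Directory protocols through is a TCP connect test from the branch server to the SBS server once the site-to-site VPN is up (that is done in Part 2). The following is an added example and not part of the original article: it assumes PowerShell 2.0 on the branch server and uses 192.168.26.2 as the SBS server's internal address, which is an assumption, since the article only gives the 192.168.26.0/24 subnet.

```powershell
# Added example (not from the original article): probe the TCP ports a new DC needs on the SBS
# server through the VPN. Assumptions: PowerShell 2.0 on the branch server; the SBS internal IP
# below is a placeholder and must be replaced with the real one.
$SbsServer = "192.168.26.2"

# UDP services (DNS 53, Kerberos 88, NTP 123, NetBIOS 137/138) and the dynamic RPC ports used by
# replication are not covered by a TCP connect test, which is why the "all outbound protocols"
# access rule above matters; this check catches a forgotten network rule or System Policy entry.
$AdPorts = @{
    53 = "DNS"; 88 = "Kerberos"; 135 = "RPC endpoint mapper"; 139 = "NetBIOS session";
    389 = "LDAP"; 445 = "SMB"; 464 = "Kerberos password change"; 636 = "LDAPS"; 3268 = "Global Catalog"
}

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered/timeout
        $client.EndConnect($async)      # throws when the connection is refused or unreachable
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-DcReachability([string]$Target, [hashtable]$Ports) {
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        New-Object PSObject -Property @{ Port = $port; Service = $Ports[$port]; Open = (Test-TcpPort $Target $port) }
    }
}

Test-DcReachability $SbsServer $AdPorts | Format-Table Port, Service, Open -AutoSize
```

A port that times out rather than being refused usually means ISA dropped the packet; check the ISA log for the denied connection and which rule (or the System Policy) it hit.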

Set the Intersite Messaging service to automatic and start it and fix DCOM 10016

Because we created a new site in AD Sites and Services, the Intersite Messaging service must be set to Automatic and started. By default this service is Disabled and not running on SBS.

  1. In Services, right click the Intersite Messaging service and choose Properties.
  2. In the Startup type drop-down select Automatic and click Apply.
  3. Click Start to start the service.
  4. When the service has started, click OK.
  5. About 10 minutes after this service has started, you will notice a few Netlogon information events in the System event log. As long as there are no true errors in the event logs, you don't need to worry yet.
  6. You might see a DCOM 10016 error.
  7. The event description contains the solution, and the CLSID it lists belongs to the Netman (Network Connections Manager) component. Open Administrative Tools, Component Services and drill down to the DCOM Config node.
  8. Netman is the component we have to correct. Right click Netman and choose Properties.
  9. Select the Security tab and click Edit under Launch and Activation Permissions.
  10. NETWORK SERVICE is missing from the list; click Add.
  11. Type network service and click OK.
  12. Tick Allow for Local Activation only (that is all the event asks for; do not grant Remote Activation) and click OK.
  13. Click OK, then OK again, and close Component Services.
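The service change and the event log checks from this section can be done from the command line as well. This is an added example, not part of the original article; it assumes PowerShell 2.0 on the SBS server in an Administrator session. The DCOM permission fix itself stays a Component Services task.

```powershell
# Added example (not from the original article): set Intersite Messaging to Automatic, start it,
# and then look for the Netlogon information events and a DCOM 10016 error described above.
# Assumptions: PowerShell 2.0 on the SBS server, run as an administrator.
function Enable-IntersiteMessaging {
    # IsmServ is the service name behind the "Intersite Messaging" display name.
    # The space after "start=" is required by sc.exe.
    & sc.exe config IsmServ start= auto | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc config failed ($LASTEXITCODE)" }
    & sc.exe start IsmServ | Out-Null
    $svc = Get-Service IsmServ
    $svc.WaitForStatus("Running", (New-TimeSpan -Seconds 30))
    return $svc.Status          # expected: Running
}

function Get-SiteEvents([int]$Newest = 200) {
    # Netlogon site-coverage messages (Information) show up roughly 10 minutes after ISM starts;
    # a DCOM 10016 error points at the Netman Launch and Activation permission fix above.
    Get-EventLog -LogName System -Newest $Newest |
        Where-Object { ($_.Source -eq "NETLOGON") -or ($_.Source -eq "DCOM" -and $_.EventID -eq 10016) } |
        Select-Object TimeGenerated, Source, EventID, EntryType,
                      @{ Name = "Text"; Expression = { $_.Message.Split("`n")[0] } }
}

Enable-IntersiteMessaging
Get-SiteEvents | Format-Table -AutoSize
```

Run Get-SiteEvents again after ten minutes or so; only Error entries (as opposed to the Netlogon Information events) need attention at this stage, and a 10016 entry tells you the Netman permission still has to be corrected.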

The SBS server is now ready for a new remote Domain Controller. Part 2 of this series will describe all the steps that are needed to configure the remote server and dcpromo it into the SBS domain. Part 3 will have the finishing steps described and some fine tuning.

About www.server-essentials.com 

www.server-essentials.com was founded by Mariette Knap, a Dutch Microsoft MVP. It is a community for IT consultants, for business owners who take care of their own IT infrastructure, and for employees who do that little extra in the company to keep things running. Our forum is for discussing all things 'IT' and more. Our documentation is top notch and written by and for the community.
