Do Child DC's need unrestricted IP access to Root DC's?

"michan318" <michan***@okigeeks.net> wrote in message news:Oor8Az6qJHA.4364@TK2MSFTNGP04.phx.gbl...

Hello,

Do all child DC's need unrestricted IP access to all root DC's for AD replication to work successfully? I ask because I have a scenario in which a child DC isn't trying to replicate-in the "ForestDNS" partition from another DC in its own domain, but instead is trying to obtain it from a root DC that is protected by a firewall.

The topology consists of three AD sites/subnets, with two site-link-connectors connecting three sites supporting two domains: 1) contains root DCs, 2) contains DC1 for child domain "x", and 3) contains DC2 for child domain "x".

site1------------(Firewall/VPN)---------------site2--------------(Firewall/VPN)--------------site3
  |                                              |                                              |
RootDomain                               ChildDomain "X"                                ChildDomain "X"
  |                                              |                                              |
 DC1                                            DC1                                            DC2

Notes:
1) IP routing is not enabled at site2. Enabling IP routing "full mesh" between all sites (i.e., all DC's) is not an option.
2) Site1 can't talk to site3.
3) Site2 can talk to both sites.
4) Site3 can't talk to site1.
5) FSMO Holders
   a) RootDomain = DC1 holds all roles.
   b) ChildDomain "X" = DC2 holds all roles.
6) Every DC has a complete copy of DNS.

Questions:
1) Do all child DC's need unrestricted IP access to all root DC's for AD replication to work successfully? I was always under the assumption that that's where site-link-connectors also come in handy.
2) Shouldn't DC2 in site3 be able to replicate-in all (i.e., Schema, Configuration, ForestDNS, DomainDNS, & otherChildDomains) of its Active Directory partitions directly from DC1 in site2, which includes any partitions owned by the RootDC1, without having to contact RootDC1?

Thanks,
Michan


"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote:

Hello michan318,

All DC's in a forest should be able to replicate with each other. If you need the firewall between them, configure the firewall according to this:
http://support.microsoft.com/kb/555381
http://support.microsoft.com/kb/179442/

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb661dae78cb79cd50aa1079@msnews.microsoft.com...

Hello michan318,

Also see here about replication:
http://technet.microsoft.com/en-us/library/cc775549.aspx
http://technet.microsoft.com/en-us/library/cc755994.aspx

Best regards
Meinolf Weber


"michan318" <michan***@okigeeks.net> wrote in message news:ebjUvU7qJHA.2552@TK2MSFTNGP04.phx.gbl...

Meinolf,

Thanks for your response. I'm currently reviewing all the references for a concrete statement that states that "every DC in the Forest, regardless of what domain or site it's in, MUST have IP (over the AD required ports) connectivity to every other DC in order for AD replication to function." Everything that I've read up to this point seems to only imply it or just say to use site-link-connectors when you need to only allow replication between two DC's because of hardware-firewall requirements. Also, note that my issue is specially with child-domains requiring access back to the rootdomain.

We also support multi-domain/site Forests with unrestricted IP access without any issues, so I have some experience with the concepts, but this specific scenario with the hardware-firewalls at each site is kicking our butts. We're pretty sure we need the unrestricted IP access between all the DC's in the Forest, yet our "Experts" back at HQ's are confident about not needing the unrestricted IP access, as long as we limit AD replication using the Site-Link-Connectors based topology I mentioned.

I hope I've painted a clear enough picture, but if not, please let me know.

Thanks,
Michan


In news:ebjUvU7qJHA.2552@TK2MSFTNGP04.phx.gbl, michan318 <michan***@okigeeks.net>, posted the following:
> Thanks for your response. I'm currently reviewing all the references for a concrete statement [...]

Hello Michan,

As you've read the links Meinolf provided, there must be complete unrestricted access between DCs in a forest. In summary, there are about 29 ports that need to be opened and available, including the ephemeral Windows response ports (UDP 1024-5000). This is extra work to try to configure all the ports between DCs, and which clients will also need to communicate with AD. I've seen some customers try to restrict ports to only find AD replication fails. Sometimes the best thing, instead of trying to put in all of these rules to make it work, is to simply leave unrestricted traffic between the DCs. After all, it is all internal company private network traffic anyway, so why would you want to restrict ports?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.


"Jorge Silva" <jorgesilva***@hotmail.com> wrote in message news:9E6A79EC-3AF0-46C7-838F-EF18B21C48AD@microsoft.com...

Hi

The DCs need connectivity to the DCs that are defined as replication partners in ADSS. Those COs are defined according to your ADSS configuration (IP site link, bridge all site links, etc...). The problem may appear when one or more partners defined on those COs are down and the topology needs to be rewritten, "probably to a partner" that is protected by a FW. Another thing to consider is the FRS for SYSVOL that had some problems (IIRC) in those scenarios. There are some ways to force COs or create additional configurations to pass those scenarios. Check Microsoft's documentation about Active Directory Replication over Firewalls, Google it.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services


"Jorge Silva" <jorgesilva***@hotmail.com> wrote:

Before starting to consider making your FW a cheese, have a look at:
http://technet.microsoft.com/en-us/library/bb727063.aspx

--
Jorge Silva
MVP Directory Services


"Isaac Oben [MCITP:EA, MCSE]" <isaac.oben@nospam.gmail.com> wrote in message news:eH4yjWDrJHA.3848@TK2MSFTNGP02.phx.gbl...

Hello Michan318,

I am not an expert, but see inline for my suggested response.

> Do all child DC's need unrestricted IP access to all root DC's for AD replication to work successfully?

Not necessarily.

> I ask because I have a scenario in which a child DC isn't trying to replicate-in the "ForestDNS" partition from another DC in its own domain, but instead is trying to obtain it from a root DC that is protected by a firewall.

Configure proper site links, disable Intersite topology generator (istg) and configure replication manually.

> 1) Do all child DC's need unrestricted IP access to all root DC's for AD replication to work successfully? I was always under the assumption that that's where site-link-connectors also come in handy.

Not necessarily.

> 2) Shouldn't DC2 in site3 be able to replicate-in all (i.e., Schema, Configuration, ForestDNS, DomainDNS, & otherChildDomains) of its Active Directory partitions directly from DC1 in site2, which includes any partitions owned by the RootDC1, without having to contact RootDC1?

Yes, if you configure proper site links [site1 <-> site2 and site2 <-> site3], disable Intersite topology generator (istg) and configure replication manually. May also want to make DC1 in site 2 a GC? The only problem I may foresee is that there wouldn't be any transitive route between site1 and site3, thus if DC1 in site2 goes down or bad network then you might have a problem.


"michan318" <michan***@okigeeks.net> wrote in message news:%23MZayzHrJHA.1492@TK2MSFTNGP03.phx.gbl...

Thanks to everyone who's responded. With your input I'll continue working the issue behind the scenes.


"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastn***@hotmail.com> wrote in message news:u9P73EIrJHA.4592@TK2MSFTNGP06.phx.gbl...

In news:%23MZayzHrJHA.1492@TK2MSFTNGP03.phx.gbl, michan318 <michan***@okigeeks.net>, posted the following:
> Thanks to everyone who's responded. With your input I'll continue working the issue behind the scenes.

You are welcome. Let us know how you make out.


"michan318" <michan***@okigeeks.net> wrote:

Will do.
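The answers above reduce to two checks a practitioner can run before deciding how many holes to punch in the firewall: which DCs are actually this DC's inbound replication partners according to the connection objects in Sites and Services (Jorge's point), whether the fixed AD ports are reachable to each of those partners (the port list Ace and KB 179442 refer to), and whether automatic inter-site topology generation is switched off for the site so the KCC cannot later replace a manual connection with one that points through the firewall (Isaac's suggestion). The PowerShell script below is an added example written for this page, not code from any poster in the thread. It assumes the ActiveDirectory RSAT module and Test-NetConnection are available (Windows Server 2012 or later, so newer than the 2003-era thread), that it runs as an account that can read the Configuration partition, and that the DC name 'DC2' and the port table are placeholders to adjust. It only probes fixed TCP ports; the RPC dynamic range negotiated through port 135 and the UDP side of DNS and Kerberos are not tested, which is exactly the part that makes "just open the ports" harder than it sounds.

```powershell
# Added example (not from any post in this thread). For one DC, list the
# inbound replication partners defined by its connection objects, test the
# fixed AD TCP ports to each partner, and report whether the KCC's inter-site
# topology generation is disabled for that DC's site.
# Assumes: ActiveDirectory module (RSAT), Test-NetConnection (Windows 2012+),
# read access to the Configuration partition. Names below are placeholders.
param(
    [string]$DestinationDc = 'DC2'   # placeholder: the DC whose inbound partners to check
)
Import-Module ActiveDirectory

# Fixed TCP ports DC-to-DC replication and authentication rely on (KB 179442
# lists the complete set). The RPC dynamic range negotiated via port 135
# (1024-5000 on Windows 2003, 49152-65535 on 2008 and later) is not probed.
$FixedTcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
}

$dest = Get-ADDomainController -Identity $DestinationDc
$cfg  = $dest.HostName   # any DC can answer for the Configuration partition

# Connection objects live under the destination's NTDS Settings object;
# ReplicateToDirectoryServer is that DN, so filter on it client-side.
$inbound = Get-ADReplicationConnection -Filter * -Server $cfg |
    Where-Object { $_.ReplicateToDirectoryServer -eq $dest.NTDSSettingsObjectDN }

if (-not $inbound) {
    Write-Warning "No inbound connection objects found for $($dest.HostName)."
}

foreach ($conn in $inbound) {
    # The source is an NTDS Settings DN; its parent server object carries the
    # partner's dNSHostName attribute.
    $serverDn = $conn.ReplicateFromDirectoryServer -replace '^CN=NTDS Settings,', ''
    $partner  = (Get-ADObject -Identity $serverDn -Properties dNSHostName -Server $cfg).dNSHostName
    $origin   = if ($conn.AutoGenerated) { 'KCC-generated' } else { 'manual' }

    "Connection '{0}' ({1}): {2} -> {3}" -f $conn.Name, $origin, $partner, $dest.HostName
    foreach ($port in $FixedTcpPorts.Keys) {
        # TCP connect test only; a firewall that drops silently shows as BLOCKED
        $open = Test-NetConnection -ComputerName $partner -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        "  {0,5}/tcp {1,-26} {2}" -f $port, $FixedTcpPorts[$port],
            $(if ($open) { 'open' } else { 'BLOCKED' })
    }
}

# Bit 0x10 of the NTDS Site Settings 'options' attribute is
# NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED (MS-ADTS). When set,
# the ISTG stops generating inter-site connection objects for the site, so a
# manually created connection is not replaced by one routed through the FW.
# "repadmin /siteoptions <site> +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED" sets it.
$configNc = (Get-ADRootDSE -Server $cfg).configurationNamingContext
$siteDn   = "CN=NTDS Site Settings,CN=$($dest.Site),CN=Sites,$configNc"
$siteOpts = [int](Get-ADObject -Identity $siteDn -Properties options -Server $cfg).options
$istgOff  = [bool]($siteOpts -band 0x10)
"Site '{0}': inter-site auto topology {1} (options=0x{2:X})" -f $dest.Site,
    $(if ($istgOff) { 'DISABLED' } else { 'enabled' }), $siteOpts
```

Run it against each DC in turn (DC1 in site2 and DC2 in site3 in the topology above). A manual connection from DC1/site2 to DC2/site3 that shows every fixed port open, together with "inter-site auto topology DISABLED" for both sites, is the configuration Isaac describes; a KCC-generated connection whose partner shows BLOCKED on 135 or 389 is the symptom the original question reports, where the ISTG has chosen a root DC behind the firewall as a source.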