Inter-server communication

Paul Kinyanjui

Hi Guys,
How is it possible to have two physical servers (ideally one user account on two servers) in different locations under the same domain communicating without conflict? The issue at hand is: I have a user account that is registered under one server's AD. Then I set up a different user under a new server's AD (the new server), and now when the user is closer to the old server, a conflict message appears on the user's desktop.
How can I go about this? Do I need to create an OU in the old server or permanently delete the old user account from the old server?

PS: The user account has been added to both domains, but the two servers have different IPs.
 
What is the exact error they are getting? When someone logs into an AD Domain, they select the domain they log into (DomainName/Username), it's not a physical presence thing as long as they can route traffic to/from the domain they have selected, and their computer is a member of the selected domain.

If you have a single domain, you need to make sure the domain controllers can talk to each other and are replicating to each other. If you make a change on one DC (whether that's usernames, GPOs, or DNS entries), it should replicate within a few minutes to the other DC. You should never have a single domain where there are two controllers that aren't replicating to each other; you will get some really strange crap happening.
 
The error I get is that Windows needs to check your credentials. How does one ensure that the two domain controllers are replicating? Would the use of Veeam Backup and Replication software allow me to achieve this? I only have a trial version at best at the moment. Please advise on an alternative you would use to ensure this works.
 
When you set up the second domain controller, did you tell it to join a forest? Or did you mistakenly create a new forest? It sounds like you are using the same domain name, but two different forests? I am going to assume that these are two separate networks, yes?

You are going to need to do a few things, especially if the domain controllers are hosted behind different WAN connections... I am not 100% positive, but, the following is what I would do... Never had a need to connect multiple networks under one domain over a WAN...

1: Create a VPN between both physical networks, and routing rules on your network routers so that the domain controllers can talk to one another, and so that domain connected devices can talk to either of the controllers. Make sure, 100%, that the Domain Controllers can talk to one another, a simple ping should be enough to see if they are talking.
2: Back up the secondary domain controller, and note all the users, policies, etc.
3: Setup a NEW secondary domain controller, set it up and have it join the primary domain forest. Do not create a new forest. Pretty sure you can just remove the role and reinstall it and create a new setup.
4: Make sure replication is working by checking the secondary domain controller's users and GPOs to see if it pulled them from the primary controller.
5: Once replication starts, you can add users and policies on the primary, if needed you can create separate User/Computer Groups if policies at the two locations are different.
6: Have each network look at either of the Domain Controllers (that's the purpose of having more than one Domain Controller in a Domain), but setup DHCP so that each network is only sending queries to the local DC DNS, this would reduce load on the VPN side.
7: Make 100% sure that no Hostname is used more than once on the entire infrastructure. If you use fileserver.domainXYZ.local on Site One, do not use fileserver.domainXYZ.local on Site Two, otherwise DNS will replicate that between both controllers, and you will run into some strange, annoying, and time consuming headaches.

This should allow users that travel between both sites the ability to log into either site and not get an authentication issue, and to also use work laptops between both sites without login issues.

Veeam wouldn't be of use for this, this is purely a network, and server configuration issue... If you can't create a VPN between the two networks so that they can communicate with one another, I think your only other option is to use something like Azure Active Directory, but I am unsure on that. If none of those options are viable, use a different domain name for each network, and login to each domain separately when at the specific location. For example, at the first location use yourdomain01.local and at the second location use yourdomain02.local and instruct users with machines that travel between locations on how to log into that specific locations domain.

Note that if you use a VPN to connect the two networks, the link between them needs to be rather decent, and routers at both ends need to be able to support a fair amount of traffic.
 
When you set up the second domain controller, did you tell it to join a forest? Or did you mistakenly create a new forest? It sounds like you are using the same domain name, but two different forests? I am going to assume that these are two separate networks, yes?
Can bet money this is it. 2 different areas, 2 different DCs, and different forests with the same domain name and probably FQDN.
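The two checks the replies above keep coming back to (step 4, "make sure replication is working", and the "same domain name, two different forests" diagnosis) can be done from one PowerShell session with the RSAT ActiveDirectory module. This is an added example, not code from anyone in this thread; the DC hostnames dcA/dcB and the domainXYZ.local suffix are placeholders. Two separate forests that happen to share a DNS name will still have different domain SIDs, which is what the first check compares.

```powershell
# Added example: confirm whether dcA and dcB are one forest and whether they replicate.
# Assumes the ActiveDirectory RSAT module and an account that can query both DCs.
Import-Module ActiveDirectory

$dcs = @('dcA.domainXYZ.local', 'dcB.domainXYZ.local')   # placeholder hostnames

# Step 1 from the thread: can we even reach each DC on LDAP across the VPN?
foreach ($dc in $dcs) {
    $ok = (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("{0,-28} LDAP reachable: {1}" -f $dc, $ok)
}

# Forest identity as seen from each DC. Same domain name but different
# DomainSID / forest root means dcB was promoted into a brand-new forest.
$identity = foreach ($dc in $dcs) {
    $domain = Get-ADDomain -Server $dc
    $forest = Get-ADForest -Server $dc
    [pscustomobject]@{
        AskedDC      = $dc
        DomainSID    = $domain.DomainSID.Value
        ForestRoot   = $forest.RootDomain
        SchemaMaster = $forest.SchemaMaster
        # DCs this server knows about; the thread's symptom is A listing both, B listing only A
        KnownDCs     = (Get-ADDomainController -Filter * -Server $dc).HostName -join ', '
    }
}
$identity | Format-Table -AutoSize

if (($identity.DomainSID | Select-Object -Unique).Count -gt 1) {
    Write-Warning 'Different domain SIDs: these are two separate forests, not two DCs of one domain.'
    Write-Warning 'Replication cannot be repaired; dcB has to be demoted and re-promoted into the existing forest (step 3).'
    return
}

# Only meaningful once both DCs are in the same forest: replication partners and failures.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -Scope Server |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
    Get-ADReplicationFailure -Target $dc
}
# Without the module, the same view comes from: repadmin /showrepl dcB.domainXYZ.local ; repadmin /replsummary
```

A non-zero LastReplicationResult or a growing ConsecutiveReplicationFailures on either side is the "two controllers that aren't replicating" situation the earlier reply warns about.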
 
Thanks so much for this. Allow me to point out a few things based on my assessment. For the sake of this thread, we shall call the old/main server, A while the new one shall be server B.
1. Unfortunately, I am not able to create a VPN on B because I am still waiting for some information from the ISP critical to the setup of the VPN. I am however able to create a VPN and connect to the VPN on B. Once connected, I can successfully ping A from the VPN connection. Until I have this info therefore, I will be stuck here for a while.
2. While setting up DC B, I remember creating a new forest and then joining the already existing domain. I am not sure what the effect of removing the role and then setting it up afresh would be, since I already have users connected to the server and actively making use of the resource.
3. On Server A under the domain controllers list, the two DCs are visible but when I check on the B, the domain controllers lists only the server A on it.
This is now my current situation. I will need some time in order to try out your suggestions.

Much appreciated.
 
On your second point, you would basically have to go through your infrastructure on side B and disjoin the domain, and rejoin it, for each and every machine. If you have management software (Acronis, or similar) that lets you remotely reimage your computers, it would be a rather simple overnight task you could run. However, all users would have to know to back up any and all of their data that's stored on their computer. Also, any file servers or other servers that are domain joined on B would need to be rejoined in a similar fashion... This isn't a simple or easy fix, sadly... The best solution for now is to have a unique user account at both sites for any employee that travels between the two, until you have the resources and time to execute any plans/steps you would partake in.
 
This has really been helpful. I believe I have cleared so many doubts with your counsel and will be moving forward with a clearer plan of action. I still have another server waiting to rejoin the main domain (call it server C), but I am positive I will be able to establish a VPN from there for a start. Then I just have to follow these guidelines. I should be able to report on the progress as soon as I am done.
 