How to add an additional Domain Controller from a remote office to the SBS domain - Part 2

By Marina Roos
Tags: branch office, rras vpn

In the first article of the series "How to add an additional Domain Controller from a remote office to the SBS domain" we configured the SBS server and prepared it for a new additional domain controller. In this second article we will configure the Windows 2003 server that is located at the remote office so it can be joined to the SBS domain and promoted.

TERMS

This document and what comes with it are provided as-is with a blunt warning: use at your own risk, buyer beware. You break your system; you own the resolution as well. We have no liability for what you do, can't do, or fail to do with this information. Your only protection is to start over again from a protected backup or a protected system. If you don't want to accept this, please don't use this document.

We want the new server to run DHCP, WINS and DNS, so these services will be added first. We will configure RRAS so it has a persistent VPN connection to the SBS network. DCPROMO will be run so the server becomes an additional Domain Controller in the SBS domain. We will then correct the network adapter configuration, configure the DHCP server and correct the DNS server. Finally we will check that replication has completed and enable Remote Desktop so we can RDP to this new Domain Controller from within the SBS network. The third article will cover the finishing steps needed to complete the remote office setup; these steps are different for the SBS server and the additional Domain Controller.

I would like to thank Brian Desmond, Directory Services MVP, for his valuable additions, in particular about DHCP event 1056 and adding the new subnet in Active Directory Sites and Services (part 1).

Add the DHCP, WINS and DNS services

Because the remote server will act as DHCP, WINS and DNS server for the clients in the remote office, we add these services first. Start from Control Panel, Add/Remove Programs, Add Windows Components, select Networking Services and choose Details. Check DHCP, DNS and WINS and click OK. You will be returned to the previous screen, where Networking Services now has a gray check mark. Click Next. If files are needed from the Windows 2003 CD (which is the case when installing the WINS service), it will ask for them; point to the right location and click OK. When all files are installed, the message shows that the Windows Components wizard has completed successfully. Click Finish and close Add/Remove Programs. We don't configure anything yet; that waits until after dcpromo has run.

Configure RRAS

We want to set up a persistent PPTP VPN connection to the SBS server. This is done in the RRAS node. In our case we are using two network adapters, but it can be done with one network adapter too.

From Administrative Tools select Routing and Remote Access. Right click the server name and select Configure and Enable Routing and Remote Access. The wizard appears; click Next. In the Configuration screen, select "Secure connection between two private networks" and click Next. In the Demand-Dial Connections screen confirm the default Yes and click Next. In the IP Addresses screen you decide whether to use the DHCP server or static IP addresses for the remote clients.
Note: even if you don't use the Branchoffice server as a RAS server, you still have to have an IP for the dial-in server that the wizard creates. We will use the DHCP server to assign IP addresses. Click Next. A summary of the choices appears, as well as the message that the next wizard will start automagically to create the Demand-Dial interface. Click Finish.

The Demand-Dial Interface wizard appears; click Next. The Demand-Dial interface needs a name; by default it suggests Remote Router. You can change that to whatever you want, then click Next. In the Connection Type screen confirm the default VPN connection and click Next. The VPN Type screen has Automatic selected by default, but we change that to PPTP and click Next. The Destination Address is the public IP or FQDN of the SBS server; in this example we use 213.213.213.213 and click Next. The Protocols and Security screen by default only has the first option checked. As we don't want to use the Branchoffice server as a RAS server, and thus don't have port 1723 inbound open on the firewall, we leave it as it is and click Next. In the Static Routes screen we need to add the SBS IP range, so click the Add button. The internal network IP range of the SBS server is in our case 192.168.26.0 with network mask 255.255.255.0, so we fill that in and click OK. The static route has been added, so click Next. We need to fill in the Dial-Out credentials. On the SBS server we have already created a special user BranchVPN for this, which only has dial-in rights. After filling in these details, click Next. The Completing Demand-Dial Interface wizard screen appears; click Finish.

Notice that RRAS has started and that the new interface Remote Router has appeared in Network Interfaces, next to 4 other interfaces which were put there by the RRAS wizard:

External is the external nic of the server.
Local Area Connection is the internal nic of the server.
Internal is the RAS server connection.
Loopback is always created and uses the 127.0.0.1 IP.

In the Ports node you will see that 5 PPTP and 5 L2TP VPN ports have been created, as well as the PPPoE and LPT1 ports that can be deleted later. In IP Routing, General we see the status of all 5 interfaces: the Remote Router is not active yet, so it has no IP address; Loopback always has the 127.0.0.1 IP; the Local Area Connection is our internal nic, IP 192.168.90.5; as there is no VPN connection yet, the Internal interface has no IP yet; the External nic has IP 10.10.1.60. Static Routes shows the route we created.

If you want to change the RAS dial-in server from DHCP to static, or the other way around, you can do that by right clicking the RAS server Branchoffice (local) and choosing Properties. The first tab, General, shows that our server is NOT a RAS server. The IP tab shows that we want the DHCP server to take care of assigning addresses, and it also shows which adapter RAS should use. We need to change that last option and make sure the internal server nic is selected: click the drop-down and select Local Area Connection. The Logging tab by default only has "Log errors and warnings" selected. Select "Log all events", as that writes an event to the System log every time a VPN connection is made or disconnected, and also logs the status of the nics. Then click OK.

As we don't need that many VPN ports, we will change that.
Right click the Ports node and choose Properties. The first port we don't need is the WAN Miniport (PPPOE), so click Configure, uncheck "Demand-dial routing connections" and click OK. Select the WAN Miniport (PPTP) and click Configure. Change the Maximum ports from 5 to 1 (because the Branchoffice server is not acting as a RAS server for clients) and click OK; a pop-up warns about the consequences of decreasing the ports, click Yes to confirm. Select the WAN Miniport (L2TP) and click Configure. Uncheck "Demand-dial routing connections", decrease the ports from 5 to 0 and click OK; confirm the warning about decreasing the ports with Yes. The Direct Parallel port is also not needed, so click Configure, uncheck "Demand-dial routing connections" and click OK. When the result looks right, click OK.

Connect the Branchoffice server to the SBS network and make the VPN persistent

By default a newly installed Windows 2003 server has the Windows Firewall service enabled and running. This service is disabled by default on a freshly installed SBS 2003 server, and we will have to disable and stop it on our Branchoffice server before we continue with the next steps. Open the Services applet from Administrative Tools, double click the Windows Firewall service, set the Startup type to Disabled and click the Stop button. Click OK and close the Services applet.

We will first test whether our VPN connection works and then change it to persistent. In Network Interfaces right click the Remote Router interface and choose Connect. If the connection is successful, the Connection State shows Connected.

Now we make this connection persistent. Right click the Remote Router interface, choose Properties and select the Options tab. Change the Connection type from "Demand dial" to "Persistent connection" and change the Redial attempts to 3 (or more). The redial interval can be changed too.
Keep in mind that when the SBS server is rebooted, it takes some minutes before it is up again and the VPN connection can be established. Whenever the internet connection on either site fails, the remote server will only try to redial as many times as you have set the redial attempts to. When you click OK, a message pops up; click OK. When you right click the Remote Router interface you can Disconnect and Connect, after which the connection should have the new settings applied. In the System log you might see the DCOM 10016 error; the solution is the same as described in the last chapter of Part 1 of this series.

When the VPN connection is up, you should see the Connection State showing Connected on the SBS server in the Network Interfaces node of RRAS. The VPN connection from the Branchoffice should NOT show in the Remote Access Clients node; the interface BranchVPN should show as Connected in the Network Interfaces node. If you do see a client BranchVPN connected in the Remote Access Clients node, something is very wrong and you need to go back to Part 1 of this series to check where you went wrong. You CAN'T continue with the next chapter unless the VPN connection is truly a site-to-site connection with a Demand-dial network interface.

DCPROMO the Branchoffice server

LAST WARNING!! Do not continue unless the VPN connection between the Branchoffice server and the SBS server is truly a site-to-site connection with a Demand-dial network interface, as checked at the end of the previous chapter: the BranchVPN interface shows Connected in the Network Interfaces node on the SBS server and does NOT appear as a client in the Remote Access Clients node. If it does show as a client, go back to Part 1 to check where you went wrong.

When you have a stable VPN connection into the SBS network, we can start DCPROMO to join this server to the SBS domain and make it an additional domain controller.

Note: if the new server is an R2 server, make sure you have run adprep on the SBS server to update the forest to the R2 schema. Part 1 of this series has the link to the article on how to run adprep.

From the command prompt type dcpromo. This starts the Active Directory Installation wizard; click Next. A message about operating system compatibility appears; click Next. By default "Domain controller for a new domain" is selected, but we want this server added to an existing domain, so select the second option and click Next. We have to provide the domain administrator's credentials. Note that you have to type the local domain name here (in our case .lan); then click Next. The wizard needs to know the domain name, so click Browse. It finds the right domain; select it and click OK. The domain name is filled in, click Next. Leave the locations for the Database and logs at the default and click Next. Leave the location for the Shared System Volume at the default and click Next. Provide the Directory Services Restore Mode password, which can be different from the domain administrator password, and click Next. Note: keep this password in a safe place, as it is your only way to get access to the server if you ever need to start in Directory Services Restore Mode. A summary of the choices appears; click Next. The Active Directory Installation wizard now starts: it changes the domain membership of the server, replicates the schema directory partition, replicates the domain directory partition, and assigns the server to Default-First-Site-Name.
After at least five minutes the wizard completes and you can click Finish. Note that it has put the new DC into Default-First-Site-Name. A message appears that the server needs to reboot, so click Restart Now. Note that it can take a while before the new DC has restarted completely; "Preparing network connections" might take some time. This is expected, as we haven't configured the network adapters properly yet and the DNS server is running now as well. The login screen shows the domain field, which in our case shows the COMPUTERWORKS domain. After the reboot the replication still has to complete, as Shares does not show the Sysvol and Netlogon shares yet. In the meantime we finish the configuration by correcting the network adapters, configuring the DHCP server and correcting the DNS server. Somewhere during this process Shares will show the Sysvol and Netlogon shares, which tells us that the DC replication has finished successfully.

Configure the network adapter(s)

The internal server nic needs to point to itself for DNS and WINS. In Network Connections right click the Local Area Connection (our internal server nic) and choose Properties. Click the Advanced button and select the DNS tab. "Register this connection's addresses in DNS" is not checked yet; check it and select the WINS tab next. Make sure that NetBIOS over TCP/IP is enabled, click Add to add the server IP 192.168.90.5 as the WINS address, and click OK twice to get out of this adapter.

Right click the External nic and choose Properties. Make sure that only Internet Protocol is checked, so uncheck the others if they are checked. Select the Internet Protocol (TCP/IP) entry and click Properties. Add the internal server IP as the DNS entry, then click Advanced. Select the WINS tab and make sure that no WINS address is listed and that NetBIOS over TCP/IP is set to Disabled. OK out of this network adapter. In Network Connections select the Advanced menu, Advanced Settings, and make sure that the internal nic is on top in the binding order. Close Network Connections.

Configure DHCP Server

We have only added the DHCP server, not configured it yet. From Administrative Tools, select DHCP. Right click the Branchoffice server and choose New Scope. The New Scope wizard appears; click Next. Type a name and a description for this scope and click Next. Type the starting and ending IPs for this range; the wizard automatically fills in the proper length and subnet mask, then click Next. We want IPs 192.168.90.1 to 192.168.90.20 excluded from being assigned to clients: fill them in, click Add, then click Next. We leave the lease duration at the default 8 days, so click Next. We want to configure the options, so click Next. Because we are using 2 nics in the Branchoffice server, the router IP needs to point to the internal server IP: fill in 192.168.90.5, click Add, then click Next. Type the local AD domain name and the server name and click Resolve. The IP 192.168.90.5 is resolved; click Add to add it as the DNS server option, then click Next. The Branchoffice server is also running WINS, so type the 192.168.90.5 IP, click Add, then click Next. Click Next to activate the scope now. The DHCP scope wizard has finished; click Finish.

The DHCP server also needs credentials. The first time the DHCP Server service starts, you will see event 1056 in the event log, which also describes the solution. The 1056 event is only a warning. You can simply ignore it or use a normal user account as the DNS dynamic update registration credentials (see Installing Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) on a Domain Controller).
For this article I created an ordinary user (DHCPUser) in Active Directory Users and Computers with a strong password. The password won't expire and the user is only a member of the Domain Users group. For extra security you can deny this user VPN dial-in and Terminal Services logon. The second option in the description of event 1056 is done by right clicking the Branchoffice DHCP server and choosing Properties. The Advanced tab has the Credentials button; select it, type the credentials this service should use and click OK. We also need to correct the Bindings option on the Advanced tab, so click the Bindings button, where we see that both nics are checked. Uncheck the external nic IP and click OK. Then click the DNS tab of the DHCP server properties, which by default has the first two options checked. Uncheck both options, then click OK to close the DHCP server properties.

We still need to authorize the DHCP server: with the server name selected, choose Authorize from the Action menu. You might need to hit F5 to refresh a few times, but then the DHCP server should be running and show the green check mark. The Scope Options are all defined like they should be. The remote office clients also need to know the IP of the SBS server: right click the 006 DNS Servers option in the right pane and choose Properties. Type the server name of the SBS server and click Resolve. It gives the 192.168.26.2 IP; click Add to add it to this option. Move the SBS IP up so it is the first DNS server, then click OK. Close the DHCP MMC.

Correct DNS Server

The DCPROMO process has already configured the DNS server for us. There are a few things that need to be corrected though. From Administrative Tools, choose DNS. Right click the DNS server name and choose Properties. The Interfaces tab is configured to listen on all IPs.
We want it to listen on the internal server IP only: select the radio button "Only the following IP addresses" and remove all addresses except the internal server IP 192.168.90.5. The Forwarders tab is empty, but it needs the DNS addresses of the ISP of the internet connection: fill in the ISP DNS addresses, click Add, then click OK. The DNS server can be restarted with a right click on the Branchoffice DNS server, All Tasks, Restart. Then the DNS MMC can be closed.

Global Catalog Server, move to the remote site, check replication and enable Remote Desktop

The replication should have completed by now. The shares Sysvol and Netlogon should have appeared automagically, you should have event 1404 in the Directory Service event log, you should have event 13516 in the File Replication Service event log, and there should be no Userenv errors in the Application log. If you don't see the Netlogon and Sysvol shares and you don't have the 1404 and 13516 events, something is wrong and you need to review your steps. Check that the VPN connection is right and that all network settings are configured properly. Double check that the Windows Firewall service on the Branchoffice server is set to Disabled and NOT running.

If everything looks fine and there are no errors, we finish the configuration in AD Sites and Services by making the Branchoffice server a Global Catalog server and moving it to the remote site. From Administrative Tools, open Active Directory Sites and Services. Drill down Sites, Default-First-Site-Name, Servers, Branchoffice, right click NTDS Settings and choose Properties. Check the Global Catalog box and click OK.

Now we move the Branchoffice server to the RemoteBranchOffice site. Right click the Branchoffice server and choose Move. Select the RemoteBranchOffice site and click OK. To check that replication is still working, drill down in the RemoteBranchOffice site, Servers, Branchoffice, NTDS Settings, right click the connection in the right pane and choose Replicate Now. A message shows; click OK. After the move of the Branchoffice server to the RemoteBranchOffice site, you will see events on the SBS server in the System log: 5787, 5785 and 5793 (twice).

If we want to be able to RDP to this server from the SBS network, we need to enable that. Right click My Computer (or Control Panel, System), select the Remote tab and check the Remote Desktop box. Then click OK. If you open Network Neighborhood on the Branchoffice server, you will see the SBS server and its clients.

Let's reboot the Branchoffice server to do a last check and see if all is well. It should get to the login screen a lot faster now. You will always get a Netlogon warning in the System log (event 3096) and some W32Time errors on the remote DC, because it can't find the Primary Domain Controller; this makes sense, as the VPN connection isn't up yet at that point. The File Replication Service event log should show events 13501 and 13516, which means the replication has worked and the DC is a true DC.

Make sure that the Branchoffice server syncs its time with the SBS server by issuing the following commands just once:

Net time /setsntp:sbs2k3test (replace sbs2k3test with your SBS server name)
W32tm /resync

In Part 3 of this series we will fine-tune both servers and do some additional configuring in IIS and the Group Policies.
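The checks this last chapter walks through by hand (Sysvol and Netlogon shares, events 1404/13516/13501, no Userenv errors, the Windows Firewall service stopped and disabled, DNS listening on the internal IP only with forwarders set, Remote Desktop enabled, time source set) as one script. This is an added example and not part of the original article; it assumes PowerShell 2.0 is installed on the Windows 2003 Branchoffice server and runs locally as a domain administrator, and the service name (SharedAccess), registry paths and event log names are the standard Windows 2003 locations rather than values from the article.

```powershell
# Post-DCPROMO health check for the Branchoffice DC. Added example, not part of
# the original article. Assumes PowerShell 2.0 on the Windows 2003 branch server,
# run locally as a domain administrator. IPs and event IDs come from the article;
# service, registry and log names are the standard Windows 2003 locations.

$internalIp = '192.168.90.5'   # internal nic of the Branchoffice server
$results    = @()

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# 1. Sysvol and Netlogon shares are the sign that initial replication finished.
$shares = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name.ToUpper() })
Add-Check 'SYSVOL share'   ($shares -contains 'SYSVOL')   ($shares -join ',')
Add-Check 'NETLOGON share' ($shares -contains 'NETLOGON') ($shares -join ',')

# 2. The events the article expects once replication has completed.
function Test-Event([string]$Log, [int]$Id) {
    $hits = @(Get-EventLog -LogName $Log -Newest 2000 | Where-Object { $_.EventID -eq $Id })
    return ($hits.Count -gt 0)
}
Add-Check 'DS event 1404'   (Test-Event 'Directory Service' 1404) ''
Add-Check 'FRS event 13516' (Test-Event 'File Replication Service' 13516) ''
Add-Check 'FRS event 13501' (Test-Event 'File Replication Service' 13501) ''

# 3. No Userenv errors (Group Policy processing) in the Application log.
$userenv = @(Get-EventLog -LogName Application -EntryType Error -Newest 2000 |
             Where-Object { $_.Source -eq 'Userenv' })
Add-Check 'No Userenv errors' ($userenv.Count -eq 0) "$($userenv.Count) found"

# 4. Windows Firewall service (service name SharedAccess on 2003) disabled and stopped.
$fw = Get-WmiObject Win32_Service -Filter "Name='SharedAccess'"
Add-Check 'Windows Firewall off' ($fw.StartMode -eq 'Disabled' -and $fw.State -eq 'Stopped') `
          "$($fw.StartMode)/$($fw.State)"

# 5. DNS server listens on the internal IP only and has ISP forwarders.
$dns     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$listen  = @($dns.ListenAddresses | Where-Object { $_ })   # empty list = listens on all IPs
$forward = @($dns.Forwarders | Where-Object { $_ })
Add-Check 'DNS listens on internal IP only' ($listen.Count -eq 1 -and $listen[0] -eq $internalIp) ($listen -join ',')
Add-Check 'DNS forwarders set' ($forward.Count -gt 0) ($forward -join ',')

# 6. Remote Desktop enabled (fDenyTSConnections = 0).
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Add-Check 'Remote Desktop enabled' ($ts.fDenyTSConnections -eq 0) "fDenyTSConnections=$($ts.fDenyTSConnections)"

# 7. Time source set (net time /setsntp writes the NtpServer value here).
$ntp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').NtpServer
Add-Check 'NTP server set' (-not [string]::IsNullOrEmpty($ntp)) "$ntp"

$results | Format-Table Check, OK, Detail -AutoSize
if (@($results | Where-Object { -not $_.OK }).Count -gt 0) { exit 1 }   # non-zero exit if any check failed
```

Run it after the final reboot, once the VPN to the SBS server is up again; a failed row points at the chapter whose steps need reviewing.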