When you work in a multinational corporation and therefore have offices in multiple countries, it's highly likely that you are deploying an Active Directory infrastructure with domain controllers spread across multiple countries.
When looking for how to create an Active Directory multi-site infrastructure on Google, you only find tutorials that show you how to configure Active Directory subnets and sites through the "Active Directory Sites and Services" console.
But none of them tell you how to link the different domain controllers even though they are physically in different countries.
In this tutorial, we will therefore show you step by step a technique to create a multi-site Active Directory infrastructure by connecting the different sites with VPN gateways configurable on Windows Server.
The use of these software VPN gateways is obviously an example (usable by all), but you can also use physical VPN devices available for the professional world.
Important : if you have never configured VPN gateways on Windows Server, we recommend that you first take a look at our tutorial : Routing and VPN gateways on Windows Server 2012
Thanks to this tutorial, you will have the basics necessary to understand the tutorial below.
As explained in a previous article, the Active Directory replication topology is managed by the KCC service present on each domain controller.
By default, because all of your domain controllers are in the same Active Directory site, the KCC service considers them to be in the same physical location (for example : your company building).
In order for the KCC service to adapt the replication topology and replicate the data at an appropriate time (for example : at night), you must tell Active Directory in a logical way how your servers are physically located.
What is possible thanks to this notion of Active Directory sites.
The configuration of Active Directory sites is therefore essential in this type of Active Directory infrastructure, because it influences the way in which the data replication will be carried out between your different domain controllers.
When you want to deploy a multisite Active Directory infrastructure, it's recommended to :
For this tutorial, we are going to create an Active Directory infrastructure step by step with 2 remote physical sites : 1 site at Brussels (in Belgium) and 1 site at Paris (in France).
Their physical location is obviously of no importance for the technical side of this tutorial, but the further away they are physically, the more the bandwidth (network) will obviously be reduced.
As explained in the intro, we are going to use VPN gateways that we will deploy thanks to servers on Windows Server. This choice simply allows everyone to be able to follow this tutorial.
But, you can obviously use professional VPN equipment rather than a simple server running Windows Server to connect your remote sites securely.
Note that in our case, we will only use a single Active Directory domain "informatiweb.lan" which will be unique (same domain SID on the 2 sites), but whose data will be replicated on 4 domain controllers (2 on each site).
For VPN gateways to work, the remote server (for example : paris-vpn) must be able to obtain an IP address on the destination network (the Brussels site).
You must therefore configure a DHCP server on the Brussels site so that the VPN gateway that we will install on the "brux-vpn" server can function correctly.
This principle will obviously be valid in the other direction as well. This means that you will also have to configure a DHCP server on the Paris site. In our case, on the "paris-vpn" server.
On site 1 at Brussels, the network range used is "10.0.1.20" to "10.0.1.30" with a subnet mask of "255.255.255.0".
The CIDR (or length) corresponding to this network ID is : 24. You will need this notation towards the end of the tutorial when you reference the subnets of your Active Directory sites through the "Active Directory Sites and Services" console.
For the DHCP scope options on the Brussels site, we have defined these :
On site 2 in Paris, the scope used is slightly different : 10.0.2.20 to 10.0.2.30.
The subnet mask is also 255.255.255.0 (which corresponds to a CIDR of 24).
And the DHCP scope options on this Paris site are :
In order for your VPN gateways to be reachable from the outside, it will be necessary to configure your hardware firewalls if you have them.
For that, see the "Which ports to unblock for VPN traffic to pass-through ?" available on Microsoft's Technet.
To deploy VPN gateways on Windows Server on our "brux-vpn" and "paris-vpn" servers, we must first install the "Remote Access" role.
For role services, check these boxes :
Once the "Remote Access" role is installed, click on the "Open the Getting Started Wizard" link.
A "Configure Remote Access" window appears.
Click on "Deploy VPN only".
Note : this must be done on the VPN server of each Active Directory site.
Right click "Configure and Enable Routing and Remote Access" on the name of your VPN server and follow step "4. Configure the VPN server and the router" from our tutorial about deploying VPN gateways on Windows Server 2012.
Info : if a warning tells you that there are less than 2 network interfaces, quit the wizard and open it again. Now, this warning will no longer appear.
The only difference from the tutorial mentioned above is that the IP address of the DHCP server is :
Windows Server 6/4/2021
Windows Server 9/3/2021
Windows Server 6/18/2021
Windows Server 10/29/2021
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2021 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.