Configure a multi-site Active Directory infrastructure on Windows Server 2016 - Windows Server - Tutorials

When you work in a multinational corporation and therefore have offices in multiple countries, it's highly likely that you are deploying an Active Directory infrastructure with domain controllers spread across multiple countries.

When looking for how to create an Active Directory multi-site infrastructure on Google, you only find tutorials that show you how to configure Active Directory subnets and sites through the "Active Directory Sites and Services" console.
But none of them tell you how to link the different domain controllers even though they are physically in different countries.

In this tutorial, we will therefore show you step by step a technique to create a multi-site Active Directory infrastructure by connecting the different sites with VPN gateways configurable on Windows Server.
The use of these software VPN gateways is obviously an example (usable by all), but you can also use physical VPN devices available for the professional world.

Important : if you have never configured VPN gateways on Windows Server, we recommend that you first take a look at our tutorial : Routing and VPN gateways on Windows Server 2012
Thanks to this tutorial, you will have the basics necessary to understand the tutorial below.

1. Inter-site Active Directory replication

As explained in a previous article, the Active Directory replication topology is managed by the KCC service present on each domain controller.
By default, because all of your domain controllers are in the same Active Directory site, the KCC service considers them to be in the same physical location (for example : your company building).

In order for the KCC service to adapt the replication topology and replicate the data at an appropriate time (for example : at night), you must tell Active Directory in a logical way how your servers are physically located.
What is possible thanks to this notion of Active Directory sites.

The configuration of Active Directory sites is therefore essential in this type of Active Directory infrastructure, because it influences the way in which the data replication will be carried out between your different domain controllers.

2. Active Directory best practices

When you want to deploy a multisite Active Directory infrastructure, it's recommended to :

create an Active Directory site at every geographic location where you need quick access to information of your Active Directory
deploy at least 1 Active Directory domain controller per site and define at least one domain controller as a global catalog per site.
Otherwise, the computers on the site that don't have a domain controller will be dependent on a domain controller located on one of your other Active Directory sites. This can greatly slow down session openings, ...
preferably, deploy at least 2 domain controllers per site in order to maintain an identical response time on the client PCs even in the event that one of the domain controllers fails on a site. And configure the client PCs to use these 2 domain controllers as primary and secondary DNS server.
only use internal DNS servers. Because if the primary DNS server is unavailable, the client PC may only use the secondary DNS (which may have been an external - remote DNS server) even when the primary DNS will be available again. This can prevent access to your Active Directory infrastructure, if the secondary DNS points to Google (8.8.8.8) for example.
client PCs should preferably use the DNS servers of the site where they are located before using those of remote Active Directory sites to avoid saturating your WAN bandwidth unnecessarily and to accelerate their DNS requests.
and more

Sources :

3. Network topology used

For this tutorial, we are going to create an Active Directory infrastructure step by step with 2 remote physical sites : 1 site at Brussels (in Belgium) and 1 site at Paris (in France).
Their physical location is obviously of no importance for the technical side of this tutorial, but the further away they are physically, the more the bandwidth (network) will obviously be reduced.

As explained in the intro, we are going to use VPN gateways that we will deploy thanks to servers on Windows Server. This choice simply allows everyone to be able to follow this tutorial.
But, you can obviously use professional VPN equipment rather than a simple server running Windows Server to connect your remote sites securely.

Note that in our case, we will only use a single Active Directory domain "informatiweb.lan" which will be unique (same domain SID on the 2 sites), but whose data will be replicated on 4 domain controllers (2 on each site).

4. Install the DHCP server

For VPN gateways to work, the remote server (for example : paris-vpn) must be able to obtain an IP address on the destination network (the Brussels site).
You must therefore configure a DHCP server on the Brussels site so that the VPN gateway that we will install on the "brux-vpn" server can function correctly.

This principle will obviously be valid in the other direction as well. This means that you will also have to configure a DHCP server on the Paris site. In our case, on the "paris-vpn" server.

On site 1 at Brussels, the network range used is "10.0.1.20" to "10.0.1.30" with a subnet mask of "255.255.255.0".
The CIDR (or length) corresponding to this network ID is : 24. You will need this notation towards the end of the tutorial when you reference the subnets of your Active Directory sites through the "Active Directory Sites and Services" console.

For the DHCP scope options on the Brussels site, we have defined these :

003 Router : 10.0.1.10
006 DNS Servers : 10.0.1.11 et 10.0.1.12
015 DNS Domain Name : informatiweb.lan

On site 2 in Paris, the scope used is slightly different : 10.0.2.20 to 10.0.2.30.

The subnet mask is also 255.255.255.0 (which corresponds to a CIDR of 24).

And the DHCP scope options on this Paris site are :

003 Router : 10.0.2.10
006 DNS Servers : 10.0.2.11 et 10.0.2.12
015 DNS Domain Name : informatiweb.lan

5. Configuring hardware firewalls

In order for your VPN gateways to be reachable from the outside, it will be necessary to configure your hardware firewalls if you have them.
For that, see the "Which ports to unblock for VPN traffic to pass-through ?" available on Microsoft's Technet.

6. Remote access installation (VPN)

To deploy VPN gateways on Windows Server on our "brux-vpn" and "paris-vpn" servers, we must first install the "Remote Access" role.

For role services, check these boxes :

DirectAccess and VPN (RAS)
Routing

Once the "Remote Access" role is installed, click on the "Open the Getting Started Wizard" link.

7. Configure VPN servers

A "Configure Remote Access" window appears.
Click on "Deploy VPN only".

Note : this must be done on the VPN server of each Active Directory site.

Right click "Configure and Enable Routing and Remote Access" on the name of your VPN server and follow step "4. Configure the VPN server and the router" from our tutorial about deploying VPN gateways on Windows Server 2012.

Info : if a warning tells you that there are less than 2 network interfaces, quit the wizard and open it again. Now, this warning will no longer appear.

The only difference from the tutorial mentioned above is that the IP address of the DHCP server is :

10.0.1.10 for the "brux-vpn" VPN server of site 1 (Brussels)
10.0.2.10 for the "paris-vpn" VPN server of site 2 (Paris)