Windows Server - 19 November 2021 at 09:57 UTC - InformatiWeb - page 1/5

Configure a multi-site Active Directory infrastructure on Windows Server 2016

When you work for a multinational company with offices in several countries, you will most likely deploy an Active Directory infrastructure whose domain controllers are spread across those countries.

When you search Google for how to build a multi-site Active Directory infrastructure, you mostly find tutorials that show how to configure Active Directory subnets and sites in the "Active Directory Sites and Services" console.
None of them explain how to actually connect the domain controllers to each other when they are physically located in different countries.

In this tutorial, we therefore show step by step one technique to build a multi-site Active Directory infrastructure : the sites are connected to each other through VPN gateways configured on Windows Server.
These software VPN gateways are only an example (anyone can reproduce it without extra hardware) ; in production you can just as well use the physical VPN appliances sold for professional use.

Important : if you have never configured VPN gateways on Windows Server, first read our tutorial : Routing and VPN gateways on Windows Server 2012
It gives you the basics needed to follow the tutorial below.

  1. Inter-site Active Directory replication
  2. Active Directory best practices
  3. Network topology used
  4. Install the DHCP server
  5. Configuring hardware firewalls
  6. Remote access installation (VPN)
  7. Configure VPN servers
  8. Deployment of VPN gateways
    1. Create users for connection from the remote site
    2. Connection from Brussels to Paris
    3. Connection from Paris to Brussels
  9. Create your Active Directory forest on the 1st Active Directory site
  10. Add an Active Directory domain controller on site 1 at Brussels
  11. Add an Active Directory domain controller on site 2 at Paris
  12. Add a second Active Directory domain controller on site 2 at Paris
  13. Join VPN gateways to your Active Directory domain
  14. Update credentials for VPN gateways
  15. Configure Active Directory sites
    1. Create Active Directory sites
    2. Define the subnets used on the different Active Directory sites
    3. Define site links
    4. Move domain controllers to the correct Active Directory sites
    5. Manage replication by Active Directory site
  16. Static routing

1. Inter-site Active Directory replication

As explained in a previous article, the Active Directory replication topology is built by the Knowledge Consistency Checker (KCC), a process that runs on every domain controller.
By default, all of your domain controllers belong to a single Active Directory site ("Default-First-Site-Name"), so the KCC treats them as if they were in the same physical location (for example : your company building) and replicates changes between them almost immediately, over a fully meshed intra-site topology designed for a LAN.

For the KCC to adapt the topology to your WAN links and replicate at an appropriate time (for example : at night), you have to describe logically, in Active Directory, where your servers are physically located.
This is exactly what Active Directory sites, subnets and site links are for : inter-site replication goes through one bridgehead server per site, is compressed, and follows the cost, interval and schedule defined on the site link.

Configuring Active Directory sites is therefore essential in this type of infrastructure, because it determines how and when data is replicated between your different domain controllers.

2. Active Directory best practices

When you deploy a multi-site Active Directory infrastructure, it's recommended to :

  • create an Active Directory site for every geographic location where you need fast access to Active Directory information
  • deploy at least 1 Active Directory domain controller per site and make at least one domain controller per site a global catalog.
    Otherwise, the computers of a site without a domain controller depend on a domain controller located on another Active Directory site, across the WAN. This can greatly slow down logons, group policy processing, ...
  • preferably deploy at least 2 domain controllers per site, so that client PCs keep the same response time even if one domain controller of the site fails. Configure the client PCs to use these 2 domain controllers as primary and secondary DNS servers.
  • only use internal DNS servers. If the primary DNS server becomes unavailable, the Windows DNS client switches to the secondary server and keeps using it for a while even after the primary is back. If that secondary server is an external resolver (Google's 8.8.8.8, for example), it cannot resolve the SRV records (_ldap._tcp.dc._msdcs.<domain>) that clients use to locate domain controllers, and access to your Active Directory infrastructure breaks.
  • client PCs should use the DNS servers of the site where they are located before those of remote Active Directory sites, to avoid saturating your WAN links unnecessarily and to speed up their DNS queries.
  • and so on

Sources :

  • Active Directory Best practices
  • Best Practices for DNS Configuration in an Active Directory Domain
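The following script is an added example, not code from the tutorial : it audits an existing forest against the points of sections 1 and 2 (one site per location, at least two domain controllers and a global catalog per site, subnets mapped to every site, site links with their replication interval, and DNS clients that only point at domain controllers). It needs the ActiveDirectory module (RSAT-AD-PowerShell) on a domain-joined machine ; the cmdlets are the standard ones of the ActiveDirectory and DnsClient modules, the function names are ours, and the site and DC names in the output are whatever your forest contains.

```powershell
# Added example: audit a multi-site forest against the best practices above.
# Requires RSAT-AD-PowerShell on a domain-joined machine.
Import-Module ActiveDirectory

function Get-AdSiteReport {
    # One object per site: its domain controllers, its subnets and the problems found.
    $dcs = Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsGlobalCatalog, IPv4Address
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site

    foreach ($site in Get-ADReplicationSite -Filter *) {
        $siteDcs     = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })
        $issues = @()
        if ($siteDcs.Count -eq 0) {
            $issues += 'no DC: clients of this site authenticate across the WAN'
        } elseif ($siteDcs.Count -lt 2) {
            $issues += 'single DC: no local fail-over'
        }
        if (-not ($siteDcs | Where-Object { $_.IsGlobalCatalog })) {
            $issues += 'no global catalog'
        }
        if ($siteSubnets.Count -eq 0) {
            $issues += 'no subnet: the DC locator cannot place clients in this site'
        }
        [pscustomobject]@{
            Site    = $site.Name
            DCs     = ($siteDcs.Name -join ', ')
            Subnets = ($siteSubnets.Name -join ', ')
            Issues  = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
}

function Get-AdSiteLinkReport {
    # Inter-site replication follows the site links: cost and interval in minutes.
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
        ForEach-Object {
            # SitesIncluded holds DNs such as "CN=Brussels,CN=Sites,..."; keep the CN only.
            $names = $_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
            [pscustomobject]@{
                Link     = $_.Name
                Cost     = $_.Cost
                Interval = $_.ReplicationFrequencyInMinutes
                Sites    = ($names -join ' <-> ')
            }
        }
}

function Test-InternalDnsOnly {
    # Flags DNS client entries that are not domain controller addresses
    # (an external resolver as secondary DNS breaks DC location, see above).
    param([string[]]$DcAddresses = (Get-ADDomainController -Filter *).IPv4Address)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $external = @($_.ServerAddresses | Where-Object { $_ -notin $DcAddresses })
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Servers   = ($_.ServerAddresses -join ', ')
                External  = if ($external) { $external -join ', ' } else { 'none' }
            }
        }
}

Get-AdSiteReport     | Format-Table -AutoSize
Get-AdSiteLinkReport | Format-Table -AutoSize
Test-InternalDnsOnly | Format-Table -AutoSize
# For the live replication state between partners, use: repadmin /replsummary
```

Run it from any member server once the sites of this tutorial exist : a site that shows "no subnet" is the classic mistake, because the DC locator then cannot tell which site a client belongs to and the client may authenticate against a domain controller on the other side of the VPN.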

3. Network topology used

For this tutorial, we are going to build step by step an Active Directory infrastructure with 2 remote physical sites : 1 site in Brussels (Belgium) and 1 site in Paris (France).
Their physical location is of no importance for the technical side of this tutorial, but the further apart they are, the lower the bandwidth and the higher the latency between them will be.

As explained in the introduction, we are going to use VPN gateways deployed on Windows Server. This choice simply allows everyone to follow this tutorial.
But you can obviously use professional VPN equipment rather than a simple server running Windows Server to connect your remote sites securely.

Note that in our case we use a single Active Directory domain, "informatiweb.lan" (one domain, hence one domain SID shared by the 2 sites), whose data is replicated on 4 domain controllers (2 on each site).

4. Install the DHCP server

For the VPN gateways to work, the remote server (for example : paris-vpn) must be able to obtain an IP address on the destination network (the Brussels site) when it connects.
You must therefore configure a DHCP server on the Brussels site so that the VPN gateway we will install on the "brux-vpn" server can hand out these addresses.

The same applies in the other direction : you also need a DHCP server on the Paris site, in our case on the "paris-vpn" server.

On site 1 (Brussels), the address range distributed is "10.0.1.20" to "10.0.1.30" with a subnet mask of "255.255.255.0".
The corresponding prefix length (CIDR notation) is 24, because a 255.255.255.0 mask has 24 bits set : the network is 10.0.1.0/24. You will need this notation near the end of the tutorial when you declare the subnets of your Active Directory sites in the "Active Directory Sites and Services" console.

For the DHCP scope options on the Brussels site, we have defined these :

  • 003 Router : 10.0.1.10
  • 006 DNS Servers : 10.0.1.11 and 10.0.1.12
  • 015 DNS Domain Name : informatiweb.lan

On site 2 in Paris, the scope used is slightly different : 10.0.2.20 to 10.0.2.30.

The subnet mask is also 255.255.255.0 (which corresponds to a CIDR of 24).

And the DHCP scope options on this Paris site are :

  • 003 Router : 10.0.2.10
  • 006 DNS Servers : 10.0.2.11 and 10.0.2.12
  • 015 DNS Domain Name : informatiweb.lan
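As an added example (not the tutorial's own code), the two scopes above can be created from PowerShell instead of the DHCP console. Run it on brux-vpn for Brussels or on paris-vpn for Paris. The addresses and options are those of the tutorial ; the $scopes table, the function names and the mask-to-prefix helper are ours, and the cmdlets come from the ServerManager and DhcpServer modules that ship with Windows Server. The -Force switch of Set-DhcpServerv4OptionValue skips its check that the DNS servers answer, which would otherwise fail here because the domain controllers at .11 and .12 are only installed later in the tutorial.

```powershell
# Added example: scripted equivalent of the two DHCP scopes of this section.

function ConvertTo-PrefixLength {
    # 255.255.255.0 -> 24 : count the leading 1 bits of the mask (the CIDR
    # length you will type later in "Active Directory Sites and Services").
    param([Parameter(Mandatory)][string]$SubnetMask)
    $binary = -join (([System.Net.IPAddress]$SubnetMask).GetAddressBytes() |
        ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
    if ($binary -notmatch '^1*0*$') { throw "Non-contiguous subnet mask: $SubnetMask" }
    return @($binary.ToCharArray() | Where-Object { $_ -eq '1' }).Count
}

# Values from the tutorial: one entry per Active Directory site.
$scopes = @{
    Brussels = @{ ScopeId = '10.0.1.0'; Start = '10.0.1.20'; End = '10.0.1.30'
                  Mask = '255.255.255.0'; Router = '10.0.1.10'; Dns = @('10.0.1.11', '10.0.1.12') }
    Paris    = @{ ScopeId = '10.0.2.0'; Start = '10.0.2.20'; End = '10.0.2.30'
                  Mask = '255.255.255.0'; Router = '10.0.2.10'; Dns = @('10.0.2.11', '10.0.2.12') }
}

function Install-SiteDhcpScope {
    param(
        [Parameter(Mandatory)][ValidateSet('Brussels', 'Paris')][string]$Site,
        [string]$DnsDomain = 'informatiweb.lan'
    )
    $s = $scopes[$Site]
    $prefix = ConvertTo-PrefixLength $s.Mask

    # Role install (no-op if the DHCP server is already present).
    if (-not (Get-WindowsFeature -Name DHCP).Installed) {
        Install-WindowsFeature -Name DHCP -IncludeManagementTools | Out-Null
    }

    Add-DhcpServerv4Scope -Name "$Site ($($s.ScopeId)/$prefix)" `
        -StartRange $s.Start -EndRange $s.End -SubnetMask $s.Mask -State Active

    # Options 003 Router, 006 DNS Servers and 015 DNS Domain Name.
    # -Force skips the DNS validation: the DCs at .11/.12 do not exist yet.
    Set-DhcpServerv4OptionValue -ScopeId $s.ScopeId -Router $s.Router `
        -DnsServer $s.Dns -DnsDomain $DnsDomain -Force

    # Show what was actually stored for this scope.
    Get-DhcpServerv4OptionValue -ScopeId $s.ScopeId |
        Format-Table OptionId, Name, Value -AutoSize
}

# Pick the site from the host names used in the tutorial (brux-vpn / paris-vpn).
$site = if ($env:COMPUTERNAME -like 'brux*') { 'Brussels' } else { 'Paris' }
Install-SiteDhcpScope -Site $site
```

One caveat for later : once brux-vpn and paris-vpn are joined to the domain (step 13), a Windows DHCP server only keeps leasing if it is authorized in Active Directory (Add-DhcpServerInDC -DnsName brux-vpn.informatiweb.lan -IPAddress 10.0.1.10, then Get-DhcpServerInDC to check). That authorization is the built-in protection against rogue Windows DHCP servers in the domain ; it does nothing against a non-Windows rogue server, which only a switch-level DHCP snooping can stop.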

5. Configuring hardware firewalls

For your VPN gateways to be reachable from the outside, you will have to open the right ports on your hardware firewalls if you have any.
Which ports depends on the tunnel type : PPTP needs TCP 1723 plus the GRE protocol (IP protocol 47) ; L2TP/IPsec and IKEv2 need UDP 500 and UDP 4500 (IKE and NAT traversal) plus ESP (IP protocol 50) ; SSTP only needs TCP 443. For details, see the "Which ports to unblock for VPN traffic to pass-through ?" article available on Microsoft's Technet.
Note that PPTP's authentication (MS-CHAPv2) and encryption (MPPE, whose key derives from that authentication) are considered broken : for a permanent site-to-site link, prefer IKEv2 or L2TP/IPsec with certificates or a strong pre-shared key, and don't expose PPTP to the Internet at all.

6. Remote access installation (VPN)

To deploy VPN gateways on Windows Server on our "brux-vpn" and "paris-vpn" servers, we must first install the "Remote Access" role.

For role services, check these boxes :

  • DirectAccess and VPN (RAS)
  • Routing

Once the "Remote Access" role is installed, click on the "Open the Getting Started Wizard" link.

7. Configure VPN servers

A "Configure Remote Access" window appears.
Click on "Deploy VPN only".

Note : this must be done on the VPN server of each Active Directory site.

Right click the name of your VPN server, choose "Configure and Enable Routing and Remote Access" and follow step "4. Configure the VPN server and the router" of our tutorial about deploying VPN gateways on Windows Server 2012.

Info : if a warning tells you that the server has fewer than 2 network interfaces, quit the wizard and open it again. The warning will no longer appear.

The only difference from the tutorial mentioned above is the IP address of the DHCP server :

  • 10.0.1.10 for the "brux-vpn" VPN server of site 1 (Brussels)
  • 10.0.2.10 for the "paris-vpn" VPN server of site 2 (Paris)
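The same two steps (sections 6 and 7) can be scripted, which is convenient because they must be repeated on each site's VPN server. The script below is an added example, not code from the tutorial or from the 2012 tutorial it refers to : the role names and Install-RemoteAccess -VpnType Vpn are the documented equivalents of the "Remote Access" role services and of "Deploy VPN only" ; the $vpnSites table and the function are ours, and the parameter names of the Set-Vpn* cmdlets are taken from the RemoteAccess module documentation, so check them with Get-Help on your build before relying on them. The DHCP relay agent address of this section still has to be set in the console, as in the 2012 tutorial ; the script only reminds you of the value for the site.

```powershell
# Added example: PowerShell equivalent of sections 6 and 7, for brux-vpn or paris-vpn.
$vpnSites = @{
    'brux-vpn'  = @{ Site = 'Brussels'; DhcpServer = '10.0.1.10' }
    'paris-vpn' = @{ Site = 'Paris';    DhcpServer = '10.0.2.10' }
}

function Install-SiteVpnGateway {
    param([string]$Server = $env:COMPUTERNAME.ToLower())
    if (-not $vpnSites.ContainsKey($Server)) { throw "No site defined for '$Server'" }
    $cfg = $vpnSites[$Server]

    # 6. "Remote Access" role with the "DirectAccess and VPN (RAS)" and "Routing" role services.
    Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null
    Import-Module RemoteAccess

    # 7. "Deploy VPN only".
    Install-RemoteAccess -VpnType Vpn -PassThru | Out-Null

    # Tunnel endpoints get their address from the site's DHCP server (the wizard's
    # "Automatically" choice). Parameter names per the RemoteAccess module docs.
    Set-VpnIPAddressAssignment -IPAssignmentMethod Dhcp
    Write-Output "DHCP relay agent for site $($cfg.Site): set the server address to $($cfg.DhcpServer)"
    Write-Output '  (Routing and Remote Access > IPv4 > DHCP Relay Agent > Properties)'

    # Accept only EAP and MS-CHAPv2 for user authentication. PAP sends the
    # password of the remote gateway account in clear and CHAP needs it stored
    # reversibly in Active Directory; neither belongs on an Internet-facing link.
    Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MSChapv2 -PassThru | Out-Null

    # Final state of the role (VpnStatus should read Installed).
    Get-RemoteAccess
}

Install-SiteVpnGateway
```

Run it once on brux-vpn and once on paris-vpn ; the host name selects the site entry, so a server that is not in the table stops with an error instead of silently configuring the wrong DHCP server.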
