Configuring a member server at a remote office.

Paul Bishop
Guest
Posted: Fri Oct 28, 2005 8:50 am    Post subject: Configuring a member server at a remote office.

Hi there,

I would like to add a remote office onto a small business server network. I
will be getting the required number of CALs on the main server and a CAL for
the member server which will be running Windows Server 2003.

I know how to make a persistent VPN connection using the Routing and Remote
Access control panel; however, the server is unable to browse for machines or
even see the remote server by name, but can ping I.P. address only.

I would love to configure the remote server so it is a DNS server and I
really need it to be able to serve logon requests so I need it to be a Global
Catalogue server. How do I get these setup so they work over the VPN link?

Charles Yang [MSFT]
Guest
Posted: Fri Oct 28, 2005 8:50 am    Post subject: RE: Configuring a member server at a remote office.

Hi Paul,

Welcome to SBS newsgroup.

Issue description:
================

I understand that you encountered a problem when you tried to browse through
VPN connections.

Analyzing and suggestions:
================

Generally speaking, from your description, it seems you want to add an
additional DC for logon requests from the remote site so that the remote site
clients do not need to log on to the SBS server via VPN connections. You also
want to deploy DNS on that server.

It is a good idea to deploy a DC on the remote site while establishing a VPN
connection to the main site where SBS exists; it will reduce a lot of traffic.
The local workstations will log on to the local DC. For your convenience, I
would like to give you some suggestions on this issue:

Here I suggest you use site configuration in Active Directory to create
multiple sites for your branch office. Sites are one or more TCP/IP subnets
with highly reliable and fast network connections. Site information allows
administrators to configure Active Directory access and replication to
optimize usage of the physical network. Sites are represented in Active
Directory as site objects. Site objects are a set of subnets, and each
domain controller in a forest is associated with an Active Directory site
according to its IP address. You can refer to the following link for more
detailed information about site object in Active Directory:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/1038d210-c07c-4cde-ad08-a4079b9a8ff0.mspx

Based on my knowledge, replication between sites is compressed to minimize
the cost of transmission over WAN links. When replication occurs between
sites, a single domain controller per domain at each site collects and
stores the directory changes and communicates them at a scheduled time to a
domain controller in another site. Due to the low speed of the WAN link, it is
in your best interest to deploy a site link for the branch office and customize
the site link to synchronize data with the SBS server, for example once every
2 hours. You can refer to the steps below to configure and customize the site
link:

Replication within and between sites:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/0ac09f72-a790-48a9-a72f-d7328f9d937f.mspx

244368 How to Optimize Active Directory Replication in a Large Network
http://support.microsoft.com/?id=244368

Also, for your convenience, I would like to give you some information about
deploying an additional DC on an SBS 2003 domain. Generally speaking, there is
not much difference between the SBS 2003 server and a standard 2003 server when
setting up an additional DC. You can refer to the following documents to deploy
an additional DC in a branch office on an SBS domain:

http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch07.mspx

In addition, you may need to know about the proper configuration of the
license on every additional DC; please refer to the following section for
detailed steps:

A. Go to the additional Windows servers, open the Services console in
"Administrative Tools". Make sure that the "License Logging" service
is running.

B. Go to the SBS 2003 server, open "Active Directory Sites and
Services". Click on Default-First-Site-Name and then double-click on
Licensing Site on the right. Make sure that the SBS 2003 server is the
Licensing Computer.

C. Go to the additional servers, open the "Licensing" console in
"Administrative Tools". Set the licensing mode of the additional Windows
server to "Per Seat"/"Per Device" mode. The number of licenses should
be set to be equal to the number of SBS client access licenses (CALs). You
can select License->New License from the menu and then select Windows
Server from the dropdown and specify the same number of licenses that your
SBS server has.

You can follow the article below to deploy a site-to-site VPN:

Site to Site VPN lab via RRAS
http://www.microsoft.com/downloads/details.aspx?FamilyID=7424168e-f745-4450-b671-aac2c79568eb&DisplayLang=en

After you deploy the site-to-site VPN, the AD data will be synced
between the two sites and the local site users will be able to log on to the
local DC. If you want to browse the main site, you can browse it through VPN
connections; it will then use the DNS server on the SBS domain to browse the
main site computers.


I appreciate your understanding on this issue, in the meantime, if you have
any further concerns, please let me know. I am glad to be any further
updates.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================


Paul Bishop
Guest
Posted: Fri Oct 28, 2005 12:50 pm    Post subject: RE: Configuring a member server at a remote office.

Charles, thank you very much for such an informative response.

I will read through the links and try to work through the tasks details and
I will get back to you with the results.

Charles Yang [MSFT]
Guest
Posted: Mon Oct 31, 2005 1:50 am    Post subject: RE: Configuring a member server at a remote office.

Hi Paul,

Thanks for letting us know that you will take the action to go through my
steps. Thanks again for your updates.

I will be here waiting for your updates.


Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

Paul Bishop
Guest
Posted: Mon Oct 31, 2005 9:50 pm    Post subject: RE: Configuring a member server at a remote office.

I think I have hit a problem with my ISA 2004 server blocking my replication
traffic.

I have a number of RPC server unavailable in the Directory service event log.

I would like to demote my Domain controller however when running through the
Active Directory wizard it also tells me that the RPC server is unavailable.

Currently both systems are connected together on the same switch and the
member server has received its IP from the SBS2003 server.

My current ISA version is 4.0.2163.213

I have read the following articles -
http://support.microsoft.com/kb/887222
http://support.microsoft.com/kb/899148

Which both say this is likely to be caused by ISA server not understanding
RPC calls from 2k3 SP1 and blocking them, I have checked my ISA server and it
is dropping RPC connections between the two servers.

I don't know how to switch off this protection and to be honest the last
thing I want to do is disable any RPC protection on my firewall. The ISA 2004
SP1 is supposed to fix this; however, when I download it and try to install, it
gives me an error saying that the product is either not found or the incorrect
version.

Please help :S

Best wishes

Paul Bishop

Charles Yang [MSFT]
Guest
Posted: Tue Nov 01, 2005 1:50 am    Post subject: RE: Configuring a member server at a remote office.

Hi Paul,

Thanks for updates.

From your description, it seems ISA 2004 on SBS 2003 SP1 blocked the AD
replication between the Windows 2003 server on the remote site and the main
site. Here I would like to give you some suggestions on this issue:

As I know, to perform the AD replication between the main office and the
remote office, the best way is to establish a site-to-site VPN connection.
I am not sure what type of firewall you use in your 2 sites. If
you are using ISA/RRAS as the firewall in both sites, you may refer to the
following documents to configure a site-to-site replication:

Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
Server to Branch Office ISA Server/Domain Controller - Part 1
http://www.isaserver.org/tutorials/gatewaytogatewaywithdc.html


Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
Server to Branch Office ISA Server/Domain Controller - Part 2
http://www.isaserver.org/tutorials/gatewaytogatewaywithdcpart2.html


Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
Server to Windows 2000 RRAS - Part 1
http://www.isaserver.org/tutorials/g2gisa2rraspart1.html


Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
Server to Windows 2000 RRAS - Part 2
http://www.isaserver.org/articles/g2gisa2rraspart2.html

You need to open the following ports for FRS and AD Replication:

Client Port(s)           Server Port    Service
1024-65535/TCP           135/TCP        RPC *
1024-65535/TCP/UDP       389/TCP/UDP    LDAP
1024-65535/TCP           636/TCP        LDAP SSL
1024-65535/TCP           3268/TCP       LDAP GC
1024-65535/TCP           3269/TCP       LDAP GC SSL
53,1024-65535/TCP/UDP    53/TCP/UDP     DNS
1024-65535/TCP/UDP       88/TCP/UDP     Kerberos
1024-65535/TCP           445/TCP        SMB
So, we strongly recommend you use site-to-site VPN connection to perform
the replication. If you are not using Microsoft Product as the firewall on
2 sites, please contact the vendor to see how to establish the site-to-site
VPN connection. As I know, most of these products have such features.

As I know, you could not demote the DC on remote site from SBS domain, as
you can not contact the SBS server so that the DC will not demote from SBS
domain, you have to demote by force, but we suggest you go through the art

Thanks for your understanding on this issue, please go through the article
above to see how to configure ISA 2004 for AD replication. I will be here
waiting for your updates.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
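
A reachability check for the server ports listed in the reply above, added here as an example and not code from the thread or from Microsoft. It assumes Python 3 on a machine at the remote site; the function names and the default host name are illustrative placeholders.

```python
import socket
import sys

# Server-side column of the port table in the post above (client ports omitted).
PORT_TABLE = """\
135/TCP RPC
389/TCP/UDP LDAP
636/TCP LDAP SSL
3268/TCP LDAP GC
3269/TCP LDAP GC SSL
53/TCP/UDP DNS
88/TCP/UDP Kerberos
445/TCP SMB
"""


def parse_port_table(text):
    """Turn 'port/PROTO[/PROTO] service' rows into (port, protocols, service)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        spec, service = line.split(None, 1)
        port, *protos = spec.split("/")
        rows.append((int(port), set(protos), service.strip()))
    return rows


def resolve(name):
    """Return the IPv4 address for name, or None when the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake with host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, rows, probe=tcp_open):
    """Probe each server port over TCP; UDP is noted but not tested."""
    report = []
    for port, protos, service in rows:
        status = "open" if probe(host, port) else "blocked/closed"
        if "UDP" in protos:
            status += " (UDP side not tested)"
        report.append((service, port, status))
    return report


if __name__ == "__main__":
    # Hypothetical default; pass the SBS server's internal name or IP instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "sbs-server.example.local"
    address = resolve(target)
    print(f"{target} resolves to {address}")
    if address:
        for service, port, status in check_dc(address, parse_port_table(PORT_TABLE)):
            print(f"{port:>5}  {service:<12} {status}")
```

An "open" result for 135/TCP only shows that the RPC endpoint mapper answered; replication continues on a dynamically assigned port, and a filtering firewall can still drop the RPC calls themselves, as reported earlier in the thread.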

Charles Yang [MSFT]
Guest
Posted: Tue Nov 01, 2005 9:50 am    Post subject: RE: Configuring a member server at a remote office.

Hi,

Thanks for updates.

If you just connect the additional DC locally, you can refer to my first
reply to join the additional DC to the SBS domain first; then the AD
replication will be replicated automatically. Please kindly put the
additional DC inside the domain, not connected to the SBS external NIC; the
replication will be done successfully, then you can follow my steps to deploy
a site-to-site link and put the DC there.

This would correct your issue. Thanks for your understanding on this issue.
Please feel free to post back your concerns.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

Paul Bishop
Guest
Posted: Tue Nov 01, 2005 9:50 am    Post subject: RE: Configuring a member server at a remote office.

Thanks again.

The links should be very helpful when I set up the AD on the remote site;
however, currently I don't have a site-to-site link as the member server is
still on the local network. It is plugged directly into the switch that the
main small business server is connected to.

Charles Yang [MSFT]
Guest
Posted: Tue Nov 01, 2005 9:50 am    Post subject: RE: Configuring a member server at a remote office.

Hi,

Thanks for updates.

In order to clarify the issue, please help gather the following
information:

1. Check the Event Viewer and paste the detailed error event to the
newsgroup; please check it on the SBS domain and the Windows 2003 member server.
2. Have you pointed the DNS server on the Windows 2003 member server to the SBS
internal NIC, and have you installed the firewall client on the Windows 2003
member server? If not, the problem might be that ISA has blocked the traffic,
so it is in your best interest to install the firewall client on the Windows
2003 member server or point the default gateway on the Windows 2003 member
server to the SBS internal NIC.
3. Please also paste the ipconfig /all output from the Windows 2003 member
server and the SBS 2003 server.

We appreciate your effort on this issue, please feel free to post back. I
am glad to be of further assistance.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

Paul Bishop
Guest
Posted: Tue Nov 01, 2005 9:50 am    Post subject: RE: Configuring a member server at a remote office.

The network is currently configured as you describe with the member server
connected to the internal network port on the Small Business server.

Unfortunately I still get the message RPC server is unavailable.

As mentioned I am looking to solve this issue then resume setting up the
multi-site connections in a lab environment before trying again on a live
server.

Is my ISA server version 4.0.2163.213 running SP1? I can't find out
anywhere what the correct version number is for pre- and post-SP1.

Best Wishes

Paul Bishop

Paul Bishop
Guest
Posted: Sat Nov 12, 2005 1:50 pm    Post subject: RE: Configuring a member server at a remote office.

Thanks for all your help...

I didn't have the firewall client installed on the server and this has now
been installed.

This didn't stop the issue; however, on looking deeply at the event logs the
computer account for the member server had become disjoined from the domain
- the member server was a virtual server which had moved from one server to
another during this configuration.

I have decided to move the whole exercise to a virtual server environment
which I am setting up now. I will begin again taking on board all of your
advice and wait until it is all working before trying again in the production
environment.

Thanks for everything I am sure I will be making more posts to the SBS2003
forum soon as I really do need to make this work using real hardware within a
few months.

Best Wishes