Mark Minasi's Tech Forum
#1 northbayteky
New Friend (or an Old Friend who Built a New Account), Posts: 19
I have a server (FCC) that wants to replicate with a server on a subnet it really can't fully communicate with (TS). It's behind a firewall that we don't control.

FCC has two NICs on two different subnets, one for staff, one for public. The county won't give us access on the public subnet and FCC REALLY wants to communicate over that IP. 

As a workaround, I have established a replication partner with a different server (SCL) that has no public subnet, and the county has allowed full IP access between those two servers.

So, how do I stop FCC from trying to establish a connection with TS? It has a connection with SCL and SCL has a connection to FCC. 

The main issue as I see it is that there were some tombstones on the old server at TS and I can't seem to clear them out of AD and it's causing some issues with WSUS. 

Is there a way to force FCC to communicate over the staff IP for replication?

Here's some more information that you may or may not find useful. FCC is Server 2003, SCL is 2008 and TS is 2012 R2.



__________________
When you're left out of the club, you know it.
When you're in the club, you don't see what the problem is. 
#2 cj_berlin
Senior Member, Posts: 228
Pamela,

if you need to prevent two domain controllers from establishing a replication partnership, the most reliable way to achieve that is by

1. defining Subnets, Sites and Site Links according to your physical topology
2. preventing unwanted secondary IP addresses of DCs from registering in DNS

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
#3 northbayteky
New Friend (or an Old Friend who Built a New Account), Posts: 19
I'm not sure how to do #1 and I'm pretty sure we can't do #2. 

Thank you

__________________
When you're left out of the club, you know it.
When you're in the club, you don't see what the problem is. 
#4 wkasdo
Administrator, Posts: 188

So we have 3 DCs, in this configuration:

FCC -- TS: no network
SCL -- TS: OK
SCL -- FCC: OK

FCC has 2 NICs.
SCL and FCC are in the same location.

Correct?


Without writing a whitepaper (bing on google for what you need), this is what you need to do:

  • Open AD sites and services.
  • Create 2 sites (Site1 and Site2), add them to the default sitelink. Each site corresponds to a physical location (usually)
  • Add the IP subnets for location 1 (DCs SCL and FCC) to Site1
  • Add the IP subnets for location 2 (DC TS) to Site2
  • In AD Sites & Services, browse to Sites --> Intersite Transports, open properties of "IP" and disable "Bridge All Sitelinks"
  • Move SCL and FCC to Site1
  • Move TS to Site2
Wait a couple of hours for the configuration to stabilize.

> I'm pretty sure we can't do #2

Oh yes you can, and you should. There should never be unroutable IP addresses in DNS. You change this in the IP properties of the NIC, and in the properties of the DNS server.



__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
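The steps wkasdo lists above, scripted with the ActiveDirectory module as an added example (this is not code from the thread or from any of its posters). It assumes it is run from a domain-joined host with RSAT (2012 R2 level or newer) that can reach a writable DC, and the site names, subnet ranges and the address used for the DNS listener are placeholders standing in for the real ones. The "Bridge all site links" checkbox is bit 0x2 of the `options` attribute on the IP transport object (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED); setting the bit turns transitive bridging off. The DNS part is shown for a 2012-level DC; on the 2003 and 2008 DCs in the thread the equivalent is the "Register this connection's addresses in DNS" checkbox under Advanced TCP/IP Settings, and `dnscmd` works on all three.

```powershell
# Added example, not from the thread. Assumed names: Site1 (SCL, FCC), Site2 (TS),
# the subnets below, and 10.10.0.5 as SCL's staff address. Run from a host with RSAT.
Import-Module ActiveDirectory

$dc           = 'SCL'             # writable DC the configuration-partition writes go to
$staffSubnet1 = '10.10.0.0/24'    # assumed: location 1 staff subnet (SCL and FCC)
$staffSubnet2 = '10.20.0.0/24'    # assumed: location 2 staff subnet (TS)

# One site per physical location; only create what is missing
foreach ($site in 'Site1', 'Site2') {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'" -Server $dc)) {
        New-ADReplicationSite -Name $site -Server $dc
    }
}

# Subnet objects are what map a DC's address to a site. Only the staff (routable
# between locations) subnets are defined, so the public NIC never maps TS's site.
New-ADReplicationSubnet -Name $staffSubnet1 -Site 'Site1' -Server $dc
New-ADReplicationSubnet -Name $staffSubnet2 -Site 'Site2' -Server $dc

# Both sites on DEFAULTIPSITELINK so the KCC still has one inter-site path to use
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{Add = 'Site1', 'Site2'} -Server $dc

# "Bridge all site links": bit 0x2 of 'options' on the IP transport object.
# Setting the bit disables automatic bridging (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED).
$configNc    = (Get-ADRootDSE -Server $dc).configurationNamingContext
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc" `
    -Properties options -Server $dc
$options = [int]$ipTransport.options
if (($options -band 2) -eq 0) {
    Set-ADObject -Identity $ipTransport -Replace @{options = ($options -bor 2)} -Server $dc
}

# Move the DC server objects under their sites
Move-ADDirectoryServer -Identity 'SCL' -Site 'Site1' -Server $dc
Move-ADDirectoryServer -Identity 'FCC' -Site 'Site1' -Server $dc
Move-ADDirectoryServer -Identity 'TS'  -Site 'Site2' -Server $dc

# Step 2 from cj_berlin's post: keep the public (unroutable-from-TS) address out of DNS.
# Run on the DC that owns the public NIC (2012 level; on 2003/2008 use the NIC's DNS tab).
# Set-DnsClient -InterfaceAlias 'Public' -RegisterThisConnectionsAddress $false

# And on the DNS server, listen only on the staff address (assumed 10.10.0.5)
# dnscmd $dc /ResetListenAddresses 10.10.0.5
```

After the moves, stale A records for the public address may still exist in the zone and should be deleted by hand; with dynamic registration of that interface turned off they will not come back. The KCC recalculates on its own schedule, which is why wkasdo says to wait a few hours before judging the result.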
#5 northbayteky
New Friend (or an Old Friend who Built a New Account), Posts: 19
> Originally Posted by wkasdo
>
> ...
>
> Without writing a whitepaper (bing on google for what you need), this is what you need to do:
>
>   • Open AD sites and services.
>   • Create 2 sites (Site1 and Site2), add them to the default sitelink. Each site corresponds to a physical location (usually)
>   • Add the IP subnets for location 1 (DCs SCL and FCC) to Site1
>   • Add the IP subnets for location 2 (DC TS) to Site2
>   • In AD Sites & Services, browse to Sites --> Intersite Transports, open properties of "IP" and disable "Bridge All Sitelinks"
>   • Move SCL and FCC to Site1
>   • Move TS to Site2
> Wait a couple of hours for the configuration to stabilize.
>
> > I'm pretty sure we can't do #2
>
> Oh yes you can, and you should. There should never be unroutable IP addresses in DNS. You change this in the IP properties of the NIC, and in the properties of the DNS server.

Thank you. That gave me lots to think about and I even got a lot of reading in. 
What I ended up doing, after trying to figure out if SMTP could work for us and deciding it wasn't the way to go, was to create a new site link and a new site link bridge. In the new site link I added the 2 sites that need to replicate with each other, and I added the default site link and the new site link to the new site link bridge. All the DCs seem to be happy and are replicating without trying to create a spanning tree with a DC that's behind a firewall. Now I can go back to figuring out my WSUS issue.

On the topic of #2, our entire IP scheme is built on non-routable IPs. We only own so many routable IPs, so the non-routable ones are NATed at the firewall. We have public Internet access and staff at each of our library branches, and each branch has a server. The staff subnets can 'see' the public subnets, but the public subnets are restricted to their own. And with our print management application (that's a total pain in the behind) we have to bind the public IP NIC to the top to allow our customers with laptops on our wireless network to print.

__________________
When you're left out of the club, you know it.
When you're in the club, you don't see what the problem is. 
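The explicit site link plus site link bridge that northbayteky describes, followed by the check a practitioner wants afterwards: list the connection objects the KCC actually built and flag any that pair FCC with TS. This is an added example, not code from the thread; it assumes Site1 (SCL, FCC) and Site2 (TS) already exist from the earlier steps, that it runs from a host with RSAT that can reach all three DCs, and the link, bridge and cost values are placeholders.

```powershell
# Added example, not from the thread. Assumes Site1/Site2 exist and all names below.
Import-Module ActiveDirectory

$dc = 'SCL'   # DC used for the configuration-partition writes and the query

# Explicit link containing only the two sites that must replicate with each other
New-ADReplicationSiteLink -Name 'Site1-Site2' -SitesIncluded 'Site1', 'Site2' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15 -Server $dc

# With "Bridge all site links" off, transitivity has to be declared explicitly
New-ADReplicationSiteLinkBridge -Name 'Branch-Bridge' `
    -SiteLinksIncluded 'DEFAULTIPSITELINK', 'Site1-Site2' `
    -InterSiteTransportProtocol IP -Server $dc

# Ask the KCC on each DC to recalculate now rather than waiting for its next pass
foreach ($server in 'SCL', 'FCC', 'TS') { repadmin /kcc $server | Out-Null }

# Every connection object in the forest, with the NTDS Settings DNs of both ends
$connections = Get-ADReplicationConnection -Filter * -Server $dc |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated
$connections | Format-Table -AutoSize

# The pair that must not exist in either direction is FCC <-> TS
$direct = $connections | Where-Object {
    ($_.ReplicateFromDirectoryServer -match 'CN=FCC,' -and $_.ReplicateToDirectoryServer -match 'CN=TS,') -or
    ($_.ReplicateFromDirectoryServer -match 'CN=TS,'  -and $_.ReplicateToDirectoryServer -match 'CN=FCC,')
}
if ($direct) {
    Write-Warning "The KCC still links FCC and TS directly:`n$($direct | Out-String)"
} else {
    Write-Host 'No direct FCC <-> TS connection objects; inter-site traffic goes through SCL.'
}
```

If the check still reports an FCC to TS connection, the ISTG has chosen FCC as the bridgehead for Site1; marking SCL as the preferred bridgehead server for the IP transport (server properties in AD Sites and Services) makes the KCC route the inter-site connection through SCL instead. Subnet-to-site mapping only works for addresses that are registered, which is why the DNS registration of the public NIC from the earlier post still matters here.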
#6 wkasdo
Administrator, Posts: 188
> our entire IP scheme is built on non-routable IPs.
> we have to bind the public IP NIC to the top

you are using internal sources with external IP addresses...? I'm glad I don't have your job!

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
#7 Infradeploy
Senior Member, Posts: 166
Sounds like a school
__________________
Have SpaceSuit, Will Travel

#8 northbayteky
New Friend (or an Old Friend who Built a New Account), Posts: 19
> Originally Posted by Infradeploy
> Sounds like a school


It's a library.

__________________
When you're left out of the club, you know it.
When you're in the club, you don't see what the problem is. 