[M420]

OK, here is our setup:

DC - SBS 2003 R2 Premium

Remote site -
Server 2003 configured as File/Print Server

Connection is ADSL VPN using Sonicwall Firewalls

Problem: When the VPN goes down, the remote site server won't allow local users access to its local files.


I've googled this a few times. It isn't an everyday issue, just when that site loses internet connection. Would the file server depend on the DC for ALL authentication? I would have thought that some of it would at least be replicated to the file server so that this problem doesn't happen. Any thoughts?

[Advertisements]

Would the file server depend on the DC for ALL authentication?

YEP!

I would have thought that some of it would at least be replicated to the file server so that this problem doesn't happen.

yeah you'd think so however....that's not the case...

the best solution would be to have a "backup" DC at the remote location that would replicate all of the domain settings from the primary...that way if the connection between the sites goes down...your domain is still accessible

in all honesty...even in a local domain situation (i.e. no remote sites) it's best practice to have at least 2 domain controllers at any given point in time...you never know what could go wrong....and if you can't get to the DC you can't get to the domain

[dsenette]

Would the file server depend on the DC for ALL authentication?

YEP!

I would have thought that some of it would at least be replicated to the file server so that this problem doesn't happen.

yeah you'd think so however....that's not the case...

the best solution would be to have a "backup" DC at the remote location that would replicate all of the domain settings from the primary...that way if the connection between the sites goes down...your domain is still accessible

in all honesty...even in a local domain situation (i.e. no remote sites) it's best practice to have at least 2 domain controllers at any given point in time...you never know what could go wrong....and if you can't get to the DC you can't get to the domain

[M420]

Only in a dream world.

Unfortunately, this is a SBS Environment. Small Business Server.

SBS is VERY selfish. It will not allow more than one DC in a single domain. And to my knowledge, you can't even share a second domain's DC. So, unless I have a second SBS server (unlikely) that only turns on at the remote site when they lose internet, I guess I'm stuck.


I really want to break free from SBS and move up to a standard server environment. But we don't have the budget yet. Thanks for the input though!

[dsenette]

SBS is VERY selfish. It will not allow more than one DC in a single domain

based on my research you can't have a second SBS DC....it seems that you CAN have a backup DC assuming it's 2k3 server not SBS

[M420]

Maybe. I've tried that but if they both get online at the same time, they end up fighting for control of the domain. The SBS always wins and then I have to reboot the other server just to get it right again.

[dsenette]

that SHOULDN'T be the case (of course i can't prove it...since i've not tried it)....if you do the DCPROMO on the 2k3 server and make sure that it's added as a second DC in an existing forest/domain then it should come up as an emulated BDC (i.e. the FSMO roles don't get seized nor does the GC service)

[M420]

ok, could that work on the existing file server that is already there? Since I don't have another server to throw in that office?

[dsenette]

should be able to...if it's a 2k3 server you SHOULD be able to DCpromo the thing in as a new DC in an existing Forrest

[M420]

Interesting, don't know why I haven't tried that. I'll give it a shot next week after the holidays. Thanks for the advice.

[dsenette]

just don't blame me if it doesn't work.....ok you can blame me a little hehe..

it should work though...and technically if it doesn't you should just be able to demote the server

[M420]

If it doesn't work I'm holding you 100% responsible. kn-ARGH!-xville isn't that far from me. You may have to come fix it.

[dsenette]

paducah is a little farther than i want to drive hehe

a good option might be (if you can) to download and install VMWare server on a machine...and install (if you've got your 2k3 disks) a virtual machine of 2k3 and try it there....i've thought of a downside to this attempt in a live environment....when you DCPromo the 2k3 file server things should go fine...HOWEVER if they don't and you have to demote the server from a DC...it MIGHT (i.e. if memory serves correct, it will) unjoin from the domain...which COULD mess up the file permissions on the files

[M420]

True, but right now, all file permissions are inherited from the existing DC. So, even if it does drop the domain, when I rejoin it, it should just update the syslog and be ok, right?

[dsenette]

well the user permissions etc (i.e. who they are and can they access the domain) would float back in....but the specific file/folder permissions that are set on the server (like read/write permissions on folderA) wouldn't....

it just feels safer to me for the test to be done outside of a production server.....just to be safe

[M420]

Can do.

Now, before I run off and blow up my VM, I have on last question.

Because of the whole DC problem, we use DFSR for a lot of file replication. Can you think of any extra precautions that I should take to make sure that it remains stable during the DCpromo process?