Active Directory servers synchronization
I have 3 AD servers with Windows Server 2008 R2 at 3 different places; the main server is at the datacenter and 2 are in our local offices, which are at 2 different places.
I want to synchronize all 3 servers together, where the datacenter server should be the central server and the other 2 servers should sync with the datacenter server. Please provide us the steps or a tutorial to do this.
Also we want that once changes are done in 1 of the AD servers the changes are automatically done in all the servers. For example, if I change the password of a user in our local server it should be updated in our main AD server and the other branch server too.
Please provide us the steps or a tutorial to do this ASAP.
I have one more question. I have already created the main datacenter AD as domain.local and the other domains as xyz.local and abc.local. How can I replicate the additional AD domains with the main datacenter DC? Also, do we require a VPN connection, or is there any other way to replicate the servers without using a VPN connection?
Solution 1:
we want that once the changes are done in 1 of the AD server the changes are automatically done in all the servers
You don't need to do anything. The standard Active Directory topology does this automagically.
I want to synchronize all the 3 server together, w[h]ere datacenter server should be central server and rest 2 servers should synch with the datacenter server.
If you want to explicitly enforce that all changes MUST be replicated through the "central" server, and not directly from node-to-node, you can do this. Have a poke around in the Active Directory Sites and Services MMC, as this is where the replication rules are controlled from.
What you need to do is set up all of the physical sites as sites in Sites and Services, and then move each domain controller into their appropriate site. Then, expand each domain controller and go to its NTDS settings. From here you can either delete or create new links between the domain controllers.
What you want to do is have each domain controller contact each other domain controller that is in the same site (so servers within each physical location sync immediately with each other), and then create an additional connection to the central domain controller.
Also, I have the main domain, say for example xyz.local, and two additional domain controllers. How can I synchronize them with the .local domains, and how can we replicate it? Do we require a VPN connection in order to replicate the data of xyz.local to our other branch domain controller?
Solution 2:
As Mark said, domain controllers within the same domain automatically replicate Active Directory data and changes between them, so you should not need to do anything at all, other than properly defining sites in the "Active Directory Sites and Services" console. Quick tutorial here:
- Define subnets based on IP address/subnet mask.
- Define sites.
- Associate subnets with sites so that AD knows which site does an IP address belong to.
- When creating a new DC, it will be automatically placed in the right site.
- If DCs have already been created, just move them manually to the proper site.
After you wait a while, an Active Directory background process (called the "Knowledge Consistency Checker" or KCC) will detect the new topology and build proper replication connections between DCs (i.e. who replicates with whom); you could then tweak this manually, if you want to.
To add a new domain controller to an existing domain, you need to add the "Active Directory Domain Services" role to the server, and then run the command dcpromo.exe; the following wizard will ask you for various information, and you should simply tell it to add a new DC to an existing domain (and make it a DNS server and Global Catalog, since you only have one of them per site); replication will then begin automatically.
This all applies to domain controllers being in the same domain. If you need more domains, things get somewhat more complex, so you should really avoid this if you don't actually need more than one domain (hint: there are very good chances you don't).
Update:
Looks like you already created three different domains. Things are a lot trickier now: different domains in the same forest (I hope they are...) actually synchronize something between them, but each one of them has a different user database; so, if you create a user account in domain A, there's no way to have that user account pop up in domain B: you'll have to use trusts and permissions to allow the user in domain A to access resources in domain B. I strongly suggest you remove those two additional domains and go back to a single domain design, since you don't seem to be in production stage yet.
For replication to work, you'll need either a WAN link or a VPN. I'm assuming each of your servers has a private IP address, so they won't be able to communicate without any of them... but even if they had public IPs (and that would be quite unusual), that's not the kind of traffic you'd like to see flowing openly on the Internet.
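The site, subnet and site-link setup described in Solutions 1 and 2, scripted as an added example (not code from either answer). It assumes the ActiveDirectory PowerShell module shipped with Windows Server 2012 or later RSAT, which provides the replication cmdlets (on a plain 2008 R2 console only the Sites and Services MMC and repadmin are available); the site names, subnets and DC names are hypothetical placeholders.

```powershell
# Added example, not from the original answers. Requires the ActiveDirectory module
# from Windows Server 2012+ RSAT for the *-ADReplication* cmdlets.
# Site names, subnets and DC names are hypothetical placeholders.
Import-Module ActiveDirectory

# One site per physical location, with the subnets that belong to it.
$sites = @{
    'Datacenter' = @('10.0.0.0/24')
    'Branch-A'   = @('10.1.0.0/24')
    'Branch-B'   = @('10.2.0.0/24')
}

foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($subnet in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
            # Subnet-to-site mapping lets clients and new DCs find their own site.
            New-ADReplicationSubnet -Name $subnet -Site $site
        }
    }
}

# Hub-and-spoke site links: each branch replicates only via the datacenter site,
# which is the "central server" topology Solution 1 describes.
foreach ($branch in 'Branch-A', 'Branch-B') {
    New-ADReplicationSiteLink -Name "Datacenter-$branch" `
        -SitesIncluded 'Datacenter', $branch `
        -Cost 100 -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# Move the already-promoted DCs out of Default-First-Site-Name into their sites.
Move-ADDirectoryServer -Identity 'DC-DATACENTER' -Site 'Datacenter'
Move-ADDirectoryServer -Identity 'DC-BRANCH-A'   -Site 'Branch-A'
Move-ADDirectoryServer -Identity 'DC-BRANCH-B'   -Site 'Branch-B'

# Ask the KCC to recompute the topology now instead of waiting for its next pass,
# then verify that every DC shows zero replication failures and inspect the
# connection objects it generated.
repadmin /kcc
repadmin /replsummary
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
```

Once the branch sites are on their own site links, also remove them from DEFAULTIPSITELINK (Set-ADReplicationSiteLink -SitesIncluded @{Remove=...}), otherwise the KCC may still build a direct branch-to-branch connection through that link.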
Solution 3:
You can't do what you want without a VPN. It's possible to replicate some things without a VPN, but user accounts and passwords aren't part of that.
Also, since you have 3 domains, you'll need 3 domain controllers at each site if you want to replicate everything to each site. This isn't a great way of doing things. Here's what I recommend you do:
- Set up site-to-site VPNs between the sites
- Choose a domain to keep and install ADMT on this domain
- Migrate all user and computer accounts from the other 2 domains to the domain you're going to keep
- Run dcpromo on the other servers to destroy those domains
- Join those other servers to your one-and-only domain
- Run dcpromo on those servers to promote them back to domain controllers in the same domain
- Use Active Directory Sites and Services to set up proper sites and make each server a global catalog server