Setting Up a domain across a ISA 2k4 site-site
Setting Up a domain across a ISA 2k4 site-site - 26.Oct.2005 4:13:00 PM
m.tzitzikalakis
Posts: 5
Joined: 26.Oct.2005
Here is my scenario: I have one main office and one branch office. Right now we have two separate domains, two separate Exchange 2k3 organizations, and ISA 2k4 servers at each office providing internet access and client VPN connectivity. Each office uses a different range of private IP address space (10.10.10.x and 172.17.0.x respectively).

We would like to consolidate the domains and Exchange organizations into one to eliminate duplicate accounts and simplify administration, among other things. We would also like the Exchange servers on both sites to be MX for our external FQDN.

What is the best way to go about setting this up? I don't really mind re-creating the AD installations, as I don't have much information in them (<50 users total), especially if it would result in a better configuration.

The way I imagine a configuration like this should be set up is as follows:
1. Set up ISA site-to-site at the branch office as a stand-alone server and configure the site-to-site connection
2. Join the ISA server to the main office domain
3. Using the site-to-site connection, create a domain controller and Exchange server at the branch office that are members of the main office domain and Exchange organization respectively
4. Set up external DNS on both ISA servers to provide DNS services for our external domain name and point to our Exchange servers published through ISA

I am familiar with the walkthroughs on the site and I have Dr Shinder's book, but are there any other things I should keep in mind when setting up this configuration? If I am way off, please let me know. I have a lot of the basics down and I have been using ISA/Proxy since 1.0, so I am familiar with the concepts, but this situation is quite frankly the most complex scenario I have ever had to deploy.

Thanks in advance for everyone's help
Michael G Tzitzikalakis
Mike.tzitzikalakis _at_ gmail.com
RE: Setting Up a domain across a ISA 2k4 site-site - 27.Oct.2005 10:43:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Michael,
Looks like you're on the right track.
In fact, it looks like a fun idea to include for a future how-to series for this site.
Thanks! Tom
RE: Setting Up a domain across a ISA 2k4 site-site - 14.Nov.2005 8:42:24 PM
m.tzitzikalakis
Posts: 5
Joined: 26.Oct.2005
OK, I set up the site-to-site connection and it connects fine. I can ping from each ISA machine onto either network (remote or local). I cannot, however, join the branch ISA machine to the main office domain. I also cannot ping the remote networks from clients. For example, a client at the branch office cannot ping anything on the main office network and vice versa. I did create the access rules and triple-checked them just like Tom's book instructed.

I am getting the following error message on both ISA server machines:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 11/14/2005
Time: 2:07:49 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: HERA
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

When I try to join the branch office ISA machine to the main office I get the following:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain bayridge.synthesisonfy.local:
The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.bayridge.synthesisonfy.local
Common causes of this error include the following:
- The DNS SRV records required to locate a domain controller for the domain are not registered in DNS. These records are registered with a DNS server automatically when a domain controller is added to a domain. They are updated by the domain controller at set intervals. This computer is configured to use DNS servers with the following IP addresses: 10.10.10.1 216.231.41.2 216.254.95.2
- One or more of the following zones do not include delegation to its child zone: bayridge.synthesisonfy.local synthesisonfy.local local . (the root zone)
For information about correcting this problem, click Help.

Some more background about my networks:
Main office internal range: 10.10.10.x
Branch office internal range: 172.17.0.x

If I left any important information out or anyone has any ideas, please feel free to contact me. I am really stumped on this one; it all seems configured correctly just like the book says, but I get no functionality. Oddly enough, I created connectivity verifiers on the remote machine to the AD of the main office and it reports it's up.

Thanks in advance
Mike Tzitzikalakis
mike.tzitzikalakis _AT_ gmail.com
RE: Setting Up a domain across a ISA 2k4 site-site - 18.Nov.2005 7:52:34 PM
clayman
Posts: 8
Joined: 29.Jul.2003
From: Canada
Mike,

Here is what I have done in the past to get a DC at a remote site: I set up a new install of W2K3 as a member server and then initiate a VPN connection directly to the DC from the new member server (not the ISA machine), i.e. the member server acts as a VPN client to the upstream domain that you want to use. I then join the new member server to the domain, reboot, connect again and then perform the DCPROMO across the VPN. Once it is operational, I disconnect the VPN and delete or disable it.

Now join the ISA server computer to the domain locally and initiate the site-to-site VPN between the two ISA machines. Once the connection is up, verify replication using replmon.exe to ensure that the machines are replicating properly.

Clayton
RE: Setting Up a domain across a ISA 2k4 site-site - 18.Nov.2005 8:32:55 PM
m.tzitzikalakis
Posts: 5
Joined: 26.Oct.2005
Right now I have an ISA server at the branch office that isn't a member of a domain. The site-to-site connection can only ping but nothing else; it does connect successfully though. There is no domain controller at the branch office right now, as I would like to get the connection up and running before merging into one domain.

Thanks, Clayton, for the info, but I don't have a second server to use as a DC. I need to leave the existing branch office setup running until I am sure my new setup is 100% operational. I only have one spare machine to do this with.
< Message edited by m.tzitzikalakis -- 18.Nov.2005 8:59:08 PM >
RE: Setting Up a domain across a ISA 2k4 site-site - 21.Nov.2005 1:29:47 PM
E.A.R.
Posts: 1
Joined: 21.Nov.2005
Hi Mike,

Make sure that on the branch ISA you are pointing to the internal DNS of the main office; in order to join you need to resolve the data store at _msdcs.*

About the 10016 event: after setting up a couple of site-to-site tunnels I've encountered such on both ends. I'm researching it (again :-)); last time it had to do with netman not having the correct permissions in "Component Services". Google it using 10016 and netman and you should get an answer. I'm doing that after finishing this posting.

HIH. Regards,
E.A.R.

P.S. Look at http://forums.techarena.in/archive/index.php/t-77421.html ;-). IIRC that was the post I followed last time.
< Message edited by E.A.R. -- 21.Nov.2005 1:35:55 PM >
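The join error in Mike's post above and E.A.R.'s advice to point the branch ISA at the main office's internal DNS come down to one question: which of the resolvers configured on the branch ISA (10.10.10.1 and the two ISP addresses) can actually answer the DC locator's SRV query for _ldap._tcp.dc._msdcs.bayridge.synthesisonfy.local? The script below is an added example, not code from this thread or from ISA Server: it builds that exact query on the wire, parses the answer, and maps DNS RCODE 3 (NXDOMAIN) to the "DNS name does not exist" / RCODE_NAME_ERROR text Windows reports. The two responses it parses when run stand-alone are constructed for illustration (an external resolver answering NXDOMAIN for the .local name, the main office DNS answering with a hypothetical DC called dc1.bayridge.synthesisonfy.local on port 389); query_resolver() sends the real query to a server you name.

```python
import socket
import struct

# SRV name the DC locator queried, taken from the error text in the post above.
DC_SRV_NAME = "_ldap._tcp.dc._msdcs.bayridge.synthesisonfy.local"
QTYPE_SRV, QCLASS_IN = 33, 1
# Windows reports DNS RCODE 3 as 0x232B RCODE_NAME_ERROR ("DNS name does not exist").
RCODE_TEXT = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                   # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_srv_query(name, txid):
    """Standard recursive query for <name> IN SRV, as the DC locator sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, 1 question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)


def build_srv_response(txid, name, rcode, srvs):
    """Constructed response for offline use: rcode 3, or SRV tuples (prio, weight, port, target)."""
    flags = 0x8180 | (rcode & 0xF)                    # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(srvs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    for prio, weight, port, target in srvs:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += encode_name(name) + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, len(rdata)) + rdata
    return msg


def parse_srv_response(msg, txid):
    """Return (rcode, [(prio, weight, port, target), ...]) from a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return flags & 0xF, records


def verdict(rcode, records):
    """One-line diagnosis per resolver, in the terms the join error uses."""
    if rcode == 3:
        return "NXDOMAIN: this server cannot locate a DC (RCODE_NAME_ERROR)"
    if rcode != 0:
        return "%s: resolver error" % RCODE_TEXT.get(rcode, rcode)
    if not records:
        return "NOERROR but no SRV answer: zone exists, DC records not registered"
    return "DC locatable via " + ", ".join("%s:%d" % (t, p) for _, _, p, t in records)


def query_resolver(server, name=DC_SRV_NAME, timeout=3.0):
    """Send the SRV query over UDP/53 to one resolver and return verdict(); needs network access."""
    txid = 0x1A2B
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: no answer (ISA access rule or firewall blocking DNS?)"
    return verdict(*parse_srv_response(data, txid))


if __name__ == "__main__":
    # Constructed packets: an ISP resolver answering NXDOMAIN for the .local name,
    # and the main office DNS answering with a hypothetical DC name.
    nx = build_srv_response(7, DC_SRV_NAME, 3, [])
    ok = build_srv_response(7, DC_SRV_NAME, 0, [(0, 100, 389, "dc1.bayridge.synthesisonfy.local")])
    for label, pkt in (("216.231.41.2 (ISP)", nx), ("10.10.10.1 (main office)", ok)):
        print(label, "->", verdict(*parse_srv_response(pkt, 7)))
    # Live check of each resolver from the post: query_resolver("10.10.10.1"), etc.
```

Run query_resolver() once per address in the branch ISA's resolver list; any server that returns NXDOMAIN for the _msdcs name is one the join can fail against, which is why the branch ISA should list only the main office internal DNS (reachable through the site-to-site tunnel) for the internal domain.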
RE: Setting Up a domain across a ISA 2k4 site-site - 21.Nov.2005 5:26:23 PM
m.tzitzikalakis
Posts: 5
Joined: 26.Oct.2005
Thanks for the reply. I am going to try formatting the machine and trying again. Maybe a clean install will clear some things up.
RE: Setting Up a domain across a ISA 2k4 site-site - 22.Nov.2005 4:36:01 PM
daniilkireev
Posts: 12
Joined: 10.Aug.2004
From: Moscow, Russia
I had this event when I spanned two domains (HQ and branch) across the Internet using Microsoft ISA 2004 site-to-site VPN connections. The branch office connects to HQ by VPN site-to-site and gets the error: "Remote server closed the connection." From the HQ side I see this (10016) event every time the branch office tries to connect. From the MS site I read that this may happen after you install SP1 on a W2K3 system or SP2 on ISA 2004 (as a result of the increased security level). They recommended checking "Enable network COM+ access" and "Enable network DTC access" in Application Server details ("Add/Remove Windows components"). I did so, rebooted, and the branch office was able to connect normally. You may search the MS site for this event.