ericargyle

Hello, I am currently running a multi-site Windows 2008 R2 functional level domain between 2 sites. I have Sites and Services seperated by subnets (172.17.0.0) and (172.16.0.0) and replication all works properly. This design works great to keep things local that should stay local, and to ensure policy goes to proper site. DNS is ADI. Clients point to local site DNS first, secondary site DNS second. Is there a way that I can ensure that if Site A's DCs are downed completely, we cross campus to Site B. With this simply work with my current design, pointing to second sites DNS, which references all DCs? To be fair, I haven't pulled a DC down to test, and it might work already, but since Server 2008 r2 won't broadcast it's services over the WAN link, I'm not certain. Thanks, let me know if you need any more info. Eric

Cluberti, thanks for the reply. I am using DFS-R. I did manage to fix SYSVOL replication by setting DC1 as authorative and DC2 as non-authorative, and pushing DC2 to DC1 as the parent computer. However, DNS, which is fully ADI, seems to be replicating only from DC1 to DC2, and not vice versa. I'm wondering if you have any suggestions for that?

Thanks Allen. Unfortunately that is mainly dealing with frs. Mines 2008 functional , dfsr through and through. I think I should AdSiedit to make dc1 primary dfsr point. Then I should non authorative restore dc2 dfsr. Does that sound about right? Thanks as always Allen. Not the first time you've helped me.

repadmin runs clean as well. C:\Windows\system32>repadmin /showrepl Repadmin: running command /showrepl against full DC localhost East\DC1 DSA Options: IS_GC Site Options: (none) DSA object GUID: b90d4c8c-fde8-439f-82aa-50d5c8022040 DSA invocationID: 2dc9628e-4f4b-40da-b567-2fa6a1a9f9ce ==== INBOUND NEIGHBORS ====================================== DC=leyden,DC=local West\DC2 via RPC DSA object GUID: 56afd570-f325-4bf5-a05a-b7762ef5ff19 Last attempt @ 2011-06-17 10:06:11 was successful. CN=Configuration,DC=leyden,DC=local West\DC2 via RPC DSA object GUID: 56afd570-f325-4bf5-a05a-b7762ef5ff19 Last attempt @ 2011-06-17 10:06:11 was successful. CN=Schema,CN=Configuration,DC=leyden,DC=local West\DC2 via RPC DSA object GUID: 56afd570-f325-4bf5-a05a-b7762ef5ff19 Last attempt @ 2011-06-17 10:06:11 was successful. DC=DomainDnsZones,DC=leyden,DC=local West\DC2 via RPC DSA object GUID: 56afd570-f325-4bf5-a05a-b7762ef5ff19 Last attempt @ 2011-06-17 10:06:11 was successful. DC=ForestDnsZones,DC=leyden,DC=local West\DC2 via RPC DSA object GUID: 56afd570-f325-4bf5-a05a-b7762ef5ff19 Last attempt @ 2011-06-17 10:06:11 was successful.

PREFACE: I recently had to restore an image of our 2 DCs due to a DNS issue we were having. I restored from the previous night prior to the issue. The restore went cleanly. However, since then, GPOs have not replicated. SYSVOL is replicating. Login scripts have transferred over. Policies are not. Domain policies are not replicating from Dc1 to DC2 in my ADI domain. DNS is clean. Clients are able to log in, new clients are able to join the domain, and authenticate cleanly at each site. DNS updates dynamically for my clients. DFSR throws no errors, and communicates cleanly, even mapping drives over the WAN. It's 2008 R2 entirely, so FSR is not running, that fix won't work in my world. I have rebooted DC2 (which is having the issues), have pushed over with sites and services, and have checked DC2 for DFSR errors. Latest info on DC2: The DFS Replication service successfully established an inbound connection with partner DC1 for replication group Domain System Volume. To me, this would allow group policy objects to make the jump. No AV, no firewall running. I'm running out of ideas. Any help appreciated.

Root of drive is DEPT. In drive is MATH, ART, and READING. I want members of said groups to have modify rights on all contents in the folder, but not delete the folder itself. I've tried giving DENY rights on DEPT for THIS FOLDER ONLY and applying the special permission DELETE SUBFOLDERS AND FILES. I figured this would take precedence over a potential delete, but doesn't seem to do so. Even with the rule, users can still delete the folder. What is the proper way to accomplish this? Hopefully this post makes sense.

Thanks Allen. The issue was Domain Admins were in the local admins group, administrators on the domain were not. I pushed it out with Restricted Groups and that did the trick for affected users.

Besides the usual stuff... pointing to local WSUS server with updates defined, setting power saving, pointing to internal AV defs servers, making certain users local admins, and pushing Office and AV to all workstations... what else is in your default group policy on your domain(s)? I'm not a fan of pushing frequently updated apps, or limiting my users' experience to a fault, but I'm curious of any tweaks or policy that's good to push either to a group of users, machines, etc. Let me know! Thanks guys.

I ran net user username \domain The funny thing is that it tells me I'm a member of the local group: administrators. However, I have no access to control panel, or installing apps, etc. Any help would be great.

Ever hear of domain admin rights not propagating to the user at the workstation level when logged in? No changes have been made to default domain policy. Seems to have occurred out of nowhere. Any suggestions on how to fix this? Clearly the joined domain machine recognizes the domain user and authenticates. However, rights do not push. Any help would be excellent. Of note, it seems to be any new users I create in AD. Previously created admins do pull appropriate rights on logged in workstations. Also, this on consistent on Win7 and WinXP clients. Thanks guys.

Thanks Cluberti. I really, desperately would have loved them to be on the same domain, ie: campus.local, but how do I dictate different physical workstations to connect to the appropriate DC? Ideally, someone at West, should authenticate and pull DHCP from West DC, and east should pull authenticate and pull DHCP from EAST DC. Only reason this even matters, is because the gateway will be different to get out. Otherwise, I'm open to design ideas you can point me to, or explain in greater detail. Thanks again.

Cheers Allen. One more question, because I don't want to change the subnet in the middle of the year, what about keeping it at 172.17.6.2 to 172.17.15.250? Will that work?

Hey guys, Can you verify my proposed install? I am replacing ancient Novell Netware servers with Windows Server 2008 R2 DCs and FileServers. My environment consists of two campuses with a 100MB Opt-e-man link between them. I have already pieced out filstructure and permissions for user data, I am now in the process of planning the actual introduction of the new servers. The servers are all HP. Each campus has a DL360 and a DL370 x5660 with 36GB RAM. I would like to set up the DC as east-dc.local and east-fs.local. I will be running DHCP on this as a class B, and my scope will be 172.17.6.2 to 172.17.30.254 255.255.240.0 subnet DNS will also be running locally. Currently all DHCP and DNS is being done through the Sonicwall. I know, it's unfortunate. I inherited this. Secondly I would like to set up a DC as west-dc.local and west-fs.local. I will be running DHCP on this as a class B, and my scope will be 172.16.6.2 to 172.16.30.254 255.255.240.0 subnet File servers at both campuses will be configured as vanilla file servers on server-core. Shares will be made per user per campus. On the East AD, I'm going to structure the AD so that it looks like this: East (top level OU), Staff (under East), Students (under East), and Teachers (under East). West (top level OU), Staff (under West), Students (under West), and Teachers (under West). I do this per school to make sure shares are created at the desired physical location. I'm going to set up AD Replication between the 2 DCs, however, they will not be primary and secondary, they will still be their own individual DCs, as I don't want cross campus authentication, however, I do want them to be able to log in when at the opposite school. This should do that cleanly, while only mapping their minimal data home directories cross campus. Scripts are written for all users, and templates are set up. Printers will be added post clean install and user testing. There are additional, less Windows Server specific things, like print auditing, and some WSUS I'll set up later. From an onlookers perspective, does that all look like it will work cleanly? Anything to keep in consideration? Thanks.

Buy this product. I can vouch for it. I have it as an AP client to a Linksys N router. I have that in the living room, uplinked to a switch; and then I plug in the media pc, and the tv (internet connected) to it, and they all pull DHCP from the original router. Works a trick, can get it all for about 35 bucks. http://www.newegg.com/Product/Product.aspx?Item=N82E16833180035 Looks deactivated now, but ebay it, or google shop for it.

Question, currently our network has a DHCP scope of 172.17.6.2 to 172.17.9.250. I would like to expand it to 172.17.6.2 to 172.17.30.250. Is this possible? Just double-checking before expansion.