AD site with connection only to a specific network segment

J Z 1 Reputation point
2021-11-10T10:57:31.733+00:00

Hi, we have some design problem with AD: we must create one AD site with 2 DCs behind a VPN tunnel, and that tunnel will not have access to all domain controllers in the whole AD organization; the network connection will only be to the main office, not the branches. Are there some problems that can occur? Will the KCC want to automatically connect to some DC in the branches, or is it possible to avoid that by manually configuring replication links to the main office, and will this guarantee that no problem will occur with replication?

Thank you

OSO

Active Directory

2 answers

  1. Gary Reynolds 9,591 Reputation points
    2021-11-10T20:33:31.333+00:00

    Hi @J Z

    Yes, it is possible to have DCs at the end of the VPN link with only a single connection to the main site, without impacting the replication of the other DCs in the forest. If the existing AD site topology has a hub and spoke topology, you can create a new AD site for the remote site at the end of the VPN link and then create an AD site link to the main site. This will limit the replication traffic to just these two sites.

    Have a read of the following pages for more information on AD replication:

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/designing-the-site-topology

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts

    I would also specifically check the bridging configuration to ensure that the replication is controlled:

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts#BKMK_8

    Gary.
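
As an added example (this is not code from Gary's answer or from the linked Microsoft pages), the layout he describes can be built and then checked with the ActiveDirectory PowerShell module on a DC or an admin workstation with RSAT. The site names MainOffice and VPN-Site, the subnet 10.50.0.0/24, the site link name, cost and interval are assumptions chosen for the example; the verification step assumes the KCC has already run (repadmin /kcc against one of the VPN DCs forces a pass).

```powershell
# Added example, not from the original thread. Builds the topology described above:
# one new AD site for the two DCs behind the VPN tunnel, one site link joining it to the
# main-office site only, "Bridge all site links" switched off, then a check that the
# KCC/ISTG only paired the VPN DCs with main-office DCs.
# Assumed names: MainOffice (existing hub site), VPN-Site, 10.50.0.0/24.
Import-Module ActiveDirectory

$mainSite  = 'MainOffice'     # assumption: the existing hub site
$vpnSite   = 'VPN-Site'       # assumption: new site for the DCs behind the tunnel
$vpnSubnet = '10.50.0.0/24'   # assumption: address range reachable only through the tunnel
$linkName  = "$mainSite-$vpnSite"

# 1. Site and subnet, so the two DCs (and clients on that range) are placed in the new site.
New-ADReplicationSite -Name $vpnSite
New-ADReplicationSubnet -Name $vpnSubnet -Site $vpnSite

# 2. A site link whose only members are the hub and the VPN site.
New-ADReplicationSiteLink -Name $linkName -SitesIncluded $mainSite, $vpnSite `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# 3. Make sure the VPN site is not also a member of some other link (typically
#    DEFAULTIPSITELINK, which may still contain the branches): any such link would let the
#    ISTG pick a branch DC as a replication partner. SitesIncluded holds site DNs.
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded |
    Where-Object { $_.Name -ne $linkName -and ($_.SitesIncluded -match "^CN=$vpnSite,") } |
    ForEach-Object { Set-ADReplicationSiteLink -Identity $_ -SitesIncluded @{ Remove = $vpnSite } }

# 4. Turn off "Bridge all site links" on the IP transport so only sites that share a site
#    link count as adjacent. Bit 0x2 (BRIDGES_REQUIRED) in the options attribute of the
#    inter-site transport object is the "not bridged" state; the GUI checkbox toggles the same bit.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites," + (Get-ADRootDSE).configurationNamingContext
$opts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 0x2) }

# 5. Verification after a KCC pass: every inbound connection object on a server in the
#    VPN site must have a main-office DC as its source. FromSite is parsed out of the
#    source server's DN (CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,...).
function Test-VpnSitePartners {
    param([string]$Site = $vpnSite, [string]$Hub = $mainSite)
    Get-ADReplicationConnection -Filter * |
        Where-Object { $_.ReplicateToDirectoryServer -like "*CN=Servers,CN=$Site,*" } |
        ForEach-Object {
            $from = [regex]::Match($_.ReplicateFromDirectoryServer, 'CN=Servers,CN=([^,]+),').Groups[1].Value
            [pscustomobject]@{ Connection = $_.Name; FromSite = $from; Expected = ($from -eq $Hub) }
        }
}
Test-VpnSitePartners | Format-Table -AutoSize
```

Step 4 is a forest-wide setting, not a per-site one: once bridging is off, every site in the forest only replicates with sites it shares a site link with, so check that the existing hub-and-spoke links really do connect each branch to the hub before flipping it. Any row in the step 5 output with Expected = False means the ISTG still found a path to a branch DC, which almost always points at a leftover site-link membership from step 3.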


  2. Limitless Technology 39,801 Reputation points
    2021-11-11T10:41:16.677+00:00

    Hi there,

    To avoid any problems you can try a multisite infrastructure.

    To configure a multisite deployment, there are a number of steps required to modify network infrastructure settings including configuring additional Active Directory sites and domain controllers, configuring additional security groups, and configuring Group Policy Objects (GPOs) if you are not using automatically configured GPOs.

    Here are some links as well that might help you with the process:

    https://learn.microsoft.com/en-us/windows-server/remote/remote-access/ras/multisite/configure/step-2-configure-the-multisite-infrastructure
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-create-an-active-directory-subnet-site-with-32-or-128-and/ba-p/256105

