Multiple Tombstoned DC's

IT Discussion (tagged: active directory)
Fredtx @PhlipElder:

      @PhlipElder said in Multiple Tombstoned DC's:

      Just how much change is there between then and now?

I don't know. It's been 8 months, so I imagine there have been quite a few changes.

Also, just to confirm: the KCC ONLY creates site links for sites that have network connectivity, correct? My coworker seems to think that the Highlands server was never connected to those 6 sites, but from what I recall, they need to be connected or the KCC would not have created those links. Again, my theory is that someone removed those VPN tunnels, or the Highlands DC was configured at our Fort Worth hub site and later shipped to Highlands.

PhlipElder @Fredtx:

        @Fredtx said in Multiple Tombstoned DC's:

        @PhlipElder said in Multiple Tombstoned DC's:

        Just how much change is there between then and now?

I don't know. It's been 8 months, so I imagine there have been quite a few changes.

Also, just to confirm: the KCC ONLY creates site links for sites that have network connectivity, correct? My coworker seems to think that the Highlands server was never connected to those 6 sites, but from what I recall, they need to be connected or the KCC would not have created those links. Again, my theory is that someone removed those VPN tunnels, or the Highlands DC was configured at our Fort Worth hub site and later shipped to Highlands.

        If there are replication links (auto) then there was comms between the two site's DCs.

Fredtx @PhlipElder:

          @PhlipElder

          Sorry, I didn't mean links. I meant inbound partners. AKA "connections" when viewing in AD Sites and Services.

PhlipElder @Fredtx:

            @Fredtx said in Multiple Tombstoned DC's:

            @PhlipElder

            Sorry, I didn't mean links. I meant inbound partners. AKA "connections" when viewing in AD Sites and Services.

            Yes. That's what I understood to be said there.

            If there are replication links there that were automatically generated then at one time the good site's DCs were replicating with the offline site's DCs.

Fredtx @PhlipElder:

              @PhlipElder said in Multiple Tombstoned DC's:

              @Fredtx said in Multiple Tombstoned DC's:

              @PhlipElder

              Sorry, I didn't mean links. I meant inbound partners. AKA "connections" when viewing in AD Sites and Services.

              Yes. That's what I understood to be said there.

              If there are replication links there that were automatically generated then at one time the good site's DCs were replicating with the offline site's DCs.

I have demoted all defective sites, done metadata and DNS cleanup, and confirmed replication of the changes across all domain controllers.

I promoted the first DC successfully. However, the KCC is automatically adding the site that has no network connectivity, and I can't understand why. This is why the DCs tombstoned in the first place. I guess I could create the VPN tunnel? I would think the KCC would detect there is no connectivity and add a connection that DOES have connectivity.

              Any ideas @dbeato @PhlipElder ???

notverypunny @Fredtx:

@Fredtx does the isolated site still exist in Sites and Services? What's the plan for that location if the ideal end goal is to have the VPN tunnel down and no site-to-site connection? (apologies if this was already covered)

Fredtx @notverypunny (edited):

                  @notverypunny said in Multiple Tombstoned DC's:

@Fredtx does the isolated site still exist in Sites and Services? What's the plan for that location if the ideal end goal is to have the VPN tunnel down and no site-to-site connection? (apologies if this was already covered)

Yes, the site still exists. I'm just confused as to why the KCC is adding the connection to the link when there is no network connectivity to that site. From my understanding, the whole purpose of the KCC is to create connections with the best paths, and this one would NOT be the best path since there's no network connectivity.

PhlipElder @Fredtx:

                    @Fredtx said in Multiple Tombstoned DC's:

                    @notverypunny said in Multiple Tombstoned DC's:

@Fredtx does the isolated site still exist in Sites and Services? What's the plan for that location if the ideal end goal is to have the VPN tunnel down and no site-to-site connection? (apologies if this was already covered)

Yes, the site still exists. I'm just confused as to why the KCC is adding the connection to the link when there is no network connectivity to that site. From my understanding, the whole purpose of the KCC is to create connections with the best paths, and this one would NOT be the best path since there's no network connectivity.

                    Is the defunct site's subnet set up in Sites? That's what is going to need to be changed or removed.

notverypunny @PhlipElder:

                      @PhlipElder said in Multiple Tombstoned DC's:

                      @Fredtx said in Multiple Tombstoned DC's:

                      @notverypunny said in Multiple Tombstoned DC's:

@Fredtx does the isolated site still exist in Sites and Services? What's the plan for that location if the ideal end goal is to have the VPN tunnel down and no site-to-site connection? (apologies if this was already covered)

Yes, the site still exists. I'm just confused as to why the KCC is adding the connection to the link when there is no network connectivity to that site. From my understanding, the whole purpose of the KCC is to create connections with the best paths, and this one would NOT be the best path since there's no network connectivity.

                      Is the defunct site's subnet set up in Sites? That's what is going to need to be changed or removed.

This is where my idea was headed, but I wanted to make sure that the OP realized that without AD connectivity it's going to be entirely off the domain and that his other domain machines are going to tombstone as well (if they haven't already).

Fredtx @PhlipElder:

                        @PhlipElder said in Multiple Tombstoned DC's:

                        @Fredtx said in Multiple Tombstoned DC's:

                        @notverypunny said in Multiple Tombstoned DC's:

@Fredtx does the isolated site still exist in Sites and Services? What's the plan for that location if the ideal end goal is to have the VPN tunnel down and no site-to-site connection? (apologies if this was already covered)

Yes, the site still exists. I'm just confused as to why the KCC is adding the connection to the link when there is no network connectivity to that site. From my understanding, the whole purpose of the KCC is to create connections with the best paths, and this one would NOT be the best path since there's no network connectivity.

                        Is the defunct site's subnet set up in Sites? That's what is going to need to be changed or removed.

Yes, it's set up in Sites with the correct subnet as well.

Also, I see all the sites are listed in the Sites/Inter-Site Transports/IP/DEFAULTIPSITELINK properties. Is that normal? Highlands (the defunct site) does have the appropriate subnet configured, as I mentioned.

See below.

[attached screenshot not reproduced]

dbeato @Fredtx:

                          @Fredtx I would just remove that site from being in Active Directory sites and services entirely.

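Two facts of AD topology sit behind the questions in the last few posts, and they are worth stating plainly before the example: a site must belong to at least one site link, and the new-site wizard defaults to DEFAULTIPSITELINK, so every site appearing in that link is simply the out-of-the-box state; and the KCC/ISTG builds inter-site connection objects from the site-link configuration and its costs, not from any reachability probe, so a site that still has a subnet, a server object and a site-link membership will keep getting connection objects whether or not a tunnel exists (the failures only surface afterwards in replication status). The PowerShell below is an added example, not code from anyone in the thread. It assumes the RSAT ActiveDirectory module and repadmin.exe on a domain-joined admin host, and uses 'Highlands' from the thread as the site name. It first lists everything that still anchors the site in the configuration partition and what replication actually reports, then removes the site in dependency order (subnets, site-link membership, the site container), guarded by -WhatIf and refusing to run while any NTDS Settings object is still under the site.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory + repadmin.exe.
Import-Module ActiveDirectory

$Site = 'Highlands'   # assumption: name of the site with no connectivity

# Resolve the site object once; everything else hangs off its DN.
$siteDn = (Get-ADReplicationSite -Identity $Site).DistinguishedName

Write-Host "== Subnets still mapped to $Site (hosts in these ranges are assigned to it) =="
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -eq $siteDn } |
    Format-Table Name, Location -AutoSize

Write-Host "== Site links that include $Site (the ISTG builds the topology from these) =="
Get-ADReplicationSiteLink -Filter * |
    Where-Object { $_.SitesIncluded -contains $siteDn } |
    Format-Table Name, Cost, ReplicationFrequencyInMinutes -AutoSize

Write-Host "== Server objects left under $Site (ntdsutil may leave these behind) =="
Get-ADObject -SearchBase "CN=Servers,$siteDn" -SearchScope OneLevel `
    -Filter 'objectClass -eq "server"' |
    Format-Table Name, DistinguishedName -AutoSize

Write-Host "== Connection objects into or out of $Site =="
# ReplicateFrom/ToDirectoryServer hold NTDS Settings DNs, which end in the site DN,
# so a suffix match finds every connection that touches this site in either direction.
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateFromDirectoryServer -like "*,$siteDn" -or
                   $_.ReplicateToDirectoryServer   -like "*,$siteDn" } |
    Format-Table Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer -Wrap

Write-Host "== What replication actually reports (failing inbound partners only) =="
# repadmin /showrepl /csv emits one row per inbound partner per naming context.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Format-Table 'Destination DSA', 'Source DSA Site', 'Source DSA', 'Naming Context',
                 'Number of Failures', 'Last Success Time', 'Last Failure Status' -AutoSize

function Remove-DefunctSite {
    # Tears a site out of the configuration partition in dependency order.
    # Refuses to run while an NTDS Settings object (a DC) still exists under it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    $dn = (Get-ADReplicationSite -Identity $Name).DistinguishedName
    $liveDc = Get-ADObject -SearchBase "CN=Servers,$dn" -SearchScope Subtree `
        -Filter 'objectClass -eq "nTDSDSA"'
    if ($liveDc) { throw "Site $Name still has NTDS Settings objects; finish metadata cleanup first." }

    # 1. Subnets: otherwise hosts in those ranges keep resolving to a site with no DC.
    Get-ADReplicationSubnet -Filter * | Where-Object { $_.Site -eq $dn } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Remove subnet')) {
            Remove-ADReplicationSubnet -Identity $_ -Confirm:$false
        }
    }
    # 2. Site links: the ISTG stops routing to the site once no link includes it.
    Get-ADReplicationSiteLink -Filter * | Where-Object { $_.SitesIncluded -contains $dn } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, "Remove $Name from site link")) {
            Set-ADReplicationSiteLink -Identity $_ -SitesIncluded @{Remove = $Name}
        }
    }
    # 3. The site container itself, including Servers, NTDS Site Settings and stale server objects.
    if ($PSCmdlet.ShouldProcess($Name, 'Remove site')) {
        Remove-ADObject -Identity $dn -Recursive -Confirm:$false
    }
}

# Dry run first; drop -WhatIf once the listed actions match what you expect.
Remove-DefunctSite -Name $Site -WhatIf
```

Run the audit half on its own first. If the connection-object list shows auto-generated connections with the dead site at either end, that is the ISTG doing exactly what the site links tell it to; removing the site-link membership (step 2) is what makes those connections go away on the next KCC pass, and removing the subnet is what stops clients in that range from being steered to a site with no DC.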
Fredtx @dbeato:

                            @dbeato said in Multiple Tombstoned DC's:

                            I would just remove that site from being in Active Directory sites and services entirely.

What would be the effects if I remove that site from ADSS? Would it still be able to have an inbound rep partner?

Fredtx (follow-up):

My colleague is saying we should have all the sites connected via a mesh topology. That's 11 sites, and I feel like that would be too much overhead just for AD. Also, that would decrease network security by connecting branch office LANs together via site-to-site VPN.

I was thinking of having a hub-and-spoke topology to our main site, especially since our main site handles RADIUS authentication for all the branch offices.

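Hub-and-spoke can be expressed in the AD replication topology itself, not only in the VPN layout, so that the KCC never tries to replicate across a path the network does not carry: one site link per spoke containing only the hub and that spoke, the spokes removed from DEFAULTIPSITELINK, and automatic site-link bridging turned off. That last step matters because with "Bridge all site links" on (the default) the ISTG treats site links as transitive and is permitted to create a direct spoke-to-spoke connection when it cannot reach the hub's bridgeheads, which on a hub-and-spoke VPN just produces more tombstoned DCs. The PowerShell below is an added example, not code from anyone in the thread; it assumes the RSAT ActiveDirectory module and Enterprise Admin rights, takes 'FortWorth' from the thread as the hub site name, and uses placeholder names for the spoke sites.

```powershell
# Added example, not from the thread. Site names are assumptions.
Import-Module ActiveDirectory

$Hub    = 'FortWorth'                          # hub site (name taken from the thread)
$Spokes = @('Branch01', 'Branch02', 'Branch03') # placeholder spoke site names
$Cost   = 100
$Every  = 15   # minutes; AD's minimum inter-site replication interval

foreach ($spoke in $Spokes) {
    $linkName = "$Hub-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        # One dedicated link per spoke, containing only the hub and that spoke.
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded $Hub, $spoke `
            -Cost $Cost -ReplicationFrequencyInMinutes $Every -InterSiteTransportProtocol IP
    }
    # Take the spoke out of the catch-all link so its hub link is the only configured path.
    $spokeDn = (Get-ADReplicationSite -Identity $spoke).DistinguishedName
    $default = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK'
    if ($default.SitesIncluded -contains $spokeDn) {
        Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Remove = $spoke}
    }
}

# Disable "Bridge all site links" on the IP transport. Bit 0x2 of the transport's
# options attribute (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) tells the ISTG that site
# links are not transitive, so it only uses the links (and explicit bridges) you defined.
$configNc    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
$options     = [int](Get-ADObject -Identity $ipTransport -Properties options).options
if (-not ($options -band 2)) {
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($options -bor 2) }
}

# Ask the hub's KCC to recompute now instead of waiting for the 15-minute cycle.
$hubDc = [string](Get-ADDomainController -Discover -SiteName $Hub).HostName
repadmin /kcc $hubDc

function Get-SpokeToSpokeConnection {
    # Returns auto-generated inter-site connection objects with neither end in the hub,
    # i.e. replication paths a hub-and-spoke network cannot carry. Expect no output.
    param([Parameter(Mandatory)][string]$HubName)
    $hubDn = (Get-ADReplicationSite -Identity $HubName).DistinguishedName
    Get-ADReplicationConnection -Filter * | Where-Object {
        $_.AutoGenerated -and
        $_.ReplicateFromDirectoryServer -notlike "*,$hubDn" -and
        $_.ReplicateToDirectoryServer   -notlike "*,$hubDn" -and
        # NTDS Settings DN = CN=NTDS Settings,CN=<dc>,CN=Servers,<site DN>; skip same-site pairs.
        ($_.ReplicateFromDirectoryServer -split ',CN=Servers,')[1] -ne
        ($_.ReplicateToDirectoryServer   -split ',CN=Servers,')[1]
    }
}

Get-SpokeToSpokeConnection -HubName $Hub
```

After the KCC pass, Get-SpokeToSpokeConnection should print nothing; any row it does return is a connection the ISTG created between two branches, which is exactly the traffic the hub-and-spoke VPN will drop. Leave DEFAULTIPSITELINK with only the hub in it, or delete it once every site has a dedicated link.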
JaredBusch @Fredtx:

@Fredtx If you are going to do VPN, then do hub and spoke for sure. A mesh of multiple locations like you have is simply asking for crypto to hit all the things.

I mean, your risk is already high by using insecure LAN methods, but yeah, why multiply it?

scottalanmiller @Fredtx:

                                  @Fredtx said in Multiple Tombstoned DC's:

My colleague is saying we should have all the sites connected via a mesh topology. That's 11 sites, and I feel like that would be too much overhead just for AD. Also, that would decrease network security by connecting branch office LANs together via site-to-site VPN.

                                  Yeah, that's huge risk, and huge complication, all just for AD (if it is really just for AD.)

scottalanmiller @Fredtx:

                                    @Fredtx said in Multiple Tombstoned DC's:

I was thinking of having a hub-and-spoke topology to our main site, especially since our main site handles RADIUS authentication for all the branch offices.

                                    Definitely helps, but the fundamentally flawed network design is still the core issue.

Fredtx @JaredBusch:

                                      @JaredBusch said in Multiple Tombstoned DC's:

A mesh of multiple locations like you have is simply asking for crypto to hit all the things.

                                      Exactly what I've been telling them.

scottalanmiller @Fredtx:

                                        @Fredtx said in Multiple Tombstoned DC's:

                                        @JaredBusch said in Multiple Tombstoned DC's:

A mesh of multiple locations like you have is simply asking for crypto to hit all the things.

                                        Exactly what I've been telling them.

VPNs and AD are the same. The mesh "should" not pose any threat because there should be nothing exposed over the mesh. But given the rest of the design, we can safely assume there are security holes everywhere and they are just trying to open more.

These are the flags that hackers look for when finding easy targets.
