Step 2 Configure the Multisite Infrastructure

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2012 R2, Windows Server 2012

To configure a multisite deployment, there are a number of steps required to alter network infrastructure settings, including: configuring additional Active Directory sites and domain controllers, configuring additional security groups, and configuring Group Policy Objects (GPOs) if you are not using automatically configured GPOs.

Task | Description
2.1. Configure additional Active Directory sites | Configure additional Active Directory sites for the deployment.
2.2. Configure additional domain controllers | Configure additional Active Directory domain controllers as required.
2.3. Configure security groups | Configure security groups for any Windows 7 client computers.
2.4. Configure GPOs | Configure additional Group Policy Objects as required.

Note

This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.

2.1. Configure additional Active Directory sites

All entry points can reside in a single Active Directory site. Therefore, at least one Active Directory site is required for the implementation of Remote Access servers in a multisite configuration. Use this procedure if you need to create the first Active Directory site, or if you want to use additional Active Directory sites for the multisite deployment. Use the Active Directory Sites and Services snap-in to create new sites in your organization's network.

Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or equivalent, at a minimum is required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

For more information, see Adding a Site to the Forest.

To configure additional Active Directory sites

  1. On the primary domain controller, click Start, and then click Active Directory Sites and Services.

  2. In the Active Directory Sites and Services console, in the console tree, right-click Sites, and then click New Site.

  3. On the New Object - Site dialog box, in the Name box, enter a name for the new site.

  4. In Link Name, click a site link object, and then click OK twice.

  5. In the console tree, expand Sites, right-click Subnets, and then click New Subnet.

  6. On the New Object - Subnet dialog box, under Prefix, type the IPv4 or IPv6 subnet prefix, in the Select a site object for this prefix list, click the site to associate with this subnet, and then click OK.

  7. Repeat steps 5 and 6 until you have created all the subnets required in your deployment.

  8. Close Active Directory Sites and Services.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

To install the Windows Feature "Active Directory module for Windows PowerShell":

              Install-WindowsFeature -Name RSAT-AD-PowerShell

or add the "Active Directory PowerShell Snap-In" via OptionalFeatures.

If running the following cmdlets on Windows 7 or Windows Server 2008 R2, then the Active Directory PowerShell module must be imported:

              Import-Module ActiveDirectory

To configure an Active Directory site named "Second-Site" using the built-in DEFAULTIPSITELINK:

              New-ADReplicationSite -Name "Second-Site"
              Set-ADReplicationSiteLink -Identity "DEFAULTIPSITELINK" -SitesIncluded @{Add="Second-Site"}

To configure IPv4 and IPv6 subnets for the Second-Site:

              New-ADReplicationSubnet -Name "10.2.0.0/24" -Site "Second-Site"
              New-ADReplicationSubnet -Name "2001:db8:2::/64" -Site "Second-Site"
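The cmdlets above create one site and its subnets. The script below is an added example (not from the original article) that generalizes them to a table of sites and prefixes, skips objects that already exist so it can be re-run safely, re-points a prefix that is already associated with the wrong site, and finishes by listing every subnet with the site it resolves to. Site names and prefixes are constructed sample values.

```powershell
# Added example: create the Active Directory sites and subnets for a multisite
# deployment from one table, then verify the subnet-to-site associations.
Import-Module ActiveDirectory

# One entry per site: the subnets whose Remote Access servers and clients
# should be associated with that site (constructed sample values).
$sitePlan = @{
    'Second-Site' = @('10.2.0.0/24', '2001:db8:2::/64')
    'Third-Site'  = @('10.3.0.0/24', '2001:db8:3::/64')
}

foreach ($siteName in $sitePlan.Keys) {
    # Create the site only if it is not already present.
    $site = Get-ADReplicationSite -Filter "Name -eq '$siteName'"
    if (-not $site) {
        New-ADReplicationSite -Name $siteName
        # Add the new site to the built-in site link so that the replication
        # topology generator can reach it.
        Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $siteName}
    }

    foreach ($prefix in $sitePlan[$siteName]) {
        $subnet = Get-ADReplicationSubnet -Filter "Name -eq '$prefix'"
        if (-not $subnet) {
            New-ADReplicationSubnet -Name $prefix -Site $siteName
        }
        elseif ($subnet.Site -notlike "CN=$siteName,*") {
            # The prefix exists but is associated with another site: move it
            # rather than leaving a silent mis-association, which would place
            # clients and servers in the wrong site.
            Set-ADReplicationSubnet -Identity $prefix -Site $siteName
        }
    }
}

# Verification: every prefix should now resolve to the intended site.
# The Site property is a distinguished name; keep only the site's CN.
Get-ADReplicationSubnet -Filter * -Properties Site |
    Select-Object Name, @{ Name = 'Site'; Expression = { ($_.Site -split ',')[0] -replace '^CN=', '' } } |
    Sort-Object Site, Name
```

Run it on a domain controller or on a workstation with the RSAT-AD-PowerShell feature installed, with an account that holds the Enterprise Admins or forest root Domain Admins membership stated above; the final listing is the check to keep in a change record.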

2.2. Configure additional domain controllers

To configure a multisite deployment in a single domain, it is recommended that you have at least one writeable domain controller for each site in your deployment.

To perform this procedure, at a minimum you must be a member of the Domain Admins group in the domain in which the domain controller is being installed.

For more information, see Installing an Additional Domain Controller.

To configure additional domain controllers

  1. On the server that will act as a domain controller, in Server Manager, on the Dashboard, click Add roles and features.

  2. Click Next three times to get to the server role selection screen.

  3. On the Select Server Roles page, select Active Directory Domain Services. Click Add Features when prompted, and then click Next three times.

  4. On the Confirmation page, click Install.

  5. When the installation completes successfully, click Promote this server to a domain controller.

  6. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration page, click Add a domain controller to an existing domain.

  7. In Domain, enter the domain name; for instance, corp.contoso.com.

  8. Under Supply the credentials to perform this operation, click Change. On the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.

  9. On the Domain Controller Options page, do the following:

    1. Make the following selections:

      • Domain Name System (DNS) server: This option is selected by default so that your domain controller can function as a Domain Name System (DNS) server. If you do not want the domain controller to be a DNS server, clear this option.

        If the DNS server role is not installed on the Primary Domain Controller (PDC) emulator in the forest root domain, then the option to install DNS server on an additional domain controller is not available. As a workaround in this situation, you can install the DNS server role before or after the AD DS installation.

        Note

        If you select the option to install DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes and ignore the message.

      • Global Catalog (GC): This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality.

      • Read-only domain controller (RODC): This option is not selected by default. It makes the additional domain controller read only; that is, it makes the domain controller an RODC.

    2. In Site name, select a site from the list.

    3. Under Type the Directory Services Restore Mode (DSRM) password, in Password and Confirm password, type a strong password twice, and then click Next. This password must be used to start AD DS in DSRM for tasks that must be performed offline.

  10. On the DNS Options page, select the Update DNS delegation check box if you want to update DNS delegation during role installation, and then click Next.

  11. On the Additional Options page, type or browse to the volume and folder locations for the database file, the directory service log files, and the system volume (SYSVOL) files. Specify replication options as required, and then click Next.

  12. On the Review Options page, review the installation options, and then click Next.

  13. On the Prerequisites Check page, after the prerequisites are validated, click Install.

  14. Wait until the wizard completes the configuration, and then click Close.

  15. Restart the computer if it did not restart automatically.
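The wizard steps above can be driven from Windows PowerShell with the ADDSDeployment module. The script below is an added example (not from the original article) that installs the AD DS binaries, runs the same prerequisite checks as the wizard's Prerequisites Check page as a dry run, and only then promotes the server as a writable domain controller and DNS server in a named site. The domain name, site name and paths are constructed sample values; the credential and DSRM password are prompted for rather than stored in the script.

```powershell
# Added example: promote a member server to an additional writable domain
# controller in a specific Active Directory site, with a dry run first.
$domainName = 'corp.contoso.com'   # constructed sample value
$siteName   = 'Second-Site'        # constructed sample value

# Install the AD DS role binaries and management tools (no promotion yet).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompt for the Enterprise Admins / Domain Admins credential and for the
# DSRM password instead of embedding either in the script.
$credential   = Get-Credential -Message "Account allowed to add a domain controller to $domainName"
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM password (used only to start AD DS offline)'

$promotion = @{
    DomainName                    = $domainName
    SiteName                      = $siteName          # same choice as the wizard's Site name list
    Credential                    = $credential
    SafeModeAdministratorPassword = $dsrmPassword
    InstallDns                    = $true              # the "Domain Name System (DNS) server" check box
    CreateDnsDelegation           = $false             # not needed in the forest root domain
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    NoRebootOnCompletion          = $true              # restart deliberately after reviewing the result
    Force                         = $true              # suppress the interactive confirmation
}

# Dry run: the same validation the wizard performs on its Prerequisites Check page.
$check = Test-ADDSDomainControllerInstallation @promotion
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; resolve the reported issues before promoting.'
}

# Promote the server, then restart it (the promotion requires a restart).
Install-ADDSDomainController @promotion
Restart-Computer -Confirm
```

After the restart, `Get-ADDomainController -Identity $env:COMPUTERNAME | Select-Object Name, Site, IsGlobalCatalog, IsReadOnly` confirms that the new domain controller landed in the intended site and is writable, which is what the multisite recommendation above asks for.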

2.3. Configure security groups

A multisite deployment requires an additional security group for Windows 7 client computers for every entry point in the deployment that allows access to Windows 7 client computers. If there are multiple domains containing Windows 7 client computers, then it is recommended to create a security group in each domain for the same entry point. Alternatively, one universal security group containing the client computers from both domains can be used. For example, in an environment with two domains, if you want to allow access to Windows 7 client computers in entry points 1 and 3, but not in entry point 2, then create two new security groups to contain the Windows 7 client computers for each entry point in each of the domains.

To configure additional security groups

  1. On the primary domain controller, click Start, and then click Active Directory Users and Computers.

  2. In the console tree, right-click the folder in which you want to add a new group, for example, corp.contoso.com/Users. Point to New, and then click Group.

  3. On the New Object - Group dialog box, under Group name, type the name of the new group, for example, Win7_Clients_Entrypoint1.

  4. Under Group scope, click Universal, under Group type, click Security, and then click OK.

  5. To add computers to the new security group, double-click the security group, and on the <Group_Name> Properties dialog box, click the Members tab.

  6. On the Members tab, click Add.

  7. Select the Windows 7 computers to add to this security group, and then click OK.

  8. Repeat this procedure to create a security group for every entry point as required.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

To install the Windows Feature "Active Directory module for Windows PowerShell":

              Install-WindowsFeature -Name RSAT-AD-PowerShell

or add the "Active Directory PowerShell Snap-In" via OptionalFeatures.

If running the following cmdlets on Windows 7 or Windows Server 2008 R2, then the Active Directory PowerShell module must be imported:

              Import-Module ActiveDirectory

To configure a security group named Win7_Clients_Entrypoint1 and to add a client computer named CLIENT2:

              New-ADGroup -GroupScope universal -Name Win7_Clients_Entrypoint1
              Add-ADGroupMember -Identity Win7_Clients_Entrypoint1 -Members CLIENT2$
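The two cmdlets above create one group and add one computer by name. The script below is an added example (not from the original article) that applies the section's rule for several domains at once: for each domain and each entry point that admits Windows 7 clients, it creates the universal security group if it is missing, adds every Windows 7 computer account found in that domain, and then warns about members that are not Windows 7 machines. The domain names, entry point numbers and container path are constructed sample values.

```powershell
# Added example: per-domain, per-entry-point universal security groups for
# Windows 7 DirectAccess clients, populated from the computer accounts' OS string.
Import-Module ActiveDirectory

$domains     = @('corp.contoso.com', 'emea.corp.contoso.com')   # constructed sample values
$entryPoints = @(1, 3)   # entry points that allow Windows 7 clients (entry point 2 does not)

foreach ($domain in $domains) {
    # Resolve one writable DC per domain so every call below targets the same server.
    $dc = (Get-ADDomainController -DomainName $domain -Discover -Writable).HostName[0]
    $container = "CN=Users,$((Get-ADDomain -Server $dc).DistinguishedName)"

    # Windows 7 computer accounts in this domain, selected by operating system.
    $win7 = Get-ADComputer -Server $dc -Filter 'OperatingSystem -like "Windows 7*"' -Properties OperatingSystem

    foreach ($ep in $entryPoints) {
        $groupName = "Win7_Clients_Entrypoint$ep"

        $group = Get-ADGroup -Server $dc -Filter "Name -eq '$groupName'"
        if (-not $group) {
            # Universal scope, as the procedure specifies, so the group can be
            # referenced from any domain in the forest.
            $group = New-ADGroup -Server $dc -Name $groupName -GroupScope Universal `
                -GroupCategory Security -Path $container -PassThru `
                -Description "Windows 7 DirectAccess clients for entry point $ep"
        }

        if ($win7) {
            # Adding by object avoids the trailing-$ naming detail (CLIENT2$) entirely.
            Add-ADGroupMember -Server $dc -Identity $group -Members $win7
        }

        # Verification: any member that is not a Windows 7 machine is a stale or
        # mistaken entry and would receive the Windows 7 client GPO unnecessarily.
        Get-ADGroupMember -Server $dc -Identity $group |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object { Get-ADComputer -Server $dc -Identity $_.distinguishedName -Properties OperatingSystem } |
            Where-Object { $_.OperatingSystem -notlike 'Windows 7*' } |
            ForEach-Object { Write-Warning "$($_.Name) in $groupName ($domain) runs $($_.OperatingSystem)" }
    }
}
```

The script is safe to re-run: existing groups are reused and Add-ADGroupMember ignores accounts that are already members, so it can double as a periodic check that group membership still matches the Windows 7 population.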

2.4. Configure GPOs

A multisite Remote Access deployment requires the following Group Policy Objects:

  • A GPO for every entry point for the Remote Access server.

  • A GPO for any Windows 8 client computers for each domain.

  • A GPO in each domain that contains Windows 7 client computers for each entry point configured to support Windows 7 clients.

    Note

    If you do not have any Windows 7 client computers, you do not need to create GPOs for Windows 7 computers.

When you configure Remote Access, the wizard automatically creates the required Group Policy Objects if they don't already exist. If you do not have the required permissions to create Group Policy Objects, they must be created prior to configuring Remote Access. The DirectAccess administrator must have full permissions on the GPOs (Edit + change security + delete).

Important

After manually creating the GPOs for Remote Access you must allow sufficient time for Active Directory and DFS replication to the domain controller in the Active Directory site that is associated with the Remote Access server. If Remote Access automatically created the Group Policy Objects, then no wait time is required.

To create Group Policy Objects, see Create and Edit a Group Policy Object.
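When the GPOs have to be pre-created because the DirectAccess administrator cannot create GPOs, the three requirements above (create the objects, grant the administrator edit + change security + delete, and wait for replication to the Remote Access server's site) can be scripted. The script below is an added example (not from the original article) using the GroupPolicy and ActiveDirectory modules; the GPO names, the administrators group and the site name are constructed sample values, and the replication check compares GPO version numbers between the PDC emulator and a domain controller in that site, which is a scripted alternative to the Group Policy Infrastructure Status page.

```powershell
# Added example: pre-create Remote Access GPOs, grant the DirectAccess
# administrators full control, and wait for replication to the DA server's site.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = 'corp.contoso.com'        # constructed sample value
$daAdmins = 'DirectAccess Admins'     # security group of the DirectAccess administrators (constructed)
$siteOfDA = 'Second-Site'             # Active Directory site of the Remote Access server (constructed)
$gpoNames = @(                        # constructed names, one per requirement in the list above
    'DirectAccess Server Settings - Entry point 1',
    'DirectAccess Server Settings - Entry point 2',
    'DirectAccess Client Settings',
    'DirectAccess Win7 Client Settings - Entry point 1'
)

# Author everything on the PDC emulator so the replication check has a fixed origin.
$pdc = (Get-ADDomain -Identity $domain).PDCEmulator

foreach ($name in $gpoNames) {
    $gpo = Get-GPO -Name $name -Domain $domain -Server $pdc -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $name -Domain $domain -Server $pdc
    }
    # GpoEditDeleteModifySecurity is the permission level that corresponds to
    # "Edit + change security + delete" in the text above.
    Set-GPPermission -Guid $gpo.Id -Domain $domain -Server $pdc -TargetName $daAdmins `
        -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
}

# Wait until a writable DC in the Remote Access server's site reports the same
# GPO versions as the PDC emulator. (If the site has no DC, -Discover falls back
# to the closest site, which is also where Remote Access would read the GPO.)
$siteDc   = (Get-ADDomainController -Discover -SiteName $siteOfDA -Writable).HostName[0]
$deadline = (Get-Date).AddMinutes(30)
do {
    $pending = foreach ($name in $gpoNames) {
        $src = Get-GPO -Name $name -Domain $domain -Server $pdc
        $dst = Get-GPO -Name $name -Domain $domain -Server $siteDc -ErrorAction SilentlyContinue
        if (-not $dst -or
            $dst.Computer.DSVersion -ne $src.Computer.DSVersion -or
            $dst.User.DSVersion     -ne $src.User.DSVersion) { $name }
    }
    if ($pending) {
        Write-Host "Waiting for replication to $siteDc of: $($pending -join ', ')"
        Start-Sleep -Seconds 60
    }
} while ($pending -and (Get-Date) -lt $deadline)

if ($pending) { throw "GPOs not replicated to $siteDc within 30 minutes: $($pending -join ', ')" }
```

Only once the loop exits cleanly should the Remote Access wizard be run; until then it may read an older copy of the policy from its site's domain controller, which is the situation the Important note above warns about.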

Domain controller maintenance and downtime

When a domain controller running as the PDC emulator, or domain controllers managing server GPOs, experience downtime, it is not possible to load or change the Remote Access configuration. This does not affect client connectivity if other domain controllers are available.

To load or modify the Remote Access configuration, you can transfer the PDC emulator role to a different domain controller for the client or application server GPOs; for server GPOs, change the domain controllers that manage the server GPOs.

Important

This operation can be performed only by a domain administrator. The impact of changing the primary domain controller is not confined to Remote Access; therefore, use caution when transferring the PDC emulator role.

Note

Before modifying domain controller association, make sure that all of the GPOs in the Remote Access deployment have been replicated to all of the domain controllers in the domain. If the GPO is not synchronized, recent configuration changes may be lost after modifying domain controller association, which may lead to a corrupt configuration. To verify GPO synchronization, see Check Group Policy Infrastructure Status.

To transfer the PDC emulator role

  1. On the Start screen, type dsa.msc, and then press ENTER.

  2. In the left pane of the Active Directory Users and Computers console, right-click Active Directory Users and Computers, and then click Change Domain Controller. On the Change Directory Server dialog box, click This Domain Controller or AD LDS instance, in the list click the domain controller that will be the new role holder, and then click OK.

    Note

    You must perform this step if you are not on the domain controller to which you want to transfer the role. Do not perform this step if you are already connected to the domain controller to which you want to transfer the role.

  3. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Masters.

  4. On the Operations Masters dialog box, click the PDC tab, and then click Change.

  5. Click Yes to confirm that you want to transfer the role, and then click Close.

To change the domain controller that manages server GPOs

  • Run the Windows PowerShell cmdlet Set-DAEntryPointDC on the Remote Access server and specify the unreachable domain controller name for the ExistingDC parameter. This command modifies the domain controller association for the server GPOs of the entry points that are currently managed by that domain controller.

    • To replace the unreachable domain controller "dc1.corp.contoso.com" with the domain controller "dc2.corp.contoso.com", do the following:

                            Set-DAEntryPointDC -ExistingDC 'dc1.corp.contoso.com' -NewDC 'dc2.corp.contoso.com' -ErrorAction Inquire

    • To replace the unreachable domain controller "dc1.corp.contoso.com" with a domain controller in the closest Active Directory site to the Remote Access server "DA1.corp.contoso.com", do the following:

                            Set-DAEntryPointDC -ExistingDC 'dc1.corp.contoso.com' -ComputerName 'DA1.corp.contoso.com' -ErrorAction Inquire

Change two or more domain controllers that manage server GPOs

In a minimal number of cases, two or more domain controllers that manage server GPOs are unavailable. If this occurs, more steps are required to change the domain controller association for the server GPOs.

Domain controller association data is stored both in the registry of the Remote Access servers and in all server GPOs. In the following example, there are two entry points with two Remote Access servers, "DA1" in "Entry point 1" and "DA2" in "Entry point 2". The server GPO of "Entry point 1" is managed in the domain controller "DC1", while the server GPO of "Entry point 2" is managed in the domain controller "DC2". Both "DC1" and "DC2" are unavailable. A third domain controller is still available in the domain, "DC3", and the information from "DC1" and "DC2" was already replicated to "DC3".

Diagram: Configure Multisite Infrastructure (starting configuration).

To modify two or more domain controllers that manage server GPOs
  1. To replace the unavailable domain controller "DC2" with the domain controller "DC3", run the following command:

                      Set-DAEntryPointDC -ExistingDC 'DC2' -NewDC 'DC3' -ComputerName 'DA2' -ErrorAction Continue

    This command updates the domain controller association for the "Entry point 2" server GPO in the registry of DA2 and in the "Entry point 2" server GPO itself; however, it does not update the "Entry point 1" server GPO because the domain controller that manages it is unavailable.

    Tip

    This command uses the Continue value for the ErrorAction parameter, which updates the "Entry point 2" server GPO despite the failure to update the "Entry point 1" server GPO.

    The resulting configuration is shown in the following diagram.

    Diagram showing the resulting configuration.

  2. To replace the unavailable domain controller "DC1" with the domain controller "DC3", run the following command:

                      Set-DAEntryPointDC -ExistingDC 'DC1' -NewDC 'DC3' -ComputerName 'DA1' -ErrorAction Continue

    This command updates the domain controller association for the "Entry point 1" server GPO in the registry of DA1 and in the "Entry point 1" and "Entry point 2" server GPOs. The resulting configuration is shown in the following diagram.

    Diagram showing the update to the domain controller association.

  3. To synchronize the domain controller association for the "Entry point 2" server GPO in the "Entry point 1" server GPO, run the command to replace "DC2" with "DC3", and specify the Remote Access server whose server GPO is not synchronized, in this case "DA1", for the ComputerName parameter.

                      Set-DAEntryPointDC -ExistingDC 'DC2' -NewDC 'DC3' -ComputerName 'DA1' -ErrorAction Continue

    The concluding configuration is shown in the following diagram.

    Diagram showing the final configuration.

Optimization of configuration distribution

When making configuration changes, the changes are applied only after the server GPOs propagate to the Remote Access servers. To reduce the configuration distribution time, Remote Access automatically selects a writable domain controller which is closest to the Remote Access server when creating its server GPO.

In some scenarios, it may be required to manually modify the domain controller that manages a server GPO in order to optimize configuration distribution time:

  • There were no writable domain controllers in the Active Directory site of a Remote Access server at the time of adding it as an entry point. A writable domain controller is now being added to the Active Directory site of the Remote Access server.

  • An IP address change, or an Active Directory Sites and Subnets change, may have moved the Remote Access server to a different Active Directory site.

  • The domain controller association for an entry point was manually modified due to maintenance work on a domain controller, and now the domain controller is back online.

In these scenarios, run the PowerShell cmdlet Set-DAEntryPointDC on the Remote Access server and specify the name of the entry point you want to optimize using the parameter EntryPointName. You should do this only after the GPO data from the domain controller currently storing the server GPO was already fully replicated to the desired new domain controller.

Note

Before modifying domain controller association, make sure that all of the GPOs in the Remote Access deployment have been replicated to all of the domain controllers in the domain. If the GPO is not synchronized, recent configuration changes may be lost after modifying domain controller association, which may lead to a corrupt configuration. To verify GPO synchronization, see Check Group Policy Infrastructure Status.

To optimize the configuration distribution time, do one of the following:

  • To manage the server GPO of entry point "Entry point 1" on a domain controller in the closest Active Directory site to the Remote Access server "DA1.corp.contoso.com", run the following command:

                      Set-DAEntryPointDC -EntryPointName 'Entry point 1' -ComputerName 'DA1.corp.contoso.com' -ErrorAction Inquire

  • To manage the server GPO of entry point "Entry point 1" on the domain controller "dc2.corp.contoso.com", run the following command:

                      Set-DAEntryPointDC -EntryPointName 'Entry point 1' -NewDC 'dc2.corp.contoso.com' -ComputerName 'DA1.corp.contoso.com' -ErrorAction Inquire

    Note

    When modifying the domain controller associated with a specific entry point, you must specify a Remote Access server that is a member of that entry point for the ComputerName parameter.
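Both uses of Set-DAEntryPointDC on this page (replacing an unreachable domain controller under "Domain controller maintenance and downtime" with -ExistingDC, and re-homing one entry point under "Optimization of configuration distribution" with -EntryPointName) benefit from the same pre-flight checks on the replacement domain controller. The script below is an added example (not from the original article) that runs on the Remote Access server and verifies that the candidate domain controller exists, is writable (not an RODC), answers on the network, and sits in the same Active Directory site as the Remote Access server before either cmdlet is run. Host names and the entry point name are constructed sample values; the GPO replication check the Note above asks for is still done first with Check Group Policy Infrastructure Status.

```powershell
# Added example: pre-flight checks on a replacement domain controller before
# changing a server GPO's domain controller association with Set-DAEntryPointDC.
# Run on the Remote Access server with domain administrator rights.
Import-Module ActiveDirectory
Import-Module RemoteAccess

# Site of this computer (the Remote Access server), read from the locator.
$localSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

function Test-CandidateDC {
    # Returns the DC's host name if it is usable as the new server GPO owner;
    # throws otherwise. Server GPOs need a writable DC, and a DC in this
    # server's site keeps configuration distribution time short.
    param([Parameter(Mandatory)][string]$DcName)

    $dc = Get-ADDomainController -Identity $DcName -ErrorAction Stop
    if ($dc.IsReadOnly) {
        throw "$DcName is a read-only domain controller; server GPOs need a writable DC."
    }
    if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
        throw "$DcName does not respond on the network."
    }
    if ($dc.Site -ne $localSite) {
        Write-Warning "$DcName is in site '$($dc.Site)' but this server is in '$localSite'; GPO distribution will cross sites."
    }
    return $dc.HostName
}

$raServer = 'DA1.corp.contoso.com'   # this Remote Access server (constructed sample value)

# Case 1: the DC that manages one or more server GPOs is down. Confirm that it
# really is unreachable, validate the replacement, then move every entry point
# that the dead DC managed.
$deadDc = 'dc1.corp.contoso.com'     # constructed sample value
$newDc  = Test-CandidateDC -DcName 'dc2.corp.contoso.com'
if (Test-Connection -ComputerName $deadDc -Count 1 -Quiet) {
    Write-Warning "$deadDc still answers; confirm it is really unavailable before moving its GPOs."
}
Set-DAEntryPointDC -ExistingDC $deadDc -NewDC $newDc -ComputerName $raServer -ErrorAction Inquire

# Case 2: a writable DC is back (or newly added) in this server's site. Re-home a
# single entry point; omitting -NewDC lets Remote Access choose the closest
# writable DC itself. ComputerName must be a member of that entry point.
$entryPoint = 'Entry point 1'        # constructed sample value
Set-DAEntryPointDC -EntryPointName $entryPoint -ComputerName $raServer -ErrorAction Inquire

# Show the resulting association for the change record.
Get-DAEntryPointDC -EntryPointName $entryPoint | Format-List
```

Keeping -ErrorAction Inquire, as the page's own commands do, means each failure stops for a decision instead of silently leaving the registry and the server GPO disagreeing; the Continue value belongs only to the two-unavailable-DC sequence above, where a partial update is expected and is fixed by the following step.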
