Post by Claus Greck [MVP]
Answer inline ....
Post by MikeR
Thanks for the reply, but that does not address the question.
For example, installing DNS on the server in the remote location requires
access to the server with the FSMO "domain naming".
No, since when do you need a FSMO to install DNS?!
DNS is being installed post-dcpromo; since it is Active Directory integrated,
it wants to talk to the role holder. From my event logs:
EVENT ID 4510
The DNS server was unable to connect to the domain naming FSMO
tdsjdc01.xxx.xxx.xxx.xxx.com. No modifications to Directory Partitions are
possible until the FSMO server is available for LDAP connections. The event
data contains the error code.
Post by Claus Greck [MVP]
Post by MikeR
Furthermore, changing passwords at that site will require access to the "pdc
emulator".
Nope. That'd be true only for pre-Windows 2000 clients without the AD client
installed. 2000 and above can change the password on any DC.
But there may be some operations which need a special DC role, i.e.
changing/adding/removing sites or subnets or their respective properties, and of
course schema changes and .......
The question was raised as to what happens in the case of a user password
change at the remote site when intersite replication has a high latency. MS
documentation states that there are certain events that trigger "urgent
replication", password changes being one of them.
Specifically the documentation states "Active Directory replication remedies
this situation by forwarding password changes immediately to a single domain
controller in the domain, the PDC emulator."
Reference (bottom of document, urgent replication):
http://technet2.microsoft.com/windowsserver/en/library/1465d773-b763-45ec-b971-c23cdc27400e1033.mspx?mfr=true
Post by Claus Greck [MVP]
Post by MikeR
I need to know if there is a way around this without installing 2008 RODCs.
I can't follow you now. What does your problem have to do with 2008 RODCs?
Ahem... well... since it seems that an intersite DC won't work (or at least
install) without being able to communicate with a server that holds all of
the roles (we did not want to open all of our DCs up to the firewalls), the
only other solution was to establish a 2008 DC at the primary site and then an
RODC at the remote site. Supposedly, from what I have read, the RODC only
needs to communicate with a 2008 DC.
Post by Claus Greck [MVP]
To summarize: you want Branch Office DCs to replicate only with a specific DC
in the Hub Site because of traffic restrictions (firewall settings??)
YES
Post by Claus Greck [MVP]
The first question is, why are DCs in the Branch sites restricted with their
traffic to only one DC in the Hub Site? Better allow them to connect to any DC
in the Hub Site; it needn't be the whole subnet in the Hub.
Just seems like a good security measure. We only have 2 DCs at the hub site,
so at this point we have opened up to both.
Post by Claus Greck [MVP]
And as Meinolf said correctly, you can create replication objects through the
AD Sites and Services console manually if you need. But the basic task is to
plan and deploy a correct replication topology which fits your needs, e.g.
to disable automatic site-link bridging and so on.
Hub and spoke is what we were aiming for. I have disabled bridging between
all sites and set up appropriate site links, and all seems to be well.
Just seems like there should be a way to restrict traffic to a single DC for
security reasons. Probably one of the reasons MS developed RODCs in 2008.
Thanks for your input.
Post by Claus Greck [MVP]
Greetings
Claus Greck
[MVP - Server Directory Services]
Post by MikeR
Post by Meinolf Weber
Hello Miker,
In Active Directory Sites and Services, by default replication will be set up
automatically, but you can also specify your own replication between the
DCs.
Best regards
Meinolf Weber
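An added example, not code from this thread or from any of its posters, that checks the pieces the exchange above argues about: which DCs hold the Domain Naming master (the role the Event ID 4510 text names) and the PDC emulator (the target of urgent password replication), whether automatic site-link bridging is disabled, and which hub DC each branch DC's connection objects actually point at. It assumes the RSAT ActiveDirectory module and a domain account that can read the Configuration partition; the one write (disabling bridging) is left commented out.

```powershell
# Added example; not code from the thread or its posters. Assumes the RSAT
# ActiveDirectory module and read access to the Configuration partition
# (the commented-out Set-ADObject needs Enterprise Admin rights).
Import-Module ActiveDirectory

$forest   = Get-ADForest
$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. FSMO holders. An AD-integrated DNS install needs the Domain Naming master
#    (Event ID 4510 when it is unreachable); urgent password replication goes
#    to the PDC emulator. Both must be reachable through the branch firewall.
[PSCustomObject]@{
    DomainNamingMaster   = $forest.DomainNamingMaster
    SchemaMaster         = $forest.SchemaMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Automatic site-link bridging for the IP transport. Bit 0x2 of the
#    'options' attribute on the transport container means "bridges required",
#    i.e. "Bridge all site links" is unchecked (a hub-and-spoke prerequisite).
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
$bridgingDisabled = ([int]$ipTransport.options -band 2) -ne 0
"Automatic site-link bridging disabled: $bridgingDisabled"
# To disable it (uncomment; sets the bit without touching the other flags):
# Set-ADObject -Identity $ipTransport -Replace @{ options = ([int]$ipTransport.options -bor 2) }

# 3. Site links: in a hub-and-spoke design each spoke site should appear only
#    in a link that pairs it with the hub site.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# 4. Connection objects: shows which partner each DC pulls from. AutoGenerated
#    = False marks the manual objects Meinolf and Claus refer to; a branch DC
#    whose partner is not a firewall-permitted hub DC will stall replication.
#    The From/To values are NTDS Settings DNs, so element 1 is the server CN.
Get-ADReplicationConnection -Filter * -Properties AutoGenerated |
    Select-Object Name, AutoGenerated,
        @{ n = 'From'; e = { ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN=' } },
        @{ n = 'To';   e = { ($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN=' } } |
    Format-Table -AutoSize
```

Run it from a branch DC as well as a hub DC: if the first section errors out on the branch, the role holders are not reachable from that site, which is the same condition the 4510 event reports.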