Join Domain over WAN

Original Message
Name: paradox
Date: September 22, 2007 at 16:34:19 Pacific
Subject: Join Domain over WAN
OS: Server 2003
CPU/Ram: Sempron 2 ghz
Manufacturer/Model: custom
Comment:

I currently have a DC running DNS for my domain. I want to set up another DC at a different location to serve as secondary DNS and for AD replication. My question is how to go about joining the second server to the first domain over a WAN. I tried just joining the domain and that didn't work. Do I need to set up a VPN between them or is there an easier way?




Response Number 1
Name: Curt R
Date: September 23, 2007 at 08:26:00 Pacific
Reply:

You don't.

Well, not entirely true; you could do it that way, but there is a better way to do it. What you want to do is set up/configure the second DC at your present location. Give it all appropriate information (IP etc.) for the remote site and connect to your network and then join it to the domain as if you were doing so remotely. Don't forget you'll have to have the site set up on your present DC first.

Once you have everything working properly, ship it and it should come up fine at the remote site if all is set up there properly.

This is not only easier, but should something go wrong, you have the DC sitting there with you physically. It's a lot easier to troubleshoot a machine you can easily get your hands on than to try and do so remotely.

An encrypted VPN tunnel between sites is a VERY good idea! In fact, unless you're running over a leased line between the two, I highly recommend you do it that way. Running unencrypted over the internet is basically giving anyone with a packet sniffer access to the data flowing between the two.



Response Number 2
Name: paradox
Date: September 23, 2007 at 22:04:15 Pacific
Reply:

It sounds easy enough, but can you elaborate a bit on what you mean by setting up a 'site'? I've only been running WS2K3 for a few weeks, and all of this is for learning purposes on my own, but I'm assuming I need to create another site for where the second DC is going to be at.

The other problem I might run into is this. My first DC is also running NAT/DHCP for my internal network, which also includes a DC doing internal DNS using the same domain for external. I don't know that I will be able to join my new server to it as you suggest, as it will be inside the internal network connected to a switch getting addresses from the NAT server. So if I try to simply join the domain, it would see the one on the internal network, not the one I need it to.

Thanks for your help.



Response Number 3
Name: Curt R
Date: September 25, 2007 at 07:35:58 Pacific
Reply:

First off, I confess, my career in recent years has been moving away from domain admin toward networking so my admin skills are rusting. If I miss anything, or mess anything up it's accidental and I apologize up front.

As I remember, in AD you have a "sites and services" applet. Use it to configure any/all remote sites. If memory serves me, you'll be able to assign IP information and such.

Chances are you'll also have to configure a port (or ports) on a switch to match that subnet (VLAN if you're using them). Also, you'll have to ensure you have your routing set up between subnets to ensure connectivity. Once you have that "remote" subnet working, and communicating with the home office properly, then you can plug your server in, ensure its connectivity, promote it to a DC and finally, test to ensure replication is working properly.

Once you've done this, then your DC is ready to ship to the remote site.

The above is of course assuming you're using enterprise level managed switches (or just switch) and have routing capabilities as well.

DHCP/DNS is no problem. Once you have the remote PC up and communicating on the other subnet and it's replicating, you can then enable DHCP on it (if you want it doing DHCP for the remote site... a good idea). With regard to DNS, since it's a remote site you may as well configure the DNS on it to resolve internal requests and have it forward external requests directly to the provider at the remote site. This will reduce bandwidth usage between sites if you're not resolving the remote DNS to the home DNS server which in turn would have to send the request out and returning replies back across the WAN link to the remote site.
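
Added example, not part of the original thread: staging the DC with the remote site's IP information, as Response 3 describes, only places it in the intended site if a subnet object in Sites and Services covers that address. The sketch below models most-specific-subnet matching for site assignment and checks a planned layout before the server ships; every site name, subnet and host address in it is constructed for illustration.

```python
import ipaddress

# Constructed plan: subnet objects as they would be entered in AD Sites and
# Services, mapped to site names. All names and ranges are hypothetical.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "HomeOffice",      # broad catch-all for the home office
    "10.20.30.0/24": "RemoteSite",   # subnet the staged DC will live on
}

# Constructed plan: static IP given to each DC and the site it should land in.
PLANNED_DCS = {
    "DC1": ("10.1.1.10", "HomeOffice"),
    "DC2": ("10.20.30.10", "RemoteSite"),
    "DC3": ("192.168.5.10", "RemoteSite"),  # deliberately left uncovered
}

def site_for(ip, subnets=SUBNET_TO_SITE):
    """Return (site, subnet) for the most specific subnet containing ip,
    or (None, None) when no subnet object covers the address."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(s), site) for s, site in subnets.items()]
    matches = [(net, site) for net, site in nets if addr in net]
    if not matches:
        return None, None
    net, site = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix wins
    return site, str(net)

def check_plan(dcs=PLANNED_DCS, subnets=SUBNET_TO_SITE):
    """Return a list of problems; empty means every DC maps to its intended site."""
    problems = []
    for name, (ip, wanted) in sorted(dcs.items()):
        site, subnet = site_for(ip, subnets)
        if site is None:
            problems.append(f"{name}: {ip} is not covered by any subnet object")
        elif site != wanted:
            problems.append(f"{name}: {ip} falls in {subnet} ({site}), expected {wanted}")
    return problems

if __name__ == "__main__":
    for name, (ip, _) in sorted(PLANNED_DCS.items()):
        print(name, ip, "->", site_for(ip))
    for problem in check_plan():
        print("PROBLEM:", problem)
```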

