Solved

Quick overview of setting up SITE to SITE AD

Posted on 2007-04-06
4
600 Views
Last Modified: 2012-06-21
I would like a high-level overview for site-to-site AD. Best practice between bridgehead servers (should both bridgeheads be GCs?). Also the replication settings.

I have come to a site where there is a very large AD that is located in 2 datacenters

The one site has a DC DEVADC01 with all the FSMO roles
There is a second DC DEVADC02 that acts as a GC,DC.


In the other network are another 2 DCs:
DEVBDC01
DEVBDC02

Under sites and services NTDS properties settings Connections tab for DEVADC01
Replicate From DEVBDC02
Replicate to  DEVBDC02 ( not a typo)
Under sites and services NTDS properties settings Connections tab for DEVADC02
Replicate From DEVADC01 DEVBDC01
Replicate To DEVADC01 DEVBDC02

Under sites and services NTDS properties settings Connections tab for DEVBDC01
Replicate From DEVBDC02
Replicate to DEVADC01 DEVBDC02

Under sites and services NTDS properties settings Connections tab for DEVBDC02
Replicate From DEVADC02 DEVBDC01
Replicate to DEVBDC01


Finally, Update Sequence Numbers are off.

I think the above configuration is not best practice.




Question by:cogit
4 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18868106
A few points based on your description:

[1] Are you in a single domain environment?  If so, make every DC a GC; there's no overhead involved on a GC in a single-domain environment, and it decreases the likelihood of authentication failure due to a user being unable to find a GC.

[2] Ensure that your physical sites and subnets are accurately represented within AD Sites & Services (under the Administration Tools); AD will use this information to generate a replication topology. Additionally, client authentication is "site-aware", so you want your sites & subnets correctly configured so that clients will authenticate to a DC in their local site rather than wasting time & resources by authenticating across the WAN.

[3] Are all of these replication objects "automatically created", or have they been created manually?  (If you don't see the words "automatically created" when you click on the server and see the connection objects in the right-hand pane of ADS&S, they have been manually created.) With only 4 DCs in the mix, I would simply allow AD to create the replication topology on its own - if there are any manually-created repl. objects, I would delete them and then re-trigger the KCC by right-clicking on the server's NTDS Settings and selecting All Tasks-->Check Replication Topology.  (Recommend you do this during off-hours since there will be a slight delay in replication while the KCC does its job.)

[4] What do you mean by "Update Sequence Numbers are off"?  Which Properties sheet are you looking at, and what is the exact text of the option you're describing?

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking

Author Comment

by:cogit
ID: 18868132
When you go to the NTDS Settings and select the Object tab.

Also doing the following "With only 4 DCs in the mix, I would simply allow AD to create the replication topology on its own - if there are any manually-created repl. objects, I would delete them and then re-trigger the KCC by right-clicking on the server's NTDS Settings and selecting All Tasks-->Check Replication Topology.  (Recommend you do this during off-hours since there will be a slight delay in replication while the KCC does its job.)"

Would that create the bridgehead servers?

I mean, there are only 16,800 user accounts ... let's do it during the day :)
LVL 30

Accepted Solution

by: LauraEHunterMVP earned 500 total points
ID: 18868191
If you do not manually specify a bridgehead server for a particular site, the KCC will automatically select a bridgehead in each site when it creates replication objects.

Keep in mind that Active Directory creates multiple replication "rings" for the different segments of the AD database that need to be replicated - separate replication topologies are created for domain, configuration, and schema information. The KCC will attempt to load balance between available DCs when creating these different topologies, so you may have 1 DC in SiteA designated a bridgehead for the Domain NC while a 2nd DC is designated the bridgehead for the Schema & Configuration NCs. This load-balancing takes place one time, when the connection objects are first created.  You can designate a preferred bridgehead on the General tab of the server's properties sheet, but if you have full connectivity between all 4 DCs in both sites, I'd recommend just letting the KCC do its job.  (For a domain of only 4 DCs, the KCC will likely do as good a job as anything in creating an optimal replication topology.)

As for USNs being "off" - do you mean that you are seeing an object where the originating USN is the same as the current USN?  This simply means that whatever object it is (site, site link, etc.) has not been modified since it was originally created.  USNs are integral to the functioning of AD replication; they cannot be "turned off."

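The checks Laura describes across both answers (which DCs are GCs, whether sites and subnets are defined, which connection objects were created by hand rather than by the KCC, and what an object's USNs actually mean) can be run from PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module of Windows Server 2012 or later, which postdates the thread, and uses the DC names from the question only as illustration. Re-running the KCC is gated behind a flag because the answer recommends doing it off-hours.

```powershell
# Added example (not from the thread): audit the replication topology the answers describe.
# Assumes the RSAT ActiveDirectory module (Server 2012+) and the AD DS tools (repadmin.exe).
Import-Module ActiveDirectory
$RunKcc = $false   # set to $true during off-hours to re-trigger the KCC on every DC

# [1] Which DCs are GCs, and which one holds the FSMO roles (DEVADC01 in the question)?
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles | Format-Table -AutoSize
$notGc = $dcs | Where-Object { -not $_.IsGlobalCatalog }
if ($notGc) { Write-Warning ("Not a GC: " + ($notGc.Name -join ', ')) }

# [2] Every physical subnet must map to a site, or clients in it cannot pick a local DC.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize

# [3] Connection objects: AutoGenerated = $false is the "not automatically created" case.
# The partner DNs look like "CN=NTDS Settings,CN=DEVBDC02,CN=Servers,...", so take the 2nd RDN.
function Get-PartnerName([string]$dn) { (($dn -split ',')[1]) -replace '^CN=' }
$conns = Get-ADReplicationConnection -Filter *
$conns | Select-Object Name, AutoGenerated,
    @{ n = 'ReplicateFrom'; e = { Get-PartnerName $_.ReplicateFromDirectoryServer } },
    @{ n = 'ReplicateTo';   e = { Get-PartnerName $_.ReplicateToDirectoryServer } } |
    Format-Table -AutoSize
$manual = @($conns | Where-Object { -not $_.AutoGenerated })
if ($manual.Count -gt 0) {
    Write-Warning "$($manual.Count) manually created connection object(s); review before removing:"
    $manual | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
    # Remove-ADObject -Identity $_.DistinguishedName   # deliberately not run automatically
}

# Equivalent of All Tasks -> Check Replication Topology, then show the last result per partner.
if ($RunKcc) { foreach ($dc in $dcs) { repadmin /kcc $dc.HostName | Out-Null } }
Get-ADReplicationPartnerMetadata -Target $dcs.HostName |
    Select-Object Server, Partition, @{ n = 'Partner'; e = { Get-PartnerName $_.Partner } },
        LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# [4] USNs: uSNCreated equal to uSNChanged simply means the object has never been modified.
$cfgNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $cfgNc -Filter 'objectClass -eq "site" -or objectClass -eq "siteLink"' `
    -Properties uSNCreated, uSNChanged |
    Select-Object Name, ObjectClass, uSNCreated, uSNChanged,
        @{ n = 'ModifiedSinceCreation'; e = { $_.uSNChanged -ne $_.uSNCreated } } |
    Format-Table -AutoSize
```

LastReplicationResult of 0 means the last inbound replication from that partner succeeded; any other value is a Win32 error code worth chasing before touching the topology.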

Author Comment

by:cogit
ID: 18868756
Thanks for the info.