Solved

Quick overview of setting up SITE to SITE AD

Posted on 2007-04-06
Last Modified: 2012-06-21
I would like a high-level overview for site-to-site AD: best practice between bridgehead servers (should both bridgeheads be GCs?), and also the replication settings.

I have come to a site where there is a very large AD that is located in 2 datacenters.

The one site has a DC DEVADC01 with all the FSMO roles.
There is a second DC DEVADC02 that acts as a GC and DC.

In the other network are another 2 DCs:
DEVBDC01
DEVBDC02

Under Sites and Services, NTDS Settings properties, Connections tab for DEVADC01:
Replicate From: DEVBDC02
Replicate To: DEVBDC02 (not a typo)

Under Sites and Services, NTDS Settings properties, Connections tab for DEVADC02:
Replicate From: DEVADC01, DEVBDC01
Replicate To: DEVADC01, DEVBDC02

Under Sites and Services, NTDS Settings properties, Connections tab for DEVBDC01:
Replicate From: DEVBDC02
Replicate To: DEVADC01, DEVBDC02

Under Sites and Services, NTDS Settings properties, Connections tab for DEVBDC02:
Replicate From: DEVADC02, DEVBDC01
Replicate To: DEVBDC01

Finally, Update Sequence Numbers are off.

I think this above configuration is not best practice.




Question by: cogit

4 Comments

Expert Comment


by:LauraEHunterMVP
ID: 18868106
A few points based on your description:

[1] Are you in a single domain environment?  If so, make every DC a GC; there's no overhead involved on a GC in a single-domain environment, and it decreases the likelihood of authentication failure due to a user being unable to find a GC.

[2] Ensure that your physical sites and subnets are accurately represented within AD Sites & Services (under the Administration Tools); AD will use this information to generate a replication topology. Additionally, client authentication is "site-aware", so you want your sites & subnets correctly configured so that clients will authenticate to a DC in their local site rather than wasting time & resources by authenticating across the WAN.

[3] Are all of these replication objects "automatically created", or have they been created manually?  (If you don't see the words "automatically created" when you click on the server and see the connection objects in the right-hand pane of ADS&S, they have been manually created.) With only 4 DCs in the mix, I would simply allow AD to create the replication topology on its own - if there are any manually-created repl. objects, I would delete them and then re-trigger the KCC by right-clicking on the server's NTDS Settings and selecting All Tasks-->Check Replication Topology.  (Recommend you do this during off-hours since there will be a slight delay in replication while the KCC does its job.)

[4] What do you mean by "Update Sequence Numbers are off"?  Which Properties sheet are you looking at, and what is the exact text of the option you're describing?

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
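The checks in points [1] to [3] above can be run from a console instead of clicking through ADS&S. The following is an added example written for this page, not Laura's or Microsoft's code; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, so newer than the thread) and repadmin, and reuses the DC names from the question.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and read access to the Configuration partition; DEVADC01 is the DC named in the
# question and is used only as a sample target.
Import-Module ActiveDirectory

# [1] Which DCs are GCs, and which one holds the FSMO roles
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# [2] Sites and the subnets mapped to them. A site with no subnets, or a client
# subnet that is not defined at all, makes clients authenticate across the WAN.
$subnets = Get-ADReplicationSubnet -Filter *
Get-ADReplicationSite -Filter * | ForEach-Object {
    $site = $_
    [pscustomobject]@{
        Site    = $site.Name
        Subnets = (($subnets | Where-Object { $_.Site -eq $site.DistinguishedName }).Name -join ', ')
    }
} | Format-Table -AutoSize

# [3] Connection objects. AutoGenerated = False is the same thing as the
# "automatically created" label being absent in the ADS&S pane: the KCC will
# not manage or clean up that object.
$connections = Get-ADReplicationConnection -Filter * `
        -Properties AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Select-Object Name, AutoGenerated,
        # The From/To properties are the DN of the source/target NTDS Settings
        # object; the second RDN is the server name.
        @{ n = 'From'; e = { ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN=' } },
        @{ n = 'To';   e = { ($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN=' } }
$connections | Format-Table -AutoSize

$manual = $connections | Where-Object { -not $_.AutoGenerated }
if ($manual) {
    Write-Warning ("{0} manually created connection object(s) found; the KCC leaves these alone." -f @($manual).Count)
}

# After deleting manual connection objects, re-run the KCC on a DC (the console
# equivalent of All Tasks -> Check Replication Topology) and confirm the result.
repadmin /kcc DEVADC01
repadmin /showrepl DEVADC01
```

Run it from a workstation or DC that is a member of the forest; the `repadmin` lines require the Support Tools on Windows Server 2003 and are built in from Windows Server 2008 onward.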

Author Comment

by:cogit
ID: 18868132
When you go on the NTDS settings, and select the object tab.

Also doing the following "With only 4 DCs in the mix, I would simply allow AD to create the replication topology on its own - if there are any manually-created repl. objects, I would delete them and then re-trigger the KCC by right-clicking on the server's NTDS Settings and selecting All Tasks-->Check Replication Topology.  (Recommend you do this during off-hours since there will be a slight delay in replication while the KCC does its job.)"

Would that create the bridgehead servers?

I mean, there are only 16,800 user accounts ... let's do it during the day :)

Accepted Solution

by: LauraEHunterMVP (earned 500 total points)
ID: 18868191
If you do not manually specify a bridgehead server for a particular site, the KCC will automatically select a bridgehead in each site when it creates replication objects.

Keep in mind that Active Directory creates multiple replication "rings" for the different segments of the AD database that need to be replicated - separate replication topologies are created for domain, configuration, and schema information. The KCC will attempt to load balance between available DCs when creating these different topologies, so you may have 1 DC in SiteA designated a bridgehead for the Domain NC while a 2nd DC is designated the bridgehead for the Schema & Configuration NCs. This load-balancing takes place one time, when the connection objects are first created.  You can designate a preferred bridgehead on the General tab of the server's properties sheet, but if you have full connectivity between all 4 DCs in both sites, I'd recommend just letting the KCC do its job.  (For a domain of only 4 DCs, the KCC will likely do as good a job as anything in creating an optimal replication topology.)

As for USNs being "off" - do you mean that you are seeing an object where the originating USN is the same as the current USN?  This simply means that whatever object it is (site, site link, etc.) has not been modified since it was originally created.  USNs are integral to the functioning of AD replication; they cannot be "turned off."

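To see the per-naming-context bridgehead selection described above, and to read the two USN values the Object tab is showing, the following added example can be used. It is not code from the thread; it assumes the ActiveDirectory module (RSAT) and repadmin, and the DC names are the ones from the question, used only as sample targets.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# repadmin; DEVADC01 / DEVBDC01 come from the question and are sample targets.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext

# KCC-selected bridgeheads, listed per site and per naming context. One DC for
# the Domain NC and a different DC for Schema/Configuration is the KCC's
# one-time load balancing, not a misconfiguration.
repadmin /bridgeheads DEVADC01 /verbose

# Servers on which someone set a preferred bridgehead (General tab of the server
# properties). The setting lives in the bridgeheadTransportList attribute of
# the server object under CN=Sites; an empty result means the KCC is choosing.
Get-ADObject -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' `
    -SearchBase "CN=Sites,$cfg" -Properties bridgeheadTransportList |
    Select-Object Name, bridgeheadTransportList

# "Original USN" and "Current USN" on the NTDS Settings Object tab are the
# uSNCreated and uSNChanged attributes. Both are local to the DC answering the
# query, so the same object shows different numbers on different DCs; equal
# values simply mean the object has not been modified since it was created.
foreach ($dc in 'DEVADC01', 'DEVBDC01') {
    Get-ADObject -Server $dc -SearchBase "CN=Sites,$cfg" `
        -LDAPFilter '(|(objectClass=site)(objectClass=siteLink))' `
        -Properties uSNCreated, uSNChanged |
        Select-Object @{ n = 'DC'; e = { $dc } }, Name, uSNCreated, uSNChanged,
            @{ n = 'ModifiedSinceCreate'; e = { $_.uSNChanged -ne $_.uSNCreated } } |
        Format-Table -AutoSize
}

# Whether replication itself is healthy is a separate question from the USN
# numbers; this summary shows failures and largest deltas per DC.
repadmin /replsummary
```

Comparing the uSN columns across the two DCs is the quickest way to see that USNs are per-DC counters rather than a setting that can be on or off.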

Author Comment

by:cogit
ID: 18868756
Thanks for the info.