Sites and Services NTDS settings for AD with 8 sites

Posted on 2009-05-15
Medium Priority
Last Modified: 2012-05-07
We have an AD with 8 sites. The main DCs are in our head office. Located on the other sites we have 7 more DCs. The domain is Windows 2003 Native AD. Under Active Directory Sites and Services I noticed that some connections are automatically generated, but most of them are not and were created manually.

The sites are connected through 2Mbit SDSL connections which are up 24/7. Most site-to-site connections are now set to one or two DCs at the main office replicating over IP twice per hour. DCs at the head office are connected to the other DCs at the head office by RPC connections four times per hour.

My question is how many NTDS connections any DC on a site should have. Should it only be connected to one DC at the main office? To all DCs at the main office? Or should it be connected to every possible DC on every possible site (making it mandatory to create lots of NTDS connection objects by hand)?
Question by: Hotzenwalder
LVL 22

Expert Comment

ID: 24393435
Do you know who created the original design?  You might want to confer with them as to why they designed your Sites and Services in the way that they did.

Since you have a pretty small Sites and Service design, you could go a couple ways on this one.  You could let the ISTG/KCC take care of your replication topology or you could create the links manually.  Since you have a small number of sites and a fairly fast connection, it is usually best to let the ISTG take care of it - this allows for fault-tolerance.  To let ISTG do its job on "full auto" mode, ensure that all sites are bridged:
Open Sites
Open Inter-Site Transports
Open IP
Double-click the site link in the right-pane (normally named DEFAULTSITELINK)
Ensure all of your sites are in this bridge (if you have multiple bridges, you should collapse them into one)

Next, delete all of the manually defined connections under NTDS Settings.

The ISTG should run automatically in a few minutes, but if you're in a hurry you can force it to run right away.  To do so:
Right-click each NTDS Settings
Select All Tasks, Check Replication Topology

If you have some bandwidth issues, then you might have to tweak the design.  In most cases a hub-and-spoke design is a good idea.  In this case, you would assess where most of your AD changes take place and establish that Site as the hub.  After that's done, you would manually configure site links from the spokes to the hub.  In this case, you minimize your convergence time.  Microsoft has a pretty good guide on designing branch offices at:

Author Comment

ID: 24393633
I think it was just setup and no specific thinking was done about the sites and services configuration.

Currently we have 8 different site links. Each site link contains the head office site and a branch office site, so there are no more than two sites in a site link. The cost of every site link is 100 and the replication interval is 30. All branch offices are connected over SDSL lines with the same speed.

So.... Site link A for instance contains Head Office Site and Branch A.
Site link B contains Head Office site and Branch B
Site link C contains Head Office site and Branch C etcetera

There is no site link bridge present under Inter-Site Transports.

I guess the site links are set up ok, but we seem to be missing a site link bridge with all site links in it?

LVL 22

Expert Comment

ID: 24393870
The site link bridge will allow multiple site links to "converse" with each other.  Since the design looks like a classical hub-and-spoke - you should be good to go.

Author Comment

ID: 24394528
Created a site link bridge, added all the site links to it and hit 'Check Replication Topology' several times on several DCs. The DCs in the main site have different connection objects. One DC has links to almost any DC. The other DCs at the head office have only two connections. In the Event Viewer we have messages like

'The following directory partition is no longer replicated from the source domain controller at the following network address because there is no Connection object for the domain controller'

DCs at the branch offices sometimes have only one connection.

Is this just a case of wait and be patient?

Also... the site links were created automatically and some links are set to only replicate one time per hour. If we change it we get warnings that the changes will be overwritten since the link was automatically generated, and asking if we wish to mark it as not automatically generated. We'd like to change some links because the schedule for replication between the DCs in the head office is set to only once per hour. Does that mean any change on a DC will not be visible on another DC in the head office for 60 minutes?
LVL 22

Accepted Solution

Paka earned 1000 total points
ID: 24394641
Getting used to some of the delays in sites and services does require some patience.  The topology should stabilize over one or two replication intervals.

To change the replication frequency, you will change the site link bridge properties (it's at the bottom).
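Before handing the topology back to the KCC/ISTG as the expert suggests, and to answer the replication-interval question above, an inventory of connection objects, site links and bridges is useful. The following is an added PowerShell example, not code from the thread, and it assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later) rather than the 2003-era MMC used by the poster:

```powershell
# Added example: audit the replication topology so that manually created NTDS
# connection objects, site-link intervals and bridge membership can be reviewed.
# Assumes the ActiveDirectory PowerShell module is installed (RSAT / 2008 R2+).
Import-Module ActiveDirectory

# 1. Connection objects per DC. AutoGenerated = $false marks objects created by
#    hand; the KCC will not manage or re-route those paths.
$connections = Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer

"=== NTDS connection objects ==="
$connections |
    Sort-Object ReplicateToDirectoryServer |
    Format-Table ReplicateToDirectoryServer, ReplicateFromDirectoryServer, AutoGenerated -AutoSize

$manual = @($connections | Where-Object { -not $_.AutoGenerated })
"Manually created connection objects: $($manual.Count)"

# 2. Site links: cost, replication interval and member sites. In the poster's
#    hub-and-spoke layout each link should contain exactly two sites.
"=== Site links ==="
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# 3. Site link bridges: every site link should be a member of the single bridge.
"=== Site link bridges ==="
Get-ADReplicationSiteLinkBridge -Filter * -Properties SiteLinksIncluded |
    Select-Object Name, @{ n = 'Links'; e = { @($_.SiteLinksIncluded).Count } } |
    Format-Table -AutoSize

# 4. After removing manual objects, force the KCC on each DC instead of waiting
#    for its next cycle (equivalent to "Check Replication Topology" in the MMC).
#    Uncomment to run; repadmin ships with the AD DS tools.
# Get-ADDomainController -Filter * | ForEach-Object { repadmin /kcc $_.HostName }
```

Run it once before deleting the manual connections and again after one or two replication intervals; the AutoGenerated column should then be $true for every remaining object.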
