Correct NTDS Settings

Posted on 2013-01-23
Medium Priority
Last Modified: 2013-01-23
I have 4 domain controllers running over 4 different WAN connections inside a VPN Cloud.

I have them all setup under subnets and sites in ADS&S.

They all have NTDS settings that are installed by default, but i have not created any manual connections.

What is the best practice for NTDS settings?



Should there be an NTDS setting for each server?

Should all of them come back to the main server rather than server B?

What is best practice here?


Question by:elevatecs
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38812648
If there are no manual created connections let it be ...

Read below article which says to let KCC handle how and from where to where connections to be made

You Are Not Smarter Than The KCC

If you are concerned about replication status then Just run repadmin /replsum so you will get the replication status
LVL 16

Expert Comment

by:Bruno PACI
ID: 38812660

I suppose that saying "NTDS settings" you're talking about replication connectors that are supposed to appear under the "NTDS Settings" container !?

The best practice is to let the ISTG service on your domain controllers to create their own replication topology. Then the connector shoudl be automatically created under "NTDS Settings".

To help ISTG to build an efficient replication topology you should have declared your physical network links in ADS&S by creating "Site links" between AD sites.
By default there is only one site link that is created and that connects all sites, like if all sites where physically connected to each other.
This is usually not true because physical networks usually have a central site to which all remote sites are connected but remotes sites are not directly connected to each other.

As you're talking about a VPN cloud are we supposed to understand that 2 sites are able to dialog through the VPN directly and not passing through the central site network ??
If yes you can leave the default site link like that.
If no, you should create an IP site link for each physical network connection between sites.

If the site link topology is coherent the ISTG should create an efficient replication tree.
So to answer to your question "Should all of them come back to the main server rather than server B" the answer is no, not always. It depends of your physical topology and the way your declared it in ADS&S.
Does "site A" a central site talking about physical network links ? If yes your AD site links in ADS&S should express that and the ISTG tree will take care of that.

The problem sometimes when installing new DC in a new site is about DNS. Usually you'll use an AD integrated DNS zone. That means that DNS records are stored in AD. DNS records are necessary for the ISTG to locate other DCs and build a replication tree.
AD content needs the ISTG to have built its replication tree before AD content can replicate from other DCs.
At the DCPROMO time the installation process creates an initial copy of AD and this initial copy will be used to built the replication topology at first time, but if something changes in the topology before ISTG on the new DC has created its replication tree and start tis first replication you may be in a situation where your new DC will never be able to build the tree because informations in its AD copy are obsolete and then information in its DNS zone are obsolete also.

So when I build AD forests, I made an habit to configure IP settings on the remote DC I'm about to promote so that it uses ONLY the DNS server in the central site.
Doinf like that the newly promoted DC use good DNS informations and is able to build its replication tree. The process may take time, may be hours between ad sites, but it finally success.
When the topology has been built by the ISTG I can change IP settings so that the newly promoted remote DC interrogates its own DNS service at first, and the central DNS server as a secondary DNS.

Also, DO NOT FORGET to make all your DCs to be Global Catalogs. This is by default when you promote a Windows 2008 Domain Controller but this is not with Windows 2003 DCs.
So your should verify on properties of each "NTDS Settings" container that the Global Catalog checkbox is enabled.

Have a good day.

Author Comment

ID: 38812679
We have a WAN cloud, its pretty simple stuff. I just assumed best practice would be to have ALL servers with a connection back to the master.

Currently they all rely on a small site server for replication information, i thought this was strange, but it was created automatically so i left it.

I just wanted the best practice for NTDS replication connections.

All site links, site containers etc are created. They are all interconnected by a managed VPN network, all subnets are there, intersite transports. Its all working, i just thought it was strange that other DC's are relying on the smallest DC for replication information.

I assumed it would be better to have the master set as the inbound / outbound partner for all other DC's.
LVL 16

Accepted Solution

Bruno PACI earned 2000 total points
ID: 38812700

"Master" means nothing with AD domains... there is no domain controller that is master against other that are slaves... All DCs are masters.

With a "cloud" network the only question is from you: do you want to have a centralized topology ? Do you want one particular DC to be the "hub" of the AD replication ?
If not, trust the ISTG and KCC to build an efficient tree.

Oh... something I forget: By default the IP site link that connects AD sites is configured to allow ad replications every 180 minutes only. That is much too long in my opinion and even if it might be a good idea at the beginning of Active Directory in 2000, I strongly think it's a bad idea now to leave it like that. I always reduce the replication interval to 15 minutes for my customers.
In your case that means that your whole forest should be uptodate after 30 minutes instead of 6 hours by default. So in my opinion you should reduce the replication interval on the IP site lik in ADS&S.

Author Comment

ID: 38812711
Thanks, i will investigate.

Cloud is probably a bad word, it is a managed WAN.. hard to explain.

Anyways i will trust in the KCC to be doing the right thing and i have the interval @ 60. Ill reduce it, i dont mind that idea.



Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses
Course of the Month9 days, 7 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question