Correct NTDS Settings

Posted on 2013-01-23
Last Modified: 2013-01-23
I have 4 domain controllers running over 4 different WAN connections inside a VPN Cloud.

I have them all setup under subnets and sites in ADS&S.

They all have NTDS settings that are installed by default, but i have not created any manual connections.

What is the best practice for NTDS settings?



Should there be an NTDS setting for each server?

Should all of them come back to the main server rather than server B?

What is best practice here?


Question by:elevatecs
  • 2
  • 2
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38812648
If there are no manual created connections let it be ...

Read below article which says to let KCC handle how and from where to where connections to be made

You Are Not Smarter Than The KCC

If you are concerned about replication status then Just run repadmin /replsum so you will get the replication status
LVL 16

Expert Comment

ID: 38812660

I suppose that saying "NTDS settings" you're talking about replication connectors that are supposed to appear under the "NTDS Settings" container !?

The best practice is to let the ISTG service on your domain controllers to create their own replication topology. Then the connector shoudl be automatically created under "NTDS Settings".

To help ISTG to build an efficient replication topology you should have declared your physical network links in ADS&S by creating "Site links" between AD sites.
By default there is only one site link that is created and that connects all sites, like if all sites where physically connected to each other.
This is usually not true because physical networks usually have a central site to which all remote sites are connected but remotes sites are not directly connected to each other.

As you're talking about a VPN cloud are we supposed to understand that 2 sites are able to dialog through the VPN directly and not passing through the central site network ??
If yes you can leave the default site link like that.
If no, you should create an IP site link for each physical network connection between sites.

If the site link topology is coherent the ISTG should create an efficient replication tree.
So to answer to your question "Should all of them come back to the main server rather than server B" the answer is no, not always. It depends of your physical topology and the way your declared it in ADS&S.
Does "site A" a central site talking about physical network links ? If yes your AD site links in ADS&S should express that and the ISTG tree will take care of that.

The problem sometimes when installing new DC in a new site is about DNS. Usually you'll use an AD integrated DNS zone. That means that DNS records are stored in AD. DNS records are necessary for the ISTG to locate other DCs and build a replication tree.
AD content needs the ISTG to have built its replication tree before AD content can replicate from other DCs.
At the DCPROMO time the installation process creates an initial copy of AD and this initial copy will be used to built the replication topology at first time, but if something changes in the topology before ISTG on the new DC has created its replication tree and start tis first replication you may be in a situation where your new DC will never be able to build the tree because informations in its AD copy are obsolete and then information in its DNS zone are obsolete also.

So when I build AD forests, I made an habit to configure IP settings on the remote DC I'm about to promote so that it uses ONLY the DNS server in the central site.
Doinf like that the newly promoted DC use good DNS informations and is able to build its replication tree. The process may take time, may be hours between ad sites, but it finally success.
When the topology has been built by the ISTG I can change IP settings so that the newly promoted remote DC interrogates its own DNS service at first, and the central DNS server as a secondary DNS.

Also, DO NOT FORGET to make all your DCs to be Global Catalogs. This is by default when you promote a Windows 2008 Domain Controller but this is not with Windows 2003 DCs.
So your should verify on properties of each "NTDS Settings" container that the Global Catalog checkbox is enabled.

Have a good day.

Author Comment

ID: 38812679
We have a WAN cloud, its pretty simple stuff. I just assumed best practice would be to have ALL servers with a connection back to the master.

Currently they all rely on a small site server for replication information, i thought this was strange, but it was created automatically so i left it.

I just wanted the best practice for NTDS replication connections.

All site links, site containers etc are created. They are all interconnected by a managed VPN network, all subnets are there, intersite transports. Its all working, i just thought it was strange that other DC's are relying on the smallest DC for replication information.

I assumed it would be better to have the master set as the inbound / outbound partner for all other DC's.
LVL 16

Accepted Solution

PaciB earned 500 total points
ID: 38812700

"Master" means nothing with AD domains... there is no domain controller that is master against other that are slaves... All DCs are masters.

With a "cloud" network the only question is from you: do you want to have a centralized topology ? Do you want one particular DC to be the "hub" of the AD replication ?
If not, trust the ISTG and KCC to build an efficient tree.

Oh... something I forget: By default the IP site link that connects AD sites is configured to allow ad replications every 180 minutes only. That is much too long in my opinion and even if it might be a good idea at the beginning of Active Directory in 2000, I strongly think it's a bad idea now to leave it like that. I always reduce the replication interval to 15 minutes for my customers.
In your case that means that your whole forest should be uptodate after 30 minutes instead of 6 hours by default. So in my opinion you should reduce the replication interval on the IP site lik in ADS&S.

Author Comment

ID: 38812711
Thanks, i will investigate.

Cloud is probably a bad word, it is a managed WAN.. hard to explain.

Anyways i will trust in the KCC to be doing the right thing and i have the interval @ 60. Ill reduce it, i dont mind that idea.



Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Looking for a MFP for a small office network 26 123
Group policy update error 8 25
AD Activation of KMS Key 6 52
file name warning 4 20
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now