Solved

Correct NTDS Settings

Posted on 2013-01-23
3,636 Views
Last Modified: 2013-01-23
I have 4 domain controllers running over 4 different WAN connections inside a VPN Cloud.

I have them all set up under subnets and sites in ADS&S.

They all have NTDS settings that are installed by default, but I have not created any manual connections.

What is the best practice for NTDS settings?

Currently

SERVERA (master) - NTDS to ALL SITES
SERVER B - NTDS to SERVERA
SERVER C - NTDS to SERVERB
SERVER D - NTDS to SERVERB

Should there be an NTDS setting for each server?

Should all of them come back to the main server rather than server B?

What is best practice here?

Thanks,

Adam
Question by:elevatecs
5 Comments
 

Expert Comment

by:sarang_tinguria
ID: 38812648
If there are no manually created connections, let it be...

Read the article below, which says to let the KCC handle how, and between which servers, connections are made:

You Are Not Smarter Than The KCC
http://blogs.technet.com/b/markmoro/archive/2011/08/05/you-are-not-smarter-than-the-kcc.aspx

If you are concerned about replication status, then just run repadmin /replsum and you will get the replication status.
 

Expert Comment

by:PaciB
ID: 38812660
Hi,

I suppose that by "NTDS settings" you're talking about the replication connectors that are supposed to appear under the "NTDS Settings" container?

The best practice is to let the ISTG service on your domain controllers create their own replication topology. The connectors should then be created automatically under "NTDS Settings".

To help the ISTG build an efficient replication topology, you should have declared your physical network links in ADS&S by creating "Site links" between AD sites.
By default there is only one site link, which connects all sites, as if all sites were physically connected to each other.
This is usually not true, because physical networks usually have a central site to which all remote sites are connected, while remote sites are not directly connected to each other.

As you're talking about a VPN cloud, are we to understand that two sites are able to talk through the VPN directly, without passing through the central site's network?
If yes, you can leave the default site link as it is.
If no, you should create an IP site link for each physical network connection between sites.

If the site link topology is coherent, the ISTG should create an efficient replication tree.
So to answer your question "Should all of them come back to the main server rather than server B": the answer is no, not always. It depends on your physical topology and the way you declared it in ADS&S.
Is "site A" a central site in terms of physical network links? If yes, your AD site links in ADS&S should express that, and the ISTG tree will take care of it.


The problem sometimes when installing a new DC in a new site is DNS. Usually you'll use an AD-integrated DNS zone. That means that DNS records are stored in AD. DNS records are necessary for the ISTG to locate other DCs and build a replication tree.
AD content needs the ISTG to have built its replication tree before AD content can replicate from other DCs.
At DCPROMO time the installation process creates an initial copy of AD, and this initial copy will be used to build the replication topology the first time. But if something changes in the topology before the ISTG on the new DC has created its replication tree and started its first replication, you may be in a situation where your new DC will never be able to build the tree, because the information in its AD copy is obsolete, and therefore the information in its DNS zone is obsolete too.

So when I build AD forests, I have made it a habit to configure the IP settings on the remote DC I'm about to promote so that it uses ONLY the DNS server in the central site.
Doing it like that, the newly promoted DC uses good DNS information and is able to build its replication tree. The process may take time, maybe hours between AD sites, but it finally succeeds.
When the topology has been built by the ISTG, I change the IP settings so that the newly promoted remote DC queries its own DNS service first, and the central DNS server as a secondary DNS.

Also, DO NOT FORGET to make all your DCs Global Catalogs. This is the default when you promote a Windows 2008 Domain Controller, but it is not with Windows 2003 DCs.
So you should verify, in the properties of each "NTDS Settings" container, that the Global Catalog checkbox is enabled.


Have a good day.
 

Author Comment

by:elevatecs
ID: 38812679
We have a WAN cloud; it's pretty simple stuff. I just assumed best practice would be to have ALL servers with a connection back to the master.

Currently they all rely on a small site server for replication information. I thought this was strange, but it was created automatically, so I left it.

I just wanted the best practice for NTDS replication connections.

All site links, site containers etc. are created. They are all interconnected by a managed VPN network; all subnets are there, intersite transports. It's all working, I just thought it was strange that other DCs are relying on the smallest DC for replication information.

I assumed it would be better to have the master set as the inbound / outbound partner for all other DCs.
 

Accepted Solution

by: PaciB (earned 500 total points)
ID: 38812700
Hi,

"Master" means nothing with AD domains... there is no domain controller that is master against other that are slaves... All DCs are masters.

With a "cloud" network the only question is from you: do you want to have a centralized topology ? Do you want one particular DC to be the "hub" of the AD replication ?
If not, trust the ISTG and KCC to build an efficient tree.

Oh... something I forget: By default the IP site link that connects AD sites is configured to allow ad replications every 180 minutes only. That is much too long in my opinion and even if it might be a good idea at the beginning of Active Directory in 2000, I strongly think it's a bad idea now to leave it like that. I always reduce the replication interval to 15 minutes for my customers.
In your case that means that your whole forest should be uptodate after 30 minutes instead of 6 hours by default. So in my opinion you should reduce the replication interval on the IP site lik in ADS&S.
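An added example (not from any of the posts above) that audits the three things the replies recommend checking: the site link replication interval PaciB wants lowered from the 180-minute default, the Global Catalog flag on each DC, whether the connection objects under NTDS Settings are KCC-generated, and finally the repadmin /replsum summary from the first reply. It assumes the RSAT ActiveDirectory module is installed and the caller has rights to modify site links; without -Apply it only reports.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and sufficient rights. Run without -Apply to report only.
param(
    [int]$TargetIntervalMinutes = 15,   # PaciB's suggested value; AD default is 180
    [switch]$Apply                      # actually change site links that are slower than the target
)
Import-Module ActiveDirectory

# 1. Site links: flag any still at the 180-minute default and optionally lower them.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, SitesIncluded |
    ForEach-Object {
        $link = $_
        [pscustomobject]@{
            SiteLink        = $link.Name
            IntervalMinutes = $link.ReplicationFrequencyInMinutes
            AtDefault       = ($link.ReplicationFrequencyInMinutes -eq 180)
            # SitesIncluded holds site DNs; keep only the CN part for readability
            Sites           = ($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        }
        if ($Apply -and $link.ReplicationFrequencyInMinutes -gt $TargetIntervalMinutes) {
            Set-ADReplicationSiteLink -Identity $link -ReplicationFrequencyInMinutes $TargetIntervalMinutes
        }
    } | Format-Table -AutoSize

# 2. Global Catalog: every DC should have the GC checkbox set on its NTDS Settings
#    (default on 2008 DCs, not on 2003 DCs, as PaciB notes).
Get-ADDomainController -Filter * |
    Where-Object { -not $_.IsGlobalCatalog } |
    ForEach-Object { Write-Warning "$($_.Name) in site $($_.Site) ($($_.OperatingSystem)) is not a Global Catalog" }

# 3. Connection objects: AutoGenerated = True means the KCC/ISTG created it;
#    False means someone created it by hand, which overrides the KCC for that link.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated |
    Format-Table -AutoSize

# 4. Replication health summary, as suggested in the first reply.
repadmin /replsum
```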
 

Author Comment

by:elevatecs
ID: 38812711
Thanks, I will investigate.

Cloud is probably a bad word; it is a managed WAN... hard to explain.

Anyway, I will trust the KCC to be doing the right thing, and I have the interval at 60. I'll reduce it; I don't mind that idea.

Cheers,

Adam