Solved

Correct NTDS Settings

Posted on 2013-01-23
4,031 Views
Last Modified: 2013-01-23
I have 4 domain controllers running over 4 different WAN connections inside a VPN Cloud.

I have them all setup under subnets and sites in ADS&S.

They all have NTDS settings that are installed by default, but I have not created any manual connections.

What is the best practice for NTDS settings?

Currently

SERVERA (master) - NTDS to ALL SITES
SERVER B - NTDS to SERVERA
SERVER C - NTDS to SERVERB
SERVER D - NTDS to SERVERB

Should there be an NTDS setting for each server?

Should all of them come back to the main server rather than server B?

What is best practice here?

Thanks,

Adam
Question by:elevatecs
5 Comments
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38812648
If there are no manually created connections, let it be ...

Read the article below, which says to let the KCC handle how and where connections are made.

You Are Not Smarter Than The KCC
http://blogs.technet.com/b/markmoro/archive/2011/08/05/you-are-not-smarter-than-the-kcc.aspx

If you are concerned about replication status, just run repadmin /replsum and you will get the replication status.
LVL 16

Expert Comment

by:PaciB
ID: 38812660
Hi,

I suppose that by "NTDS settings" you mean the replication connectors that are supposed to appear under the "NTDS Settings" container?

The best practice is to let the ISTG service on your domain controllers create its own replication topology. The connectors should then be created automatically under "NTDS Settings".

To help the ISTG build an efficient replication topology you should have declared your physical network links in ADS&S by creating "Site links" between AD sites.
By default there is only one site link, which connects all sites, as if all sites were physically connected to each other.
This is usually not true, because physical networks usually have a central site to which all remote sites are connected, while the remote sites are not directly connected to each other.

As you're talking about a VPN cloud, are we to understand that two sites are able to talk to each other directly through the VPN, without passing through the central site's network?
If yes, you can leave the default site link as it is.
If no, you should create an IP site link for each physical network connection between sites.

If the site link topology is coherent, the ISTG should create an efficient replication tree.
So to answer your question "Should all of them come back to the main server rather than server B", the answer is no, not always. It depends on your physical topology and the way you declared it in ADS&S.
Is "site A" a central site in terms of physical network links? If yes, your AD site links in ADS&S should express that, and the ISTG tree will take care of it.


The problem when installing a new DC in a new site is sometimes DNS. Usually you'll use an AD-integrated DNS zone. That means the DNS records are stored in AD. DNS records are necessary for the ISTG to locate other DCs and build a replication tree.
AD content needs the ISTG to have built its replication tree before that content can replicate from other DCs.
At DCPROMO time the installation process creates an initial copy of AD, and this initial copy is used to build the replication topology the first time. But if something changes in the topology before the ISTG on the new DC has created its replication tree and started its first replication, you may end up in a situation where your new DC is never able to build the tree, because the information in its AD copy is obsolete, and therefore the information in its DNS zone is obsolete too.

So when I build AD forests, I have made it a habit to configure the IP settings on the remote DC I'm about to promote so that it uses ONLY the DNS server in the central site.
Done that way, the newly promoted DC uses good DNS information and is able to build its replication tree. The process may take time, maybe hours between AD sites, but it finally succeeds.
Once the topology has been built by the ISTG, I change the IP settings so that the newly promoted remote DC queries its own DNS service first and the central DNS server as secondary DNS.

Also, DO NOT FORGET to make all your DCs Global Catalogs. This is the default when you promote a Windows 2008 Domain Controller, but it is not with Windows 2003 DCs.
So you should verify in the properties of each "NTDS Settings" container that the Global Catalog checkbox is enabled.


Have a good day.
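The checks the two comments above describe (KCC-owned connection objects, site links, the Global Catalog flag, and the replication status that repadmin /replsum reports), as an added PowerShell example that is not part of either expert's post. It assumes the ActiveDirectory PowerShell module from Windows Server 2012 RSAT or later and a DC running Active Directory Web Services; the Get-ServerNameFromDN helper is mine, not a module cmdlet, and the server names in the output are whatever your forest contains.

```powershell
# Added example, not from the thread: audit what the KCC/ISTG has built
# instead of hand-creating connection objects. Assumes the ActiveDirectory
# PowerShell module (Windows Server 2012 RSAT or later) and a DC that runs
# Active Directory Web Services; Windows 2003-only forests need repadmin.
Import-Module ActiveDirectory

# Helper (mine, not a module cmdlet): pull "SERVERA" out of either
# "CN=NTDS Settings,CN=SERVERA,CN=Servers,..." or "CN=SERVERA,CN=Servers,..."
# so both ends of a connection object print the same way.
function Get-ServerNameFromDN {
    param([string]$DistinguishedName)
    if ($DistinguishedName -match 'CN=([^,]+),CN=Servers,') { return $Matches[1] }
    return $DistinguishedName
}

# 1. Connection objects under every "NTDS Settings" container.
#    AutoGenerated = True : the KCC owns the edge and re-evaluates it.
#    AutoGenerated = False: someone pinned it by hand. The KCC never removes
#    such an object, so it can hide a real topology problem indefinitely.
$props = 'AutoGenerated', 'ReplicateFromDirectoryServer', 'ReplicateToDirectoryServer'
$connections = Get-ADReplicationConnection -Filter * -Properties $props

$connections |
    Select-Object @{n='Inbound to'; e={ Get-ServerNameFromDN $_.ReplicateToDirectoryServer }},
                  @{n='From';       e={ Get-ServerNameFromDN $_.ReplicateFromDirectoryServer }},
                  AutoGenerated |
    Sort-Object 'Inbound to' | Format-Table -AutoSize

$manual = @($connections | Where-Object { -not $_.AutoGenerated })
if ($manual.Count -gt 0) {
    Write-Warning "$($manual.Count) manually created connection object(s) found; remove them and let the KCC rebuild unless there is a documented reason for them."
}

# Which DC the others pull from most often: this is the "hub" the question
# noticed. The ISTG picks it from site-link costs, not from size or role.
$connections |
    Group-Object { Get-ServerNameFromDN $_.ReplicateFromDirectoryServer } |
    Select-Object @{n='Source DC'; e={ $_.Name }}, @{n='Outbound partners'; e={ $_.Count }} |
    Sort-Object 'Outbound partners' -Descending | Format-Table -AutoSize

# 2. Site links the ISTG works from. A single DEFAULTIPSITELINK joining every
#    site (cost 100, 180 minutes) tells the ISTG all sites can reach each
#    other directly, which is rarely true of a hub-and-spoke WAN.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{n='Sites'; e={ ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' }} |
    Format-Table -AutoSize

# 3. Global Catalog flag (the "NTDS Settings" checkbox the answer mentions)
#    and, for reference, who holds FSMO roles, since "master" only means that.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsGlobalCatalog,
                     @{n='FSMO roles'; e={ $_.OperationMasterRoles -join ',' }} |
       Format-Table -AutoSize
$dcs | Where-Object { -not $_.IsGlobalCatalog } |
       ForEach-Object { Write-Warning "$($_.HostName) is not a Global Catalog" }

# 4. Inbound replication status per DC: the same data 'repadmin /replsum'
#    and 'repadmin /showrepl' report, which also work against 2003 DCs.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName |
        Select-Object @{n='Server';  e={ $dc.HostName }},
                      @{n='Partner'; e={ Get-ServerNameFromDN $_.Partner }},
                      LastReplicationSuccess, ConsecutiveReplicationFailures, LastReplicationResult |
        Format-Table -AutoSize
}
```

Run it from any machine with RSAT as a user who can read the Configuration partition; nothing in it writes to AD. The "Outbound partners" table is the direct answer to the original worry: if SERVERB shows up as the source for SERVERC and SERVERD, that is the ISTG's choice based on the site links it was given, and the place to change it is the site-link costs, not a manual connection object.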

Author Comment

by:elevatecs
ID: 38812679
We have a WAN cloud; it's pretty simple stuff. I just assumed best practice would be to have ALL servers with a connection back to the master.

Currently they all rely on a small site server for replication information. I thought this was strange, but it was created automatically so I left it.

I just wanted the best practice for NTDS replication connections.

All site links, site containers etc. are created. They are all interconnected by a managed VPN network; all subnets are there, intersite transports. It's all working, I just thought it was strange that the other DCs are relying on the smallest DC for replication information.

I assumed it would be better to have the master set as the inbound/outbound partner for all the other DCs.
LVL 16

Accepted Solution

by:PaciB (earned 500 total points)
ID: 38812700
Hi,

"Master" means nothing in AD domains... there is no domain controller that is a master while the others are slaves... All DCs are masters.

With a "cloud" network the only question is yours to answer: do you want a centralized topology? Do you want one particular DC to be the "hub" of AD replication?
If not, trust the ISTG and KCC to build an efficient tree.

Oh... something I forgot: by default the IP site link that connects AD sites is configured to allow AD replication only every 180 minutes. That is much too long in my opinion, and even if it might have been a good idea at the beginning of Active Directory in 2000, I strongly think it's a bad idea to leave it like that now. I always reduce the replication interval to 15 minutes for my customers.
In your case that means your whole forest should be up to date after 30 minutes instead of 6 hours by default. So in my opinion you should reduce the replication interval on the IP site link in ADS&S.
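The interval change the accepted answer recommends, as an added PowerShell example that is not part of the answer: it lowers every IP site link that is slower than the target, pushes the change out, makes each DC's KCC recompute, and ends with the repadmin /replsum check from the first comment. It assumes the ActiveDirectory PowerShell module, repadmin.exe on the path, and rights to edit the Configuration partition (Enterprise Admins); the 15-minute value is the answer's recommendation, and the "two hops" arithmetic in the comments is the answer's 30-minutes-versus-6-hours reasoning applied to the chain in the question.

```powershell
# Added example, not from the thread: apply the accepted answer's advice in a
# controlled way. Assumes the ActiveDirectory PowerShell module, repadmin.exe
# on the path, and rights to edit the Configuration partition (Enterprise
# Admins). 15 is the answer's recommendation and is also the lowest value
# Sites and Services lets you set.
param(
    [int]$TargetMinutes = 15,
    [switch]$Apply          # without it the script only reports what it would change
)
Import-Module ActiveDirectory

# Make every change on one known DC so we can push from that DC afterwards.
$server = [string](Get-ADDomainController -Discover -Service ADWS).HostName

# Rough worst-case convergence is interval x inter-site hops. With the chain
# in the question (SERVERA -> SERVERB -> SERVERC / SERVERD) that is two hops:
# 2 x 180 min = 6 h today, 2 x 15 min = 30 min afterwards.
$links = Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes -Server $server
foreach ($link in $links) {
    $current = $link.ReplicationFrequencyInMinutes
    if ($current -le $TargetMinutes) {
        Write-Host "$($link.Name): already $current minutes, nothing to do"
        continue
    }
    Write-Host ("{0}: {1} -> {2} minutes (two-hop worst case {3} -> {4} min)" -f $link.Name,
                $current, $TargetMinutes, ($current * 2), ($TargetMinutes * 2))
    # -WhatIf:$true prints the change instead of making it.
    Set-ADReplicationSiteLink -Identity $link -ReplicationFrequencyInMinutes $TargetMinutes `
                              -Server $server -WhatIf:(-not $Apply)
}

if ($Apply) {
    # The edited site link is itself an object in the Configuration partition,
    # so it would reach the other DCs on the OLD schedule. Push it out now
    # (/A all partitions, /e across sites, /P push), then make every DC's
    # KCC recompute its connections, then check inbound replication status.
    repadmin /syncall $server /AeP | Out-Null
    foreach ($dc in Get-ADDomainController -Filter *) {
        Write-Host "Running KCC on $($dc.HostName)"
        repadmin /kcc $dc.HostName | Out-Null
    }
    repadmin /replsum
}
```

Run it once without -Apply to see the WhatIf lines, then with -Apply. The repadmin /syncall step matters because the KCC on each DC reads its own copy of the Configuration partition: forcing the KCC before the new site-link value has replicated to that DC just recomputes the old topology.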

Author Comment

by:elevatecs
ID: 38812711
Thanks, I will investigate.

Cloud is probably a bad word; it is a managed WAN... hard to explain.

Anyway, I will trust the KCC to be doing the right thing, and I have the interval at 60. I'll reduce it, I don't mind that idea.

Cheers,

Adam