Correct NTDS Settings

Posted on 2013-01-23
Medium Priority
Last Modified: 2013-01-23
I have 4 domain controllers running over 4 different WAN connections inside a VPN Cloud.

I have them all setup under subnets and sites in ADS&S.

They all have NTDS settings that are installed by default, but I have not created any manual connections.

What is the best practice for NTDS settings?



Should there be an NTDS setting for each server?

Should all of them come back to the main server rather than server B?

What is best practice here?


Question by:elevatecs
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38812648
If there are no manually created connections, let it be ...

Read the article below, which says to let the KCC handle how and where connections are made:

You Are Not Smarter Than The KCC

If you are concerned about replication status, just run repadmin /replsum and you will get the replication status.
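As an added example (not part of the comment above, and not code from the thread), here is a PowerShell audit that runs the suggested repadmin /replsum and then uses the ActiveDirectory module to show per-partner replication metadata, flag any connection object that was created by hand rather than by the KCC, and list recorded failures. It assumes RSAT with the ActiveDirectory module and repadmin.exe on the machine, a DC reachable over Active Directory Web Services, and read access to the Configuration partition; no server or site names are hard-coded.

```powershell
# Added example, not code from the thread: replication health check plus a
# check that no connection object under NTDS Settings was created by hand.
# Assumes the ActiveDirectory module (RSAT) and repadmin.exe are present and
# the caller can read the Configuration partition; no names are hard-coded.
Import-Module ActiveDirectory

# 1. The forest-wide summary the comment suggests: per-DC largest delta,
#    failure counts and error codes.
repadmin /replsum

# 2. Per-partner detail for every DC: when the last inbound replication succeeded,
#    the last result code (0 = success) and how many attempts in a row have failed.
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
        Select-Object @{ n = 'Server'; e = { $dc.HostName } }, Partner, Partition,
                      LastReplicationSuccess, LastReplicationResult,
                      ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}

# 3. Connection objects. AutoGenerated = $false means someone created it in ADS&S;
#    the KCC will neither maintain it nor remove it when the topology changes.
$manual = Get-ADReplicationConnection -Filter * -Properties AutoGenerated |
    Where-Object { -not $_.AutoGenerated }
if ($manual) {
    Write-Warning 'Manually created connection objects found (the KCC will not manage these):'
    $manual | Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
} else {
    'All connection objects are KCC-generated; leave them alone.'
}

# 4. Every failure the DCs have recorded, across the whole forest.
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError
```

A non-zero LastReplicationResult or a growing ConsecutiveReplicationFailures on one partner, with the rest clean, usually points at a site-link or DNS problem on that WAN leg rather than at the connection objects themselves.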
LVL 16

Expert Comment

by:Bruno PACI
ID: 38812660

I suppose that by saying "NTDS settings" you're talking about the replication connectors that are supposed to appear under the "NTDS Settings" container!?

The best practice is to let the ISTG service on your domain controllers create their own replication topology. Then the connector should be automatically created under "NTDS Settings".

To help the ISTG build an efficient replication topology you should have declared your physical network links in ADS&S by creating "Site links" between AD sites.
By default there is only one site link, which connects all sites, as if all sites were physically connected to each other.
This is usually not true, because physical networks usually have a central site to which all remote sites are connected, but the remote sites are not directly connected to each other.

As you're talking about a VPN cloud, are we to understand that 2 sites are able to talk through the VPN directly without passing through the central site network??
If yes, you can leave the default site link as it is.
If no, you should create an IP site link for each physical network connection between sites.

If the site link topology is coherent, the ISTG should create an efficient replication tree.
So to answer your question "Should all of them come back to the main server rather than server B", the answer is no, not always. It depends on your physical topology and the way you declared it in ADS&S.
Is "site A" a central site in terms of physical network links? If yes, your AD site links in ADS&S should express that and the ISTG tree will take care of it.

The problem sometimes, when installing a new DC in a new site, is DNS. Usually you'll use an AD-integrated DNS zone. That means that DNS records are stored in AD. DNS records are necessary for the ISTG to locate other DCs and build a replication tree.
AD content needs the ISTG to have built its replication tree before AD content can replicate from other DCs.
At DCPROMO time the installation process creates an initial copy of AD, and this initial copy will be used to build the replication topology the first time, but if something changes in the topology before the ISTG on the new DC has created its replication tree and started its first replication, you may be in a situation where your new DC will never be able to build the tree, because the information in its AD copy is obsolete and then the information in its DNS zone is obsolete also.

So when I build AD forests, I have made it a habit to configure the IP settings on the remote DC I'm about to promote so that it uses ONLY the DNS server in the central site.
Doing it like that, the newly promoted DC uses good DNS information and is able to build its replication tree. The process may take time, maybe hours between AD sites, but it finally succeeds.
When the topology has been built by the ISTG, I can change the IP settings so that the newly promoted remote DC queries its own DNS service first, and the central DNS server as a secondary DNS.

Also, DO NOT FORGET to make all your DCs Global Catalogs. This is the default when you promote a Windows 2008 Domain Controller, but it is not with Windows 2003 DCs.
So you should verify in the properties of each "NTDS Settings" container that the Global Catalog checkbox is enabled.

Have a good day.
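As an added example (not part of the answer above, and not code from the thread), the following PowerShell walks through the points that answer makes: inspect the site links the ISTG is working from, express a hub-and-spoke WAN as one IP site link per physical circuit, see which DC is ISTG in each site and what inbound connections the KCC built there, enforce the Global Catalog flag on every DC, and set the DNS client order on a DC being promoted into a remote site. It assumes the ActiveDirectory module and a DC reachable over Active Directory Web Services; the site names (HQ-Site, BranchA-Site and so on), the IP addresses and the 'Ethernet' interface alias are placeholders for this illustration.

```powershell
# Added example, not code from the thread: make the ADS&S topology match the
# physical WAN, confirm the ISTG in each site, and enforce "every DC is a GC".
# Assumes the ActiveDirectory module; site names, IPs and the interface alias
# below are placeholders for this illustration.
Import-Module ActiveDirectory

# 1. What the ISTG currently believes. If the only link is DEFAULTIPSITELINK
#    holding every site, the ISTG treats all sites as directly adjacent.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }

# 2. Hub-and-spoke WAN: one IP site link per physical circuit, each joining
#    exactly the two sites that circuit connects. Skips links that already exist.
$hub    = 'HQ-Site'                                        # placeholder
$spokes = 'BranchA-Site', 'BranchB-Site', 'BranchC-Site'   # placeholders
foreach ($spoke in $spokes) {
    $linkName = "$hub-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hub, $spoke `
            -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15
    }
}
# Once every site is covered by a circuit link, DEFAULTIPSITELINK should go;
# otherwise it still tells the ISTG that every site can reach every other site.
# Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false

# 3. Which DC is ISTG in each site, and the inbound connections the KCC built there.
foreach ($site in Get-ADReplicationSite -Filter *) {
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                             -Properties interSiteTopologyGenerator
    "{0}: ISTG = {1}" -f $site.Name, $settings.interSiteTopologyGenerator
    Get-ADReplicationConnection -Filter * -Properties AutoGenerated |
        Where-Object { $_.ReplicateToDirectoryServer -like "*,CN=$($site.Name),CN=Sites,*" } |
        Select-Object Name, AutoGenerated, ReplicateFromDirectoryServer
}

# 4. Global Catalog on every DC (default on 2008+, not on 2003). The GC flag is
#    bit 1 of 'options' on the NTDS Settings object; OR it in rather than
#    overwrite so the disable-inbound/outbound bits (2 and 4) are preserved.
foreach ($dc in Get-ADDomainController -Filter *) {
    if (-not $dc.IsGlobalCatalog) {
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
        Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
        "Enabled Global Catalog on {0}" -f $dc.HostName
    }
}

# 5. DNS client order on a DC being promoted into a remote site (Windows 8 /
#    2012+ cmdlet). Before promotion: only the central site's DNS. After the ISTG
#    has built the tree and replication is clean: itself first, central second.
$hubDns = '10.0.0.10'     # placeholder: DNS server in the central site
$selfIp = '10.20.0.10'    # placeholder: the new DC's own address
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $hubDns
# ... promote, wait for repadmin /replsum to show the new DC replicating, then:
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $selfIp, $hubDns
```

Step 2 only creates links that are missing, so it is safe to re-run; the Remove-ADReplicationSiteLink line is left commented because deleting DEFAULTIPSITELINK before every site has a replacement link leaves that site unreachable to the ISTG. In step 4 the bitwise OR matters: replacing options with a literal 1 would silently re-enable replication on a DC where an administrator had disabled it.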

Author Comment

ID: 38812679
We have a WAN cloud; it's pretty simple stuff. I just assumed best practice would be to have ALL servers with a connection back to the master.

Currently they all rely on a small site server for replication information. I thought this was strange, but it was created automatically so I left it.

I just wanted the best practice for NTDS replication connections.

All site links, site containers etc. are created. They are all interconnected by a managed VPN network, all subnets are there, intersite transports. It's all working, I just thought it was strange that other DCs are relying on the smallest DC for replication information.

I assumed it would be better to have the master set as the inbound / outbound partner for all other DCs.
LVL 16

Accepted Solution

Bruno PACI earned 2000 total points
ID: 38812700

"Master" means nothing with AD domains... there is no domain controller that is a master while the others are slaves... All DCs are masters.

With a "cloud" network the only question is for you: do you want to have a centralized topology? Do you want one particular DC to be the "hub" of the AD replication?
If not, trust the ISTG and KCC to build an efficient tree.

Oh... something I forgot: by default the IP site link that connects AD sites is configured to allow AD replication every 180 minutes only. That is much too long in my opinion, and even if it might have been a good idea at the beginning of Active Directory in 2000, I strongly think it's a bad idea now to leave it like that. I always reduce the replication interval to 15 minutes for my customers.
In your case that means that your whole forest should be up to date after 30 minutes instead of 6 hours by default. So in my opinion you should reduce the replication interval on the IP site link in ADS&S.
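As an added example (not part of the accepted answer, and not code from the thread), this PowerShell lowers the replication interval on every IP site link from the 180-minute default to the 15 minutes the answer recommends, triggers the KCC on each DC so the new schedule is used immediately instead of on the next cycle, and prints the before and after values. It assumes the ActiveDirectory module and a DC reachable over Active Directory Web Services; no site or server names are hard-coded.

```powershell
# Added example, not code from the thread: bring every IP site link down from the
# 180-minute default to 15 minutes, trigger the KCC so the new schedule is picked
# up now, and show the before/after. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$targetMinutes = 15   # 15 is the lowest value the ADS&S site-link dialog accepts

$before = Get-ADReplicationSiteLink -Filter * `
            -Properties ReplicationFrequencyInMinutes, InterSiteTransportProtocol
$before | Select-Object Name, InterSiteTransportProtocol, ReplicationFrequencyInMinutes

foreach ($link in $before) {
    if ($link.InterSiteTransportProtocol -eq 'IP' -and
        $link.ReplicationFrequencyInMinutes -gt $targetMinutes) {
        Set-ADReplicationSiteLink -Identity $link -ReplicationFrequencyInMinutes $targetMinutes
        "{0}: {1} -> {2} minutes" -f $link.Name, $link.ReplicationFrequencyInMinutes, $targetMinutes
    }
}

# Convergence is roughly (site-link hops on the longest path) x interval. In a
# hub-and-spoke where spokes only reach each other via the hub that is two hops:
# 2 x 180 = 360 minutes (the "6 hours" in the answer) versus 2 x 15 = 30 minutes.

# The ISTG recalculates on its own 15-minute cycle; force it now on every DC,
# then confirm the schedule each link carries.
foreach ($dc in Get-ADDomainController -Filter *) {
    repadmin /kcc $dc.HostName
}
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes |
    Select-Object Name, ReplicationFrequencyInMinutes
```

The interval applies to the site link, not to an individual connection object, which is why the script never touches anything under NTDS Settings: the KCC rebuilds the connection schedules itself once the link changes, and a hand-edited connection would simply be overwritten on the next pass.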

Author Comment

ID: 38812711
Thanks, I will investigate.

Cloud is probably a bad word; it is a managed WAN... hard to explain.

Anyway, I will trust the KCC to be doing the right thing, and I have the interval @ 60. I'll reduce it, I don't mind that idea.


