Solved

Active Directory Sites and Services / Domain Replication across Branch offices

Posted on 2013-10-22
14
1,941 Views
Last Modified: 2013-12-03
I've just started working at a new place and noticed their intersite domain replication is all over the place.  So dig dig dig.  It's turned into my first project here.  NO PRESSURE!!  haha :) So pretty much I need to clean everything up and redesign all of it.  It's a mixed 2003/2008 R2 environment.

The MS 2008 Branch Office Guide documentation is lacking...

http://www.microsoft.com/en-us/download/details.aspx?id=22199

The 2003 Branch Office Guide is awesome but outdated.

http://www.microsoft.com/en-us/download/details.aspx?id=5838

Here is a Visio I created trying to figure out how to detangle how things are set up.  All sites are connected via a 10mbps MPLS VPN line.  As you can see DNS is all over the place too.  I'm hoping for some advice on how to set that up also.

Domain Controller/DNS Setup
After running the AD best practices analyzer I found that KCC was turned off at WESTPALM.  Amazed this even works without KCC.  For anyone who doesn't know what KCC does:

DEFINITION: KCC reviews and makes modifications to the Active Directory replication topology every 15 minutes to ensure propagation of data, either directly or transitively, by creating and deleting connection objects as needed. The KCC recognizes changes that occur in the environment and ensures that domain controllers are not orphaned in the replication topology.

DC best practices complains KCC is turned off for West-Palm
Here is what my bridgeheads look like.  Notice, WESTPALM is not listed!

My BridgeHead Servers
Here is what Intersite Transports IP looks like

Intersite Transports
Here is what my NTDS settings look like

NTDS Settings
OK!

1) What's going to happen when I turn KCC back on?  Think it will cause any issues?

2) Suggestions on how to set up this network.  WestPalm and Atlanta are equally important.  I believe I'm looking to set up a HYBRID setup.  I'm looking for a LOT of redundancy between the sites (but not going overboard).

3) How should I handle DNS?  Suggestions?  I'm looking for a LOT of redundancy between the sites (but not going overboard).
Question by:vrmanrtell
14 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 200 total points
ID: 39592063
You can disable the KCC and create manual connection objects.  Is that what they have done in that site?  More on that here: http://blogs.technet.com/b/markmoro/archive/2011/08/05/you-are-not-smarter-than-the-kcc.aspx

If you turn on the KCC then it will create the connection objects for you.

Would you consider WestPalm or Atlanta a "hub" or HQ?

Why do some of the DCs have two IP addresses?

For DNS, point them to another DC/DNS in their own site for primary and itself for secondary.  More on that with this question I helped with: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27523692.html

Looks like they have an excellent new hire there...good project.

Do you currently have any replication issues (test with repadmin or the AD replication status tool)?

Thanks

Mike
LVL 53

Accepted Solution

by:Will Szymkowski
Will Szymkowski earned 300 total points
ID: 39592115
Answers are below...

Question 1
When you turn KCC on it will create/calculate connections where necessary on already created "automatic connections". As you have listed in your diagram there are several connections that were created manually. At this point the KCC ignores these connections and will not do anything with them. It is recommended that you let your KCC do all of the connections for you as you have site redundancy if a server goes down.

When you have manually created connections, AD replication partners will not replicate AD traffic while these servers are down. Using automatic connections the KCC will re-calculate over a time-out period and create new connections when necessary.

Question 2
Typically it is a good practice to have all of your sites on the same site link unless you have bandwidth restrictions where you need to replicate between high latency sites during off hours due to cost or reliability for production data.

Question 3
For DNS, what I would recommend is having each site use a local DC/DNS for resolution and use the secondary DNS entry from a DC/DNS server in the primary site. With that said, it would be recommended to disable round robin DNS at your branch offices as it will send queries to the secondary DNS IP for every second DNS request. This way your users will only use the DNS Primary IP and if this DC goes down it will use the DNS Secondary IP which points to the DC in your primary site. You don't have to disable round robin but it will send DNS traffic across the WAN. DNS queries are not heavy traffic but it is unnecessary.

Another suggestion, make sure that you are not using a preferred "Bridgehead server" as this is the same concept for intersite replication. If you have a "preferred bridgehead server" the KCC will not change this server to another server in the site as it has a manual connection.

Here is a great article for understanding the replication/generation process.
http://technet.microsoft.com/en-us/library/cc961781.aspx

Also to create new automatic connections using the KCC do the following...
- delete the manually created connections
- Right click on the NTDS setting in the respective site
- Under All Tasks, select "check replication topology"

Will.
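An added example (not part of Will's answer or any Microsoft tooling) that audits the three things discussed above before you start deleting anything: sites where the KCC has been switched off, connection objects that were created by hand, and servers pinned as preferred bridgeheads. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the option bit values are the documented NTDS flags.

```powershell
# Added audit script (not from the thread). Requires the ActiveDirectory module
# (RSAT on Windows 7 / Server 2008 R2 or later) and read access to CN=Configuration.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# 1. Sites where the KCC has been disabled (nTDSSiteSettings.options bits):
#    0x1  = NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED       (intrasite KCC off)
#    0x10 = NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED (intersite KCC off)
Get-ADObject -LDAPFilter '(objectClass=nTDSSiteSettings)' -SearchBase $sitesDN -Properties options |
    ForEach-Object {
        $opt = [int]($_.options)
        [pscustomobject]@{
            Site            = ($_.DistinguishedName -split ',')[1] -replace '^CN='
            IntrasiteKCCOff = [bool]($opt -band 0x1)
            IntersiteKCCOff = [bool]($opt -band 0x10)
        }
    } | Where-Object { $_.IntrasiteKCCOff -or $_.IntersiteKCCOff } | Format-Table -AutoSize

# 2. Manually created connection objects. The KCC marks the ones it owns with
#    nTDSConnection.options bit 0x1 (NTDSCONN_OPT_IS_GENERATED); a connection without
#    that bit was created by hand and will not be re-routed when its partner is down.
Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -SearchBase $sitesDN -Properties options, fromServer |
    Where-Object { -not ([int]$_.options -band 0x1) } |
    Select-Object @{n='Connection'; e={ $_.Name }},
                  @{n='ToServer';   e={ ($_.DistinguishedName -split ',')[2] -replace '^CN=' }},
                  @{n='FromServer'; e={ ($_.fromServer -split ',')[1] -replace '^CN=' }} |
    Format-Table -AutoSize

# 3. Preferred bridgehead servers. A server object whose bridgeheadTransportList is set
#    has been pinned for that transport, so the KCC will not fail over to another DC.
Get-ADObject -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' -SearchBase $sitesDN -Properties bridgeheadTransportList |
    Select-Object Name,
                  @{n='Transports'; e={ ($_.bridgeheadTransportList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' }} |
    Format-Table -AutoSize

# After the manual objects and the preferred-bridgehead setting are removed, force a
# topology recalculation rather than waiting for the next 15-minute KCC run:
#   repadmin /kcc <DCNAME>
#   repadmin /replsummary
```

Run it once before the clean-up to record the baseline and again afterwards; all three listings should come back empty when only KCC-generated connections remain.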
LVL 19

Expert Comment

by:Patricksr1972
ID: 39592154
Hi,

Let me say this is a wet-dream setup, very cool to swim in a pond like this.
That being said.
1) KCC is a mechanism that creates connection objects automatically. If it is not done automatically someone before you has configured it manually, that's no problem.
From the Inter-Site-Transports---NTDS we see 8 sites are configured to sync with West-Palm, meaning the connection objects are there. Turning on KCC would IMHO not change anything since the connection objects are there already. Not sure what the reason could be to turn KCC down and handle configuration by hand. (maybe KCC was off judging)
Note: I have heard of and seen Hybrid configurations for Exchange, not sure how you see it implemented with DNS.

2) The setup looks very robust. You might consider to:
(Since I do not have a map in front of me displaying the USA) I would say replicate to major site(s) from S051 and have them replicate to the nearest sites to them. This also depends on the quality of interconnectivity (cost). Nice puzzle!!

Example: 50% primarily replicates to/from S051 (and sec. to S061) and 50% primarily to/from S061 (and sec. to S051). A third DNS server can be configured for extra failover.
This divides the DNS load for S051 in half. (OK, I am generalising, it depends on inter-office size and DNS activity/chances)

3) Keep the main streams as they are, they look robust and redundant.

Hope this helps (just) a little.

Author Comment

by:vrmanrtell
ID: 39592356
Hey there Mike!  

Thanks for the kind words.  I'm being as careful as possible.  I do NOT want to make any mistakes....

OK!

1) "If you turn on the KCC then it will create the connection objects for you."

This is what I was planning on.  Once those connection objects are created, can I safely delete the hand created ones?  I was planning on doing the deletions for the sites one at a time and seeing if things stay stable.

Question: I know that KCC creates objects under NTDS as <automatically-generated> but what about the objects under Inter-Site Transports -> IP.  Are those manually created (I'm guessing those entries are what KCC uses to make its decisions)?  Do they always have to be manually created every time a new site comes online?  Will anything break if I just change the name of the site link (from CLT-SD to ATL-SD)?

2) "Would you consider WestPalm or Atlanta a "hub" or HQ?"

I would consider WestPalm the HQ and Atlanta the hub in this case.  Does this change anything?

3) "Why do some of the DCs have two IP addresses?"

I know right?! MS considers those servers multi-homed when they're configured like that. DCs and multihomed = no good!  That was another portion of the clean up I was planning on doing.  Is there anything you think I should be aware of when removing those 2nd IP addresses?  Only thing I can think of is making sure DNS only shows the primary IP address and removing the 2nd one if they are still in DNS.

4) "For DNS point them to another DC/DNS in their own site for primary and itself for secondary.  More on that with this question I helped with"

I have to wonder if they are talking about DNS servers within one site.  Wouldn't it be better to set them up this way for a multisite environment?  P.S.  That link was a great read!

Primary - Another DNS server inside the specific site
Secondary - Another DNS server outside (maybe inside?) the site
Tertiary - 127.0.0.1

5) "Do you currently have any replication issues (test with repadmin or the AD replication status tool)"

Nope! No replication issues at all!!  It's just messy as hell.  I ran that MS Active Directory Topology Diagrammer and there are lines everywhere :)  http://www.microsoft.com/en-us/download/details.aspx?id=13380

Thanks!!!
-G

Author Comment

by:vrmanrtell
ID: 39592402
Hi Spec01! (Will),

Thanks for chiming in!

1) Totally agreed about KCC.  I'm definitely going to set them up that way.

2) "Typically it is a good practice to have all of your sites to the same site link"

Wait.  Do you mean under Sites and Services -> Inter-site Transports -> IP -> create ONE site link and add all the sites into that site link?  I read about that somewhere in a MS article.  (losing track of what I read where at this point).  What do you think Mike?

3) "For DNS, what I would recommend is having each site use a local DC/DNS for resolution and use the secondary DNS entry from a DC/DNS server in the primary site. With that said, it would be recommended to disable round robin DNS at your branch offices as it will send queries to the secondary DNS IP for every second DNS request. This way your users will only use the DNS Primary IP and if this DC goes down it will use the DNS Secondary IP which points to the DC in your primary site."

Hmmm.  So you're suggesting:

Primary DNS - Another DNS server inside the specific site
Secondary DNS - Another DNS server from the primary site
Tertiary DNS - 127.0.0.1 (I add this part because MS suggests making 127.0.0.1 the secondary or tertiary DNS server)

4) Preferred Bridgehead server - wow, good point.  I will definitely make sure that is NOT configured when I start cleaning up.

Thanks again for chiming in!

Author Comment

by:vrmanrtell
ID: 39592424
Hi Patricksr1972!

1) Definitely will be going purely KCC.  No more manual NTDS entries anymore!

2) I'm going to fix the current setup before trying anything fancier.  I'm going to stick to the MS best practices.

3) Robust for sure!  I've never worked somewhere that had such nice connections.

Thanks!
LVL 57

Expert Comment

by:Mike Kline
ID: 39592478
It doesn't change anything for now, but for instance you have a WestPalm to ATL link and vice versa.  You shouldn't need two.

You could also think about a hub and spoke, where there are site links between the hub and spoke sites.

Have you looked for old users and computers in your network? Not related, but another good project when you are starting.

Thanks

Mike
 
Author Comment

by:vrmanrtell
ID: 39592482
PREFERRED BRIDGEHEAD SERVER SETTINGS.

Spec01 (Will),

I have found that one server at each site is configured to be a preferred bridgehead server via IP.  Since KCC will follow that manual entry instead of choosing for itself, that means I should remove it once I get KCC up and running, right?

Example:

OOPS! Preferred bridgehead server is indeed set for some servers!!!
Good catch Will!!!!
 
Author Comment

by:vrmanrtell
ID: 39592486
OH! Almost forgot.  Since it's a mixed 2008/2003 environment, will that cause any issues with KCC?

-ginel
LVL 57

Expert Comment

by:Mike Kline
ID: 39592498
No, it won't cause any issues; by the way 2008 R2 has a lot of improvements for bridgehead server selection.

http://technet.microsoft.com/en-us/library/bridgehead_server_selection(v=ws.10).aspx

Thanks

Mike
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39592835
To answer the questions above, see below...
- Yes, for your site link it is a good idea to have these all in the same site link, which reduces complexity and the management is much easier as well.

- For DNS, yes, having each site use its local DC/DNS as the Primary IP and your Secondary IP can be used from your HQ or primary site. So in the event that your DC goes down your machines will be able to talk to the other DNS server over the WAN. You can have multiple DCs in each site to accommodate this, but in a situation where DCs at the site fail your users will still be able to query DNS, access shares, internet etc. If you are going to use this method I would recommend disabling Round Robin at the branch sites so that second requests do not go over the WAN.

What I have done in my environment which simplifies DNS even more is using an F5 load balancer and having 1 (VIP) IP per site that groups the DC/DNS servers into groups based on their geo location/site. I have outlined an example below. I have used 2 sites for simplicity...

Site 1 - 2 DC/DNS (roles are on same server)
- DC1 - 192.168.100.1
- DC2  - 192.168.100.2
- VIP - 192.168.100.3

Site 2 - 2 DC/DNS (roles are on same server)
- DC3 - 192.168.101.1
- DC4 - 192.168.101.2
- VIP - 192.168.101.3

So that being said clients in Site 1 would have the following IP addresses assigned to them
Primary DNS 192.168.100.3
Secondary DNS - 192.168.101.3

Clients in Site 2
Primary DNS 192.168.101.3
Secondary DNS 192.168.100.3

Basically what I have done is grouped the DCs in each site using the F5 Load Balancer with a VIP, which limits the amount of IPs you need to work with when using DNS. So 1 IP has now been set to load balance all of my DNS servers in 1 site with only 1 IP.

Same goes for site 2.

I then disable round robin within the DNS console as it is not needed anymore as F5 is doing the load balancing. In the event the VIP cannot contact any of the DNS servers in the site it will use the secondary IP (VIP) address (site 2) to get its DNS queries. This makes a DR scenario very flexible and easy from a management point of view.

Will.
 
Author Closing Comment

by:vrmanrtell
ID: 39633999
Thanks for the great advice guys!
 
Author Comment

by:vrmanrtell
ID: 39692497
I would like to update this question with more information that I found as I continued doing research.

I think that putting all the sites into one site and just letting it run as if all the sites were in fact one site is not such a good design decision.  When users log in, the subnet they are on is matched to the AD server at the site so authentication is done locally.

There is no way to lower the 15 minute replication time, however, there is a way to enable something called "Inter-site Change Notification".

This way, you can still group your servers using sites to keep authentication local, AND allow replication to occur over your domain immediately.  Here is the documentation:

http://blogs.msdn.com/b/canberrapfe/archive/2012/03/26/active-directory-replication-change-notification-amp-you.aspx
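An added example (not from the thread or the linked post) showing how the change-notification setting described above is stored: it is bit 0x1 of the site link's options attribute, so it is enabled per site link and the other option bits must be preserved. It assumes the ActiveDirectory module; the site link name ATL-SD is a placeholder taken from the thread.

```powershell
# Added example (not from the thread). Enables inter-site change notification on one
# site link in the IP transport. Requires the ActiveDirectory module and rights to
# modify the site link object in CN=Configuration.
Import-Module ActiveDirectory

$siteLinkName = 'ATL-SD'   # placeholder: substitute your own site link name
$configNC     = (Get-ADRootDSE).configurationNamingContext
$link = Get-ADObject -Identity "CN=$siteLinkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" `
                     -Properties options, cost, replInterval, siteList

# siteLink.options bits: 0x1 = NTDSSITELINK_OPT_USE_NOTIFY (change notification),
# 0x2 = NTDSSITELINK_OPT_TWOWAY_SYNC, 0x4 = NTDSSITELINK_OPT_DISABLE_COMPRESSION.
# OR the bit in rather than overwriting the attribute so the other flags survive.
$current = [int]($link.options)
"Site link $siteLinkName : cost=$($link.cost) interval=$($link.replInterval) min, " +
    "notify=$([bool]($current -band 0x1))"

if (-not ($current -band 0x1)) {
    $new = $current -bor 0x1
    Set-ADObject -Identity $link -Replace @{ options = $new }
    "Enabled change notification on $siteLinkName (options now $new)."
}

# Cost and schedule still apply; notification only removes the wait for the next
# replInterval. These are the sites the link joins:
$link.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
```

Note that enabling notification on the site link with the branch links in it sends every change over the WAN immediately, which is the trade-off the linked post discusses.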
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39692627
I think you misunderstood what I had said originally.

If you have 2 sites (for simplicity), Site A 192.168.100.x and Site B 192.168.1.x, these are individual sites themselves which are associated with subnets that will authenticate machines from the respective sites.

Creating 1 "Site Link" for Inter-Site replication is what I am talking about. You would then add both Site A and Site B to the Site Link. This is used so that AD changes can be synced/replicated to both Sites when changes are made.

Will.