vrmanrtell
Active Directory Sites and Services / Domain Replication across Branch offices

I've just started working at a new place and noticed their intersite domain replication is all over the place.  So dig dig dig.  It's turned into my first project here.  NO PRESSURE!!  haha :) So pretty much I need to clean everything up and redesign all of it.  It's a mixed 2003/2008 R2 environment.

The MS 2008 Branch Office Guide documentation is lacking...

http://www.microsoft.com/en-us/download/details.aspx?id=22199

The 2003 Branch Office Guide is awesome but outdated.

http://www.microsoft.com/en-us/download/details.aspx?id=5838

Here is a Visio I created trying to figure out how to detangle how things are set up.  All sites are connected via a 10mbps MPLS VPN line.  As you can see DNS is all over the place too.  I'm hoping for some advice on how to set that up also.

After running AD best practices analyzer I found that KCC was turned off at one site, WESTPALM.  Amazed this even works without KCC.  For anyone who doesn't know what KCC does:

DEFINITION: KCC reviews and makes modifications to the Active Directory replication topology every 15 minutes to ensure propagation of data, either directly or transitively, by creating and deleting connection objects as needed. The KCC recognizes changes that occur in the environment and ensures that domain controllers are not orphaned in the replication topology.

Here is what my bridgeheads look like.  Notice, WESTPALM is not listed!

Here is what Intersite Transports IP looks like

Here is what my NTDS settings look like

OK!

1) What's going to happen when I turn KCC back on?  Think it will cause any issues?

2) Suggestions on how to set up this network.  WestPalm and Atlanta are equally important.  I believe I'm looking to set up a HYBRID setup.  I'm looking for a LOT of redundancy between the sites (but not going overboard)

3) How should I handle DNS?  suggestions?  I'm looking for a LOT of redundancy between the sites. (but not going overboard)
Hi,

Let me say this is a wet-dream setup, very cool to swim in a pond like this.
That being said.
1) KCC is a mechanism that creates connection objects automatically. If it is not done automatically someone before you has configured it manually, that's no problem.
From the Inter-Site-Transports---NTDS we see 8 sites are configured to sync with West-Palm,
meaning the connection objects are there. Turning on KCC would IMHO not change anything since the connection objects are there already. Not sure what the reason could be to turn KCC down and handle configuration by hand. (maybe KCC was off judging)
Note: I have heard of and seen Hybrid configurations for Exchange, not sure how you see it implemented with DNS)

2) The setup looks very robust. You might consider to:
(Since I do not have a map in front of me displaying the USA) I would say replicate to major site(s) from S051 and have them replicate to the nearest sites to them. This also depends on the quality of interconnectivity (cost). Nice puzzle!!

Example: 50% primarily replicates to/from S051 (and sec. to S061) and 50% primarily to/from S061 (and sec. to S051). A third DNS server can be configured for extra failover.
This divides the DNS load for S051 in half. (ok I am generalising, it depends on inter-office size and DNS activity/chances)

3) Keep the main streams as they are, they look robust and redundant.

Hope this helps (just) a little.
vrmanrtell

ASKER

Hey there Mike!  

Thanks for the kind words.  I'm being as careful as possible.  I do NOT want to make any mistakes....

OK!

1) "If you turn on the KCC then it will create the connection objects for you."

This is what I was planning on.  Once those connection objects are created, can I safely delete the hand created ones?  I was planning on doing the deletions for the sites one at a time and see if things stay stable.  

Question: I know that KCC creates objects under NTDS as <automatically-generated> but what about the objects under Inter-Site Transports -> IP.  Are those manually created (I'm guessing those entries are what KCC uses to make its decisions)?  Do they always have to be manually created every time a new site comes online?  Will anything break if I just change the name of the site link (from CLT-SD to ATL-SD)?

2) "Would you consider WestPalm or Atlanta a "hub" or HQ?"

I would consider WestPalm the HQ and Atlanta the hub in this case.  Does this change anything?

3) "Why do some of the DCs have two IP addresses?"

I know right?! MS considers those servers multi-homed when they're configured like that. DCs and multihomed = no good!  That was another portion of the clean up I was planning on doing.  Is there anything you think I should be aware of when removing those 2nd IP addresses?  Only thing I can think of is making sure DNS only shows the primary IP address and removing the 2nd one if they are still in DNS.

4) "For DNS point them to another DC/DNS in their own site for primary and itself for secondary.  More on that with this question I helped with"

I have to wonder if they are talking about DNS servers within one site.  Wouldn't it be better to set them up this way for a multisite environment?  P.S.  That link was a great read!

Primary - Another DNS server inside the specific site
Secondary - Another DNS server outside (maybe inside?) the site
Tertiary - 127.0.0.1

5) "Do you currently have any replication issues (test with repadmin or the AD replication status tool)"

Nope! No replication issues at all!!  It's just messy as hell.  I ran that MS Active Directory Topology Diagrammer and there are lines everywhere :)  http://www.microsoft.com/en-us/download/details.aspx?id=13380

Thanks!!!
-G
Hi Spec01! (Will),

thanks for chiming in!

1) Totally agreed about KCC.  I'm definitely going to set them up that way.

2) "Typically it is a good practice to have all of your sites to the same site link"

Wait.  Do you mean under Sites and Services -> Inter-site Transports -> IP -> Create ONE site link and add all the sites into that site link?  I read about that somewhere in a MS article.  (losing track of what I read where at this point).  What do you think Mike?

3) "For DNS, what I would recommend is having each site use a local DC/DNS for resolution and use the secondary DNS entry from a DC/DNS server in the primary site. With that said, it would be recommended to disable round robin DNS at your branch offices as it will send queries to the secondary DNS IP for every second DNS request. This way your users will only use the DNS Primary IP and if this DC goes down it will use the DNS Secondary IP which points to the DC in your primary site."

Hmmm.  So you're suggesting:

Primary DNS - Another DNS server inside the specific site
Secondary DNS - Another DNS server from the primary site
Tertiary DNS - 127.0.0.1 (I add this part because MS suggests making 127.0.0.1 the secondary or tertiary DNS server)

4) Preferred Bridgehead server - wow, good point.  I will definitely make sure that is NOT configured when I start cleaning up.

Thanks again for chiming in!
Hi Patricksr1972!

1) Definitely will be going purely KCC.  no more manual NTDS entries anymore!

2) I'm going to fix the current setup before trying anything fancier.  I'm going to stick to the MS best practices.  

3) Robust for sure!  I've never worked somewhere that had such nice connections.

thanks!
It doesn't change anything for now, but for instance you have a WestPalm to ATL link and vice versa.  You shouldn't need two.  

You could also think about a hub and spoke  where there are site links between hub and spoke sites.

Have you looked for old users and computers in your network...not related but another good project when you are starting.

Thanks

Mike
PREFERRED BRIDGEHEAD SERVER SETTINGS.

Spec01 (Will),

I have found that one server at each site is configured to be a preferred bridgehead server via IP.  Since KCC will follow that manual entry instead of choosing for itself, that means I should remove it once I get KCC up and running, right?

Example:

Good catch Will!!!!
OH! Almost forgot.  Since it's a mixed 2008/2003 environment, will that cause any issues with KCC?

-ginel
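The two hand-made settings the thread has been chasing, a site with the KCC switched off and servers pinned as preferred bridgeheads, both live in the configuration partition and can be listed in one pass. This is an added audit script, not code from the thread; it assumes the ActiveDirectory PowerShell module and an account that can read the configuration naming context.

```powershell
# Added example (not from the thread): list sites whose NTDS Site Settings have
# automatic topology generation disabled, and servers marked as preferred bridgeheads.
# Assumes the ActiveDirectory module; run from any domain-joined admin workstation.
Import-Module ActiveDirectory

# Bit values of the nTDSSiteSettings 'options' attribute.
$IS_AUTO_TOPOLOGY_DISABLED            = 0x1   # intra-site KCC off
$IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED = 0x10  # inter-site topology generation (ISTG) off

function Get-KccState {
    $sitesDN = "CN=Sites," + (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties options |
    ForEach-Object {
        $opts = [int]$_.options   # attribute is empty when never set; [int]$null is 0
        [pscustomobject]@{
            Site            = ($_.DistinguishedName -split ',')[1] -replace '^CN='
            IntraSiteKccOff = [bool]($opts -band $IS_AUTO_TOPOLOGY_DISABLED)
            InterSiteKccOff = [bool]($opts -band $IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED)
        }
    }
}

function Get-PreferredBridgehead {
    $sitesDN = "CN=Sites," + (Get-ADRootDSE).configurationNamingContext
    # A server object is a preferred bridgehead only when bridgeheadTransportList is populated.
    Get-ADObject -SearchBase $sitesDN -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' `
        -Properties bridgeheadTransportList |
    ForEach-Object {
        $srv = $_
        [pscustomobject]@{
            Server    = $srv.Name
            Site      = ($srv.DistinguishedName -split ',')[2] -replace '^CN='
            Transport = ($srv.bridgeheadTransportList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ','
            DN        = $srv.DistinguishedName
        }
    }
}

"Sites with the KCC switched off:"
Get-KccState | Where-Object { $_.IntraSiteKccOff -or $_.InterSiteKccOff } | Format-Table -AutoSize

"Preferred bridgehead servers (clear one with: Set-ADObject -Identity <DN> -Clear bridgeheadTransportList):"
Get-PreferredBridgehead | Format-Table -AutoSize
```

Re-run the first query after re-enabling the KCC in Sites and Services to confirm both bits read False for every site before deleting the hand-made connection objects.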
No it won't cause any issues, by the way 2008 R2 has a lot of improvements for Bridgehead Server Selection.

http://technet.microsoft.com/en-us/library/bridgehead_server_selection(v=ws.10).aspx

Thanks

Mike
To answer the questions above see below...
- Yes, for your default site link it is a good idea to have these all in the same site link, which reduces complexity and the management is much easier as well.

- For DNS yes, having each site use its local DC/DNS as the Primary IP and your Secondary IP can be used from your HQ or primary site. So in the event that your DC goes down your machines will be able to talk to the other DNS server over the WAN. You can have multiple DCs in each site to accommodate this but in a situation where DCs at the site fail your users will still be able to query DNS, access shares, internet etc. If you are going to use this method I would recommend disabling Round Robin at the branch sites so that second requests do not go over the WAN.

What I have done in my environment which simplifies DNS even more is using an F5 load balancer and have 1 VIP IP per site that groups the DC/DNS servers into groups based on their geo location/site. I have outlined an example below. I have used 2 sites for simplicity...

Site 1 - 2 DC/DNS (roles are on same server)
- DC1 - 192.168.100.1
- DC2  - 192.168.100.2
- VIP - 192.168.100.3

Site 2 - 2 DC/DNS (roles are on same server)
- DC3 - 192.168.101.1
- DC4 - 192.168.101.2
- VIP - 192.168.101.3

So that being said clients in Site 1 would have the following IP addresses assigned to them
Primary DNS 192.168.100.3
Secondary DNS - 192.168.101.3

Clients in Site 2
Primary DNS 192.168.101.3
Secondary DNS 192.168.100.3

Basically what I have done is grouped the DCs in each site using the F5 Load Balancer using a VIP, which limits the amount of IPs you need to work with when using DNS. So 1 IP has now been set to load balance all of my DNS servers in 1 site with only 1 IP.

Same goes for site 2.

I then disable round robin within the DNS console as it is not needed anymore since F5 is doing the load balancing. In the event the VIP can not contact any of the DNS servers in the site it will use the secondary IP (VIP) address (site 2) to get its DNS queries. This makes a DR scenario very flexible and easy from a management point of view.

Will.
Thanks for the great advice guys!
I would like to update this question with more information that I found as I continued doing research.

I think that putting all the sites into one site and just letting it run as if all the sites were in fact one site is not such a good design decision.  When users login, the subnet they are on is matched to the AD server at the site so authentication is done locally.

There is no way to lower the 15 minute replication time, however, there is a way to enable something called  “Inter-site Change Notification”

This way, you can still group your servers using sites to keep authentication local, AND allow replication to occur over your domain immediately.  Here is the documentation:

http://blogs.msdn.com/b/canberrapfe/archive/2012/03/26/active-directory-replication-change-notification-amp-you.aspx
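The change-notification setting described in the update above is a bit in the site link's options attribute, so it can be inspected and enabled from PowerShell. This is an added example, not code from the post or the linked article; the site link name ATL-WPB is a placeholder, and the script assumes the ActiveDirectory module and rights to write the configuration partition.

```powershell
# Added example (not from the thread): report which IP site links already replicate on
# change, then set the USE_NOTIFY bit on one of them. 'ATL-WPB' is a placeholder name.
Import-Module ActiveDirectory

$USE_NOTIFY = 0x1   # siteLink 'options' bit: replicate on change, not only on the schedule

function Get-SiteLinkNotificationState {
    $ipDN = "CN=IP,CN=Inter-Site Transports,CN=Sites," + (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $ipDN -LDAPFilter '(objectClass=siteLink)' -Properties options, replInterval, cost |
    ForEach-Object {
        [pscustomobject]@{
            SiteLink        = $_.Name
            Cost            = $_.cost
            IntervalMinutes = $_.replInterval
            ChangeNotify    = [bool]([int]$_.options -band $USE_NOTIFY)
        }
    }
}

function Enable-SiteLinkChangeNotification {
    param([Parameter(Mandatory)][string]$SiteLinkName, [switch]$WhatIf)
    $linkDN  = "CN=$SiteLinkName,CN=IP,CN=Inter-Site Transports,CN=Sites," + (Get-ADRootDSE).configurationNamingContext
    $link    = Get-ADObject -Identity $linkDN -Properties options
    $current = [int]$link.options
    if ($current -band $USE_NOTIFY) {
        Write-Output "${SiteLinkName}: change notification already enabled (options=$current)"
        return
    }
    # OR the bit in so any other flags already set on the link are preserved.
    $new = $current -bor $USE_NOTIFY
    Set-ADObject -Identity $linkDN -Replace @{ options = $new } -WhatIf:$WhatIf
    Write-Output "${SiteLinkName}: options $current -> $new"
}

Get-SiteLinkNotificationState | Format-Table -AutoSize
Enable-SiteLinkChangeNotification -SiteLinkName 'ATL-WPB' -WhatIf   # drop -WhatIf to apply
```

Sites stay separate for logon and subnet matching; only the replication trigger on that link changes, and the schedule and interval still apply as a fallback.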
I think you misunderstood what I had said originally.

If you have 2 sites (for simplicity) Site A 192.168.100.x and Site B 192.168.1.x, these are individual sites themselves which are associated with subnets that will authenticate machines from the respective sites.

Creating 1 "Site Link" for Inter-Site replication is what I am talking about. You would then add both Site A and Site B to the Site Link. This is used so that AD changes can be synced/replicated to both Sites when changes are made.

Will.