Simon336697

asked on

Best practices on Active Directory site design

Dear everyone,

I hope you all have a great festive season and great new year.

We are looking at determining what others do in terms of best practices for their AD sites.

Do you guys let the KCC handle your replication topology?

Do you guys configure site costs for each site link?

Any help greatly appreciated.
Mike Kline
Just to follow up on bridgeheads, there are also improvements in 2008 R2 for workload distribution

http://technet.microsoft.com/en-us/library/bridgehead_server_selection(v=ws.10).aspx

Many smaller shops won't even notice it but this is a good improvement for larger ADs.

Thanks

Mike
Simon336697

ASKER

Hi guys, thanks so much for your insight here.
Can I just verify - do you configure a site cost for each of your links?
We have a complex network topology - 3 main Datacenters globally (hubs) with around 80 branch sites that radiate out from the hubs. We have a variety of link types and speeds. I thought that if you just left the site costs at the default, then the KCC is left to figure out the best path. My understanding was that you are better off mapping the physical topology to your site (logical) topology and in so doing, differentiate between sites that are slower (e.g. slow link speeds) as opposed to faster.
You then assign a lower cost to the faster links so that they become the preferred path in case of failover for example. Is this flawed logic?

What you have stated above is correct. If you have slower links you can create new Site Links and provide a cost to them. The KCC takes those costs into consideration and creates the connections automatically. At least when you are using the KCC it will re-calculate if a DC is not reachable.

When designing AD structures I typically like to keep it as simplistic as possible, so that when you do run into replication issues or delays etc., it is much easier to find and resolve the issue.

As for the physical to logical mapping, I would not recommend this model because the management of DCs can get out of hand if you have several physical sites. For example, we have about 200 remote facilities and we have 10 logical AD sites. We have site resiliency in each site with multiple domain controllers and have carved out subnets (physical sites) that are associated to AD sites (logical).

Another reason why you would not want to have DCs at every site is that a DC for a small office would be overkill. You can use a RO-DC but then you still have hardware and OS costs to take into account. This is where you can utilize Hub sites to authenticate etc.

Will.

Hi Will.
Thanks so much for this.
We too do not put a DC at every physical location. We have most sites that are geographically located closest to one of 3 Datacenters (one in Europe, AsiaPac, Americas) added as a subnet to that Datacenter's AD site, instead of creating an AD site for every physical branch location.
What I would love clarity on now is the following: this is what I'm recommending to our company.
1) Do not manually configure connection objects - let the KCC work this out
2) DO configure site costs for each site link.
Tier site links into 3 categories:
1/ fastest - Datacenter to datacenter site links - assign a site cost of 25
2/ medium - datacenter to mini hub site links - site cost of 50
3/ slowest - Datacenter to branch site links - site cost of 75
This will ensure that replication and AD traffic follows the optimum route.

Question. Will, does this look ok?
Will the KCC look at the configured site costs we assign, and abide by this, and can it reroute if this path is not reachable?
Do you see what we are trying to do, and is this worth the initial effort as opposed to not doing anything with site cost (in this case, if all site links have the same default site cost, then how can we be sure that the path the KCC has chosen is the best route, and always that best route? Wouldn't it be unpredictable?) and what ongoing effort is involved?
Thanks everyone and sorry for the delay.
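
A simplified model of the cost question discussed in this thread, as an added example that is not part of the original posts and is not the KCC's actual algorithm: it treats site links as bridged, sums link costs along a route, and returns every least-cost route so ties are visible. Site names and the mini hub to branch link are constructed; the 25/50/75 values are the tiers proposed above and 100 is the default site link cost.

```python
import heapq

DEFAULT_COST = 100  # cost a site link has when nobody sets one

# Constructed topology: site names are hypothetical, costs follow the 25/50/75 tiers.
LINKS = {
    ("DC-EU", "DC-AM"): 25, ("DC-EU", "DC-AP"): 25, ("DC-AM", "DC-AP"): 25,
    ("DC-EU", "HUB-1"): 50,   # datacenter to mini hub
    ("DC-AP", "BR-1"): 75,    # datacenter to branch
    ("HUB-1", "BR-1"): 75,    # assumption: mini hub to branch uses the branch tier
}

def least_cost_routes(links, src, dst, down=()):
    """Return (total_cost, all least-cost paths) from src to dst.

    Simplified model: site links are bridged (transitive), a route costs the
    sum of its links, and links listed in `down` are unavailable.
    """
    adj = {}
    for (a, b), cost in links.items():
        if (a, b) in down or (b, a) in down:
            continue
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best, preds, heap = {src: 0}, {src: []}, [(0, src)]
    while heap:  # Dijkstra, keeping every equal-cost predecessor
        dist, site = heapq.heappop(heap)
        if dist > best[site]:
            continue
        for nxt, cost in adj.get(site, []):
            total = dist + cost
            if total < best.get(nxt, float("inf")):
                best[nxt], preds[nxt] = total, [site]
                heapq.heappush(heap, (total, nxt))
            elif total == best[nxt]:
                preds[nxt].append(site)
    if dst not in best:
        return None, []

    def expand(site):
        if site == src:
            return [[src]]
        return [path + [site] for prev in preds[site] for path in expand(prev)]

    return best[dst], sorted(expand(dst))

if __name__ == "__main__":
    flat = {link: DEFAULT_COST for link in LINKS}
    print("default :", least_cost_routes(flat, "BR-1", "DC-EU"))
    print("tiered  :", least_cost_routes(LINKS, "BR-1", "DC-EU"))
    print("failover:", least_cost_routes(LINKS, "BR-1", "DC-EU", down={("DC-AP", "BR-1")}))
```

In this model, leaving every link at the default makes the two routes from the branch tie at 200, the tiered costs leave a single route at 100, and taking that route's branch link down shifts the result to the mini hub route at 125.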