asked on Active Directory Inter-Site Replication Recommendations Needed
I have attached a generic diagram of what these sites look like now. My intent is to optimize the replication based on cutting down unnecessary traffic and setting up site-links/costs based on WAN links. As you will see some of these settings were customized, and without much (or any) documentation I am trying to analyze "why" and make changes accordingly.
As you can see some servers were set as bridgeheads and that is a concern, esp as the MainSite. From what I know this puts all the "replication eggs" in one basket for this site and that probably isn't good. I am thinking of setting at least 1 or two more DCs here to be bridgeheads. I'm not sure any of the other sites need their servers set to bridgeheads as they all have single DCs.
There are site links for: Site4 to MainSite (includes all sites but Site2), Site4 to Site3 (includes all but Site2), Site5 to Site4 (all but Site2), Mainsite to Site4 (all but Site2), MainSite to Site6 (all sites), MainSite to Site5 (all but Site2), Mainsite to Site3 (all but Site2). All these links use the default 100/15 cost/repl interval with the exception of "MainSite to Site6" which uses 120/180. This does have the slowest WAN link and is geographically the furthest. "Bridge all site links" is enabled but I would like to disable this and potentially set this up manually.
Based on this info, how would you go about optimizing these site links/bridging as well well as bridgehead placement? Should we go with making 2 more DCs bridgeheads at "Mainsite", maybe bring up another DC at DRsite and have Site2-6 replicate with only that and MainSite only with DRsite? Thoughts?
AD-Sites-Repl-Generic.pdf
As you can see some servers were set as bridgeheads and that is a concern, esp as the MainSite. From what I know this puts all the "replication eggs" in one basket for this site and that probably isn't good. I am thinking of setting at least 1 or two more DCs here to be bridgeheads. I'm not sure any of the other sites need their servers set to bridgeheads as they all have single DCs.
There are site links for: Site4 to MainSite (includes all sites but Site2), Site4 to Site3 (includes all but Site2), Site5 to Site4 (all but Site2), Mainsite to Site4 (all but Site2), MainSite to Site6 (all sites), MainSite to Site5 (all but Site2), Mainsite to Site3 (all but Site2). All these links use the default 100/15 cost/repl interval with the exception of "MainSite to Site6" which uses 120/180. This does have the slowest WAN link and is geographically the furthest. "Bridge all site links" is enabled but I would like to disable this and potentially set this up manually.
Based on this info, how would you go about optimizing these site links/bridging as well well as bridgehead placement? Should we go with making 2 more DCs bridgeheads at "Mainsite", maybe bring up another DC at DRsite and have Site2-6 replicate with only that and MainSite only with DRsite? Thoughts?
AD-Sites-Repl-Generic.pdf
Active DirectoryInternet ProtocolsWindows Server 2008
Last Comment
Mahesh
ASKER
The DCs are at least 2008, and we will be trying to go to a 2008 R2 forest functional level soon (currently the domain level is 2008 but forest 2003). Each site can talk to MainSite. I've been told of some lag between MainSite and DRsite; repadmin testing shows everything is ok but I want to do more close monitoring. The ntds.dit is 245MB on MainSiteDC1
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks for the responses. Do you have any documentation that gives guidance on "users per DC"? 10k users per DC seems like ALOT. I have heard anywhere from 100 per DC and up...also will be looking into possibly putting 2nd DCs at branch offices but supposedly the way the WAN is setup (MPLS) user would just authenticate against another branch's DC if the single-DC is unavailable.
I def will be taking the manual bridgehead settings off and going to get the DCs all up to 2008 R2- from what Microsoft says R2 has a new-improved optimization for load balancing of replication. After that the plan will be to redesign the site links so each link contains a branch office , MainSite and DRSite. MAY consider doing only branch-Mainsite and possible a lower cost repl from MainSite to DR. In addition I think we at least initially want to set one of our lower WAN speed-geographically further set to replicate LATE as a "lag site" which gives redundancy in case of some kind of catastrophic AD event. At least until we get the AD Recycle Bin with 2008 R2 forest functional.
Now I am testing the PowerShell scripting of removing/adding SiteLinks so that I can do it quickly without having to clunk through the Sites& Services GUI. Also gives me the option to quickly fail back to the previous configuration.
I def will be taking the manual bridgehead settings off and going to get the DCs all up to 2008 R2- from what Microsoft says R2 has a new-improved optimization for load balancing of replication. After that the plan will be to redesign the site links so each link contains a branch office , MainSite and DRSite. MAY consider doing only branch-Mainsite and possible a lower cost repl from MainSite to DR. In addition I think we at least initially want to set one of our lower WAN speed-geographically further set to replicate LATE as a "lag site" which gives redundancy in case of some kind of catastrophic AD event. At least until we get the AD Recycle Bin with 2008 R2 forest functional.
Now I am testing the PowerShell scripting of removing/adding SiteLinks so that I can do it quickly without having to clunk through the Sites& Services GUI. Also gives me the option to quickly fail back to the previous configuration.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks for that. My team also needs to consider that in addition to users there are a plethora of devices and web apps that authenticate against AD all day which I need to get a handle on how to measure. Going to run some perf mons on AD on one of the DCs to get a better look.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Here is my latest design (attached) , it only has the proposed site links and and site link bridges. I'd set the cost lower on the 100MB link and higher on the slower links; each site link bridge includes the site link plus the link to the DR site. I'm still toying with the idea of keeping the transitivity between all the sites but perhaps this will reduce the repl traffic by only having it go from the satellite to the hub and then bridging that link with the DR site link for redundancy. thoughts?
Generic-Hub-Spoke-Link-Bridges.pdf
Generic-Hub-Spoke-Link-Bridges.pdf
That does look cleaner than the original one you had posted. I would still also include additional DC's in each respective site as well for redundancy.
Will.
Will.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
All very good recommendations. I still would feel more comfortable having at least once DC in each of these branch offices as they have up to couple of hundred users each (local and satellite VPN'd ) and don't want to rely solely on the WAN link across the country.
Does anyone know what repadmin command or powershell script I can run that will force synchronization between sites? the /syncall will only replicates DCs in the site itself apparently...
Does anyone know what repadmin command or powershell script I can run that will force synchronization between sites? the /syncall will only replicates DCs in the site itself apparently...
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Are you currently having any replication problems?
How big is your AD?
Thanks
Mike