Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Domain site configuration

Posted on 2014-04-29
1
Medium Priority
?
181 Views
Last Modified: 2014-05-28
Hi all,

Ive never been quite sure whether my domain has the correct or optimal site configuration. My infrastructure consists of the following:

2003 domain with 2008 DC's

Site1: contain 70% servers has 2 domain controller. Contains all FSMO roles
Site2: Datacenter - no users. Termination of VPN users and main connection for or MPLS networks for WAN

Site3: Germany. 2008DC and Users
Site4: France. 2008 DC and users

Basically when I setup a domain controlelr on another site it will automatically create the site connection to Site2 as that is the closet DC it will find on the MPLS network.

The problem with this it seem to create an extra step as most of our servers are Site1. So it a user changes a password on a remote site (site3) it has to replicate to site 2 before it then replicates to site1. For example this causes lots of problems when logging onto citrix servers in site1.

I have left the default setting within sites and services for replicating once every hour and all connections are automatically generated. Is it best practice to change these?
0
Comment
Question by:Matt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 25

Accepted Solution

by:
Coralon earned 1500 total points
ID: 40031154
A lot depends on your connectivity between the sites.  With only 4, you could reasonably do a fully meshed network.  The KCC will generally create a pretty good layout for most people.

Now, that being said, you do need to assign appropriate costs to your site links, and you should absolutely have a DC in every site.   (Remember, by MS terminology, a site is a group of well connected networks).  IF you don't have a DC at a location, then it should belong to another site. So, with your description, you should have 3 sites currently.  

If your connections are best to the datacenter (despite the MPLS), then I'd put a couple of DC's in your data center, and move your FSMO roles there (with the normal 3/2 split for the roles).  Then, I would go with a hub & spoke architecture.  You will want to 'elect' one of your DataCenter DC's as the 'primary' DNS (the one with the PDC emulator on it).  You will point that DC at itself only for DNS.  All of the other DC's will point to that 'primary' DC for their own DNS, and then themselves as a secondary.  

Your password changes should replicate immediately to the PDC emulator (which is why you want to move that to the DataCenter (assuming that is where your Citrix servers are),  that way they all happen immediately).  If your links would allow it, I'd drop your replication cycle time as much as you *reasonably* can..  If you have the bandwidth, you could go to the minimum of 15 minutes.. but that may be too aggressive.  

Now, your KCC should figure it out if you cost it out correctly, but if not, you could override it.
Let's call it like this:
SiteA - Datacenter
SiteB - HQ
SiteC - France
SiteD - Germany

Then, I'd put your link costs something like this:
A-B - 20
A-C - 20
A-D - 20
B-C - 50
B-D - 50
C-D - 40
(All based on your HQ & Datacenter being in the same country and having the best (lowest) latency).

That should really do it for you.. Now - making all these changes will be disruptive obviously, and you'll have to give it time to settle down.  So, given that, I'd start on a Friday night of a 3 day weekend (for all of your sites) if you can.  Get the settings out there, and wait :-)

Coralon
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question