Domain site configuration

Posted on 2014-04-29
Medium Priority
Last Modified: 2014-05-28
Hi all,

Ive never been quite sure whether my domain has the correct or optimal site configuration. My infrastructure consists of the following:

2003 domain with 2008 DC's

Site1: contain 70% servers has 2 domain controller. Contains all FSMO roles
Site2: Datacenter - no users. Termination of VPN users and main connection for or MPLS networks for WAN

Site3: Germany. 2008DC and Users
Site4: France. 2008 DC and users

Basically when I setup a domain controlelr on another site it will automatically create the site connection to Site2 as that is the closet DC it will find on the MPLS network.

The problem with this it seem to create an extra step as most of our servers are Site1. So it a user changes a password on a remote site (site3) it has to replicate to site 2 before it then replicates to site1. For example this causes lots of problems when logging onto citrix servers in site1.

I have left the default setting within sites and services for replicating once every hour and all connections are automatically generated. Is it best practice to change these?
Question by:Matt
1 Comment
LVL 25

Accepted Solution

Coralon earned 1500 total points
ID: 40031154
A lot depends on your connectivity between the sites.  With only 4, you could reasonably do a fully meshed network.  The KCC will generally create a pretty good layout for most people.

Now, that being said, you do need to assign appropriate costs to your site links, and you should absolutely have a DC in every site.   (Remember, by MS terminology, a site is a group of well connected networks).  IF you don't have a DC at a location, then it should belong to another site. So, with your description, you should have 3 sites currently.  

If your connections are best to the datacenter (despite the MPLS), then I'd put a couple of DC's in your data center, and move your FSMO roles there (with the normal 3/2 split for the roles).  Then, I would go with a hub & spoke architecture.  You will want to 'elect' one of your DataCenter DC's as the 'primary' DNS (the one with the PDC emulator on it).  You will point that DC at itself only for DNS.  All of the other DC's will point to that 'primary' DC for their own DNS, and then themselves as a secondary.  

Your password changes should replicate immediately to the PDC emulator (which is why you want to move that to the DataCenter (assuming that is where your Citrix servers are),  that way they all happen immediately).  If your links would allow it, I'd drop your replication cycle time as much as you *reasonably* can..  If you have the bandwidth, you could go to the minimum of 15 minutes.. but that may be too aggressive.  

Now, your KCC should figure it out if you cost it out correctly, but if not, you could override it.
Let's call it like this:
SiteA - Datacenter
SiteB - HQ
SiteC - France
SiteD - Germany

Then, I'd put your link costs something like this:
A-B - 20
A-C - 20
A-D - 20
B-C - 50
B-D - 50
C-D - 40
(All based on your HQ & Datacenter being in the same country and having the best (lowest) latency).

That should really do it for you.. Now - making all these changes will be disruptive obviously, and you'll have to give it time to settle down.  So, given that, I'd start on a Friday night of a 3 day weekend (for all of your sites) if you can.  Get the settings out there, and wait :-)


Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question