Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 185
  • Last Modified:

Domain site configuration

Hi all,

Ive never been quite sure whether my domain has the correct or optimal site configuration. My infrastructure consists of the following:

2003 domain with 2008 DC's

Site1: contain 70% servers has 2 domain controller. Contains all FSMO roles
Site2: Datacenter - no users. Termination of VPN users and main connection for or MPLS networks for WAN

Site3: Germany. 2008DC and Users
Site4: France. 2008 DC and users

Basically when I setup a domain controlelr on another site it will automatically create the site connection to Site2 as that is the closet DC it will find on the MPLS network.

The problem with this it seem to create an extra step as most of our servers are Site1. So it a user changes a password on a remote site (site3) it has to replicate to site 2 before it then replicates to site1. For example this causes lots of problems when logging onto citrix servers in site1.

I have left the default setting within sites and services for replicating once every hour and all connections are automatically generated. Is it best practice to change these?
0
Matt
Asked:
Matt
1 Solution
 
CoralonCommented:
A lot depends on your connectivity between the sites.  With only 4, you could reasonably do a fully meshed network.  The KCC will generally create a pretty good layout for most people.

Now, that being said, you do need to assign appropriate costs to your site links, and you should absolutely have a DC in every site.   (Remember, by MS terminology, a site is a group of well connected networks).  IF you don't have a DC at a location, then it should belong to another site. So, with your description, you should have 3 sites currently.  

If your connections are best to the datacenter (despite the MPLS), then I'd put a couple of DC's in your data center, and move your FSMO roles there (with the normal 3/2 split for the roles).  Then, I would go with a hub & spoke architecture.  You will want to 'elect' one of your DataCenter DC's as the 'primary' DNS (the one with the PDC emulator on it).  You will point that DC at itself only for DNS.  All of the other DC's will point to that 'primary' DC for their own DNS, and then themselves as a secondary.  

Your password changes should replicate immediately to the PDC emulator (which is why you want to move that to the DataCenter (assuming that is where your Citrix servers are),  that way they all happen immediately).  If your links would allow it, I'd drop your replication cycle time as much as you *reasonably* can..  If you have the bandwidth, you could go to the minimum of 15 minutes.. but that may be too aggressive.  

Now, your KCC should figure it out if you cost it out correctly, but if not, you could override it.
Let's call it like this:
SiteA - Datacenter
SiteB - HQ
SiteC - France
SiteD - Germany

Then, I'd put your link costs something like this:
A-B - 20
A-C - 20
A-D - 20
B-C - 50
B-D - 50
C-D - 40
(All based on your HQ & Datacenter being in the same country and having the best (lowest) latency).

That should really do it for you.. Now - making all these changes will be disruptive obviously, and you'll have to give it time to settle down.  So, given that, I'd start on a Friday night of a 3 day weekend (for all of your sites) if you can.  Get the settings out there, and wait :-)

Coralon
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now