Solved

Domain site configuration

Posted on 2014-04-29
1
179 Views
Last Modified: 2014-05-28
Hi all,

Ive never been quite sure whether my domain has the correct or optimal site configuration. My infrastructure consists of the following:

2003 domain with 2008 DC's

Site1: contain 70% servers has 2 domain controller. Contains all FSMO roles
Site2: Datacenter - no users. Termination of VPN users and main connection for or MPLS networks for WAN

Site3: Germany. 2008DC and Users
Site4: France. 2008 DC and users

Basically when I setup a domain controlelr on another site it will automatically create the site connection to Site2 as that is the closet DC it will find on the MPLS network.

The problem with this it seem to create an extra step as most of our servers are Site1. So it a user changes a password on a remote site (site3) it has to replicate to site 2 before it then replicates to site1. For example this causes lots of problems when logging onto citrix servers in site1.

I have left the default setting within sites and services for replicating once every hour and all connections are automatically generated. Is it best practice to change these?
0
Comment
Question by:Matt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 25

Accepted Solution

by:
Coralon earned 500 total points
ID: 40031154
A lot depends on your connectivity between the sites.  With only 4, you could reasonably do a fully meshed network.  The KCC will generally create a pretty good layout for most people.

Now, that being said, you do need to assign appropriate costs to your site links, and you should absolutely have a DC in every site.   (Remember, by MS terminology, a site is a group of well connected networks).  IF you don't have a DC at a location, then it should belong to another site. So, with your description, you should have 3 sites currently.  

If your connections are best to the datacenter (despite the MPLS), then I'd put a couple of DC's in your data center, and move your FSMO roles there (with the normal 3/2 split for the roles).  Then, I would go with a hub & spoke architecture.  You will want to 'elect' one of your DataCenter DC's as the 'primary' DNS (the one with the PDC emulator on it).  You will point that DC at itself only for DNS.  All of the other DC's will point to that 'primary' DC for their own DNS, and then themselves as a secondary.  

Your password changes should replicate immediately to the PDC emulator (which is why you want to move that to the DataCenter (assuming that is where your Citrix servers are),  that way they all happen immediately).  If your links would allow it, I'd drop your replication cycle time as much as you *reasonably* can..  If you have the bandwidth, you could go to the minimum of 15 minutes.. but that may be too aggressive.  

Now, your KCC should figure it out if you cost it out correctly, but if not, you could override it.
Let's call it like this:
SiteA - Datacenter
SiteB - HQ
SiteC - France
SiteD - Germany

Then, I'd put your link costs something like this:
A-B - 20
A-C - 20
A-D - 20
B-C - 50
B-D - 50
C-D - 40
(All based on your HQ & Datacenter being in the same country and having the best (lowest) latency).

That should really do it for you.. Now - making all these changes will be disruptive obviously, and you'll have to give it time to settle down.  So, given that, I'd start on a Friday night of a 3 day weekend (for all of your sites) if you can.  Get the settings out there, and wait :-)

Coralon
0

Featured Post

Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question