Active Directory Site Replication – Changing connections

The answer to this question (or the resulting inquiries) may be way over my head, but here goes.

Existing configuration:

We currently have a main office and two remote offices. We have a Windows Server 2008 R2 (standard, not read-only) in each of the three offices. Each one of the servers is a DC. I am not sure this matters to the question at hand, but the main office contains a Citrix farm that all users in the remote offices address. Max 10 users in each remote office. (Yes, I know a DC in each remote office was probably not needed, but I tend to overbuild a little.)

Each office has its own pretty good (40 Mbps) broadband connection. In addition, each remote office has been connected to the main office by a dedicated point-to-point T1 connection for over 10 years.

The use of the point-to-point connections is gradually being phased out. We currently have a phone system that uses it, but our new system will not need dedicated point-to-point connections (or so I am told; we shall see). As soon as we have eliminated the network need for the point-to-point, the new phone system can be installed and tested. We will cancel the point-to-point connections as soon as we have a history of no longer needing them.

There is a SonicWall NSA 3500 in the main office and SonicWall 215s in the two remote offices.

Workstations in the remote offices connect to their local domain controllers which handle printing for that office and all Citrix connections use the broadband Internet connections.

Goal: Phase out point-to-point connections

These point-to-point connections are quite expensive each month and our goal is to eliminate them. But Active Directory replication between the sites takes place over the old point-to-point T1 connections.

Our plan:

Our thinking is to use the SonicWalls to create site-to-site VPNs between the main office and each of the remote offices and then do the Active Directory site replication using these VPN connections.

Our questions:

1. As stated, Active Directory replication between the main office and the two remote sites takes place over the old point-to-point T1 connections. We think we can set up the VPNs to replace those connections, but what is unclear is how we then force Active Directory site replication to use these new connections and stop using the old point-to-points. Is it even possible to do this while the point-to-point connections are still in place handling the old phone system?

2. Are there any settings or rules we need to consider on the SonicWall that will allow the site-to-site replication but not put extra burden on the VPNs with unneeded overhead traffic? We recognize this is somewhat open-ended, so we are just looking for some major do's and don'ts.

Thank you.

Will Szymkowski (Senior Solution Architect) commented:
Couple of things...

AD Sites and Services is only a logical representation of your network design. Meaning as long as each of the sites has connections between them (it does not matter what you use for your connections, i.e. MPLS, site-to-site VPN, etc.). As long as there is communication, AD Sites and Services does not care.

The question I have for you is: do your remote sites have connections between each other as well? Meaning if you have Site A (head office) and Site B and Site C (remote sites), is there communication between Sites B and C? Or do you only have connections from Site A to B and Site A to C?

If the above is true then you cannot add all of your sites to the same Default Site Link. You will need to create 2 site links one for Site A to Site B and one for Site A to Site C.

However, if you do have connections to all of the sites, where Site B and C can talk directly to each other, then configuration is easy: add them all to the same default site link.

I have also created a 2-part HowTo about understanding how Sites and Services work. I suggest you take a look at it, as I provide examples of how to configure them in different network configurations.

Other than that, you should not have to change anything in Sites and Services specifically if the network design will be the same.

SSBCC (Author) commented:
Thank you for the prompt response. To answer your question, we do not have a connection between Offices B and C. We have two site links (A to B and A to C) that currently use the two separate point-to-point circuits.

I will review the other information you provided and respond again soon.

Again, thanks.
Will Szymkowski (Senior Solution Architect) commented:
Review the second part of the HowTo, as I explain exactly how to configure AD Sites and Services when there are no physical connections between remote sites.


SSBCC (Author) commented:
I have reviewed the information and it really is an excellent overview of ADSS. Thank you, I needed that.

Well, when we look at our ADSS we wonder how or why our system has worked at all for these years. While we do use three distinct subnets for each of the three offices, our ADSS has no entries at all for Subnets.

What is really surprising is that even though we have three geographic locations, there is only one site under ADSS, called "Default-First-Site-Name." The DCs in all three locations are listed under the Servers section of that one site. All those servers are set to replicate to each other, even between the servers in the two remote offices that do not have a direct connection.

We hate to start recreating everything, so what we are going to try to do is (1) finish setting up the VPN (with backup help from SonicWall) and then (2) unplug the point-to-point circuits and see if we can get replication across the VPNs. Again, thank you.
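The hub-and-spoke layout Will describes (two site links, A to B and A to C, no B to C) and the single-site state SSBCC found (all three DCs in Default-First-Site-Name, no subnets) can be reconciled with the ActiveDirectory PowerShell module. This is an added example, not code from the thread or from Will's HowTo; the site names, subnets and DC names are assumed placeholders, and it assumes you run it from a management host whose RSAT includes the AD replication cmdlets (Windows 8 / Server 2012 or later; they can manage 2008 R2 DCs).

```powershell
# Added example, not from the original thread. All names and subnets below are
# assumed placeholders; replace them with the real office values.
Import-Module ActiveDirectory

$sites = @{
    'MainOffice'    = @{ Subnet = '10.1.0.0/24'; DC = 'DC-MAIN' }   # Site A (hub)
    'RemoteOfficeB' = @{ Subnet = '10.2.0.0/24'; DC = 'DC-B' }      # Site B
    'RemoteOfficeC' = @{ Subnet = '10.3.0.0/24'; DC = 'DC-C' }      # Site C
}

# 1. One site per office, each with its subnet attached, so clients and the
#    KCC can tell which DC is local to them.
foreach ($name in $sites.Keys) {
    New-ADReplicationSite -Name $name
    New-ADReplicationSubnet -Name $sites[$name].Subnet -Site $name
}

# 2. Two site links, A<->B and A<->C, because B and C have no direct path.
#    Cost and interval are assumed; 15 minutes is the default interval.
foreach ($spoke in 'RemoteOfficeB', 'RemoteOfficeC') {
    New-ADReplicationSiteLink -Name "MainOffice-to-$spoke" `
        -SitesIncluded 'MainOffice', $spoke `
        -Cost 100 -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# 3. Move each DC out of Default-First-Site-Name into its own site.
foreach ($name in $sites.Keys) {
    Move-ADDirectoryServer -Identity $sites[$name].DC -Site $name
}

# 4. Remove the default link so B and C are never paired directly.
#    Default-First-Site-Name is now empty and can be deleted later.
Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false

# 5. Review the topology, then let the KCC rebuild connection objects.
#    It does so on its own within 15 minutes; repadmin /kcc forces it now,
#    and /replsummary shows whether replication over the new path succeeds.
Get-ADReplicationSiteLink -Filter * | Select-Object Name, SitesIncluded, Cost
repadmin /kcc
repadmin /replsummary
```

Because AD only follows IP reachability, the same topology works over the T1s today and over the SonicWall VPNs once the routes change; run `repadmin /replsummary` after unplugging the circuits to confirm the spokes still reach the hub.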
Blue Street Tech (Last Knight) commented:
With that topology, I recommend setting up IP Helper DHCP Relay in your SonicWall in each remote location to point to your primary AD server, so that if your AD server should go down, the clients it supports would still function. If you have multiple AD servers in your main location you can make a group and point the DHCP relay to that group for further redundancy.

For the VPN topology, you'll want to set up an inter-site VPN.