Active Directory Site Link Design question

Issue:

I have a customer that has set up their AD Site design based on the domain structure as opposed to the actual physical network structure (although they have subnets defined based on domain as well). Initially, they were all in one building. So I have 5 sites that are all added to the defaultsitelink and based on the 5 domains. They want to maintain this structure if possible.

Now, however, they actually have a new field office for failover that needs to have a DC for each domain in that office.  My initial thought is I create a new site representing the field office (with a new subnet) and create a new site link.  In the Site link, I would add the field office site and all of the other sites that are based on the domain.  In the end I would have the original default site link with all the sites in it other than the field office, as well as the new site link with the field office and the other domain sites in it.  This way I could manipulate the replication costs for the field office if I needed to.

Would this work and are there any issues that could occur?

Thanks
sagdocAsked:
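The design described in the question, written out with the ActiveDirectory PowerShell module cmdlets. This is an added example, not code from the question or any answer in this thread; the site names, the subnet, the link name and the cost and interval values are constructed placeholders, and the script assumes it is run from a domain controller (or a host with RSAT) by an account that can modify the Configuration partition.

```powershell
# Added example (not from the original question or any answer): the design sagdoc
# describes, expressed with ActiveDirectory module cmdlets.
# Site names, the subnet and the cost/interval values are constructed placeholders.
Import-Module ActiveDirectory

$fieldSite   = 'FieldOffice'        # assumed name for the new failover site
$fieldSubnet = '10.50.0.0/24'       # constructed subnet for that office
$domainSites = 'DomainA-Site','DomainB-Site','DomainC-Site','DomainD-Site','DomainE-Site'  # assumed names of the 5 existing per-domain sites
$linkName    = 'FieldOffice-Link'   # assumed name for the second site link

# 1. Create the site and bind the office's address space to it, so DCs and clients
#    placed there are located in the right site rather than falling into Default-First-Site-Name.
New-ADReplicationSite   -Name $fieldSite
New-ADReplicationSubnet -Name $fieldSubnet -Site $fieldSite -Location 'Field office (failover)'

# 2. Create the second site link: the field office plus all five domain sites.
#    Cost and interval are the knobs the question wants to be able to tune later.
New-ADReplicationSiteLink -Name $linkName `
    -SitesIncluded (@($fieldSite) + $domainSites) `
    -InterSiteTransportProtocol IP `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 30

# 3. Later tuning: raise the cost so the KCC prefers paths through the default link for
#    anything that has an alternative, and shorten the interval for the failover site.
Set-ADReplicationSiteLink -Identity $linkName -Cost 300 -ReplicationFrequencyInMinutes 15

# 4. Verify: every site should now appear in at least one site link, and the new link
#    should list all six sites.
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{n='Sites'; e={ ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' }}
```

All three `New-AD*` and the `Set-ADReplicationSiteLink` cmdlets accept `-WhatIf`, so the script can be dry-run first; after a real run, give the KCC its next pass (or `repadmin /kcc`) before judging the connection objects it generates.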

Guy LidbetterCommented:
Hi Sagdoc,

Your design is fine, except I would only link one site from the main site with the remote one. The site link is only for replication purposes and will have no effect or relevance on whether you have a dc for each domain in the remote site.

Microsoft actually state with best practice you should not have more than two sites in a site link, so having everything in the default site link is not really the way to go either.

In saying all this, what you have designed will work alright, but it's a dirty solution in my opinion.

Is there a specific reason the customer wants to keep something which is technically completely wrong?
Will SzymkowskiSenior Solution ArchitectCommented:
Not sure if I agree with the above comment. If all of your Sites have a Physical Network Connection to each other then those Sites (even if there is more than 2) should be part of the same Site.

You would only break out specific Sites if they do not have a physical network connection to each other (hub spoke topology) or you want to do specific costing with a specific route in mind.

Additional Sites in AD Sites and Services are only required if there are Domain Controllers Present in them. However, if you have PHYSICAL sites that DO NOT have a DC that resides at this site, you would still add that PHYSICAL site IP scheme to the Site where you want it to authenticate against.

I would highly suggest that you check out my two-part HowTo I have created providing a detailed understanding of how AD Sites and Services should be set up in different scenarios.

http://www.wsit.ca/how-tos/active-directory/active-directory-sites-and-services-part-1/
Note: the link to part two of the series is at the bottom of part 1.

If you have any other questions let me know.

@Guy - "Microsoft actually state with best practice you should not have more than two sites in a site link, so having everything in the default site link is not really the way to go either."

Based on that comment could you please provide a link that states what you have said above?

Will.

Guy LidbetterCommented:
@Will , your comment
Not sure if i agree with the above comment. If all of your Sites have a Physical Network Connection to each other then those Sites (even if there is more than 2) should be part of the same Site.

in that case, as my DC, DR site, Office and remote site are all connected by the dark fiber network they should be in the same site?

A site should be a physical site (irrespective of the number of subnets) - unless you have a specific reason to separate services that are site aware.

Looking at your "how to", have you noticed, that even YOU have only two sites in every site link?
Would you put Hong Kong, New York and London all in the SAME site link? I think not.
It's not logical, and not best practice, even if you are talking on a smaller scale between 3 separate buildings in the same city.

And by the way, saying you do not agree with what I said is a bit weird, considering your own basic How to Agrees with me....

Will SzymkowskiSenior Solution ArchitectCommented:
Looking at your "how to", have you noticed, that even YOU have only two sites in every site link?

The HowTo is in a limited lab environment where I only used 3 DCs for the purpose of the explanation. So that is why you only see 2 DCs per site link. It is the understanding I was going for. If your sites have actual physical connections between each other then they should be in the same Default Site Link.

I say this because the KCC (Knowledge Consistency Checker) calculates which DC is the most appropriate to create connections with (it does NOT create connections with ALL of the DCs in the same site link).

Creating different Site Links for London, New York, Hong Kong STILL HAVE TO REPLICATE CHANGES TO EACH OTHER lol. So having them in the same Site Link (IF THEY HAVE PHYSICAL CONNECTIONS BETWEEN EACH OTHER) is recommended to allow the KCC to create the connections for you "automatic connections". IF they are in the same site link KCC selects the most appropriate connections to be made based on a number of things, like server resources, network latency etc.

Also another benefit of this is that the KCC will automatically re-create connections to DCs in the same Site Link if there is a DC that is no longer reachable. This is called a mesh topology and it is highly recommended to go with this approach. When a DC is unreachable for a period of time, connections are re-calculated to ensure that DCs that are online get the most recent updates. When the DC that has been offline for a period of time is again reachable, the KCC will re-create the connections as needed.

If you have multiple Site Links and if your Bridge Head server goes down that server in that site will NOT be able to replicate its updates to other DC's nor will it be able to receive new updates from other DC's.

If you have any other misconceptions about my HowTo please let me know and I will be happy to explain.

Sorry for the caps!

Will.
Guy LidbetterCommented:
You are very mistaken in what you are saying, and have a very narrow understanding of Sites and replication.

Going on about Physical connections and what not is confusing.

And why are you LOL'ing here?
Creating different Site Links for London, New York, Hong Kong STILL HAVE TO REPLICATE CHANGES TO EACH OTHER lol.
I never said anything about not replicating.

Also you said...
So that is why you only see 2 DC's per site link
I also said nothing about DC's

A couple points you are mistaken on:

1. A mesh topology is having a site connected to more than one site, i.e. more than one site link, so if the link goes down it will continue to replicate to the other site. Example: London connected to Hong Kong with one link, New York with another link and Japan with a third. Each of those sites has the same number of links, like a mesh. It has nothing to do with multiple sites on one site link.

2. You said.
If you have multiple Site Links and if your Bridge Head server goes down that server in that site will NOT be able to replicate its updates to other DC's nor will it be able to receive new updates from other DC's.
For one, if there are two DCs in the site, the other will automatically become the Bridgehead unless you specifically set the first as the preferred BH.
Second, if it goes down of course it won't replicate, IT'S DOWN!

Have a thorough read of this and learn something:
https://technet.microsoft.com/en-us/library/cc772013(v=ws.10).aspx

P.S. Please don't LOL at other experts.
Will SzymkowskiSenior Solution ArchitectCommented:
Unless you specifically have a requirement to control how/when replication happens to a specific site for reasons like: latency, higher WAN cost, replication to a DR site, or for Routing Exchange Mail through a different site, you should always use Default Site Link, if there is a physical connection between the sites.

If you are using a hub-spoke topology where remote sites DO NOT have physical network connections (IPsec, MPLS etc.) between each other, they cannot be part of the same site link, as the KCC will create warning messages and automatic connections will NOT be created.

At this point, you need to create Site Links for each of the Remote Sites with the Hub Site.

Outside of that, if you do not have any specific requirements then the KCC will create the appropriate connections within the Default Site Link.

As stated, I have also outlined this in the HowTo originally posted.

Will.
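A read-only audit of what the KCC has actually built, which is the practical way to settle the disagreement above for a given forest: it finds sites that belong to no site link (where, as Will notes, automatic inter-site connections will not be created), lists site links that contain more than two sites, shows which connection objects are KCC-generated versus hand-made, and surfaces current replication failures. This is an added example, not part of Will's HowTo or any post in this thread; it assumes the ActiveDirectory module is available and makes no changes.

```powershell
# Added example (not from Will's HowTo or any post in this thread): read-only audit of the
# inter-site replication topology, using only ActiveDirectory module cmdlets.
Import-Module ActiveDirectory

# 1. Sites that are in no site link at all: DCs there get no automatic inter-site
#    connections from the KCC, so this is the first thing to check after a redesign.
$links         = Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded
$linkedSiteDns = $links | ForEach-Object { $_.SitesIncluded } | Sort-Object -Unique
$orphanSites   = Get-ADReplicationSite -Filter * |
    Where-Object { $linkedSiteDns -notcontains $_.DistinguishedName }
if ($orphanSites) {
    Write-Warning ("Sites in no site link: " + ($orphanSites.Name -join ', '))
}

# 2. Site links with more than two member sites (the design point argued in this thread).
#    Listed so the topology is visible; a multi-site link is a choice, not an error by itself.
$links | Where-Object { @($_.SitesIncluded).Count -gt 2 } |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{n='SiteCount'; e={ @($_.SitesIncluded).Count }} |
    Format-Table -AutoSize

# 3. Connection objects. AutoGenerated = True means the KCC owns it and will reroute it when
#    a partner is unreachable; False means it was created by hand and the KCC leaves it alone.
#    The server name is the second RDN of the NTDS Settings DN.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated,
        @{n='From'; e={ ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN=' }},
        @{n='To';   e={ ($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN=' }} |
    Format-Table -AutoSize

# 4. Current replication failures across the forest, which is where a missing link or an
#    unreachable bridgehead shows up first.
Get-ADReplicationFailure -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize
```

Run it before and after changing site links: the before run records which connections were KCC-generated, and the after run (once the KCC has recalculated, or after `repadmin /kcc` on the inter-site topology generator of each site) shows whether the new link produced the connections you expected and whether any failures appeared.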
sagdocAuthor Commented:
That design worked well.
Senior IT System EngineerIT ProfessionalCommented:
Is this the same concept when using Windows Server 2012 R2 or only works for 2008 R2 ?