Active Directory Site Link Bridges in multi-site organizations


I have an Active Directory with multiple sites.  The links between the sites are VPNs, and all sites connect to a central hub site.  In the default site topology, Active Directory bridges ALL site links, and sites have automatically configured links between them that don't make sense when the NETWORK topology is hub/spoke with a central site as the hub.

I want to set up an Active Directory site topology that matches our network topology so that we do not have Active Directory domain controllers trying to connect to servers that they are unable to connect to because the site does not have a route to that particular domain controller (i.e. there is no mesh network connectivity).

I have gone to Active Directory Site and Services --> Inter-Site Transports --> IP --> Properties and UNCHECKED "Bridge all Site Links".  

I'm not sure of the next step... should I:

1. Create a new site link that has ALL sites in it
2. Create a new site link for each site, and include only the HUB SITE and the REMOTE SITE in it.

My goal is to end up with each remote site replicating with the (2) domain controllers that are at the hub site, and for the (2) domain controllers at the hub site to have replicas of EVERY SITE.

Dan McFadden, Systems Engineer, commented:
I recommend you leave the bridge all site links (BASL) enabled.

Instead you can build your site links as desired.  For example, for a structure with a central hub site and 3 remote sites...

Site Names:  CH, R1, R2, R3

Site link definitions...
Name, Cost, Rep Interval
CH-R1, 100, 15m
CH-R2, 100, 15m
CH-R3, 100, 15m

The links between the remote sites are transitive, meaning there is no need to have a link defined as R1-R2.  You can, if so desired, specifically configure whether DCs are the bridgeheads or not.  Meaning bridgehead servers communicate over the defined link to DCs in the defined site.  Non-bridgehead servers communicate only inside the site they are in.  This allows you to control who talks to whom.

Unless there is a significant reason (security or network routing issues, typical of much larger networks) Microsoft recommends leaving the BASL on.

reference link:

I manage a hub-spoke structure, 7 sites in all, and use this design.
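The following is an added example, not code from the thread or from either participant, that builds the hub-and-spoke link set described in the answer above (sites CH, R1, R2, R3; cost 100; 15-minute interval) with the ActiveDirectory PowerShell module, and then optionally flips the same "Bridge all site links" setting the question mentions unchecking in AD Sites and Services. It assumes the RSAT ActiveDirectory module is installed and the session runs as an Enterprise Admin; the site names and values come from the answer, and the DEFAULTIPSITELINK clean-up step is an assumption about a default installation.

```powershell
# Added example: hub-and-spoke site links for sites CH (hub), R1, R2, R3.
# Assumes the ActiveDirectory module (RSAT) and Enterprise Admin rights.
Import-Module ActiveDirectory

$hub     = 'CH'
$remotes = @('R1', 'R2', 'R3')

# One site link per spoke, containing only the hub and that remote site
# (option 2 in the question). Cost 100 / 15 min are the answer's values.
foreach ($remote in $remotes) {
    $linkName = "$hub-$remote"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded $hub, $remote `
            -Cost 100 `
            -ReplicationFrequencyInMinutes 15 `
            -InterSiteTransportProtocol IP
    }
}

# Assumption: the remote sites were created in DEFAULTIPSITELINK, which would
# otherwise still join every site together. Remove them from it so only the
# explicit CH-Rx links remain.
$default = Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'"
if ($default) {
    Set-ADReplicationSiteLink -Identity $default -SitesIncluded @{ Remove = $remotes }
}

# Optional: turn off "Bridge all site links" (BASL) for the IP transport.
# The checkbox in AD Sites and Services toggles bit 0x2
# (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) of the 'options' attribute on the
# IP inter-site transport object. With the bit set, the KCC only builds
# connections along explicitly defined links, so a remote DC only gets
# replication partners in CH, which is the behaviour the question asks for.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
$options     = if ($ipTransport.options) { [int]$ipTransport.options } else { 0 }
$bridgesRequired = 0x2
if (-not ($options -band $bridgesRequired)) {
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($options -bor $bridgesRequired) }
}

# Verify: list every link with the sites it joins (site name only, not the DN).
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

Leave the BASL block out if, as the answer recommends, bridging stays enabled; with it in, the KCC will route all inter-site replication through the hub DCs, so check that the two hub DCs are the bridgeheads (or let the ISTG pick them) after the change.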

jkeegan123 (Author) commented:
The reason why I do not want to leave BASL enabled is ... there are some sites that can ONLY talk to the hub site (network connectivity wise), and these sites do not need to be able to speak to the other sites for ANYTHING other than Active Directory site replication traffic.  Since it's an international site, and since the site is connected via VPN, I wanted to prevent the site from getting replication relationships auto-generated from sites that are, for example, in a remote site in the United States that does not have connectivity to this international site.

So ... that means break the BASL, and set up as hub spoke manually?

Dan McFadden, Systems Engineer, commented:
I have one question then... is the traffic between remote sites routable thru the hub site?

What I mean is, if an IP packet originates in remote site 1 and has a destination in remote site 2, is there a routing mechanism in place that allows that IP packet to traverse from remote site 1 to the hub site and then on to remote site 2?

You mentioned that the International site has an established VPN connection to something... to what, the hub site?  Is your routing infrastructure containing/restricting the International site's network traffic to only the hub network?  Are there no resources beyond the hub site, that the International site needs access to?

If you can answer the above question/scenario, I can better answer your question.

Also, here is an article that discusses the issue without diving deep into the technical aspects of everything.


TechNet resource for AD Topology Design.

link 2:

