Solved

Advice on fixing AD replication

Posted on 2016-09-20
9
67 Views
Last Modified: 2016-09-23
We've been having replication issues in our Active Directory, and I think I know why. Our main site has two domain controllers, and we have a "VPN" site that is part of the private corporate network, but on a different subnet and only accessible across a WAN link. I have the DC's defined correctly for each site and subnet.

What I don't have correct is the replication. I discovered today that my DEFAULTIPSITELINK has all the sites listed in that site link.

So I assume I need to remove the VPN site from DEFAULTIPSITELINK and create a new VPN-Home sitelink with a higher cost and different replication schedule, correct? Can you define a site link with one site in it?

My DEFAULTIPSITELINK also is set to replicate every 180 minutes. Once I remove the VPN site, shouldn't I tweak this to say 30 minutes since both DC's in this site are on the same local network, and same subnet?

And when looking at the "NTDS Settings" for each site, the replication schedule for the two DC's local to each other is once an hour, every hour.

The replication schedule for my bridgehead server in my main site to the DC in the VPN site is to replicate once every three hours - which is could be why the DEFAULTIPSITELINK is set to replicate every 3 hours.  

My thought was to set the two local servers to replicate at least 2x/hour, or maybe 4x/hour every hour, and set the VPN site to repliacate once an hour, every hour.

Please let me know if I'm on the right track, and especially how to properly define the site link for my "VPN" site.
0
Comment
Question by:RhoSysAdmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41807714
as a general rule, site links should exist on a 1 to 1 basis, meaning one link between two sites.  You shouldn't have more that the two target sites listed in a link.

So, if you have a site configured for your remote office and a site for your primary office, the link you create for replication between them should only contain those two sites.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 41807814
Make sure you have the subnets for both sites defined in AD Sites and Services as well. You'll also need to make sure that the VPN connection is allowing all the ports required by AD Replication to pass through. Ports  49152 through 65535 are required for AD replication as are the ones listed here: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
0
 

Author Comment

by:RhoSysAdmin
ID: 41809402
Well, maybe I'm alright then. I have just the DEFAULTSITELINK defined with sites "Home", "VPN", and "Default-First-Site-Name" in it. The "Default" site has no assigned subnets or DC's in it, so I should probably remove this one. I don't know if it does any harm being there.

The issue is that we're seeing very slow replication b/t the DC's on the two sites, even when objects are deleted. I thought that kind of event would replicate immediately.

Is it better to change the replication schedule b/t my bridgehead servers (flexibility in times I can make it more frequent) or should I change the schedule in the site-link?
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41809463
I'm not sure what you're referring to when you make a distinction between changing the schedule for the Bridgehead servers vs. the Site link. Are you referring to the Properties screen of the NTDS site settings object when you click on the Site link vs. the properties screen of the site link itself?

Those two schedules refer to totally different things. The NTDS Site Settings schedule defines the number of times DCs in the Same AD site are required to replicate at a minimum. All changes to any DC in a site are immediately replicated to DCs in the same site, but the NTDS Site Settings schedule ensures that the DCs complete a replication even if no changes are made over a set period of time to ensure no changes are missed due to various circumstances.

The schedule on the Properties screen of the Site-Link is the schedule used for Inter-site transport (Between different AD sites). This is the schedule that Bridgehead servers will use to replicate with one another. If there is no bridgehead defined, the Replication system will pick a server at random to replicate to the other site with when the scheduled time occurs.

That said, in a two site AD topology, Bridgehead servers don't really make much of a difference, and you don't have to have them for any reason.
0
 

Author Comment

by:RhoSysAdmin
ID: 41809572
Sorry for using the wrong terms. Forget that I mentioned "Bridgehead". I am looking at

1. The "Replicate Every" value on the general tab of the DEFAULTSITELINK properties, which is set to the default for inter-site  replication (180 minutes)

2. The properties of the connection b/t my "Home" DC and my "VPN" DC in the NTDS Settings for the DC in my "Home" site. If I click on the "View Schedule" button, What I see is that replication is only possible once every three hours. I see a similar schedule for replication b/t the DC in the "Home" site and the DC in the "VPN" site.

If I look at the NTDS settings for VPN DC, and view the properties for the VPN-Home connection, I see the same schedule obviously.

My question is, given that replication (of deleted objects for example) is taking so long b/t the sites, should I change the NTDS properties of the connections b/t the sites to at least be possible once every hour, or should I change the schedule in the DEFAULTSITELINK properties?
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 41809597
Generally, the longer of those two schedules wins out, so make sure they are both below an hour.
0
 

Author Comment

by:RhoSysAdmin
ID: 41811763
I changed the site-link schedule tonight. When I went to change the NTDS properties (schedule), I saw a pop-up that it would no longer be "automatically generated" if I changed it. I clicked on "No". When I closed the properties and re-opened it, the schedule had been changed to match the site-link schedule.

Is that possible or did I click "yes" and not realize it?  It still show the connection as "automatically generated" so I don't think I accidentally clicked "Yes" to force the schedule change.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 41811843
By default, the NTDS settings should match the site-link settings. It may not have shown the first time you opened the properties, but updated itself when you edited it. I'd just leave it as is.
0
 

Author Closing Comment

by:RhoSysAdmin
ID: 41812433
Adam provided the details I needed to understand how replication works and even responded to my follow up question, which I really appreciated.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question