
Our AD is a basic hub/spoke design. We have a headquarters in London, and remote offices. The remote offices are connected via VPN to HQ.

We have 3 domain controllers at HQ, and one in each remote office. We have had Windows 2000, Windows 2003 and Windows 2008 R2 domain controllers in place.

Over the years, any automatic configuration put in place by AD itself has been eroded, and we now have a situation where the NTDS settings for each server have been manually set. I see that some remote servers are connected to all 3 of our HQ Domain Controllers, some are connected to 2 and some to only 1. Looking at the connections back from the HQ Domain Controllers, these are similarly variable.

Here is a picture of how some offices are set up: [diagram not reproduced]

Should I be setting up connections from each Remote DC to all 3 of our HQ DCs, from each Remote DC to only one of the HQ DCs, or manually spreading the load?

Is there a way I can "reset" the configuration so that AD automatically generates the most appropriate connections?

dunxd

2 Answers

This assumes that you don't want your remote sites authenticating/replicating to each other and that all spoke AD traffic must go through the hub.

Create one site link for each remote site to the hub site. Only put one remote site plus the hub in each site link. Force replication across your domain. Undefine/delete manual bridgehead selections in each site. Run repadmin /kcc on each DC to automatically regenerate a new topology that doesn't involve manual bridgehead selection.

Should I be setting up connections from each Remote DC to all 3 of our HQ DCs, from each Remote DC to only one of the HQ DCs, or manually spreading the load?

Not unless you have a compelling reason to. If you have sites and site links configured correctly, the KCC, which runs every 15 minutes, will rebuild your replication topology if a bridgehead becomes unavailable. There's no reason to manually override the KCC's bridgehead selection in most cases.

MDMarra

  • Can you explain how to do "Undefine/delete manual bridgehead selections in each site."? – dunxd Apr 11 '13 at 11:56
  • Just delete any manually created replication partners in Sites and Services. If you just let them be created automatically, then there's nothing to do. – MDMarra Apr 11 '13 at 11:56
  • Thanks - now all my DCs have entries under NTDS so now AD can manage this automatically. – dunxd Apr 11 '13 at 16:08
  • Welcome! In most cases, you want to manually define your site links and then just let the KCC do its thing. Glad that helped. – MDMarra Apr 11 '13 at 16:24
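As an added example (not part of MDMarra's answer or the thread), the following PowerShell script audits the manual overrides the answer says to remove: nTDSConnection objects the KCC did not generate and servers flagged as preferred bridgeheads. It reports only by default and deletes them, then triggers the KCC, when run with -Remove; it assumes the RSAT ActiveDirectory module and rights to modify the Configuration partition.

```powershell
# Added example: find (and with -Remove, clear) manual replication topology
# overrides so the KCC can regenerate the topology itself.
# Assumes the RSAT ActiveDirectory module and write access to the Configuration NC.
param([switch]$Remove)

Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# Bit 0x1 of nTDSConnection.options (NTDSCONN_OPT_IS_GENERATED) is set only on
# connection objects the KCC created itself; anything without it was made by hand.
$IS_GENERATED = 0x1

$manual = Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' `
            -SearchBase $sitesDN -Properties options, fromServer, whenCreated |
          Where-Object { -not ($_.options -band $IS_GENERATED) }

foreach ($c in $manual) {
    # DN layout: CN=<conn>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
    $toServer = ($c.DistinguishedName -split ',')[2] -replace '^CN='
    # fromServer is the DN of the source DC's NTDS Settings object
    $fromSrv  = ($c.fromServer -split ',')[1] -replace '^CN='
    Write-Output ("MANUAL connection {0} -> {1} (created {2})" -f $fromSrv, $toServer, $c.whenCreated)
    if ($Remove) { Remove-ADObject -Identity $c -Confirm:$false }
}

# A preferred bridgehead is recorded on the server object as bridgeheadTransportList
# (the transports, e.g. IP, for which the admin pinned this server as bridgehead).
$bridgeheads = Get-ADObject -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' `
                 -SearchBase $sitesDN -Properties bridgeheadTransportList
foreach ($s in $bridgeheads) {
    Write-Output ("PREFERRED BRIDGEHEAD {0}: {1}" -f $s.Name, ($s.bridgeheadTransportList -join '; '))
    if ($Remove) { Set-ADObject -Identity $s -Clear bridgeheadTransportList }
}

if ($Remove) {
    # Ask the KCC on every DC to recompute now instead of waiting for its 15-minute cycle,
    # then summarise replication health so any failed partner shows up immediately.
    foreach ($dc in Get-ADDomainController -Filter *) {
        repadmin /kcc $dc.HostName | Out-Null
    }
    repadmin /replsummary
}
```

Run it once without -Remove and keep the output; it is the record of which objects were removed if replication later needs to be compared against the old topology.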

In dssite.msc, under a server's NTDS Settings object, you can delete the connections. AD will re-create them.

Reading this would probably be a good start:

How Active Directory Replication Topology Works
http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx

Greg Askew
  • Where am I doing the deletion (dssite.msc on the HQ DCs or remote ones?) Where does the auto-create happen? I don't want to do this without understanding how I am potentially breaking things and how long AD will take to "heal" itself. – dunxd Apr 11 '13 at 11:54
  • This would be done on any DC with the manually created connections. The connections are created when the KCC runs on the ISTG. By default, the KCC reviews and makes modifications to the Active Directory replication topology every 15 minutes to ensure propagation of data, either directly or transitively, by creating and deleting connection objects as needed. – Greg Askew Apr 11 '13 at 11:59