What is the correct way to configure AD replication in a hub-spoke design

active-directory replication

Our AD is a basic hub/spoke design. We have a headquarters in London, and remote offices. The remote offices are connected via VPN to HQ.

We have 3 domain controllers at HQ, and one in each remote office. We have had Windows 2000, Windows 2003 and Windows 2008 R2 domain controllers in place.

Over the years, any automatic configuration put in place by AD itself has been eroded, and we now have a situation where the NTDS settings for each server has been manually set. I see that some remote servers are connected to all 3 of our HQ Domain Controllers, some are connected to 2 and some to only 1. Looking at the connections back from the HQ Domain Controllers, these are similarly variable.

Here is a picture of how some offices are setup:

enter image description here

Should I be setting up connections from each Remote DC to all 3 of our HQ DCs, from each Remote DC to only one of the HQ DCs, or manually spreading the load?

Is there a way I can "reset" the configuration so that AD automatically generates the most appropriate connections?


Solution 1:

This assumes that you don't want your remote sites authenticating/replicating to each other and that all spoke AD traffic must go through the hub.

Create one site link for each remote site to the hub site. Only put one remote site plus the hub in each site link. Force replication across your domain. Undefine/delete manual bridgehead selections in each site. Run repadmin /kcc on each DC to automatically regenerate a new topology that doesn't involve manual bridgehead selection.

Should I be setting up connections from each Remote DC to all 3 of our HQ DCs, from each Remote DC to only one of the HQ DCs, or manually spreading the load?

Not unless you have a compelling reason to. If you have sites and site links configured correctly, the KCC, which runs every 15 minutes, will rebuild your replication topology if a bridgehead becomes unavailable. There's no reason to manually override the KCC's bridgehead selection in most cases.

Solution 2:

In dssite.msc, under a server's NTDS Settings object, you can delete the connections. AD will re-create them.

Reading this would probably be a good start:

How Active Directory Replication Topology Works
http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx

Related

Why do I not have "Shared printer" within group policy preferences in Win 2008 R2 gpmc?
How can sleeping processes in "top" be using a percentage of CPU?
Per-packet round-robin load balancing for UDP
Virtmanager connection via custom SSH command?
Windows PKI with offline root (maybe with OpenSSL) - Possible?
Puppet error on already installed package on centos
How to make Nginx forward the original host name
How do fiber Ethernet transmitters set their power output?
Python, "you don't have permission to access that port" [closed]
SSH: prevent from asking for passphrase when ssh-agent auth fails
Server crashes Sundays at 6 a.m. - out of memory
Troubleshooting network latency