What is the correct way to configure AD replication in a hub-spoke design
Our AD is a basic hub/spoke design. We have a headquarters in London, and remote offices. The remote offices are connected via VPN to HQ.
We have 3 domain controllers at HQ, and one in each remote office. We have had Windows 2000, Windows 2003 and Windows 2008 R2 domain controllers in place.
Over the years, any automatic configuration put in place by AD itself has been eroded, and we now have a situation where the NTDS settings for each server has been manually set. I see that some remote servers are connected to all 3 of our HQ Domain Controllers, some are connected to 2 and some to only 1. Looking at the connections back from the HQ Domain Controllers, these are similarly variable.
Here is a picture of how some offices are setup:
Should I be setting up connections from each Remote DC to all 3 of our HQ DCs, from each Remote DC to only one of the HQ DCs, or manually spreading the load?
Is there a way I can "reset" the configuration so that AD automatically generates the most appropriate connections?
Solution 1:
This assumes that you don't want your remote sites authenticating/replicating to each other and that all spoke AD traffic must go through the hub.
Create one site link for each remote site to the hub site. Only put one remote site plus the hub in each site link. Force replication across your domain. Undefine/delete manual bridgehead selections in each site. Run repadmin /kcc
on each DC to automatically regenerate a new topology that doesn't involve manual bridgehead selection.
Should I be setting up connections from each Remote DC to all 3 of our HQ DCs, from each Remote DC to only one of the HQ DCs, or manually spreading the load?
Not unless you have a compelling reason to. If you have sites and site links configured correctly, the KCC, which runs every 15 minutes, will rebuild your replication topology if a bridgehead becomes unavailable. There's no reason to manually override the KCC's bridgehead selection in most cases.
Solution 2:
In dssite.msc, under a server's NTDS Settings object, you can delete the connections. AD will re-create them.
Reading this would probably be a good start:
How Active Directory Replication Topology Works
http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx