Here's an answer from a European guy struggling with AD infrastructures containing more than 1,000 sites (and DCs) connected by ISDN connections ... Consider yourself to be a lucky guy ;-). We've been through this discussion numerous times over here...
The best way to minimize the amount of replication traffic is by centralizing your Domain Controllers. Have you considered the possibility of not placing any DCs in location 3? Whether or not this scenario is feasible depends on the number of clients on the 3rd location, the reliability of the connection and the available bandwidth. It could possibly be the solution that results in the least amount of costs ... On the other hand, the best way to minimize the amount of authentication traffic is by placing a Domain Controller at each location. Looking at the information you gave us, this is a solution that will most certainly do for you.
Looking at the "requirements" in your question (minimum amount of replication AND authentication traffic from and to site3, I presume) the following solution could be A way to go. However, an important parameter that is missing is the requirement for the convergence time of data within your AD infrastructure:
- Implement 3 sites (s1, s2, s3).
- Connect s1 and s2 by the default sitelink.
- Connect s1 and s3 by sitelink-1-3. Configure the schedule such that replication occurs on even hours. (the frequency depends on the requirement for the convergence time).
- Connect s2 and s3 by sitelink-2-3. Configure the replication such that replication occurs on odd hours.
- Let the KCC create Connection objects between servers. In a relatively simple environment like this you should not try to configure these yourself. The schedule on the sitelinks will be "inherited" by the replication over the Connection Objects.
This topology has the following benefits:
- Changes are replicated only once (most of the time) from and to s3 because s1 and s2 replicate more frequently and will keep each other up to date. So changes sent from s3 to s1 will not be replicated again from s3 to s2 because s1 has already sent the info to s2.
- The replication topology is fault tolerant. Whenever one of the physical connections breaks down, the entire infrastructure is able to replicate.
- Authentication traffic is minimized because clients will always authenticate to the nearest DC (within the same site).
HOWEVER ... I would strongly recommend that you seriously consider the most simple alternative. Implement s3 and "connect" this one to the default sitelink. The idea behind this is to keep things simple. This is one of the important design guidelines I try to adhere to. It will not meet your requirements, but I'm positive that it will actually work in your infrastructure!
Cheers!
John
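[Editor's note: the following is an added example, not part of John's reply or David's question. It builds the three-site topology John describes (s1/s2 on the default site link, s3 reached over two separate site links whose schedules alternate between even and odd hours, connection objects left to the KCC) with the ActiveDirectory PowerShell module. The site names s1, s2, s3 match the post; the subnets, the link costs, and the link names sitelink-1-3 / sitelink-2-3 are assumed values for illustration. The module did not exist in 2003; it is the way an administrator would type this procedure today.]

```powershell
# Added example (not from the original thread): three sites, default link
# between s1 and s2, schedule-alternated links from s3 to s1 and to s2.
# Site names follow John's post; subnets, costs and link names are assumptions.
Import-Module ActiveDirectory

# Build an ActiveDirectorySchedule that opens replication only in the given
# hours, every day of the week. RawSchedule is bool[7,24,4]:
# [day-of-week, hour, 15-minute slot]; $true = replication allowed.
function New-HourlySchedule {
    param([int[]]$Hours)
    $raw = [Array]::CreateInstance([bool], 7, 24, 4)
    foreach ($day in 0..6) {
        foreach ($hour in $Hours) {
            foreach ($slot in 0..3) { $raw[$day, $hour, $slot] = $true }
        }
    }
    $sched = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $sched.RawSchedule = $raw
    return $sched
}

$evenHours = 0..23 | Where-Object { $_ % 2 -eq 0 }   # 0,2,4,...,22
$oddHours  = 0..23 | Where-Object { $_ % 2 -eq 1 }   # 1,3,5,...,23

# Sites and one example subnet each (assumed values). Subnets are what make
# clients "site-aware" so they authenticate against a DC in their own site.
$sites = @{ 's1' = '10.1.0.0/16'; 's2' = '10.2.0.0/16'; 's3' = '10.3.0.0/16' }
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    New-ADReplicationSubnet -Name $sites[$name] -Site $name
}

# s1 <-> s2: keep them on the default link, replicating every 15 minutes,
# and make sure s3 is NOT a member of it (Replace drops any other member).
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Replace = 's1', 's2' } `
    -ReplicationFrequencyInMinutes 15

# s1 <-> s3: open only in even hours. With a 60-minute interval and a
# one-hour window the link replicates once per even hour.
New-ADReplicationSiteLink -Name 'sitelink-1-3' -SitesIncluded 's1', 's3' `
    -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
Set-ADReplicationSiteLink -Identity 'sitelink-1-3' `
    -ReplicationSchedule (New-HourlySchedule -Hours $evenHours)

# s2 <-> s3: same, but odd hours. Equal cost on both s3 links so the KCC
# prefers each direct link over the transitive s3-s1-s2 route.
New-ADReplicationSiteLink -Name 'sitelink-2-3' -SitesIncluded 's2', 's3' `
    -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
Set-ADReplicationSiteLink -Identity 'sitelink-2-3' `
    -ReplicationSchedule (New-HourlySchedule -Hours $oddHours)

# Check: what did we configure, and what did the KCC build from it?
Get-ADReplicationSiteLink -Filter * `
    -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded, ReplicationSchedule |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

# Force the ISTG to recompute inter-site topology instead of waiting, then
# list the resulting connection objects (these are KCC-generated; do not
# hand-create them in a topology this small).
repadmin /kcc
Get-ADReplicationConnection -Filter * | Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
repadmin /showrepl
```

Usage note: run this as an Enterprise Admin from a machine with RSAT. The second-to-last check is the one to watch: with Replace on DEFAULTIPSITELINK the only path into s3 is through the two scheduled links, so a connection object from an s3 DC should show a replication schedule that is closed half the hours of the day. If site link bridging is left on (the default) the KCC may also consider the transitive s1-s2-s3 route; keeping both s3 links at the same cost as above is what makes the direct link win.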
-----Original Message-----
From: David Adner [mailto:[EMAIL PROTECTED]]
Sent: Wednesday 29 October 2003 2:07
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Setting up Sites
We're going from 2 sites to 3 sites. So far, we've used the DEFAULTSITELINK for simplicity's sake and have the KCC creating replication links. The only thing we changed was the replication interval to every 15 minutes. With the creation of a 3rd site, plus to allow for future expansion, we're going to begin creating site links and such.
Site 1 and 2 are connected via a very high speed network.
Site 3 is connected to Sites 1 and 2 via a T3.
Connectivity to Site 3 is fast, but we still want to avoid unnecessary WAN authentication and optimize replication as much as possible.
I'm interested in people's opinions on setting up the metrics for the site links or any other suggestions you have for a relatively new AD implementation. I'm pretty familiar with how things work and have read through various whitepapers, but I'd like to hear people's real world experiences. TTIA.
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
