I posted my solution to this type of problem before because we also deal
with the dreaded firewall problem as well.

Here is a synthesis.  

1.  You should identify each site as a group of networks that are behind the
same firewall.
2.  Most firewalls support NTDS or AD replication now so use that feature.
        A.  Otherwise, you can use limited/FIX RPC for NTDS and FRS.
        B.  There are several ports you need open to support AD.
3.  Ports you need to support for all AD clients.
        88 TCP/UDP Kerberos
        123 UDP    NTP
        389 TCP/UDP LDAP
        * 445 TCP/UDP SMB (MMC and File Print Access)
        3268 TCP/UDP GC
        * 138  TCP/UDP NetBIOS Browsing 9x NT
        * 139  TCP/UDP NetBIOS SMB 9x NT
4.  Ports you need to allow open between all Bridgehead servers
        135 TCP/UDP RPC Sessions
        445 TCP/UDP SMB for MMC's
        *   TCP/UDP NTDS fixed port if you chose Static
        *   TCP/UDP FRS fixed port if you chose Static
5.  Create Site links only to the deterministic paths you want replication
traffic to take.

6.  Create a Site Link Bridge that encompasses all the sites.

7.  Establish the preferred Bridgehead servers in each site on a GC.

8.  Configure replication schedule if necessary.

9.  Make sure all subnets are associated to the correct site or GPO in XP
will break.

10.  I highly recommend that you fill out location tab on Subnets so you can
enable Location Tracking feature of 2K and 2K3 for better printer tracking.

11.  Disable site link transitivity.

12.  Refresh all the NETLOGON Services so SRV records are published
correctly.

13.  Verify that the Preferred BHS have connection objects to the remote
sites.  If any DC's are selected as replication partners outside the site
over the BHS, investigate.

Hope this helps.

Todd Myrick
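As an added example that is not part of Todd's post or the list's own material, the following PowerShell script audits the points in the checklist above (port reachability, static RPC ports, subnet-to-site mapping, site link transitivity, preferred bridgeheads, and inter-site connection objects that bypass the bridgeheads, which is exactly the A-to-Z symptom Mike describes below). It assumes the RSAT ActiveDirectory module on a domain-joined host, Windows 8 / Server 2012 or later for Test-NetConnection, and a placeholder DC name DC-K.corp.example; the registry values and the options bit are the documented ones for static NTDS/FRS ports and for disabling site link bridging.

```powershell
# Added example (not from the original thread). Assumes RSAT ActiveDirectory
# module; DC-K.corp.example is a hypothetical placeholder for a bridgehead DC.
Import-Module ActiveDirectory
$dc  = 'DC-K.corp.example'
$cfg = (Get-ADRootDSE).configurationNamingContext

# --- Steps 3/4: is the DC reachable on the ports the checklist lists? ---
# Test-NetConnection checks TCP only; the UDP sides (88, 123, 138) need a
# separate check from the firewall logs or a UDP probe.
$clientPorts     = 88, 123, 389, 445, 3268, 138, 139
$bridgeheadPorts = 135, 445
foreach ($p in ($clientPorts + $bridgeheadPorts | Sort-Object -Unique)) {
    $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-6} {1}' -f $p, $state
}

# --- Step 2.A: static RPC ports for NTDS and FRS, if configured (read-only) ---
Invoke-Command -ComputerName $dc -ScriptBlock {
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -ErrorAction SilentlyContinue
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' `
        -Name 'RPC TCP/IP Port Assignment' -ErrorAction SilentlyContinue
}

# --- Step 9: every subnet must belong to a site, or site-aware clients break ---
Get-ADReplicationSubnet -Filter * -Properties Site, Location |
    Where-Object { -not $_.Site } |
    Select-Object Name, Location            # step 10: Location should be filled in

# --- Steps 5/11: list site links and check whether transitivity is disabled ---
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { $_.SitesIncluded -join ';' } }
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg"
$opts = [int](Get-ADObject $ipTransport -Properties options).options
if ($opts -band 2) {
    'Bridge all site links is DISABLED (explicit site link bridges required)'
} else {
    'Site links are transitive; step 11 says to disable this:'
    '  Set-ADObject $ipTransport -Replace @{ options = ($opts -bor 2) }'
}

# --- Step 7: which servers are preferred bridgeheads (bridgeheadTransportList set) ---
$bridgeheads = Get-ADObject -SearchBase "CN=Sites,$cfg" `
    -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' |
    ForEach-Object Name
"Preferred bridgeheads: $($bridgeheads -join ', ')"

# --- Step 13: flag inter-site connection objects whose endpoints are not both
#     preferred bridgeheads (e.g. a West DC pulling directly from an East DC) ---
$conns = Get-ADReplicationConnection -Filter * `
    -Properties ReplicateFromDirectory, ReplicateToDirectory
foreach ($c in $conns) {
    # DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $from = $c.ReplicateFromDirectory -split ','
    $to   = $c.ReplicateToDirectory   -split ','
    $fromSrv, $fromSite = $from[1].Substring(3), $from[3].Substring(3)
    $toSrv,   $toSite   = $to[1].Substring(3),   $to[3].Substring(3)
    if ($fromSite -ne $toSite) {
        $flag = if (($bridgeheads -contains $fromSrv) -and ($bridgeheads -contains $toSrv)) {
            'ok'
        } else {
            'INVESTIGATE: inter-site partner is not a preferred bridgehead'
        }
        '{0} ({1}) <- {2} ({3}) {4}' -f $toSrv, $toSite, $fromSrv, $fromSite, $flag
    }
}
```

Run it from a management host in the Central site, since that is where the firewall conduits exist. The connection-object check is the one that answers Mike's question: any row flagged INVESTIGATE is a KCC-generated (or manual) partner that the site link and bridge design did not intend, and the fix is in the site link or bridge configuration (steps 5, 6 and 11), not in deleting the connection object, which the KCC will simply recreate. After changing site links, `repadmin /kcc` on the bridgeheads followed by `repadmin /showconn` confirms the new partners, and `nltest /dsregdns` on each DC re-registers the SRV records for step 12.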
        

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 10:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] sites, site links, site link bridges

Hi All,
     I have been struggling with a problem concerning sites.  Hopefully
someone out there will point out where I am going wrong.  I have 3 sites:
West, Central and East.  West/Central are connected via T1; Central/East are
also connected via T1.  One DC (A) in West, one DC (Z) in East, lots of DCs
(B-Y) in Central.  I have identified a preferred bridgehead server for each
of the sites.  We use IP protocol.  I have disabled automatic site bridging
because of interdivisional firewall issues that exist.  I would like: 1) A
to only talk to K and 2) Z to only talk to N.  For some reason with my
current configuration, A wants to talk to Z (and vice versa) and they
generate lots of errors because of poor connectivity or maybe no
connectivity since conduits don't exist for these connections.  How do I
get A and Z to only replicate with their preferred bridgehead partners in
Central?  Thanks much!
 
Mike Thommes
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/