RE: [ActiveDir] Site Replication Topology

[Creamer, Mark]

On a related note, I think someone on this list made mention of an excellent LDAP programming book recently, but I must not have kept it. Can someone make a good recommendation?   <mc> -----Original Message----- From: John Reijnders [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 19, 2003 9:59 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Site Replication Topology   You're welcome ... replication is (one of) my favourites :-). It's a good thing you're trying to be ahead of the game! GC caching is a nice feature, but I think it will not contribute to the discussion whether or not to collapse sites or go for a 1-on-1 scenario. It will play an important role when deciding whether or not to place GCs on certain locations. Given the fact that you might be faced with more AD aware/dependable apps there are some other important factor that come into play: ·         The fact whether or not you centralize the placement of DCs and if you do so you need to trust your WAN for failover. Having only centralized DCs/GCs combined with a WAN that fails now and then will not make you very popular ;-). However, the costs for having localized DCs/GCs have to be measured against the benefits. ·         The amount of bandwith that your apps will consume when they start querying non-centralized DCs. I've been through this exercise for environments with very limited bandwith too and we've decided to provide the spoke sites with DCs/GCs to ensure that the AD aware apps (Exchange and inhouse build apps) have the information they need. We knew that we had more control over AD replication then we had over the behaviour of AD aware app (developpers). Even with over 1000 sites connected by very limited bandwith (<20K) we could handle the amount of replication traffic in this 40K user environment. Given the replication improvements in W2003 (LVR) it only gets better :-) ... An important thing to consider when developping guidance for your devellopers is to do efficient queries. REALLY educate/teach/learn them (beat them up if you have) how ldap works and how ldap queries should be formulated in order to get efficient queries. This is important from a DC load AND from a network load point of view.   Cheers! John   From: Creamer, Mark [mailto:[EMAIL PROTECTED] Sent: woensdag 19 november 2003 15:14 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Site Replication Topology <LOL> Good question John…looking for something to do I guess. No, seriously I’m thinking more in terms of what is best as we grow. There have been rumblings of putting servers (members, not DCs) in a lot of our field locations. Currently only a couple of them have a server. But as we go to 2003, we can use GC caching and maybe some other interesting features that weren’t available before.   Mostly I am interested in maintaining a best practice AD infrastructure. Our development teams are learning and adopting LDAP into their apps and it’s my responsibility to give them guidance as well as provide a stable structure for everyone to use.   Thanks for taking the time for such a detailed and informative response! The catch-all subnet is an especially interesting tip I hadn’t thought of before.   <mc> -----Original Message----- From: John Reijnders [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 19, 2003 3:37 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Site Replication Topology   Two important "tasks" that sites have to deal with is optimizing replication traffic on one hand and authentication traffic on the other. At the moment you have a couple hundred physical sites in terms of individual subnets. By default you start designing your site topology by doing a one-to-one mapping of the "subnets connected at LAN speed"-to-sites. Once you've got this structure in place you should look at the locations that really need a DC/GC to be present on-site. After having taken this step, the next decision to take is whether or not to "collapse" sites that do not contain a DC into a nearby site with a DC or to keep the one-on-one mapping.   Having a one-to-one mapping means that your infrastructure will contain a lot of sites that do not contain DCs, thereby causing DCs to register site coverage records in DNS. These records are published in DNS to make sure that clients that live inside "DC less" sites are able to locate a DC nearby. This could potentially lead to a a large number of site coverage records. You'll have to make sure your DNS infra can handle this. I've seen non-MS DNS infrastructures having trouble with handling huge amounts of service records. Just a little point of attention. In most cases this shouldn't be something you should worry about a lot.   Next aspect is the famous design guideline "keep IT simple". Now this is interesting food for thought, because ... what is simple? Is a consistent 1-to-1 mapping between sites and subnets simple or is a minimum number of sites simple? It's all a matter of taste. Both options can/will work! The best fit depends on your network topology. I've seen a lot of organizations preferring the "minimum number of sites" option. The main reason is for keeping the sites and sitelink structure as simple as possible. And it also forces the organization to think about the linking of subnets to the right sites. Especially in a spaghetti like network topology this could be an important aspect. However, I've also seen organizations with a "clean" hub and spoke topology to choose for the "homogeneous" solution. Meaning, that the would create a site for every hub and every spoke, even if no DC was placed in the hubs.   Another thing that is wise to do is to define a "catch-all" subnet that contains the complete IP space you have and couple it to a central - well connected site. This will help you direct "badly-defined" subnet/site structures within AD to get redirected to this site. It will not prevent clients to go to the nearest DC that is in it's own site in the case the subnet/site definition is well defined. The reason that the catch-all subnet will not interfer with a well defined subnet-site mapping is that the most nearest/specific match will be tried. So a "narrow" subnet coupled to a site will get preference over a "not so narrow" subnet that also contains the IP address of the client.   In your case, I'm curious why you're looking at redesigning your site structure? Are your faced with problems/challenges/whatever that force you to make a move from one model to another ... or is your infrastructure too stable and are you looking for a new challenge ;-)?   Cheers! John   From: Creamer, Mark [mailto:[EMAIL PROTECTED] Sent: dinsdag 18 november 2003 20:37 To: [EMAIL PROTECTED] Subject: [ActiveDir] Site Replication Topology I’d like to revisit our site design, and am looking for some advice if possible. Right now we have a couple hundred physical sites in terms of individual IP subnets, but only a few sites defined in AD. The ones defined are the sites that actually have a domain controller located there. The greatest volume of traffic over our WAN is AS/400 emulation, so we have mostly slow links, 56-256K.   Reviewing Robbie’s book #1, I see he suggests a one-to-one site topology between sites defined in AD and physical sites where a subnet is located. Can I get an explanation why I would or might not want to set things up this way? My limited understanding of the sites was to associate the various subnets with a specific site, but I suspect there’s a lot more to it than that. Thanks!   Mark Creamer