Configuring Active Directory Sites and Services
After you created your Active Directory sites, you still have some work to do, even tough some may just leave the default configurations. Well…yeahh, they work in small environments, but is recommended you polish them a little. You need to do this so replication traffic is reduced as much as possible especially if the bandwidth between sites is limited. By creating and configuring site you are defining the geographical location of your company offices; group policies can be applied to sites, so you don’t have to go and create/link that policy to every domain in that site. You can also define the so-called bridgehead servers, which I’m going to discuss later in this guide, to reduce network traffic even more.
In this guide I have three sites connected trough VPN, and in every site I have two Domain Controllers. It doesn’t matter on which Domain Controller you are doing this, because all changes will replicate trough all the forest.
For starters, let’s name the sites. Open Active Directories Sites and Service console from Administrative Tools. As you can see I have my three sites, but the names are awful, they don’t mean anything. If someone new will be hired, he/she will not understand where is Branch-Office1.
Right-click the site name and choose Rename. You should name your sites based on the geographical location, or come up with a naming convention that is easy to read and understand. You can also type a description and a location of the site, and this is recommended to. Is done by right clicking the site and choosing Properties. After this your sites will look much better.
Now the replication part. This is just copy data from one server to another, I mean from one domain controller to another. If you create or delete a user account, that change needs to be seen by all domain controllers in the forest. There are two types of replication:
Intra site-replication – occurs between domain controllers on the same site
Inter site-replication – occurs between domain controllers on different sites
Inter-site replication is configured on a site link, and to do that expand Inter-Sites Transports, click IP then right-click the DEFAULTIPSITELINK and choose Properties.
By default all sites are replicating trough the DEFAULTIPSITELINK using the default schedule, at every 180 minutes. If you want the replication to occur more often just change the number of minutes in the box. As you can see there is a cost box present on this page. This determines how replication occurs over a particular route between two sites. The preferred routes are those with the lowest cumulative costs.
If you hit the Change Schedule button you can modify on what days and between what hours the replication can occur. Usually this is left alone but there might be some cases when you need to deny replication on certain intervals. This is done by selecting the days and hours in the calendar then click the Replication Not Available button. The portion you just selected will become white, meaning replication will not occur on those days/hours. Click OK when done.
Now is time to configure the intra-site replication. As I’ve told you before this is the type of replication that occurs between domain controllers on the same site. Drill down on your site until you reach the NTDS Settings object. On the right you will have the connection(s) between domain controllers in different sites. Right click the one you want to configure (change the replication schedule) and choose Properties.
Press the Change Schedule button. By default the intra-site replication occurs once per hour. To change that drag with your mouse on the calendar (as before) then from the right choose the replication interval button. Click OK when done.
We are not done with the sites configuration yet. We still need to configure a so-called bridgehead server. A bridgehead server is the domain controller that controls the inter-site replication. It receives information from other sites and replicates this information to the rest of the domain controllers in the same site. To specify a preferred bridgehead server expand you site name then Servers. Right-click the server name you wish to designate as a bridgehead server and choose Properties.
From the bottom list, where it says Transports available for inter-sites data transfer select the IP protocol and hit the Add button. I said IP, because most of the sites configurations are based on the IP protocol, but if you are using SMTP, choose that and click OK. Repeat this operation for the rest of your sites and configure a bridgehead server on every one of them. You can designate more that one bridgehead server in a site, but that’s usually not the case. As any other communication to be successful, ports need to be opened on your firewalls so replication can succeed. For a list of those ports please read this Microsoft Technet page.
If you right-click the NTDS Settings from a domain controller and go to Properties, you can designate this domain controller as a Global Catalog. Global Catalog servers are recommended in every site to reduce the inter-site replication traffic caused by logons, since group membership check is done by the domain controller that holds this role.
There are times when you want to force a replication and not wait for the schedule to occurs; adding, changing, removing users in AD. For that just right-click a connection and choose Replicate Now. The change should be replicated to the other site almost immediately.
Want content like this delivered right to your
email inbox?
More similar articles
Creating and configuring Windows Domain Service Accounts- Blocking Remote Access for Local Accounts by Group Policy
- Migrating from FRS to DFSR
- Building a three-tier Windows Certification Authority Hierarchy
- How to reset forgotten Active Directory Domain Administrator password
- How to enable WinRM (HTTP) via Group Policy
thanks sir
Great articule. Very well explained. Thanks.
I’m glad that you like it. Thank you.