none
Why does my Sites and Services have two manually created sitelinks per RODC?

    Question

  • Hello,

    I am trying to understand the methodology behind how a domain I manage was configured by a previous employee, but my google-fu (or should I say Bing-fu?) is not revealing any information. I'm hoping someone here with experience may be able to offer insight.

    Some general background:  Our domain has 30+ sites and is growing.  The majority if those sites run a single RODC, and no other domain controllers. We create these links manually instead of using KCC.

    Our build instructions for deploying a DC at a new site has us create TWO Active Directory Domain Services connections under its NTDS settings in Sites and Services. Both are pointed at the same (fully writable) domain controller. We modify the options value within the Attribute Editor of the first connection. We set its value to 65, resulting in 0x41 = (IS_GENERATED | RODC_TOPLOGY). We leave the second connection as is--except we change its name.

    Then we repeat the process using a different (fully writable) domain controller--so the RODC has 4 connections, and can get info from two DCs.

    It is my understanding that we set the options of the first connection to 65 so the SYSVOL cannot be edited from the local RODC. (At least that is what I was told.)

    My question is though, why do I generate a second connection to the same domain controller specifically WITHOUT the options changed?  I don't understand what having two of them gains us, but I was hopping someone with extensive AD experience may provide some insight--or a good source I can read. (As I said, I have not been able to find much through web searching.)

    Monday, May 1, 2017 6:51 PM

All replies

  • Hi,
    If you are asking why an RODC has two inbound connection, 
    “This is because File Replication Service (FRS) requires its own pair of connection objects in order to function correctly.
    In previous versions of Windows Server, FRS was able to utilize the existing connection objects between two domain controllers to support its replication of SYSVOL content. However, because an RODC only performs inbound replication of Active Directory data, a reciprocal connection object on the writable replication partner is not needed.
    Consequently, the Active Directory Domain Services Installation Wizard generates a special pair of connection objects to support FRS replication of SYSVOL when you install an RODC. You should not delete “RODC Connection (FRS)” connection object, even if you are using DFSR to replicate SYSVOL. The connection object is required to replicate SYSVOL regardless of whether you use FRS or DFSR.”
    You could see more details from: https://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, May 2, 2017 6:51 AM
    Moderator