Best practice on Active Directory Sites and Services?

    Question

  • Hello,

    I am trying to evaluate our AD Sites and Services configuration that has not been touched in a long time to make sure it is configured correctly. The reason is I want to leverage AD Sites in SCCM Boundaries; so before I build on top of AD Sites I want to make sure it is valid and sane.

    We have a main location, which is our data center, and 10 remote offices (some larger with 50-100 clients and others as small as 10 clients), connected with MPLS or IPsec, so remote locations can reach the DCs for authentication over the WAN link just fine except if there is a connectivity issue, which we are OK with.

    The main location has two Domain Controllers, one of which is our FSMO role owner; remote offices have a Windows server but no DC, except one location. We do this to keep things simple: when it comes time to upgrade our DCs we don't have to update the OS on 10 servers to raise our schema level, and the WAN traffic is acceptable.

    So we have:

    - Primary Site with 2 DCs, one has our FSMO role ownership

    - Remote Office 1 has a DC

    - Remote Office 2 (slow link) has a RODC

    - Remote Offices 3 - 10 have no DCs, just a file server locally for shares, etc.

    Currently in our AD Sites and Services we have 8 sites defined and we also have many Subnets defined and assigned to the corresponding sites. Not all of our remote offices have a site defined. 

    1. What is the best practice around this in our scenario?
    2. Should each remote office location be defined as a "Site" in AD Site and Services?
    3. Should we create all the valid subnets for each remote location and assign them to the corresponding Site defined in #1?
    4. What about Inter-Site Transports > IP? We have Site Link type definitions for each site it seems; is this correct even if those sites don't have DCs?

    At some point long time ago we had DCs in all these sites, but have since de-complicated stuff and we only run a few DCs now. So I just want to make sure our configuration is valid.

    Any AD experts out there?



    • Edited by techy86_ Saturday, January 7, 2017 4:45 AM edit for easy reading
    Saturday, January 7, 2017 4:40 AM

Answers

  • What is the best practice around this in our scenario?

    The best practice is to create a different subnet for each office, then create an Active Directory site for each office which has a domain controller, and finally you should assign each subnet to the closest site to force users to contact the closest Active Directory.

    Should each remote office location be defined as a "Site" in AD Site and Services?

    You should define a site for each office which has a domain controller. You don't have to create a site for an office without a domain controller already installed.

    Should we create all the valid subnets for each remote location and assign them to the corresponding Site defined in #1?

    You should create a subnet for each remote office, then assign them to the closest site (it can be another remote site if there is no Active Directory in the local office) to let users contact the closest Active Directory.

    What about Inter-Site Transports > IP? We have Site Link type definitions for each site it seems; is this correct even if those sites don't have DCs?

    If you have two sites linked by a VPN connection, and you would like to ensure Active Directory replication between them, you have to create a site link in AD Sites and Services to let the KCC generate the connection objects automatically.

    • Marked as answer by techy86_ Tuesday, January 10, 2017 3:02 AM
    Sunday, January 8, 2017 3:01 PM
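    The following PowerShell script is an added example, not part of this thread or of any Microsoft documentation, that audits an existing AD Sites and Services configuration against the points made in the answer above: it lists sites that contain no domain controller, subnets assigned to such sites or to no site at all, the site links with their cost and interval, and sites with a DC that appear in no site link. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the Configuration partition; the output object property names (Flag, SITE-HAS-NO-DC, UNASSIGNED) are ones chosen here, not part of the module.

```powershell
# Added example (not from the thread): audit sites, subnets and site links.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

$dcs     = Get-ADDomainController -Filter *
$sites   = Get-ADReplicationSite -Filter *
$subnets = Get-ADReplicationSubnet -Filter *
$links   = Get-ADReplicationSiteLink -Filter *

# Helper: map a site distinguished name to its short name
$siteNameByDn = @{}
foreach ($s in $sites) { $siteNameByDn[$s.DistinguishedName] = $s.Name }

# 1. Sites that contain no domain controller (the situation described in the question)
$dcSites        = $dcs | Select-Object -ExpandProperty Site -Unique
$sitesWithoutDc = $sites | Where-Object { $dcSites -notcontains $_.Name }
"Sites without a DC:"
$sitesWithoutDc | Select-Object Name

# 2. Subnets assigned to DC-less sites, and subnets assigned to no site at all
"Subnet assignment:"
$subnets | ForEach-Object {
    $siteName = if ($_.Site) { $siteNameByDn[$_.Site] } else { '<none>' }
    $flag = if (-not $_.Site)                                { 'UNASSIGNED' }
            elseif ($sitesWithoutDc.Name -contains $siteName) { 'SITE-HAS-NO-DC' }
            else                                              { 'ok' }
    [pscustomobject]@{ Subnet = $_.Name; Site = $siteName; Flag = $flag }
} | Sort-Object Flag, Subnet | Format-Table -AutoSize

# 3. Site links: which sites each one joins, with cost and replication interval
"Site links:"
$links | Select-Object Name, Cost, ReplicationFrequencyInMinutes,
    @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { $siteNameByDn[$_] }) -join ', ' } } |
    Format-Table -AutoSize

# 4. Sites that hold a DC but belong to no site link: the KCC cannot build
#    inter-site connection objects for these, so replication to them will fail
$linkedSites = $links | ForEach-Object { $_.SitesIncluded } |
               ForEach-Object { $siteNameByDn[$_] } | Select-Object -Unique
$dcSites | Where-Object { $linkedSites -notcontains $_ } |
    ForEach-Object { "WARNING: DC site '$_' is not a member of any site link" }
```

Run it as a user who can read the Configuration naming context (any domain user can by default). Rows flagged SITE-HAS-NO-DC are the ones the answer says should be reassigned to the nearest site that does hold a DC; UNASSIGNED rows are subnets whose clients will fall back to a random DC because the site lookup finds nothing.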

All replies

  • Thanks for the reply. Based on your response, is it then an accurate understanding that having Sites defined in AD Sites and Services for locations where there are no domain controllers is wrong?

    • We should create Sites in locations only where there are domain controllers.
    • We should create subnets for all of our existing subnets and assign them to Sites that have domain controllers, even if that site is not in the same location as the subnet being assigned.

    What is the effect of having Sites defined for locations that do NOT have a domain controller and having subnets assigned to those sites? Which is what we have right now. Is this just viewed as not a best practice?

    • Edited by techy86_ Sunday, January 8, 2017 5:31 PM
    Sunday, January 8, 2017 5:31 PM

  • What is the effect of having Sites defined for locations that do NOT have a domain controller and having subnets assigned to those sites? Which is what we have right now. Is this just viewed as not a best practice?

    Hi,

    If a site contains no DCs, the DCs in the sites closest to that site based on site link costs will help clients find a DC as close as possible. This is known as automatic site coverage.

    If there is no site link, users will contact a random R/W DC.

    You can refer to the following links for more details:

    Ask the Directory Services Team 

    Learning About Automatic Site Coverage



    Sunday, January 8, 2017 6:44 PM
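    As an added example, not taken from this thread or from the linked articles, the script below checks automatic site coverage from the outside: for every site it resolves the site-specific `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` SRV record, which is what clients query when locating a DC for their site, and compares the DCs advertised there against the DCs actually placed in that site. A DC-less site that still shows advertised DCs is being covered by the nearest site across the site links, as the reply above describes; a site with no advertised DC is one whose clients will fall back to a random DC. It assumes the ActiveDirectory module, DNS resolution of the domain's `_msdcs` zone from the machine it runs on, and the `nltest` tool that ships with Windows.

```powershell
# Added example (not from the thread): show which DCs advertise for each site,
# including sites that hold no DC of their own (automatic site coverage).
# Assumes the ActiveDirectory module and DNS access to the domain's _msdcs zone.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
# Hashtable keyed by site name, value = the DC object(s) located in that site
$dcSites = Get-ADDomainController -Filter * | Group-Object Site -AsHashTable -AsString

foreach ($site in Get-ADReplicationSite -Filter *) {
    # Site-specific SRV record that the DC locator queries for this site
    $srv = Resolve-DnsName -Name "_ldap._tcp.$($site.Name)._sites.dc._msdcs.$domain" `
               -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }

    $advertised = ($srv | Select-Object -ExpandProperty NameTarget -Unique) -join ', '
    $local      = if ($dcSites -and $dcSites[$site.Name]) {
                      ($dcSites[$site.Name] | ForEach-Object { $_.HostName }) -join ', '
                  } else { '(none)' }

    [pscustomobject]@{
        Site          = $site.Name
        LocalDCs      = $local
        AdvertisedDCs = $advertised
        Covered       = [bool]$srv      # false = clients of this site get a random DC
    }
}

# The same question from a client's point of view: which site was this machine
# placed in by its subnet, and which DC did the locator actually hand back?
nltest /dsgetsite
nltest /dsgetdc:$domain
```

Run the last two commands on a workstation in one of the remote offices rather than on a DC: if `/dsgetsite` reports a site other than the one you expected, the client's subnet is missing or assigned to the wrong site, and the `Dc:` line from `/dsgetdc` shows whether it ended up on the covering DC or on an arbitrary one across the WAN.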