Best practice for Sites replication

  • Question

  • Hi,

    We have all our sites connected to the Main office with good bandwidth. We have 2 Win2K8-R2 GC DCs holding the primary roles in our Head Office. All DCs at the branches are Win2K3-R2 GC DCs.

    I want to change the replication so that each branch server replicates only with the 2 DCs at the Head Office. Is this OK and good practice? Is there anything that I should take care of while doing this change?

    Also, I want to know about the amount of bandwidth AD replication is taking. What traffic should I monitor on the router; can anyone guide me with the ports?

    Thanks in advance.


    abc

    Sunday, April 8, 2012 6:14 AM

Answers

  • Hello,

    best practice is to let the KCC handle the replication, especially if you have good bandwidth available between the sites:

    http://blogs.technet.com/b/markmoro/archive/2011/08/05/you-are-not-smarter-than-the-kcc.aspx

    See also: http://technet.microsoft.com/en-us/library/cc730868.aspx and http://technet.microsoft.com/en-us/library/cc755768.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Edited by Meinolf Weber Sunday, April 8, 2012 1:19 PM
    • Proposed as answer by Abhijit Waikar Monday, April 9, 2012 1:18 AM
    • Marked as answer by 朱鸿文 Thursday, April 12, 2012 1:58 AM
    Sunday, April 8, 2012 1:17 PM
  • Hello,

    I would recommend leaving the KCC to generate your replication topology, and I would not recommend that you manually make changes. More in Mark's article which Meinolf pointed to.

    I would also recommend that:

    • Each physical site has its own AD site
    • Each subnet in use is created and linked to the correct AD site
    • Your DCs are moved to the correct AD sites

    If all is okay with that, then you can be sure that you have optimized AD traffic for authentication and minimized the amount of AD replication.

    Note that the amount of replicated traffic depends on your AD changes and updates. For that, I would recommend monitoring replication traffic.

    You can use SCOM for monitoring.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Proposed as answer by Abhijit Waikar Monday, April 9, 2012 1:18 AM
    • Marked as answer by 朱鸿文 Thursday, April 12, 2012 1:58 AM
    Sunday, April 8, 2012 7:43 PM
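Added example (editor's illustration, not code from any reply in this thread) of the three bullets above done in PowerShell: one AD site per physical location, every subnet in use attached to its site, each DC's server object moved into its site, and plain hub-and-spoke site links so the KCC can pick bridgeheads and build the connection objects itself. It assumes the ActiveDirectory module with the `*-ADReplication*` cmdlets (Windows Server 2012 or later RSAT); the site, subnet and DC names are placeholders.

```powershell
# Added example: build the site/subnet/DC layout recommended above.
# Requires the ActiveDirectory module from Server 2012+ RSAT (assumption).
# Site, subnet and DC names below are constructed placeholders.
Import-Module ActiveDirectory

$topology = @{
    'HeadOffice' = @{ Subnets = @('10.0.0.0/16');  DCs = @('HO-DC01', 'HO-DC02') }
    'Branch-A'   = @{ Subnets = @('10.10.0.0/24'); DCs = @('BRA-DC01') }
    'Branch-B'   = @{ Subnets = @('10.20.0.0/24'); DCs = @('BRB-DC01') }
}

foreach ($siteName in $topology.Keys) {
    # 1. One AD site per physical location
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    # 2. Every subnet in use, attached to the site that owns it; clients find a
    #    DC in their own site by matching their IP against these subnets
    foreach ($cidr in $topology[$siteName].Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $siteName
        }
    }
    # 3. Move each DC's server object into its site; the KCC rebuilds the
    #    intra- and inter-site connection objects on its next run
    foreach ($dc in $topology[$siteName].DCs) {
        if ((Get-ADDomainController -Identity $dc).Site -ne $siteName) {
            Move-ADDirectoryServer -Identity $dc -Site $siteName
        }
    }
}

# Hub-and-spoke site links (hub to each branch only). Cost 100 is the default;
# the replication interval is the one the KCC uses for that link's schedule.
foreach ($branch in 'Branch-A', 'Branch-B') {
    $linkName = "HeadOffice-$branch"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded 'HeadOffice', $branch `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
    # Leaving a branch in DEFAULTIPSITELINK as well would give the KCC a second,
    # unintended path, so take it out of the default link if it landed there
    $default = Get-ADReplicationSiteLink -Identity DEFAULTIPSITELINK `
        -Properties SitesIncluded -ErrorAction SilentlyContinue
    if ($default -and ($default.SitesIncluded -match "^CN=$branch,")) {
        Set-ADReplicationSiteLink -Identity DEFAULTIPSITELINK -SitesIncluded @{ Remove = $branch }
    }
}

# Verify: every DC sits in the expected site, and no subnet is orphaned
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } | Select-Object Name
```

The two verification lines at the end are the checks worth repeating after any change: a DC in the wrong site or a subnet without a site is what sends branch logons across the WAN and makes replication look heavier than it is.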
  • In addition to Mr X's and Meinolf's responses, I would like to add that if there are multiple remote locations that do not have connectivity to each other, such as if you have a hub and spoke, the KCC will still try to create partnerships to bridgeheads in those sites, because SiteLinkBridging is enabled by default. That is something you may want to look at disabling if it applies in your case. Then, as Meinolf said, the KCC will automatically do the rest, taking into account that the SiteLinkBridging feature has been disabled.

    How to optimize Active Directory replication in a large network
    Mar 2, 2007 – "Automatic site-link bridging is enabled for both the IP and Simple Mail Transport Protocol (SMTP) inter-site transports by default."
    http://support.microsoft.com/kb/244368 



    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, April 9, 2012 2:41 AM
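Added example (editor's illustration, not from Ace's reply or the KB article) of inspecting and switching off automatic site-link bridging for the IP transport. The setting is a bit in the `options` attribute of the `CN=IP,CN=Inter-Site Transports` object in the configuration partition: bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) set means "Bridge all site links" is off, so the KCC only routes over site links that share a site, or over site-link bridges you create explicitly. The cmdlets used (`Get-ADRootDSE`, `Get-ADObject`, `Set-ADObject`) are in the Server 2008 R2 ActiveDirectory module; the bridge name is a placeholder.

```powershell
# Added example: read and clear the automatic site-link bridging flag on the
# IP inter-site transport. Bit 0x2 set = automatic bridging DISABLED.
Import-Module ActiveDirectory

$BridgesRequired = 0x2   # NTDSTRANSPORT_OPT_BRIDGES_REQUIRED
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

function Get-SiteLinkBridgingState {
    $obj = Get-ADObject -Identity $ipTransport -Properties options
    $options = if ($obj.options) { [int]$obj.options } else { 0 }
    New-Object PSObject -Property @{
        Options             = $options
        AutoBridgingEnabled = (($options -band $BridgesRequired) -eq 0)
    }
}

function Disable-SiteLinkBridging {
    $state = Get-SiteLinkBridgingState
    if ($state.AutoBridgingEnabled) {
        # Set only our bit; leave other option bits (e.g. ignore schedules) alone
        Set-ADObject -Identity $ipTransport `
            -Replace @{ options = ($state.Options -bor $BridgesRequired) }
    }
}

function Enable-SiteLinkBridging {
    $state = Get-SiteLinkBridgingState
    if (-not $state.AutoBridgingEnabled) {
        Set-ADObject -Identity $ipTransport `
            -Replace @{ options = ($state.Options -band (-bnot $BridgesRequired)) }
    }
}

Get-SiteLinkBridgingState        # before
Disable-SiteLinkBridging
Get-SiteLinkBridgingState        # after: AutoBridgingEnabled = False

# With bridging off, only sites that share a site link replicate directly. If two
# branches really do need to exchange traffic through the hub, describe that path
# with an explicit bridge (placeholder link names) instead of re-enabling bridging:
# New-ADReplicationSiteLinkBridge -Name 'Hub-Branches' `
#     -SiteLinksIncluded 'HeadOffice-Branch-A', 'HeadOffice-Branch-B'

# Ask the KCC to recompute now rather than waiting for its next run (run on a DC)
repadmin /kcc
```

In a hub-and-spoke where each branch has a site link only to the head office, this leaves each branch DC with inter-site connection objects to head-office bridgeheads only, which is close to what the original question asked for, but decided by the KCC rather than by hand-made connection objects.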
  • Hi,

    Here are some links regarding ports which are used in Active Directory Replication and replication monitor tool.

    Active Directory Replication Over Firewalls

    http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx

    Ports used in Active Directory Replication

    http://blogs.technet.com/b/janelewis/archive/2006/11/13/ports-used-in-active-directory-replication.aspx

    HOW TO: Use the Replication Monitor to Determine the Operations Master and Global Catalog Roles

    http://support.microsoft.com/kb/297230

    I hope the information can be useful to you. Please feel free to let us know if you have any question or concern.

    Regards

    Kevin


    TechNet Community Support

    • Marked as answer by 朱鸿文 Thursday, April 12, 2012 1:59 AM
    Monday, April 9, 2012 6:56 AM
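Added example (editor's illustration, not from Kevin's reply or the linked articles) that probes, from a branch DC, the fixed TCP ports those articles list for replication against each head-office DC, and reports whether a static RPC port has been pinned on the remote DC (the `TCP/IP Port` value under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`, per KB224196). It uses `System.Net.Sockets.TcpClient` so it runs on the PowerShell 2.0 that ships with 2008 R2. Hub DC names are placeholders; reading the remote registry assumes the Remote Registry service is reachable on the hub DCs.

```powershell
# Added example: check replication-related TCP ports from a branch DC to the hub DCs.
# Limits (see lead-in): TCP connect only, so UDP Kerberos/DNS are not exercised,
# and the RPC endpoint mapper (135) hands replication to a dynamic port
# (49152-65535 on Server 2008+, 1025-5000 on Server 2003) unless it is pinned.
$HubDCs = 'HO-DC01', 'HO-DC02'          # placeholders
$ReplicationPorts = @(
    @{ Port = 135;  Service = 'RPC endpoint mapper (DRS replication, MS-DRSR)' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 636;  Service = 'LDAP over SSL' }
    @{ Port = 3268; Service = 'Global catalog LDAP' }
    @{ Port = 3269; Service = 'Global catalog LDAP over SSL' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 53;   Service = 'DNS' }
    @{ Port = 445;  Service = 'SMB (SYSVOL via FRS/DFSR, Group Policy)' }
)

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Static replication RPC port, if one was pinned on the remote DC; 0 means dynamic
function Get-StaticReplicationRpcPort {
    param([string]$Computer)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        $value = $key.GetValue('TCP/IP Port')
        if ($value) { [int]$value } else { 0 }
    } finally {
        $hive.Close()
    }
}

foreach ($dc in $HubDCs) {
    $ports = $ReplicationPorts
    $staticPort = Get-StaticReplicationRpcPort -Computer $dc
    if ($staticPort) {
        $ports = $ports + @( @{ Port = $staticPort; Service = 'Pinned NTDS RPC port' } )
    } else {
        Write-Warning "$dc uses a dynamic RPC port for replication; the router must pass the whole dynamic range"
    }
    foreach ($p in $ports) {
        $state = if (Test-TcpPort -Computer $dc -Port $p.Port) { 'open' } else { 'BLOCKED' }
        '{0,-10} {1,5}  {2,-45} {3}' -f $dc, $p.Port, $p.Service, $state
    }
}
```

For the router question in the original post, the practical consequence is the dynamic range: unless the NTDS RPC port is pinned on every DC, a filter that only matches the fixed ports above will miss the bulk of the replication payload, which travels on the endpoint-mapper-assigned port.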

All replies

  • Why do you want to restrict replication to only 2 DCs in HO? My suggestion would be not to implement this, because the two DCs can become heavily loaded, and if both DCs fail at the same time there can be more issues. Don't restrict replication to two specific DCs.

    http://blogs.technet.com/b/askds/archive/2011/04/29/sites-sites-everywhere.aspx

    There are no documents that state an accurate bandwidth requirement, and it can't be specified in figures. The reason is that bandwidth depends on a lot of variables like SYSVOL / number of GPOs / roaming profile size / number of apps / users / computers at the site, etc. Anything less than 500 kbps is referred to as a slow link for processing GPOs.

    http://technet.microsoft.com/en-us/library/cc978243.aspx

    You can also use tools like Netmon/Wireshark to monitor the real-time traffic, which might give you some idea, but it may not be exact. You can monitor the packet requests from source and destination.

    Active Directory and Active Directory Domain Services Port Requirements  http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

     

    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, April 9, 2012 9:48 AM
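Added example (editor's illustration, not from Awinish's or Mr X's replies) for the bandwidth question raised in both of them: rather than guessing, sample the NTDS replication performance counters on a branch DC across a replication interval and convert the averages and peaks to kbit/s. The counter names are the ones exposed by the NTDS object on a Server 2008 R2 DC; `Get-Counter` is available in PowerShell 2.0. The "Before Compression" versus "After Compression" pair shows how much inter-site compression is saving on the link.

```powershell
# Added example: measure replication bytes seen by a DC over a sampling window.
# Run on the branch DC, or point -ComputerName at it (remote perf counter access).
param(
    [string]$ComputerName    = $env:COMPUTERNAME,
    [int]$SampleSeconds      = 300,   # cover at least one inter-site interval
    [int]$IntervalSeconds    = 5
)

$counters = @(
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec',
    '\NTDS\DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec',
    '\NTDS\DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec',
    '\NTDS\DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec'
)

function Measure-ReplicationBandwidth {
    param([string]$Computer, [int]$Seconds, [int]$Interval)
    $maxSamples = [math]::Ceiling($Seconds / $Interval)
    $samples = Get-Counter -ComputerName $Computer -Counter $counters `
        -SampleInterval $Interval -MaxSamples $maxSamples

    # Collect every cooked value per counter name (the last path segment)
    $series = @{}
    foreach ($set in $samples) {
        foreach ($s in $set.CounterSamples) {
            $name = $s.Path.Substring($s.Path.LastIndexOf('\') + 1)
            if (-not $series.ContainsKey($name)) { $series[$name] = @() }
            $series[$name] += $s.CookedValue
        }
    }

    # Bytes/sec -> kbit/s for average and peak, so it can be compared with the WAN link
    foreach ($name in ($series.Keys | Sort-Object)) {
        $stats = $series[$name] | Measure-Object -Average -Maximum
        New-Object PSObject -Property @{
            Counter  = $name
            AvgKbps  = [math]::Round($stats.Average * 8 / 1000, 1)
            PeakKbps = [math]::Round($stats.Maximum * 8 / 1000, 1)
        }
    }
}

Measure-ReplicationBandwidth -Computer $ComputerName -Seconds $SampleSeconds -Interval $IntervalSeconds |
    Format-Table Counter, AvgKbps, PeakKbps -AutoSize

# Correlate the numbers with what the DC is actually doing: partners, last success,
# and any failures that would cause repeated full retries
repadmin /replsummary
repadmin /showrepl $ComputerName
```

These counters measure directory-replication payload as the DC sees it, not packet overhead, and they say nothing about SYSVOL (FRS/DFSR) or Group Policy traffic, which is why a capture at the router or the interface counters on the branch router still give the only complete figure for the link.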

  • Hi,

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as 'Answered', as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
     
    BTW,  we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
     
    Best Regards
     
    Kevin


    TechNet Community Support

    Thursday, April 12, 2012 1:58 AM