Creating sites

John II

Hello:

My company has Chicago as the central hub site with
the Win2k PDC emulator and there are 5 other offices that
connect to Chicago via Frame Relay and each of the 5
offices has a Windows 2000 server. By default, all
servers were created in the DEFAULT SITE all connected
with the DEFAULT SITE LINK.
Right now, all client PCs at each branch office get
their logon scripts from any of the 6 servers. I want
each office instead to authenticate to its local server
and get its logon script from their local server instead
of always going to any server for its authentication. I
understand that if you properly create the sites, each
client will be able to authenticate to its server
specified in AD sites and services.
Can someone please help me with a site layout? All
offices are connected to CHI at 512kbps. Thanks.

John
 
Mike Aubert

Hi John,

You will want to create an Active Directory site for each of the locations.
This means Chicago will have its own site (it would probably be best to use
the default site for Chicago and just rename the existing default site) as
will each of the five other offices. So, you will end up with six sites in
all.

You will also need to create subnet objects for each of the subnets used on
your network. Subnet objects are linked to a site and define what subnet(s)
make up the site.

Each of the five remote sites should be connected to the Chicago office
using their own IP site link (again, renaming the default IP site link and
using it as the connection between the Chicago site and one of the other
remote sites). You can leave the default site link cost of 100. So, you will
end up with five site links. Configuring the site links this way will make
it so that the remote sites attempt to replicate with a domain controller in
the Chicago site (as long as a domain controller is available in the Chicago
site). If your network topology is not a hub and spoke design, (i.e. you
have more connections than just one from each of the remote offices to the
Chicago office) then let me know - the site link design may need
modification.

Here is a step-by-step guide to creating sites, site links, and subnets:

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/adsites.asp

Be aware that after you create sites you will manually need to move the
domain controllers to the correct sites (don't worry about clients - they
will figure it out on their own the next time they start up). You can find
the step-by-step in the above link or here:

Automatic Detection of Site Membership for Domain Controllers
http://support.microsoft.com/?id=214677

Also be aware that once you create sites the replication topology/frequency
will change. You may need to modify the replication schedule/interval
depending on your environment. By default, links are available 24/7 and the
replication interval is every 3 hours. The following KB article contains
steps to change these default values:

HOW TO: Configure Site Link Replication in Windows 2000
http://support.microsoft.com/?id=321253

For more info on Active Directory replication have a look at this:

http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsbh/dsbh_rep_yphn.asp

By the way, I'm assuming that each of the Windows 2000 Servers at the remote
sites are already configured as domain controllers.

Oh, one last thing, if you only have a single domain in your forest you
should check to see that all your domain controllers are configured as
global catalog servers. That way global catalog traffic will not have to
cross the WAN. If you have multiple domains in your forest there are other
issues you have to consider (like not making the infrastructure master a
global catalog server) so let me know if that is the case. Here is a KB
article on how to configure global catalog servers:

How to promote a domain controller to a global catalog server
http://support.microsoft.com/?id=296882


I think that about covers it. ;) Just let me know if you would like anything
explained further!

Mike

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.
 
John II

Hi Mike,

Thank you very much for your prompt response to my
problem. Just to let you know that we are in a star
configuration and everyone comes in to Chicago. Now you
did mention to make the Default Site Link (Chicago) at
100, but what cost do I make the other 5 links?
This whole problem arose mainly because I did previously
create 6 sites and I did not use the DEFAULT SITE AND SITE
LINK. I then made a site link for each office and moved
each server into each site. A day later, all hell broke
loose and everything in our sysvol folder under our domain
name was gone (Policies and Scripts folder). Did I do
something wrong? It looks like replication messed up
somewhere because when I moved everything back to the DEFAULT
SITE all the scripts and policies started appearing again.
Did this happen because I did not use the DEFAULT SITE and
SITE LINK?
Thanks very much for your help.

John II
 
Mike Aubert

John,

Make them all 100 -- and, by the way, the cost is on the site link, not the
site.

I'm not sure why the folders in SYSVOL disappeared. Just make sure when you
set up the sites/site links that all sites are connected (including the
default site - this is why I recommend you rename the default site and use
it for Chicago). For example, say you had 4 sites, A, B, C, and D with an A-B
site link and a C-D site link. In this scenario, if there was a domain
controller in sites A and D no replication could occur -- there is no path
from A to D. You would want to have an additional site link between B and C
(or A-C, or A-D, or B-D) to ensure all sites are connected.

Mike

 
John II

Hi Mike,

So instead of me creating 5 site links, I am going to
have to create a few more to make paths for the other
offices to reach each other? Right now this is what I have
as follows and F being Chicago:

A - F
B - F
C - F
D - F
E - F

Should I then make A - C, B - D, and C - E? Should they
all be cost of 100 as well?
Also, I have an office that has no server but accesses the
CHI site for server access and AD authentication with a
1.5mbps connection. Do I make a separate site for them or
just simply add the subnet to the CHI site? With this
topology in mind, I would like though to make sure that
when a change is added to AD, everything replicates right
away. I understand the concept of creating sites is to
control replication, but I would like everything to
replicate once a user is added, changed, deleted, etc...
Will it still be like this or do I have to make
replication schedules?

Thanks as always,

John II
 
Mike Aubert

Hey John,

Nope - you don't need to create any more site links - the first 5 you have
listed are enough. What I meant was make sure you don't have any sites that
aren't connected in some way to the other sites. For example, say you added
two additional sites and configured the site links this way:

A - F
B - F
C - F
D - F
E - F

G - H

You see in the above how the G site and H site have no path to the other
sites? A, B, C, D, E, and F are connected with each other (not all directly,
but indirectly) and G and H are also connected with each other. If there was
a domain controller in site G or H it would be unable to replicate with any
domain controllers in sites A, B, C, D, E, or F. This is what you want to
avoid - having sites that there is no replication path to/from.

As far as client access goes you can create a site for that one small office
or just add their subnet to the CHI site - it will accomplish the same
thing. However, I would typically create a site for that office even if
there is no domain controller - that way you can still do things like apply
Group Policy at the site level.

If you would like change notification to occur between sites you have to
enable it using ADSIedit on the site link. Have a look at the "Change
Notification Between Sites" section of this link (it's almost all the way at
the bottom):

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distsys/part1/dsgch06.asp

Mike

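
The connectivity rule from the reply above, as an added example that is not part of the original thread: a PowerShell function that groups sites by reachability over site links, so any group with no replication path to the rest stands out. The name `Get-SiteIsland` and the sample data are constructed for illustration (site letters as used in the thread); it assumes PowerShell 5 or later.

```powershell
# Added example: group AD sites by reachability over site links.
# Get-SiteIsland is a constructed name; each link object needs Name and Sites.
function Get-SiteIsland {
    param(
        [Parameter(Mandatory)] [string[]] $Sites,
        [Parameter(Mandatory)] [object[]] $SiteLinks
    )
    $cmp = [System.StringComparer]::OrdinalIgnoreCase   # compare site names ignoring case
    # Adjacency list: every site named in a link can reach the other sites in that link.
    $adj = @{}
    foreach ($s in $Sites) {
        $adj[$s] = [System.Collections.Generic.HashSet[string]]::new($cmp)
    }
    foreach ($link in $SiteLinks) {
        foreach ($a in $link.Sites) {
            if (-not $adj.ContainsKey($a)) {
                throw "Site link '$($link.Name)' names a site that is not in the site list: $a"
            }
            foreach ($b in $link.Sites) { if ($a -ne $b) { [void]$adj[$a].Add($b) } }
        }
    }
    # Breadth-first search from each unvisited site yields one connected group per pass.
    $seen = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $islands = @()
    foreach ($start in $Sites) {
        if (-not $seen.Add($start)) { continue }
        $queue = [System.Collections.Generic.Queue[string]]::new()
        $queue.Enqueue($start)
        $group = @()
        while ($queue.Count -gt 0) {
            $cur = $queue.Dequeue()
            $group += $cur
            foreach ($n in $adj[$cur]) {
                if ($seen.Add($n)) { $queue.Enqueue($n) }
            }
        }
        $islands += ,@($group | Sort-Object)
    }
    return ,$islands
}

# Constructed sample: the thread's topology (F = Chicago) plus the unlinked G-H pair.
$sites = 'A','B','C','D','E','F','G','H'
$links = 'A-F','B-F','C-F','D-F','E-F','G-H' | ForEach-Object {
    [pscustomobject]@{ Name = $_; Sites = $_ -split '-' }
}
$islands = Get-SiteIsland -Sites $sites -SiteLinks $links
"{0} connected group(s) of sites" -f $islands.Count
$islands | ForEach-Object { '  ' + ($_ -join ', ') }
```

A site that appears in no link at all (for example a leftover default site) comes back as its own single-member group. On a system with the ActiveDirectory module, the inputs could be built from `Get-ADReplicationSite` and `Get-ADReplicationSiteLink`, whose `SitesIncluded` property lists member sites as distinguished names that would first need mapping to site names.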
 
John II

Hi Mike,

Thanks again for your help. As for the subnet that has no
server, if I create its own site for that subnet, how will
it know to authenticate to the CHI server? Also, I have to
make sure I have all the local servers for each office in
each site server folder, correct? Thanks Mike,

John II
 
Mike Aubert

Hey John,

Don't worry about the clients in the site without a domain controller - the
domain controller at CHI will register all the necessary DNS records that
the clients need. (By the way, I am assuming that the subnet without a
domain controller is physically at its own site. If you actually mean you
have two subnets physically at CHI then just go ahead and add both subnets
to CHI.)

Yes, you will need to manually move the domain controllers to the correct
sites in Active Directory Sites and Services.

Mike

 
