Intra or Inter site replication

Guest

We are beginning a Windows 2003 AD implementation for a school corporation.
The cliff note version of their infrastructure is wireless (802.11b) between
each school (HS, MS, ES, Admin Bldg) with a bonded T1 connection to the
Internet. For the most part, only Internet based traffic will traverse the
wireless network but that is approximately 800 PCs total, not all at one
time. We will be putting a DC at each school but I'm undecided on how to do
the replication. Should I go with the default Intra-site replication or
implement sites for each school to do inter-site replication so that I can
control replication traffic? I don't foresee many AD changes throughout a
day and changes that are made could easily be made on the appropriate DC.

Mainly, I'm just looking for some feedback as to if it is worth the
potential headache to put in Inter-site replication or should I just stick
with Intra-site replication. Also, isn't there a way (registry hack or
something) to change the default (15 second) replication pull request to the
other DCs? One note, next summer they will be upgrading their wireless to
802.11g.

Thanks in advance for your comments.
 
Simon Geary

What is your IP addressing scheme? If each school will be on the same subnet
you really don't have any choice but to have all DCs in the same site, which
means a user in HS could end up authenticating against a DC in ES (which is
bad).

Similarly, if the schools will be on different subnets you should implement
AD sites for each school. An AD site is supposed to be 'well connected' and
I always take this to mean 100Mb connectivity. I think my advice would be to
use separate subnets and AD sites for each school. Inter-site replication is
done on a schedule and so can be controlled easier than Intra-site anyway.

This link explains how to change the 15 second interval. You can do it per
DC in the registry, or per partition on an Active Directory attribute
http://www.microsoft.com/technet/pr...Ref/1465d773-b763-45ec-b971-c23cdc27400e.mspx
 
Guest

Each school is set up in a different subnet so I will implement Inter-site
replication. I do have a question regarding inter-site replication. Since
the network is fully routable, I shouldn't have to use any bridgehead servers,
correct? Also, I should be able to use the defaultipsitelink for all
replication, correct? I plan on scheduling replication for once every 24 hours
between 4am-6am. Also I was going to schedule NTDS replication 1 per hour
between 2am and 4am. Does all this sound ok? I've only done this in class
so this is my first real implementation.
 
Simon Geary

Every site requires a bridgehead server, but the good news is that the ISTG
will choose this for you and unless you have a strong preference for using a
particular DC for inter-site replication (maybe one that has more memory)
you do not need to change the default settings.
For the defaultipsitelink, you can indeed continue to use just this if
that's all you need.

Your replication schedule sounds a little mean, not having any changes
replicate until the following day could cause inconvenience, if not actual
problems. Say, for example, you want to create a new user account for
someone, you are going to have to manually target the DC in the user's site
to create the account as if you create it locally it will not be available
until the next day. This sounds like some unnecessary extra work to me,
maybe you could squeeze in a couple of replication windows during the day at
a quiet period such as lunch time?
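
Added example, not part of the thread: a simplified model of the schedules discussed above, showing how long a change made on one DC (such as the new user account in the post above) waits before the site link next replicates. It assumes a link replicates at the start of each open window and then every `interval` minutes while the window stays open; the 12:00-13:00 lunch window and the 09:30 change time are constructed values.

```python
# Simplified model (an assumption, not AD's actual scheduler): a site link
# replicates at the start of each open window and then every `interval`
# minutes while that window is still open. Times are minutes after midnight.
DAY = 24 * 60

def poll_times(windows, interval):
    """Return the sorted minutes of the day at which replication starts."""
    polls = set()
    for start, end in windows:
        t = start
        while t < end:
            polls.add(t)
            t += interval
    return sorted(polls)

def wait_for(change_minute, windows, interval):
    """Minutes until a change made at change_minute is next replicated."""
    polls = poll_times(windows, interval)
    if not polls:
        raise ValueError("schedule never opens: changes would never replicate")
    later = [p for p in polls if p >= change_minute]
    nxt = later[0] if later else polls[0] + DAY  # wrap to the next day
    return nxt - change_minute

def worst_case_wait(windows, interval):
    """Longest wait over every possible change time in the day."""
    return max(wait_for(m, windows, interval) for m in range(DAY))

SCHEDULES = {  # built from the figures quoted in the thread; lunch window is constructed
    "default (always open, every 180 min)": ([(0, DAY)], 180),
    "once a day, 04:00-06:00": ([(240, 360)], DAY),
    "04:00-06:00 plus 12:00-13:00": ([(240, 360), (720, 780)], DAY),
}

def report(change_minute=9 * 60 + 30):
    """Map schedule name -> (wait for a 09:30 change, worst-case wait)."""
    return {
        name: (wait_for(change_minute, w, i), worst_case_wait(w, i))
        for name, (w, i) in SCHEDULES.items()
    }

if __name__ == "__main__":
    for name, (wait, worst) in report().items():
        print(f"{name}: 09:30 change waits {wait} min, worst case {worst} min")
```

The figures cover a single site-link hop and exclude transfer time, so they are a lower bound on how stale a remote site's copy of the directory can be.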
 
Cary Shultz [A.D. MVP]

Further to what Simon stated, selecting your own BHS ( Bridgehead Server )
adds a problem to the equation: if the Domain Controller that you have
manually selected to be the BHS is ever taken off-line ( for whatever
reason ) your little friend - the KCC - will N*O*T choose to select another
Domain Controller as BHS. This would be something that you would have to
manually do. And this is often forgotten ( well, I assume that it would
be.....until replication errors occur and then people start looking into the
'why is this not working?' ).

Also, manually changing the default replication schedule might not be such a
good idea. I would suggest that you leave things at the default ( 15
minutes for Intra-Site replication and 180 minutes for Inter-Site
replication ). Changing that to once a day will create some 'problems'.
Simon gave the perfect example.

Also, I would gather that you are relatively new to Active Directory based
on your question. In your shoes I might play with this in a lab so that you
can gain some experience. There is a lot to know about AD and if you are
going to be the person responsible for it you might need a bit more
experience. And, please understand that this is not criticism. You are
doing a good thing by asking the question so that anything that might be
unclear can be cleared up. Remember, there is a ton of stuff to know!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Guest

New to AD...no, New to Inter-site replication...yes

Hopefully I understand this correctly. I have not created any BHS's and
from what I've read, I don't need to as this is done automatically correct?

Thus far, I have not changed the default replication schedule and from the
sounds of it, I will not. To get around the example, I was going to show the
admin how to force replication if necessary which I still may need to do but
only in extreme cases. It's my understanding that password changes replicate
automatically (at least to the PDC emulator) and that's probably the biggest
issue for when someone locks themselves out.

I do appreciate everyone's comments! BTW - I did test replication last night
by adding a user at one DC, checking the other DCs and the user was not there
but it was this morning. Thanks again.
 
Cary Shultz [A.D. MVP]

Troy,

comments in-line....

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



Troy said:
> New to AD...no, New to Inter-site replication...yes
>
> Hopefully I understand this correctly. I have not created any BHS's and
> from what I've read, I don't need to as this is done automatically
> correct?

Yes, our little friend the KCC ( and the ISTG ) 'create' the BHS
Servers.....If you choose to disable this and to do it yourself then the KCC
will not ( as already mentioned in my earlier post ).

> Thus far, I have not changed the default replication schedule and from the
> sounds of it, I will not. To get around the example, I was going to show
> the admin how to force replication if necessary which I still may need to do
> but only in extreme cases. It's my understanding that password changes
> replicate automatically (at least to the PDC emulator) and that's probably
> the biggest issue for when someone locks themselves out.

Correct...that is one of those things that happens pretty quickly....

Also, you need to make sure that the user account object that is being used
to force the replication has the correct rights. Go to
http://www.msresource.net and look at one of the articles that Paul has
written. You need to be using a user account object that has permissions to
the three objects that Paul details in that article.

> I do appreciate everyone's comments! BTW - I did test replication last
> night by adding a user at one DC, checking the other DCs and the user was
> not there but it was this morning. Thanks again.

Assuming that you created the user account object in 'your' Site and then
looked on a Domain Controller in another Site this is normal. You would
have either needed to wait the 180 minutes ( the default setting, as
previously indicated ) for the Inter-Site replication to happen or forced
the replication ( see above ).

Glad that all is well..
 
