Active Directory replication tips, tricks and best practices


There are a few types of replication that can occur within Active Directory, with each one important in its own way. Whether an organization is managing AD only within one location or if it has a domain controller halfway across the country, some sort of replication will be occurring. The question among many IT engineers is this: What can I do to make my AD replication process work better?

Working with the default delay
Although engineering interaction isn't always required, what if an admin needs to change or control the AD intrasite replication interval? For the most part, Active Directory intrasite replication for naming context data doesn't occur until 5 minutes after a change.

When a change is made to the naming context domain data, the DC's local copy records the change. By default, the DC then waits 5 minutes before notifying its replication partners of the change. Normal operation allows one to continue making changes during this time period. The delay exists so that all changes transmit at the same time. If no changes occur during a particular time period (which can be configured in the intrasite connection object schedule), a replication sequence initiates to ensure no changes were missed.

This 5 minute delay allows all changes to be transmitted at the same time. However, one can modify the delay time period by using the registry editor and drilling down to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Now find and double-click Replicator pause. Enter the number of seconds needed for the delay, click OK, close the registry editor and reboot.

(Note: Always make sure to have a current registry backup of any system and be very careful when modifying a server's registry. If an error is made, this could potentially cause Windows to fail or be unable to boot.)
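The registry change described above can be scripted so that the backup the note calls for is taken automatically before anything is written. The following PowerShell is an added example, not from the article: it assumes it runs elevated on the domain controller itself and that `C:\RegBackup` is an acceptable backup location. The article refers to the value as "Replicator pause"; the script uses the full DWORD name under NTDS\Parameters, `Replicator notify pause after modify (secs)`.

```powershell
# Added example (not from the article): inspect and adjust the intrasite
# notification delay, exporting the NTDS\Parameters key before touching it.
# Assumptions: run elevated on the DC; $BackupDir is a writable local folder.
param(
    [int]$DelaySeconds = 300,           # 5 minutes, the default the article describes
    [string]$BackupDir = 'C:\RegBackup' # assumed backup location
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Replicator notify pause after modify (secs)'  # the article's "Replicator pause"

# 1. Back up the key first (reg.exe export is built in to Windows).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "NTDS-Parameters-$stamp.reg"
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry export failed; no change made." }

# 2. Show the current setting; an absent value means the built-in default applies.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { "Current value: not set (built-in default)" }
else                    { "Current value: $current seconds" }

# 3. Refuse a zero or negative delay: it would defeat the batching the delay exists for.
if ($DelaySeconds -lt 1) { throw "DelaySeconds must be at least 1." }

# 4. Write the DWORD. -Force creates the value when it does not exist yet.
New-ItemProperty -Path $keyPath -Name $valueName -Value $DelaySeconds -PropertyType DWord -Force | Out-Null
"Set '$valueName' to $DelaySeconds seconds. Backup: $backup. Reboot the DC, as the article notes."
```

Run it as `.\Set-ReplicatorPause.ps1 -DelaySeconds 120` (file name assumed). If the export step fails the script stops before writing, so a DC never ends up with a modified key and no backup of the original.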

Choosing the right Active Directory Replication Topology
There are four ways to look at topological design for AD replication:

1. Ring Topology: With intra-site replication, the KCC creates a ring topology that defines the replication paths within a site. In a ring topology, each DC in a site has two inbound and outbound replication partners. The KCC creates the ring so there are no more than three hops between DCs in a site.

2. Full Mesh Topology: This topology is typically utilized in small organizations where redundancy is extremely important and the number of sites is quite small. A full mesh topology is quite expensive to manage and is not scalable.

3. Hub and Spoke Topology: This topology is typically implemented in large organizations where scalability is important and redundancy is less important. In this topology, one or multiple hub sites exist that have slower WAN connections to multiple spoke sites. The hub sites are usually connected to one another through high speed WAN connections.

4. Hybrid Topology: The hybrid topology is a combination of any of the above topologies.

A great tool from Microsoft called the Microsoft Active Directory Topology Diagrammer helps read an organization's AD configuration and understand it. The tool, using Lightweight Directory Access Protocol (LDAP), analyzes the environment and then generates a Visio diagram of the AD model and/or the Exchange Server topology.

Many IT administrators will go on to say that configuring a full mesh topology in Active Directory is not always recommended. Mesh topology can often lead to an organizational mess in Active Directory. It is sometimes better to go with a simple Hub and Spoke topology. However, since each environment is unique in its requirements, it's important to fully understand the organization's network architecture before going with a certain topology design.

Replication Best Practices and Tips
The complexity of working with replication will always be directly proportional to the size of a given environment. The larger the system, the more AD must do to replicate the data across a LAN or WAN.

When working with forest, OU, or AD integration it's always good to follow these best practices and tips:

  • Plan out topology and understand how replication occurs on the network.
  • Use AD as a single point of interaction because it is a distributed database that uses a multi-master replication process. Users can modify data in any regional office and it will automatically be updated through the directory.
  • Integrate NOS-related and other applications into AD only if it is absolutely required. Schema modifications can be retired and reused, but only through a complex process that will involve replication throughout the distributed NOS directory. Maintain the Active Directory as a NOS directory first and foremost. This will limit the amount of replication in the forest and will make it easier to upgrade to future versions of Windows Server operating systems.
  • Install the Domain Naming Service on every domain controller and use application partitions to designate DNS replication scopes. Use the default configuration for inter-site replication. Many times engineers do not need to interact with this setting at all.
  • Do not disable the Knowledge Consistency Checker. Also, calculate replication latency between sites. This can be done by understanding wire speeds as well as the complexity of the replication that is occurring.
  • Do not use SMTP for domain-centric replication. Do not use SMTP replication if at all possible.
  • Create Site Link Bridges wherever there are two hops between sites to reduce replication latency. Furthermore, if available network bandwidth can afford it, ignore replication schedules in all sites. Replication will be performed when required with this option, but it will be more demanding on WAN bandwidth. Also, use Preferred Bridgehead Servers only if replication must cross a firewall.
  • Monitor replication once the forest is in place to determine the impact on WAN links. Again, depending on the environment, one may or may not need to tweak some network settings to set replication priorities.
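The hub and spoke recommendation from the topology section and the site link bridge and monitoring items above can be put together in one script. The following PowerShell is an added example, not from the article: it assumes the ActiveDirectory module (RSAT) is available, that the account can edit the Configuration partition, and that the site names, costs, replication interval and one-day staleness threshold are constructed values chosen for illustration.

```powershell
# Added example (not from the article): build a hub-and-spoke site topology,
# bridge the hub's links so spoke-to-spoke traffic is two hops via the hub,
# then report replication partners that are failing or stale.
# Assumptions: ActiveDirectory module present; site names and numbers are constructed.
Import-Module ActiveDirectory

$hub    = 'Hub-Chicago'
$spokes = @('Spoke-Dallas', 'Spoke-Denver')

# 1. Sites. New-ADReplicationSite errors if a site exists, so check first.
foreach ($site in @($hub) + $spokes) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. One IP site link per spoke, hub <-> spoke only. No spoke-to-spoke links:
#    that is what keeps this a hub and spoke rather than a mesh.
foreach ($spoke in $spokes) {
    $linkName = "$hub-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded $hub, $spoke `
            -InterSiteTransportProtocol IP `
            -Cost 100 `
            -ReplicationFrequencyInMinutes 15
    }
}

# 3. Site link bridge over the hub's links, as the article advises wherever
#    two hops exist between sites. No preferred bridgehead is set: per the
#    article, do that only when replication must cross a firewall.
$bridgeName = "$hub-Bridge"
if (-not (Get-ADReplicationSiteLinkBridge -Filter "Name -eq '$bridgeName'")) {
    $links = $spokes | ForEach-Object { "$hub-$_" }
    New-ADReplicationSiteLinkBridge -Name $bridgeName -SiteLinksIncluded $links
}

# 4. Monitor: inbound partner status forest-wide, flagging partners whose last
#    attempt failed (non-zero result) or whose last success is older than a day.
$forest = (Get-ADForest).Name
$stale  = (Get-Date).AddDays(-1)
Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest |
    Where-Object { $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt $stale } |
    Select-Object Server, Partner, Partition, LastReplicationResult,
                  LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 5. Recorded inbound replication failures, forest-wide.
Get-ADReplicationFailure -Target $forest -Scope Forest |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError |
    Format-Table -AutoSize
```

Two caveats on reading the result. An explicit site link bridge only changes routing once automatic bridging of all site links is turned off on the IP transport; with the default in place, all links are already transitive and the bridge is redundant. And step 4 reports partner state as of the last attempt, so run it on a schedule after the forest is in place, which is the monitoring the last item above calls for, rather than once at deployment time.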

As IT environments continue to grow, their dependence on Active Directory will expand proportionately. The need to replicate entire directories will always be present and there will be times where engineer interaction is required. AD replication is a process that helps keep an infrastructure healthy by transmitting vital data either within the LAN or across the cloud. Always take the time to plan a deployment and be ready for any replication variables that may arise.

ABOUT THE AUTHOR
Bill Kleyman is the director of technology at World Wide Fittings, a manufacturer and distributor of steel hydraulic tube and fittings headquartered in Niles, Ill. He can be reached at BKleyman@WorldWideFittings.com

This was first published in July 2011
