The secret to an efficient and error-free Active Directory infrastructure is a well-designed replication topology. While this can be easy to design in a simple network, a large, complex network presents a challenge.
Multiple network hubs make topologies complicated
Networks are typically some type of hub-and-spoke formation, with a central hub and links radiating out to remote sites. In fact, it's not uncommon to see networks with two or more hubs and the remote sites split between the two, with a link between them. Diagram 1 shows the basic concept of a multiple hub and spoke topology. Here there are three main hubs in Atlanta, Singapore and London, with two secondary hubs in Caracas and Calgary.
Active Directory Topology Diagram 1
Making the Active Directory topology design efficient
Designing the Active Directory topology efficiently is to construct it so that it takes advantage of the strengths and minimizes the weaknesses of the network. In a complex network, you are likely to have a number of different link speeds connecting remote sites, especially for European and Asian sites.
This type of network can be quantified in a tier-type Active Directory topology as shown in Diagram 1. In this example we have quantified the network link speeds connecting sites into three main groupings. At the top we have a "Core" site link containing the prime hub sites connected with the fastest links. I have seen anywhere from two to 10 sites in this link. The second tier would be the next fastest links and the third tier, the slowest links. Note how we have identified a hub site for each tier, and created individual site links from each remote site in the tier to the hub. To make this all work, we have to connect the hub sites together, so we create site links between the Tier 2 and Tier 3 hubs and between the Tier 1 and Tier 2 sites.
Active Directory Topology Diagram 2
In our example, this would force replication from Birmingham to Atlanta to go first to Denver, then to Richmond, then Atlanta. This would tell us that the network routing and link speeds would be such that it is the most efficient way to replicate the AD data. Of course, you could expand this configuration so that Singapore connected to Tier 2 sites in Asia and those sites connected to Tier 3 sites in Asia, and similarly for Europe and the London hub.
AD Replication Design best practices
The best practices for Replication Design include:
- Design the AD topology to take advantage of the network topology and link speeds.
- Define lower speed links with higher cost site links. The cost of the links reduces as you get to faster areas in the topology.
- Avoid "dead spots" -- all sites must connect to each other eventually. I have seen some topologies that left certain sites isolated because they didn't design the site links to connect them.
- Site links should only have two sites per link. The exception to this is the Core site link which can have more. Defining more than two sites per link can result in unpredictable results when a DC failure occurs.
- Diagram the overall flow of replication (like the figures here). You can use sophisticated features available in tools like HP OpenView (see the example in Figure 3) or Microsoft MOM, or you can simply draw it in a PowerPoint slide as I did in Diagram 2. You'd be surprised at how many errors you will find by making a drawing of the topology.
- Don't define scheduling unless you really have a good reason, and then you should test it thoroughly. Since you can schedule replication over the site link as well as the connection object itself, and since the resultant replication schedule is a merge of the two, you can end up with a schedule that prohibits replication. You also define replication frequency, which further complicates it. For instance, if you schedule the site links to replicate Monday through Friday from 8 a.m. to 6 p.m., and then have some connection objects that only replicate Tuesday and Thursday from 6 p.m. to 10 p.m., those connection objects will never replicate. Unless you have a very slow or limited network (such as VPN links), you should avoid this level of manual intervention.
- Run the AD in Windows 2003 Forest mode. This means all DCs are at Windows Server 2003, and all domains are running in Windows 2003 mode. This takes advantage of the new spanning tree and compression algorithms available in Windows Server 2003, as well as other features that make replication much more efficient than were available in Windows 2000.
- Monitor the AD. Once you get it in place, monitor it. One of the easiest ways to monitor it, outside of using Microsoft or third-party tools, is using the Repadmin tool and its "Replsum" option: Repadmin /replsum /bydest /bysrc /sort:delta. This will provide a nice, neat table of all DCs in all domains in the forest, telling you how long it has been for outbound and inbound replication (i.e. where each DC appears as a source and destination). Watching this over several days will give you a chance to find any holes in the topology.
Of course there are lots of good examples of poorly designed topologies that had to be fixed by changing the design. We'll examine a couple of them in the next article.
Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers.