Active Directory Replication Topology

Efficiently manage replication across site boundaries

Brian Desmond

October 13, 2011

10 Min Read

In "Active Directory Replication In Depth," I discussed the specifics of Active Directory (AD) replication technology with regard to how objects and attributes are actually kept in sync and how changes to them are tracked. A layer above this is the discussion of how AD decides which domain controllers (DCs) should replicate with one another. AD includes a very efficient background process known as the Knowledge Consistency Checker (KCC). The KCC is responsible for consuming information that administrators provide to AD in the form of subnets, sites, site links, and site link bridges to determine the best overall topology of connections between DCs. These connections are represented by connection objects, which the KCC automatically adds and removes as necessary. Your sites, site links, and site link bridges typically map closely to your network topology to form what's called a site topology. Figure 1 shows a sample site topology.
Figure 1: Sample site topology

Site Topology Components

A site topology consists of sites, site links, and site link bridges.

Sites. Sites are a key part of your AD configuration, used not only for replication but also by clients and applications. Clients and applications use site information to find the DC or another resource that's logically closest to them on the network. To associate themselves with the correct site, clients depend on accurate subnet information in AD. Subnet information is defined in terms of IP subnet (IPv4 and/or IPv6) objects stored in the directory, which are in turn associated with sites.

In small environments with only a few sites, it's typically easy for administrators to keep subnet information up-to-date. But this task can be a challenge in large environments if there are frequent network changes and processes aren't in place to communicate these changes to AD administrators. When subnet information isn't up-to-date in AD, clients might be redirected to DCs that are across distant or slow WAN links, which leads to suboptimal performance at best. If your AD needs only one site, there's no need to define any subnets in AD.

Sites typically represent a group of well-connected subnets that contain one or more DCs. The definition for well-connected is very loose, although I like to use a minimum of a 10Mbps connection as a baseline. Sites typically (but not always) map directly to physical locations within your network; these locations contain DCs, as Figure 2 shows. A notable urban legend concerns the initial site that comes with a new AD forest: the Default-First-Site-Name site. Contrary to popular opinion, it's perfectly safe to delete or rename this site object depending on your requirements. There's no need to retain it as an empty site if you're not using it, or to keep its name if another name makes more sense.
Figure 2: Sample site topology with auto site coverage
In Figure 1, a company has offices in St. Louis and Detroit, but its DCs are located in Chicago. In this scenario, a single site is created for Chicago, but the subnets used in St. Louis and Detroit are associated with the Chicago site (in addition to the subnet for Chicago).

Although it's common to create sites only when there's a DC at that location, some applications, such as Distributed File System (DFS) and Microsoft System Center Configuration Manager (SCCM), take advantage of site information. For example, if you have an SCCM server at a location that doesn't have a DC, you'll probably need to create a site. When a site doesn't contain a DC, AD uses a process called automatic site coverage to determine which DCs clients in that site should use.

In Figure 2, the organization has offices in Seattle, Los Angeles, and San Diego. DCs are located in Seattle; however, an SCCM server also exists in San Diego. To ensure that San Diego clients connect to their local SCCM server, a site for San Diego is created and the San Diego subnet is associated with it. A second site for Seattle is created that contains the Seattle DCs, as well as the subnets for Seattle and Los Angeles.

Site links. We've discussed sites and the subnet objects that describe which clients should associate with that site—but we haven't discussed how sites are connected in AD. AD connects sites using site links. Site links frequently model your WAN topology. Site links contain two or more sites, and they model the paths replication can take, as well as influence client decisions around logically closest DCs and other servers. Although it's possible to connect more than two sites with a site link, site links are typically easier to manage if you stick with defining point-to-point site links (i.e., site links with only two sites in them).

Site links have several properties that you can tweak in addition to the sites contained within the site link. These properties include cost, replication frequency (how often replication occurs over the site link), and replication schedule (when replication can begin). Cost is probably the most misunderstood property of site links.

AD factors cost into decisions only when there are multiple paths between any two sites. If there's only one path, then cost doesn't matter because it's mandatory to use that site link. The value for cost also isn't particularly important as long as the preferred path is a lower cost than other paths. If you do need to set site link costs, there are a few strategies for doing so. The first strategy is to use values that are proportional to WAN link speed. This table makes a good cheat sheet if you opt for this approach. Another common strategy is to use static values for different types of connections. For example, connections between data centers have cost 100, connections between data centers and spokes have cost 200, and connections between spokes have cost 300.

Figure 3 shows a simple scenario in which site link cost doesn't matter. In this example, we have three AD sites: New York, Boston, and Atlanta. WAN links exist between New York and Boston, as well as between New York and Atlanta. Using this information, site links were created to model the WAN topology. Because there's only one path between each site, the costs on the site links are irrelevant.


Figure 3: Site link costs not relevant


Figure 4 shows a scenario in which site link costs do matter. In this scenario, each of the three sites is connected with a WAN link. Using this information, site links were created linking each of the three sites in a full mesh topology. Costs were set such that the links between Houston and Dallas and Houston and Austin are preferred over the link between Dallas and Austin.


Figure 4: Site links with cost information


In addition to cost, site links also have frequency and schedule properties. The frequency is fairly straightforward in that it defines how often AD will initiate normal replication over the site link. This value can be as low as 15 minutes or as high as 1 week. If you need replication to occur more frequently than every 15 minutes, you can enable change notification for the site link by following these steps:

1. Launch ADSIEdit (Select Start, Run, ADSIEdit.msc).
2. Browse to Configuration\Sites\Inter-Site Transports\IP.
3. Right-click the site link you want to edit, and select Properties.
4. Double-click the Options attribute.
5. Add 1 to the value displayed. If the value is null, set it to 1.

Change notification will cause AD to enable intra-site style replication over the site link, which will lead to synchronization occurring almost in real time. This change is typically made for site links that connect data centers.
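The same change made from PowerShell with the ActiveDirectory module, as an added example that is not part of the original article: it reads the site link's options attribute, tests whether the change-notification bit is already set rather than adding 1 unconditionally (which would flip a different flag if the bit were already on), and ORs the bit in so that any other flags on the link survive. The site link name is an assumption.

```powershell
# Added example (not from the original article): enable change notification on a
# site link by setting bit 0x1 of its "options" attribute without disturbing other bits.
# Assumes the ActiveDirectory module (RSAT) and a site link named "New York-Boston".
Import-Module ActiveDirectory

$siteLinkName = 'New York-Boston'   # assumption: the site link to change
$useNotify    = 1                   # bit 0x1: use intra-site style change notification

# Site links for the IP transport live under this container in the configuration partition.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"

$link = Get-ADObject -SearchBase $ipTransport -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=siteLink)(cn=$siteLinkName))" -Properties options
if (-not $link) { throw "Site link '$siteLinkName' not found under $ipTransport" }

# A null 'options' means no flags are set; treat it as 0 instead of overwriting blindly.
$current = if ($null -eq $link.options) { 0 } else { [int]$link.options }

if ($current -band $useNotify) {
    Write-Host "Change notification already enabled on '$($link.Name)' (options=$current)"
} else {
    $new = $current -bor $useNotify   # OR the bit in so flags such as 0x2/0x4 are preserved
    Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = $new }
    Write-Host "Enabled change notification on '$($link.Name)': options $current -> $new"
}

# Read the attribute back to confirm the change was written.
(Get-ADObject -Identity $link.DistinguishedName -Properties options).options
```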

Finally, the schedule defines when (i.e., during what time) Windows replication can begin. By default, the schedule allows replication to begin at any time; however, you might have a scenario in which you don't want to use a WAN link during certain times—possibly because of utilization, or for other reasons. A key data point around the replication schedule is that the schedule defines when replication can begin. After replication begins during the scheduled window, it won't stop until it's finished.

Now that we've looked at a few examples, let me highlight two final tips about site links that relate to naming and the default site link. One handy way to name site links is to name the link according to the two connected sites (e.g., New York-Boston), and then reverse the order in the Description field (i.e., Boston-New York). This approach lets you sort on either column in the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in, depending on how you need the data presented. When a new AD forest is created, an initial site link is provisioned called the DEFAULTIPSITELINK. Much like the initial default site, you can rename or delete this site link if doing so makes sense.

Site link bridges. The final component of AD site topology is undoubtedly the least used. This component is known as the site link bridge. Site link bridges are used when you have a network that isn't fully routed. When your network is fully routed, a client (or server) on any part of the network can connect to a client (or server) on any other part of the network (with the exception of firewalls blocking this action). A common situation in which you might not have a fully routed network is if you have branch offices and it isn't possible for one branch office to communicate with another branch office over the network. Another scenario is when sites in one region can't connect to sites in another region.

By default, a setting called Bridge All Site Links (BASL) is enabled in AD. With BASL enabled, a DC in the Boston site (see Figure 3) can replicate directly with a DC in the Atlanta site, bypassing any DCs in New York, even though there's no site link connecting Boston and Atlanta. If this isn't possible in your network, you'll need to disable BASL. With BASL disabled, you can use site link bridges to define sets of site links that are fully routed.

In Figure 5, the only possible path over the network from North America to Europe is between servers in Denver and London. Within each region, there's full mesh connectivity over the WAN. To represent this in AD, it's necessary to create two site link bridges—one for North America and one for Europe. The North America bridge contains the Denver-Phoenix and Denver-Miami site links, whereas the Europe bridge contains the London-Paris and London-Munich site links.
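The Figure 5 configuration done with the ActiveDirectory PowerShell module, as an added example that is not from the original article: it disables BASL by setting the bridges-required bit (0x2) on the IP transport's options attribute, then creates the two bridges, resolving each site link name to its distinguished name first so a misspelled link fails loudly instead of producing a partial bridge. It assumes the four site links already exist under the names used above; a Denver-London link, if present, belongs to neither bridge because it is the one path that isn't fully routed with the others.

```powershell
# Added example (not from the original article): disable Bridge All Site Links on the
# IP transport and create the two site link bridges from Figure 5.
# Assumes the ActiveDirectory module and that the four named site links already exist.
Import-Module ActiveDirectory

$configNC        = (Get-ADRootDSE).configurationNamingContext
$ipTransport     = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$bridgesRequired = 2   # bit 0x2 on the transport: set = BASL off, bridges are required

# 1. Disable BASL, preserving any other bits already present on the transport object.
$transport = Get-ADObject -Identity $ipTransport -Properties options
$current   = if ($null -eq $transport.options) { 0 } else { [int]$transport.options }
if (-not ($current -band $bridgesRequired)) {
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($current -bor $bridgesRequired) }
}

# 2. Each bridge lists the site links that are fully routed among themselves.
$bridges = @{
    'North America' = @('Denver-Phoenix', 'Denver-Miami')
    'Europe'        = @('London-Paris',  'London-Munich')
}

foreach ($bridgeName in $bridges.Keys) {
    # Resolve every member link to its DN before creating anything.
    $linkDNs = foreach ($linkName in $bridges[$bridgeName]) {
        $l = Get-ADObject -SearchBase $ipTransport -SearchScope OneLevel `
                -LDAPFilter "(&(objectClass=siteLink)(cn=$linkName))"
        if (-not $l) { throw "Site link '$linkName' not found; bridge '$bridgeName' not created" }
        $l.DistinguishedName
    }
    # siteLinkList is the multi-valued DN attribute that defines the bridge's members.
    New-ADObject -Name $bridgeName -Type siteLinkBridge -Path $ipTransport `
        -OtherAttributes @{ siteLinkList = $linkDNs }
}

# Verify: list the bridges and the site links each one contains.
Get-ADObject -SearchBase $ipTransport -SearchScope OneLevel `
    -LDAPFilter '(objectClass=siteLinkBridge)' -Properties siteLinkList |
    Select-Object Name, siteLinkList
```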


Figure 5: Site link bridges


Creating Replication Connections

After you define your site link topology in AD, AD still needs to do some work to determine which DCs will replicate with one another. This calculation is performed in the background by the KCC. Two different topologies are calculated, leading to the overall replication topology. The first topology is for intra-site replication. Intra-site replication is replication between DCs that are in the same AD site. With intra-site replication, the KCC doesn't need to worry about things like site links and site link bridges because all the DCs are considered to be well connected. With this in mind, the KCC calculates a topology that's centered around ensuring that no DC in a given site is more than three hops away from any other DC in the site. This ensures that DCs within a site can converge and be in sync within about a minute (this time used to be about 15 minutes in Windows 2000 forests). Figure 6 shows a sample topology with four DCs in a site, considering the three-hop rule.


Figure 6: Intra-site replication topology


Inter-site replication topologies are calculated according to the site topology information that's included in AD. The calculation of inter-site replication topologies is performed by the Inter-Site Topology Generator (ISTG). The ISTG is a component of the KCC that runs on one DC in each AD site and is responsible for creating connection objects for replication across site links.

Efficient Topologies

AD is very adept at calculating replication topologies within an AD site—but to replicate across site boundaries, administrators must provide information so that AD can select the best path. This information is provided in the form of sites, site links, and site link bridges that typically closely mirror the organization's WAN topology. With this information, the KCC and the ISTG can create efficient replication topologies for the forest.


Learning Path

Windows IT Pro Resources

"Troubleshooting Active Directory Replication"

"Active Directory Replication In Depth"

Microsoft Resources

"What Is Active Directory Replication Topology?"

"How Active Directory Replication Topology Works"

"Troubleshooting Active Directory Replication Problems"

