RE: [ActiveDir] recommendation for bridgehead server?

2004-03-08 Thread Myrick, Todd (NIH/CIT)
If you have firewalls protecting networks, I recommend isolating them as
sites, and setting up preferred bridgehead servers and site link bridges.

Todd 

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 06, 2004 4:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] recommendation for bridgehead server?

In our environment (60+ sites, 130 DCs, 25k+ users) I've not yet chosen a
bridgehead, and am successful at controlling where my replication takes
place by carefully choosing through AD Sites and Services the site that a
specific set of servers can talk to - or, a server to server by defining the
server site to site train.

Consider that I have a series of remote sites that communicate via 256kb
PVC's on Frame Relay, but the parent remote communicates via a 2MB PVC to
the main site.  If I set site to site links that take the 5 remotes to the
remote hub, then create a link from the remote hub to the main site, I've
effectively mitigated the remotes from all attempting to communicate
directly with the main site.  It allows for a more proper replication
structure, reduced b/w from the main to the remotes, and reduces the number
of KCC generated links that make no real sense - given that the topology
should strive to follow the physicality of the WAN/LAN infrastructure - not
the logical of what AD might want.

If this isn't clear, I can send you screen shots of what I do, a Visio, etc.
I think, though, that even if you have to create sites WITHIN a site
(setting up the change notification, reducing the wait time, etc.) you can
certainly manage the connection issues without killing off the KCC's ability
to do its job.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, March 05, 2004 7:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] recommendation for bridgehead server?

Hi Rick,
Thanks for the reply!  Unless the KCC is a lot smarter than I think it
is, I need to pick a bridgehead server so I don't have numerous conduits in
my firewall for all the DCs the new site DC will want to talk to.  While I
don't need to control the replication frequency, I do have to make sure that
traffic is only going between a very limited set of targets.  Am I on the
right track here or am I not seeing something important?  Thanks.
 
Mike Thommes

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Fri 3/5/2004 12:22 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] recommendation for bridgehead server?


My take on it has always been unless the Knowledge Consistency
Checker can't figure it out, don't set a Bridgehead - this is going to
prevent the KCC from doing some good things for you.  Along the lines of
creating new links and reassigning the Bridgehead in the event of the
preferred failing.
 
Let the KCC do its job - it does it well.  Unless, however, it's
not.  Then, ignore everything I just said and set one.  In my case it would
be to my busiest child domain - because that's where all of the physical
connectivity is.  And, when considering all of the sites and services stuff,
it is VERY important to remember that you are modelling for AD what your
physical (WAN and Router infrastructure) really looks like so that AD can
make intelligent decisions about how to route, replicate, etc.  Inter-site
messaging is really a spanning tree algorithm - and any structure of that
nature needs to know what it's running on to be effective.
 
Hope this helps
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, March 04, 2004 7:07 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] recommendation for bridgehead server?


Hi,
Because of firewall issues, I am creating a new site that is
well connected to the rest of my AD topology.  This new site will contain
workstations and a domain controller for an already existing child domain.
This child domain DC will also be the bridgehead server in this new site.
User accounts are in the root domain.  These users use an Exchange server
that is located in the child domain and that is located in the main site.
The question is what DC in the main site should I pick to be a bridgehead
partner?  Is it more sensible to choose a root domain DC or a DC in the
child domain?  Does it matter?  As always

RE: [ActiveDir] recommendation for bridgehead server?

2004-03-06 Thread Rick Kingslan
In our environment (60+ sites, 130 DCs, 25k+ users) I've not yet chosen a
bridgehead, and am successful at controlling where my replication takes
place by carefully choosing through AD Sites and Services the site that a
specific set of servers can talk to - or, a server to server by defining the
server site to site train.

Consider that I have a series of remote sites that communicate via 256kb
PVC's on Frame Relay, but the parent remote communicates via a 2MB PVC to
the main site.  If I set site to site links that take the 5 remotes to the
remote hub, then create a link from the remote hub to the main site, I've
effectively mitigated the remotes from all attempting to communicate
directly with the main site.  It allows for a more proper replication
structure, reduced b/w from the main to the remotes, and reduces the number
of KCC generated links that make no real sense - given that the topology
should strive to follow the physicality of the WAN/LAN infrastructure - not
the logical of what AD might want.

If this isn't clear, I can send you screen shots of what I do, a Visio, etc.
I think, though, that even if you have to create sites WITHIN a site
(setting up the change notification, reducing the wait time, etc.) you can
certainly manage the connection issues without killing off the KCC's ability
to do its job.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, March 05, 2004 7:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] recommendation for bridgehead server?

Hi Rick,
Thanks for the reply!  Unless the KCC is a lot smarter than I think it
is, I need to pick a bridgehead server so I don't have numerous conduits in
my firewall for all the DCs the new site DC will want to talk to.  While I
don't need to control the replication frequency, I do have to make sure that
traffic is only going between a very limited set of targets.  Am I on the
right track here or am I not seeing something important?  Thanks.
 
Mike Thommes

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Fri 3/5/2004 12:22 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] recommendation for bridgehead server?


My take on it has always been unless the Knowledge Consistency
Checker can't figure it out, don't set a Bridgehead - this is going to
prevent the KCC from doing some good things for you.  Along the lines of
creating new links and reassigning the Bridgehead in the event of the
preferred failing.
 
Let the KCC do its job - it does it well.  Unless, however, it's
not.  Then, ignore everything I just said and set one.  In my case it would
be to my busiest child domain - because that's where all of the physical
connectivity is.  And, when considering all of the sites and services stuff,
it is VERY important to remember that you are modelling for AD what your
physical (WAN and Router infrastructure) really looks like so that AD can
make intelligent decisions about how to route, replicate, etc.  Inter-site
messaging is really a spanning tree algorithm - and any structure of that
nature needs to know what it's running on to be effective.
 
Hope this helps
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, March 04, 2004 7:07 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] recommendation for bridgehead server?


Hi,
Because of firewall issues, I am creating a new site that is
well connected to the rest of my AD topology.  This new site will contain
workstations and a domain controller for an already existing child domain.
This child domain DC will also be the bridgehead server in this new site.
User accounts are in the root domain.  These users use an Exchange server
that is located in the child domain and that is located in the main site.
The question is what DC in the main site should I pick to be a bridgehead
partner?  Is it more sensible to choose a root domain DC or a DC in the
child domain?  Does it matter?  As always, TIA.
 
Regards,
Mike Thommes

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
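
The concern raised in this thread, that replication across a firewall should reach only a limited set of targets while the KCC can create or reassign connections on its own, can be checked by comparing the directory's connection objects with the firewall allowlist. This is an added example, not from any poster in this thread; the site, server and domain names are constructed, the function names are hypothetical, and the sample objects mimic the properties returned by `Get-ADReplicationConnection`.

```powershell
# Added example (read-only). All site, server and domain names are constructed.
function Get-SiteAndServer([string]$NtdsSettingsDn) {
    # NTDS Settings DN: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    if ($NtdsSettingsDn -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,') {
        [pscustomobject]@{ Server = $Matches[1]; Site = $Matches[2] }
    }
}

function Find-UnexpectedFirewallCrossing {
    param(
        [Parameter(Mandatory)] [object[]]$Connection,     # replication connection objects
        [Parameter(Mandatory)] [string]$ProtectedSite,    # site behind the firewall
        [Parameter(Mandatory)] [string[]]$AllowedPartner  # outside DCs the firewall permits
    )
    foreach ($c in $Connection) {
        $from = Get-SiteAndServer $c.ReplicateFromDirectoryServer
        $to   = Get-SiteAndServer $c.ReplicateToDirectoryServer
        if (-not $from -or -not $to) { continue }         # DN not in the expected form
        # Keep only connections with exactly one end inside the protected site.
        if     ($to.Site -eq $ProtectedSite -and $from.Site -ne $ProtectedSite) { $outside = $from }
        elseif ($from.Site -eq $ProtectedSite -and $to.Site -ne $ProtectedSite) { $outside = $to }
        else   { continue }
        if ($AllowedPartner -notcontains $outside.Server) {
            [pscustomobject]@{
                Connection    = $c.Name
                OutsideServer = $outside.Server
                OutsideSite   = $outside.Site
                AutoGenerated = $c.AutoGenerated          # $true: created by the KCC
            }
        }
    }
}

# Constructed sample input. On a host with the ActiveDirectory module, the same
# properties come from: Get-ADReplicationConnection -Filter *
$sites  = 'CN=Sites,CN=Configuration,DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ Name = 'conn-1'; AutoGenerated = $false
        ReplicateFromDirectoryServer = "CN=NTDS Settings,CN=MAIN-DC1,CN=Servers,CN=Main,$sites"
        ReplicateToDirectoryServer   = "CN=NTDS Settings,CN=FW-DC1,CN=Servers,CN=Protected,$sites" }
    [pscustomobject]@{ Name = 'conn-2'; AutoGenerated = $true
        ReplicateFromDirectoryServer = "CN=NTDS Settings,CN=MAIN-DC7,CN=Servers,CN=Main,$sites"
        ReplicateToDirectoryServer   = "CN=NTDS Settings,CN=FW-DC1,CN=Servers,CN=Protected,$sites" }
)

# Only MAIN-DC1 is given as an allowed partner for the protected site here.
Find-UnexpectedFirewallCrossing -Connection $sample -ProtectedSite 'Protected' -AllowedPartner 'MAIN-DC1'
```

Any row returned names a connection object whose partner outside the protected site has no firewall conduit; rows with `AutoGenerated` set to true were created by the KCC rather than by an administrator.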


RE: [ActiveDir] recommendation for bridgehead server?

2004-03-05 Thread Thommes, Michael M.
Hi Rick,
Thanks for the reply!  Unless the KCC is a lot smarter than I think it is, I need 
to pick a bridgehead server so I don't have numerous conduits in my firewall for all 
the DCs the new site DC will want to talk to.  While I don't need to control the 
replication frequency, I do have to make sure that traffic is only going between a 
very limited set of targets.  Am I on the right track here or am I not seeing 
something important?  Thanks.
 
Mike Thommes

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Fri 3/5/2004 12:22 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] recommendation for bridgehead server?


My take on it has always been unless the Knowledge Consistency Checker can't 
figure it out, don't set a Bridgehead - this is going to prevent the KCC from doing 
some good things for you.  Along the lines of creating new links and reassigning the 
Bridgehead in the event of the preferred failing.
 
Let the KCC do its job - it does it well.  Unless, however, it's not.  Then, 
ignore everything I just said and set one.  In my case it would be to my busiest child 
domain - because that's where all of the physical connectivity is.  And, when 
considering all of the sites and services stuff, it is VERY important to remember that 
you are modelling for AD what your physical (WAN and Router infrastructure) really 
looks like so that AD can make intelligent decisions about how to route, replicate, 
etc.  Inter-site messaging is really a spanning tree algorithm - and any structure of 
that nature needs to know what it's running on to be effective.
 
Hope this helps
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
Michael M.
Sent: Thursday, March 04, 2004 7:07 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] recommendation for bridgehead server?


Hi,
Because of firewall issues, I am creating a new site that is well 
connected to the rest of my AD topology.  This new site will contain workstations and 
a domain controller for an already existing child domain.  This child domain DC will 
also be the bridgehead server in this new site.  User accounts are in the root domain. 
 These users use an Exchange server that is located in the child domain and that is 
located in the main site.  The question is what DC in the main site should I pick to 
be a bridgehead partner?  Is it more sensible to choose a root domain DC or a DC in 
the child domain?  Does it matter?  As always, TIA.
 
Regards,
Mike Thommes



RE: [ActiveDir] recommendation for bridgehead server?

2004-03-04 Thread Rick Kingslan



My take on it has always been unless the Knowledge 
Consistency Checker can't figure it out, don't set a Bridgehead - this is going 
to prevent the KCC from doing some good things for you. Along the lines of 
creating new links and reassigning the Bridgehead in the event of the preferred 
failing.

Let the KCC do its job - it does it well. Unless, 
however, it's not. Then, ignore everything I just said and set one. 
In my case it would be to my busiest child domain - because that's where all of 
the physical connectivity is. And, when considering all of the sites and 
services stuff, it is VERY important to remember that you are modelling for AD 
what your physical (WAN and Router infrastructure) really looks like so that AD 
can make intelligent decisions about how to route, replicate, etc. 
Inter-site messaging is really a spanning tree algorithm - and any structure of 
that nature needs to know what it's running on to be 
effective.

Hope this helps


Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, March 04, 2004 7:07 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] recommendation for bridgehead server?

Hi,
 
Because of firewall issues, I am creating a new site that is well connected to 
the rest of my AD topology. This new site will contain workstations and a 
domain controller for an already existing child domain. This child
domain DC will also be the bridgehead server in this new site.
User accounts are in the root domain. These users use an Exchange server 
that is located in the child domain and that is located in the main site. 
The question is what DC in the main site should I pick to be a bridgehead 
partner? Is it more sensible to choose a root domain DC or a DC in the 
child domain? Does it matter? As always, TIA.

Regards,
Mike Thommes