Site replication / Site Links and Bridges ...


  • Site replication / Site Links and Bridges ...

    OK ... I'm totally confused ...

    so I'm gonna ask here ...

    We have 9 sites ... all connected via IPSec tunnels... Basically, there are three primary sites (A,B,C), 5 small sites (D,E,F,G,H), and an offsite Datacenter Authentication server (Z)
    • Site A connects to B,C,D,E,F,G,H,Z
    • Site B connects to A,C,D,E,F,G,H
    • Site C connects to A,B,D,E,F,G,H
    • Site D connects to A,B,C
    • Site E connects to A,B,C
    • Site F connects to A,B,C
    • Site G connects to A,B,C
    • Site H connects to A,B,C
    • Site Z connects to A


    All sites have access to site A (which contains the PDC/FSMO) ... and ONLY site A can communicate with site Z.

    Currently, 90% of AD updates occur at site A ... but that is going to change as we increase the importance of site B ...

    I'm a little confused by what Site Links and/or Site-Link Bridges we *should* be using.

    How *should* my site-links and bridges be configured?

    @

  • #2
    Re: Site replication / Site Links and Bridges ...

    IMHO you are best leaving it to the KCC to determine the most effective replication strategy and let it get on with it. I have always found that manually creating links is likely to cause more problems than it solves and have only used it when there are e.g. traffic limitations at some sites.

    So I suggest you leave the KCC to do its stuff, note how it is routing and check again a couple of weeks later to see if it has changed anything.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Site replication / Site Links and Bridges ...

      @Albranwood
      ADSS is where you define your physical topology. By default all site links are bridged. But in your case, since not all sites can route to each other, disabling this and setting up specific site link bridges would be ideal.

      Site Links = Create these between two sites that have direct connectivity. Be sure to configure the cost based on the bandwidth between the locations. You should split up the cost by taking into account all the highest and lowest bandwidth available and then assigning it a logical value. The cost is a ratio used by the KCC to calculate the replication partners.

      Site Link Bridges = Use these to define transitive links among sites. Site Link Bridges are made up of Site Links.

      More info: http://technet.microsoft.com/en-us/l...(v=ws.10).aspx

      @Tom
      I believe the OP is referring to site links and bridges which the KCC needs to set up replication partners and calculate costs etc. Links and bridges are not something that the KCC can set up.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        Re: Site replication / Site Links and Bridges ...

        @JeremyW ...

        I tried reading that ... but ended up confusing myself ...

        But I think you are saying create a link for each pair of sites ...

        AB, AC, AD, AE, AF, AG, AH, BC, BD, BE, BF, BG, BH, CD, CE, CF, CG, CH, AZ

        and then sitebridges for BZ, CZ, DZ, EZ, FZ, GZ, HZ ?

        Thanks



        • #5
          Re: Site replication / Site Links and Bridges ...

          That would in effect create a full mesh topology which may not be what you want. You should sit down and diagram your physical network, paying attention to bandwidth between sites. Lay your AD topology over that with costing/weights dictating primary links and alternates if you desire them. It may make sense to create a hub/spoke topology with primary links. Whatever you do, avoid creating manual connection objects. Ossian is right, just let KCC manage those. Also avoid manually selecting bridgehead servers. KCC will take care of that as well.
          Rules of life:
          1. Never do anything that requires thinking after 2:30 PM
          2. Simplicity is godliness
          3. Scale with extreme prejudice


          I occasionally post using a savantphone, so please don't laugh too hard at the typos...



          • #6
            Re: Site replication / Site Links and Bridges ...

            Originally posted by albrandwood
            But I think you are saying create a link for each pair of sites ...

            AB, AC, AD, AE, AF, AG, AH, BC, BD, BE, BF, BG, BH, CD, CE, CF, CG, CH, AZ
            Yes, this might be correct. One thing to note is if there is common and equal connectivity to multiple sites (full mesh) then they can all be part of the same site link.
            e.g. If this is your config:
            A connected via 10MB link to B
            B connected via 10MB link to C
            C connected via 10MB link to A
            Then this could be in a single site link. If you have different connection speeds then you need separate site links with relevant costs configured for each.

            Originally posted by albrandwood
            and then sitebridges for BZ, CZ, DZ, EZ, FZ, GZ, HZ ?
            Not quite on the bridge (kinda confusing I know).

            So the question is really about routing and access.
            Can D access F, G, or H via A, B, or C?
            Can F access G or H via A, B, or C?
            etc.

            If so then we would set up a bridge for that.

            Here are two scenarios for bridges.

            e.g. 1
            A, B, and C all have common connectivity and so they all are in a single site link:
            link-ABC

            The rest of the sites are connected back to the 3 main sites (ABC):
            link-DA
            link-DB
            link-DC
            link-EA
            link-EB
            link-EC
            link-FA
            link-FB
            link-FC
            link-GA
            link-GB
            link-GC
            link-HA
            link-HB
            link-HC


            Now all the branch sites can access the other branch sites by routing through site A, B, or C. So we would set up bridges for that:
            Bridge-ABCDEFGH
            In this bridge you would add all the sites set up so far.

            Now here's the crucial part (and why we disabled "Bridge All Sitelinks"), site Z is only accessible by site A. So we just set up another site link for A and Z and we do not add it to the bridge:
            link-AZ


            e.g. 2
            This time A, B, and C still all have common connectivity and the rest of the sites are connected back to the 3 main sites:
            link-ABC
            link-DA
            link-DB
            link-DC
            link-EA
            link-EB
            link-EC
            link-FA
            link-FB
            link-FC
            link-GA
            link-GB
            link-GC
            link-HA
            link-HB
            link-HC


            But this time D and E can route to each other only and F, G, and H can route to each other only. All done through site A, B, or C. So we would set up the following bridges:
            Bridge-ABCDE
            Which contains links:
            link-ABC
            link-DA
            link-DB
            link-DC
            link-EA
            link-EB
            link-EC


            Bridge-ABCFGH
            Which contains links:
            link-ABC
            link-FA
            link-FB
            link-FC
            link-GA
            link-GB
            link-GC
            link-HA
            link-HB
            link-HC


            And again set up another site link for A and Z and do not add it to any bridge:
            link-AZ


            Here's a link to more information that also contains a link to download a few worksheets. I would suggest going through the worksheets so that you have a good understanding of what links you have:
            http://technet.microsoft.com/en-us/l...(v=ws.10).aspx
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com



            • #7
              Re: Site replication / Site Links and Bridges ...

              @userPrincipalName it is kind of a mesh ... (and kind of a mess) ...

              A,B,C are all 200Mb pipes, and provide geographically diverse site redundancy (east coast and west coast) ... and yes, A,B,C are fully interconnected ...

              D,E,F,G,H are all on 10/100 pipes and have no IP route capability to any sites other than A,B,C (it is impossible for D to connect to E for example).

              Z is at an offsite location that provides SaaS authentication (primarily LDAP) hosted.

              @Jeremy ...

              I think I want example 1 ...

              But, I want to make sure I'm not confusing "AD routing" with "IP routing" ... there is no ability for IP traffic to traverse any site to get to a third site ...
              ie ... A DC at site D can only replicate with a DC at sites A, B & C via direct IPSec tunnels. It cannot (for example) connect to a DC at site C via ANY other link than the IPSec tunnel to C, nor can it directly communicate with the DC at E,F,G,H or Z.

              Does that make sense? Not the network topology itself, (I don't have control over that) but on the AD intra-site requirements

              @



              • #8
                Re: Site replication / Site Links and Bridges ...

                If that's the case then you need only set up site links and have no need for site link bridges.

                AD Sites and Services is to map out the physical layout of your network so that the KCC can set up replication in the most efficient manner. So in a sense we are talking about IP routing.
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com



                • #9
                  Re: Site replication / Site Links and Bridges ...

                  Originally posted by JeremyW
                  Yes, this might be correct. One thing to note is if there is common and equal connectivity to multiple sites (full mesh) then they can all be part of the same site link.
                  e.g. If this is your config:
                  A connected via 10MB link to B
                  B connected via 10MB link to C
                  C connected via 10MB link to A
                  Then this could be in a single site link. If you have different connection speeds then you need separate site links with relevant costs configured for each.
                  I humbly disagree with this advice.
                  Rules of life:
                  1. Never do anything that requires thinking after 2:30 PM
                  2. Simplicity is godliness
                  3. Scale with extreme prejudice


                  I occasionally post using a savantphone, so please don't laugh too hard at the typos...



                  • #10
                    Re: Site replication / Site Links and Bridges ...

                    Originally posted by userPrincipalName
                    I humbly disagree with this advice.
                    No problem, it's an open discussion.
                    Care to explain why you disagree?
                    Regards,
                    Jeremy

                    Network Consultant/Engineer
                    Baltimore - Washington area and beyond
                    www.gma-cpa.com



                    • #11
                      Re: Site replication / Site Links and Bridges ...

                      It's a personal preference more than anything, though there are technical reasons for it as well. It will work and probably suits small static environments just fine. In keeping with simplicity, creating 1:1 site links is a better practice, is easier to manage and removes technical debt.

                      From a technical standpoint, when you add multiple sites to a single link, you are marking them all equal, when in almost every case, they aren't or won't remain equal through their lifecycle. As your company's network changes/matures/expands, these "equal" sites will create inadvertent full-mesh topology where it shouldn't be - this I guarantee. It's technical debt that has to be accounted for 3 years down the road when everyone has completely forgotten about it. When 3 years later, things are behaving odd, you will be scratching your head to figure out why ISTG/KCC did what it did. If you have tight SLAs around replication, you will have problems meeting them. Especially if you are using change notification. Keeping links 1:1 will keep this from happening. It's a good habit to get into.

                      Don't get me wrong, it will work for the most part, it just doesn't scale well.

                      Also, on another note, it's not necessary to manage bridges by hand. AD is bridged by default.
                      Last edited by userPrincipalName; 12th August 2013, 16:37.
                      Rules of life:
                      1. Never do anything that requires thinking after 2:30 PM
                      2. Simplicity is godliness
                      3. Scale with extreme prejudice


                      I occasionally post using a savantphone, so please don't laugh too hard at the typos...



                      • #12
                        Re: Site replication / Site Links and Bridges ...

                        Originally posted by userPrincipalName
                        It's a personal preference more than anything, though there are technical reasons for it as well. It will work and probably suits small static environments just fine. In keeping with simplicity, creating 1:1 site links is a better practice, is easier to manage and removes technical debt.

                        From a technical standpoint, when you add multiple sites to a single link, you are marking them all equal, when in almost every case, they aren't or won't remain equal through their lifecycle. As your company's network changes/matures/expands, these "equal" sites will create inadvertent full-mesh topology where it shouldn't be - this I guarantee. It's technical debt that has to be accounted for 3 years down the road when everyone has completely forgotten about it. When 3 years later, things are behaving odd, you will be scratching your head to figure out why ISTG/KCC did what it did. If you have tight SLAs around replication, you will have problems meeting them. Especially if you are using change notification. Keeping links 1:1 will keep this from happening. It's a good habit to get into.

                        Don't get me wrong, it will work for the most part, it just doesn't scale well.
                        Makes sense and sounds like a good method.


                        Originally posted by userPrincipalName
                        Also, on another note, it's not necessary to manage bridges by hand. AD is bridged by default.
                        Yes but the OP has a topology that isn't fully routed so bridging all site links should be disabled. Also in the OP's case no bridges are necessary since every routable site path is one hop away.
                        Regards,
                        Jeremy

                        Network Consultant/Engineer
                        Baltimore - Washington area and beyond
                        www.gma-cpa.com
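
The design the thread ends on (one site link per IPSec tunnel, "Bridge all site links" turned off, no bridges, Z linked to A only), written out as an added PowerShell example that is not from any of the posters. The site letters stand in for real AD site names, the cost values are assumptions since the thread gives none, and the sites are assumed to exist already.

```powershell
Import-Module ActiveDirectory   # RSAT AD module; needs rights on the Configuration partition

# Site names are the thread's letters, standing in for real AD site names.
$core = 'A','B','C'; $branch = 'D','E','F','G','H'
# Assumed costs: the thread gives bandwidth (200Mb core, 10/100 branch) but no cost values.
$costCore = 100; $costBranch = 400; $costZ = 400

# One site link per IPSec tunnel (1:1), matching the OP's connectivity list.
$links = @()
for ($i = 0; $i -lt $core.Count; $i++) {
    for ($j = $i + 1; $j -lt $core.Count; $j++) {
        $links += @{ Name = "link-$($core[$i])$($core[$j])"; Sites = $core[$i], $core[$j]; Cost = $costCore }
    }
}
foreach ($b in $branch) {
    foreach ($c in $core) {
        $links += @{ Name = "link-$b$c"; Sites = $b, $c; Cost = $costBranch }
    }
}
$links += @{ Name = 'link-AZ'; Sites = 'A', 'Z'; Cost = $costZ }   # Z is reachable from A only

foreach ($l in $links) {
    New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites -Cost $l.Cost -InterSiteTransportProtocol IP
}

# Turn off "Bridge all site links": set bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED)
# on the IP inter-site transport so the KCC stops treating every link as transitive.
$cfg = (Get-ADRootDSE).configurationNamingContext
$ip  = "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg"
$opt = [int](Get-ADObject -Identity $ip -Properties options).options
Set-ADObject -Identity $ip -Replace @{ options = ($opt -bor 2) }

# Check: report any link (DEFAULTIPSITELINK included) that joins Z to a site other than A,
# then list any site link bridges left over, since this topology needs none.
$zDn = (Get-ADReplicationSite -Identity 'Z').DistinguishedName
$aDn = (Get-ADReplicationSite -Identity 'A').DistinguishedName
Get-ADReplicationSiteLink -Filter * |
    Where-Object { $_.SitesIncluded -contains $zDn -and
                   @($_.SitesIncluded | Where-Object { $_ -ne $zDn -and $_ -ne $aDn }).Count -gt 0 } |
    Select-Object Name, SitesIncluded
Get-ADReplicationSiteLinkBridge -Filter * | Select-Object Name, SiteLinksIncluded
```

Both final queries should return nothing; a hit on the first one means some link still tells the KCC that Z is reachable from a site that has no tunnel to it.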
