Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Active Directory Site and Replication Design Principles


This blog entry was written on Aug 2006. Since much of it is still relevant in today’s Windows Server 2008 R2 Active Directory, I took the liberty of reviewing and reposting it in my new techblog. – Jay Paloma

When I first saw Active Directory before the launch of Windows 2000, I was hooked by the fact that it could locate resources and conduct replication based on IP addresses. This was not the case in the Windows NT directory service, which did not take the physical aspects of the directory (i.e., the network) into consideration. Because of this there were times when new domains had to be created in Windows NT just to get replication working properly. With the AD site topology there is now a clear delineation between the physical and logical aspects of the directory.

To design your Active Directory physical structure properly, you need to take the following factors into consideration: the location of AD services such as domain controllers and DNS servers, IP addressing, the WAN links between geographical sites, and so on.

It is important to note that Active Directory site topology is dependent on the company’s IP addressing scheme. Each site can contain one or more IP subnets, but each subnet can only be declared on a single site.

Some rules of thumb in Site and Replication Topology Design

  • Active Directory site topology maps to the WAN topology of the organization in most cases.
  • Create one site per WAN location, if possible.
  • Ensure that each site has a domain controller, a Global Catalog server and a DNS server. These three roles can coexist on a single domain controller. In short, ensure that client traffic is contained as much as possible to servers within the same site as the clients.
  • Create site links that reflect your WAN links.
  • Schedule replication for off-peak hours.

The caveat of having more sites is that replication between domain controllers in different sites is slower than between DCs that belong to a single site. This is because intersite replication only happens every 15 minutes and is governed by the site topology that you design. In comparison, intrasite replication happens 5 minutes after an attribute change, and the change is then propagated to all other domain controllers within the site.

  • Fewer sites: more replication bandwidth consumed, less time to replicate.
  • More sites: less replication bandwidth consumed, more time to replicate.

Significance of the Default-First-Site-Name Site

A site is created by default when you install Active Directory: the Default-First-Site-Name site. You may be tempted to delete this site object after creating your sites and moving all your domain controller objects into their respective site containers. Don’t! In fact, ensure that you create a connection agreement between this site and your hub site. If during your IP subnet encoding phase you overlooked a subnet that actually exists, any additional domain controller you install on that subnet gets added to the Default-First-Site-Name site and still participates in directory replication.
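The two rules from this section, as an added example that is not part of the original post: site assignment for a new DC uses the most specific declared subnet, an address on an undeclared subnet falls back to Default-First-Site-Name, and the default site must still exist and be linked to the hub. The subnet table, site names and hub name are constructed assumptions.

```python
import ipaddress

# Constructed subnet-to-site table (assumption, not taken from the post).
SUBNETS = {
    "10.1.0.0/16": "Manila",
    "10.1.50.0/24": "Manila-ServerRoom",  # more specific prefix inside Manila
    "10.2.0.0/16": "Cebu",
}
DEFAULT_SITE = "Default-First-Site-Name"


def site_for_address(ip, subnets=SUBNETS):
    """Return the site whose declared subnet contains ip (longest prefix wins).

    A DC installed on a subnet that was never declared is placed in
    Default-First-Site-Name, which is why that site must not be deleted.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else DEFAULT_SITE


def default_site_reachable(sites, site_links, hub):
    """Report violations of the section's advice: the default site is gone,
    or no site link joins it to the hub. site_links are tuples of site names."""
    problems = []
    if DEFAULT_SITE not in sites:
        problems.append(f"{DEFAULT_SITE} was deleted")
    if not any({DEFAULT_SITE, hub} <= set(link) for link in site_links):
        problems.append(f"no site link between {DEFAULT_SITE} and hub {hub}")
    return problems
```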

AD Sites and VLANs

I cannot discuss site topology without discussing the effect of virtual LANs, or VLANs, on our design. With VLANs, administrators can place computers that interact often with one another in the same IP segment regardless of their geographical location. VLANs exist at a higher level than the physical network and have no dependency on it. Although this may sound good from a technology standpoint, a poorly planned VLAN infrastructure means poor Active Directory logon and replication performance. Worse, it also affects the performance of Microsoft Exchange.

Here is an example of how a poorly implemented VLAN network can have detrimental effects not just on Active Directory but on Exchange Server as well. Company X is an organization with offices in Manila, Cebu, Davao and Subic. The company designed its VLANs so that all servers are in the same IP segment, while client computers are segmented according to geographical location.

VLANs and AD Site Design

In this case, we can create one site for the servers and one site for each geographical location for the clients. Unfortunately, this design has the following results:

  • Replication between domain controllers is intrasite and is not bound by schedules or data compression as intersite replication would be. In addition, the domain controllers form replication partnerships automatically as in a single-site topology, and are not governed by the WAN link topology.
  • The Exchange servers in Manila and Davao will not necessarily use the domain controllers and Global Catalog servers in their respective areas. Since all servers are in the same AD site, any DC/GC may service the requirements of any Exchange server without preference.
  • Since all client Active Directory sites connect to the server Active Directory site, all clients can be serviced by all domain controllers in the organization. This is true for both Windows authentication and Outlook Directory Services Access to a Global Catalog.

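A checker for the rules of thumb listed earlier (each subnet in exactly one site; each site with a DC, GC and DNS; site links mirroring WAN links), run against the Company X layout from this section. This is an added example, not the post's own material; the subnet ranges, the roles per site and the hub-and-spoke WAN out of Manila are constructed assumptions.

```python
from collections import Counter


def check_site_design(sites, site_links, wan_links):
    """Return findings against the post's rules of thumb.
    sites: {name: {"subnets": [cidr, ...], "roles": {"DC", "GC", "DNS"}}}
    site_links / wan_links: iterables of (siteA, siteB) pairs."""
    findings = []
    # Rule: a subnet may be declared on only one site.
    owners = Counter(s for cfg in sites.values() for s in cfg["subnets"])
    for subnet, n in owners.items():
        if n > 1:
            findings.append(f"subnet {subnet} declared in {n} sites")
    # Rule: every site has a DC, a GC and DNS so client traffic stays local.
    for name, cfg in sites.items():
        missing = {"DC", "GC", "DNS"} - set(cfg["roles"])
        if missing:
            findings.append(f"site {name} lacks {', '.join(sorted(missing))}")
    # Rule: site links reflect the WAN links, one for one.
    norm = lambda links: {frozenset(l) for l in links}
    for link in sorted(norm(wan_links) - norm(site_links), key=sorted):
        findings.append(f"WAN link {'-'.join(sorted(link))} has no site link")
    for link in sorted(norm(site_links) - norm(wan_links), key=sorted):
        findings.append(f"site link {'-'.join(sorted(link))} matches no WAN link")
    return findings


# Constructed Company X layout from the VLAN example: all servers in one
# "Servers" site, clients split by city. Subnets and roles are assumptions.
FLAWED = {
    "Servers": {"subnets": ["10.0.0.0/24"], "roles": {"DC", "GC", "DNS"}},
    "Manila": {"subnets": ["10.1.0.0/16"], "roles": set()},
    "Cebu": {"subnets": ["10.2.0.0/16"], "roles": set()},
    "Davao": {"subnets": ["10.3.0.0/16"], "roles": set()},
    "Subic": {"subnets": ["10.4.0.0/16"], "roles": set()},
}
FLAWED_LINKS = [("Servers", c) for c in ("Manila", "Cebu", "Davao", "Subic")]
# Assumed WAN: hub in Manila with a link to each of the other three offices.
WAN = [("Manila", "Cebu"), ("Manila", "Davao"), ("Manila", "Subic")]

# Corrected layout: one site per WAN location, each with its own DC/GC/DNS.
CORRECTED = {
    city: {"subnets": [f"10.{i}.0.0/16"], "roles": {"DC", "GC", "DNS"}}
    for i, city in enumerate(("Manila", "Cebu", "Davao", "Subic"), start=1)
}

if __name__ == "__main__":
    for f in check_site_design(FLAWED, FLAWED_LINKS, WAN):
        print("FLAWED:", f)
    print("CORRECTED:", check_site_design(CORRECTED, WAN, WAN) or "no findings")
```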
Plan your site structure properly. With it comes the best use of bandwidth and the lowest latency for AD object updates.


Written by jpaloma

January 19, 2011 at 11:41 AM

7 Responses


  1. […] Active Directory Site and Replication Design Principles […]

  2. Just for clarity: when you say VLAN (virtual “local” area network; operates at layer 2 in the network stack) do you mean VPN (virtual private network; operates as an encapsulated frame routed at layer 3 in the stack)? I have never come across a VLAN that can operate in the way you describe; however, it sounds exactly like a VPN.

    Mike Harding

    August 13, 2011 at 7:43 PM

    • Hello Mike, yes I’m referring to L2. It’s a case where segments are divided according to machine role rather than geographical location. My point in the section “AD Sites and VLANs” is that the clients should be closest (in terms of # of hops through IP subnets as well as geophysical and physical network location) to the Domain Controllers that are expected to authenticate them.


      August 17, 2011 at 12:12 AM

  3. Hi, I just need a reality check. My current setup is as follows: domain a (nothing in it, it’s just a placeholder with a domain, a.com) with global catalog.
    I created a second domain controller, b, choosing to join it to the forest; the namespace is b.a.com.
    This also is a GC.

    The other day, we had an outage which wouldn’t allow login. Since I created a new domain in a forest, this shouldn’t have happened, correct? I just wanted to get this right, since that initial domain goes up and down all the time and my site is operational 24/7.



    January 26, 2012 at 8:51 PM

    • Hello Gary,

      Ensure that both a.com and b.a.com domains have DC’s that are capable of running 24/7.


      January 26, 2012 at 10:23 PM

  4. […] Active Directory Site and Replication Design Principles […]
