Site Replication

Question: Have DC's in 4 locations, all in their own sites in AD. The root
DC is in Location A it has an automatic
replication partner with site B. Sites C and D only have a replication
partner with Site B. When we brought up site D the network link between D
and B was not available but the link between D and A was. However when we
brought up this site it created a replication partner with site B.
Replication would not work until we
corrected the link between B and D.

I am concerned if the link goes down at B that I will have issues
replicating from the other sites

DP133091
Wed Jun 18 09:41:01 PDT 2008

If you are worried about B going down and breaking replication. My suggestion
is to create a new site link from A to D. Then let the KCC generate the site
connection object. Also if site C has a network connection (T1, T3, MPLS
cloud, or some other form) Then create a site link from A to C as well. I
would also recommend that you change the site link cost of the A-C and A-D to
be higher than the B-C and the B-D. By default the cost is set to 100.

"barrycuda72" wrote:

> Question: Have DC's in 4 locations, all in their own sites in AD. The root
> DC is in Location A it has an automatic
> replication partner with site B. Sites C and D only have a replication
> partner with Site B. When we brought up site D the network link between D
> and B was not available but the link between D and A was. However when we
> brought up this site it created a replication partner with site B.
> Replication would not work until we
> corrected the link between B and D.
>
> I am concerned if the link goes down at B that I will have issues
> replicating from the other sites
>
>
>

Herb
Wed Jun 18 09:54:10 PDT 2008


"barrycuda72" <barrycuda72@newgroup.nospam> wrote in message
news:%23Q5PBiU0IHA.1628@TK2MSFTNGP03.phx.gbl...
> Question: Have DC's in 4 locations, all in their own sites in AD. The
> root DC is in Location A it has an automatic

Root applies to the FIRST DOMAIN, not to DCs unless you mean
the DC in the Root/First domain of the forest.

> replication partner with site B. Sites C and D only have a replication
> partner with Site B.

Unless you are explicitly creating connections the way this works
is to create SiteLinks.

Contrary to what they sound like, SiteLinks only tell the KCC/DCs
where the (best) paths to replicate are and do not guarantee how
they will do that.

> When we brought up site D the network link between D and B was not
> available but the link between D and A was.

If there is network from D<->A<->B then (unless there is a firewall
or filters) that is a network D<->B too (although indirect.)

> However when we brought up this site it created a replication partner with
> site B.

It did that because it COULD and because you had the SiteLinks
from B<->D.

> Replication would not work until we
> corrected the link between B and D.

Ok, that implies that there were some filters going through A,
but it REALLY should have done A<->D DC connections
if it couldn't make them between D<->B DCs.

> I am concerned if the link goes down at B that I will have issues
> replicating from the other sites

If A-D network reallyt works (and isn't filtered) OR if
D<->B<->A network does, and there is no B DC or
it isn't reachable then A<->D DCs will replicated UNLESS
you have disabled "Site Link Bridging" (generally a bad
idea to disable this.)

Jorge
Wed Jun 18 13:18:38 PDT 2008

create the correct site
create the correct subnets and link those to sites

create site links and add the HUB site and a branch office to it. repeat
until you have create site links for all branch offices

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"barrycuda72" <barrycuda72@newgroup.nospam> wrote in message
news:%23Q5PBiU0IHA.1628@TK2MSFTNGP03.phx.gbl...
> Question: Have DC's in 4 locations, all in their own sites in AD. The
> root DC is in Location A it has an automatic
> replication partner with site B. Sites C and D only have a replication
> partner with Site B. When we brought up site D the network link between D
> and B was not available but the link between D and A was. However when we
> brought up this site it created a replication partner with site B.
> Replication would not work until we
> corrected the link between B and D.
>
> I am concerned if the link goes down at B that I will have issues
> replicating from the other sites
>

Herb
Wed Jun 18 13:43:10 PDT 2008


"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message
news:OjBvPCY0IHA.2312@TK2MSFTNGP05.phx.gbl...
> create the correct site
> create the correct subnets and link those to sites
>
> create site links and add the HUB site and a branch office to it. repeat
> until you have create site links for all branch offices


It is also WRONG at least on Win2003 Domain with SP2.

Custom domain police has been changed for every single element
of the password policy a long time (years) and the Default Domain
Policy is "not defined" for all Windows Settings->Security->
Account Policy->Password items.

The recommendation stands: Make changes to a custom policy,
avoid changing the Default Domain (and DC) policy GPOs.

Jorge
Wed Jun 18 13:49:20 PDT 2008

you are missing posts....

yeah, ok, feel free to do whatever you want. my saying is that creating an
additional GPO for just the password stuff is useless. for other stuff it
could be interesting

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Herb Martin" <news@learnquick.com> wrote in message
news:e73xsPY0IHA.4040@TK2MSFTNGP04.phx.gbl...
>
> "Jorge de Almeida Pinto [MVP - DS]"
> <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message
> news:OjBvPCY0IHA.2312@TK2MSFTNGP05.phx.gbl...
>> create the correct site
>> create the correct subnets and link those to sites
>>
>> create site links and add the HUB site and a branch office to it. repeat
>> until you have create site links for all branch offices
>
>
> It is also WRONG at least on Win2003 Domain with SP2.
>
> Custom domain police has been changed for every single element
> of the password policy a long time (years) and the Default Domain
> Policy is "not defined" for all Windows Settings->Security->
> Account Policy->Password items.
>
> The recommendation stands: Make changes to a custom policy,
> avoid changing the Default Domain (and DC) policy GPOs.
>
>

Herb
Wed Jun 18 19:35:25 PDT 2008


"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message
news:%23qr$ZTY0IHA.2084@TK2MSFTNGP06.phx.gbl...
> you are missing posts....
>
> yeah, ok, feel free to do whatever you want. my saying is that creating an
> additional GPO for just the password stuff is useless. for other stuff it
> could be interesting

It's bad advice to tell people to modify the Default GPOs.

And you original message said that this was a REQUIREMENT.

That is just wrong. It's not correct. Which I told you some
10 posts ago.

There is no such requirement; it's a poor practice.

Jorge
Thu Jun 19 01:34:23 PDT 2008

then show me the post where I said it is a requirement....

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Herb Martin" <news@learnquick.com> wrote in message
news:uPOuiUb0IHA.5728@TK2MSFTNGP06.phx.gbl...
>
> "Jorge de Almeida Pinto [MVP - DS]"
> <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message
> news:%23qr$ZTY0IHA.2084@TK2MSFTNGP06.phx.gbl...
>> you are missing posts....
>>
>> yeah, ok, feel free to do whatever you want. my saying is that creating
>> an additional GPO for just the password stuff is useless. for other stuff
>> it could be interesting
>
> It's bad advice to tell people to modify the Default GPOs.
>
> And you original message said that this was a REQUIREMENT.
>
> That is just wrong. It's not correct. Which I told you some
> 10 posts ago.
>
> There is no such requirement; it's a poor practice.
>

Jorge
Thu Jun 19 01:33:42 PDT 2008

you are mixing posts.... this one is about site replication....

I never said it is a requirement. those are your words.

I said, it is useless for password settings at domain level beased upon the
link I gave in the other post

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Herb Martin" <news@learnquick.com> wrote in message
news:uPOuiUb0IHA.5728@TK2MSFTNGP06.phx.gbl...
>
> "Jorge de Almeida Pinto [MVP - DS]"
> <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message
> news:%23qr$ZTY0IHA.2084@TK2MSFTNGP06.phx.gbl...
>> you are missing posts....
>>
>> yeah, ok, feel free to do whatever you want. my saying is that creating
>> an additional GPO for just the password stuff is useless. for other stuff
>> it could be interesting
>
> It's bad advice to tell people to modify the Default GPOs.
>
> And you original message said that this was a REQUIREMENT.
>
> That is just wrong. It's not correct. Which I told you some
> 10 posts ago.
>
> There is no such requirement; it's a poor practice.
>