Best practices for AD over multiple sites


23 Posts
Joined 2002-10-17
At the moment, the network I work on is divided between the head office and several remote sites. All of these sites connect to the head office via VPN over ADSL. Most of these sites have their own 2000 servers on site as well. At the moment, the entire organisation is allocated inside the one site if I go into AD Sites and Services under admin tools. In addition to this, there is just a general "Staff" organisational unit with some sub units in the AD Users and Computers. The only thing in the way of actual group policies is one I've made for IT staff to test out automatic updates of Windows 2000 off a Software Update Services (SUS) server I've set up.
 
What I'd like is any suggestions about the best way to make use of Active Directory on this setup. In another topic, DS3Circuit has kindly provided feedback on using AD group policies for Office and SP3 installations. Under the current setup "odd" things happen, like head office PCs will run the login script off a remote server. Would it be better to create Sites under AD Sites and Services for each physical site? Any benefits/suggestions? Any other suggestions or comments on how to make the most of AD in this setup?
 
Thanks.


Responses to this topic



738 Posts
Joined 2002-12-11
Well best practices
 
1. A site is defined as a high bandwidth location - it is entirely physical and may encompass logical administration - depending on centralized or decentralized administrative environments (office politics). DSL lines don't encompass this (mostly).
 
2. Break it down by subnets in ADSS
 
3. Windows 2000 Pro machines locate DCs through DNS queries first (SRV records), then WINS, then Netbios and so on down the line.
 
4. You need some books, and some more particular questions as well.
 
Suggestions
 
A DC in each remote site, with timed replication to the main site, will ease bandwidth, GPO deployment, and logon times. Remote DCs should also be Global Catalogs as well. And if a site has more than one DC, one should be made a bridgehead for replication. Your situation is a perfect model for Hub n Spoke topology and replication.


23 Posts
Joined 2002-10-17
OP
Since I have the actual ADSS screen in front of me now, I can fill in some details.
 
There are two sites - "Default-First-Site-Name" and "Conferencing". The Conferencing site is empty and is probably a result of the IT Manager playing around with some video conferencing stuff he's been looking at. In the Default-First-Site-Name, there are all the DCs in the entire organisation, including those in the head office and remote offices. Under NTDS Site settings, one of the head office DCs is set as the server for Inter-Site Topology Generator (whatever that means....). Licensing Site Settings is also set to the same DC. Under Servers, all the DCs are listed. All are set to use IP and SMTP as inter-site data transfer transports.
 
If I expand each server out and view their NTDS settings, they list between 3 and 8 items that just say "automatically generated". In Properties for NTDS settings, only one server has the Global Catalog checked on, and it's a different one from that specified as the Inter-Site Topology Generator. Viewing properties for each automatically generated connection shows that it seems to be a randomly assigned group of other servers to replicate off. In all instances, the transport is set to RPC. Replication schedules are set to once an hour.
 
Under Subnets, there are 5 items. The first, 1.1.1.1/32, has its site set to Conferencing. The others are private LAN address ranges that are set for Default-First-Site-Name. Nothing comes up in the right window pane when I click on them.
 
In AD Users and Computers, there's an organisational unit called "Staff" and then sub-units under that for each division in the company. There is a Domain Controllers OU (can't remember if this is a default or not) with most of the DCs in it. Only the Default Domain Controllers Policy is applied to this OU. The Computers Folder has all the other workstations allocated in it. Can't seem to see any Policy tab for properties here. The Printers OU is empty. I don't know if there's any benefit or not in having them in there.
 
Lastly, do you recommend any particular books on this subject matter? Thanks.


738 Posts
Joined 2002-12-11
In ADSS
 
*** At this point I wouldn't recommend playing with replication times and just leave them at the defaults ***
 
*** What I am recommending here, will optimize AD replication, software deployment, remote management, WAN traffic, and use of resources AND requires a DC in each site running DDNS ***
 
1. Create 3 different sites ... 1 for your main site and 2 more for your satellites.
 
2. Create those subnets that are in your entire organization and link them each to their own individual site.
 
3. For Inter-Site Transports, I would just stick with RPC replication since your DSL lines have a better "uptime" than say a Dialout with a modem. (Also if you used SMTP for replication, you would need to create a certificate authority to verify the data ... no need)
 
***RPC runs over port 135 .... LDAP queries run over 389 by default***
 
4. NTDS settings only appear for DCs and each site should have its own Global Catalog (AD queries then won't have to go over WAN links). This obviously requires a DC in EACH site.
 
5. There is no need for the Conferencing Site (from what I have been told)
 
6. IMHO, it is far easier to have a bridgehead DC in each site, sitting in the DMZ of each site, so you won't have to turn your firewall into Swiss cheese by opening numerous ports.
 
7. Did you know you could apply Group Policies by SITE as well as OU (and Domain as well)?
 
IN ADUC
 
1. Builtin, Computers, ForeignSecurityPrincipals, Users are NOT OUs, but actually just CONTAINERS .... in other words you cannot apply GPOs to them. So then just move them into a new OU.
 
2. The Printer OU is for you to publish legacy printers into your AD ... mostly for NT servers .... not necessarily needed.
 
IN BOOKS
 
Well I enjoyed Windows 2000 Server Resource Kits, anything from the Microsoft Press, and the publisher SYBEX.
 
LINKS
 
www.labmice.net
www.microsoft.com/technet
 
Remember Microsoft PSS is the best 250 bucks you will ever spend.
 
Well that's enough for now, if anyone else wants to chime in, please feel free by all means.
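The site layout DS3Circuit lays out above (one site per physical location, every subnet mapped to its site, RPC/IP site links back to the hub, a Global Catalog per remote DC, and retiring the empty Conferencing site) can be scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the thread; the site names, subnets and DC names are constructed placeholders to be replaced with the real ones from ADSS.

```powershell
# Added example: build the hub-and-spoke site topology from the thread.
# Site, subnet and DC names are constructed placeholders.
Import-Module ActiveDirectory

# One site per physical location; the DSL link is the site boundary.
$sites = @{
    'HeadOffice' = @('192.168.1.0/24')     # constructed subnets
    'Branch-A'   = @('192.168.10.0/24')
    'Branch-B'   = @('192.168.20.0/24')
}

foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    # Mapping every client subnet to its site is what stops head-office
    # PCs from picking a remote DC (and its logon script) at logon.
    foreach ($cidr in $sites[$site]) {
        New-ADReplicationSubnet -Name $cidr -Site $site -ErrorAction Stop
    }
}

# Hub-and-spoke: one IP (RPC) site link per branch back to the hub.
# 180 minutes is the default schedule; the thread advises leaving it alone.
foreach ($branch in 'Branch-A', 'Branch-B') {
    New-ADReplicationSiteLink -Name "HeadOffice-$branch" `
        -SitesIncluded 'HeadOffice', $branch `
        -InterSiteTransportProtocol IP -Cost 100 `
        -ReplicationFrequencyInMinutes 180
}

# Make each remote DC a Global Catalog: bit 1 of "options" on its NTDS
# Settings object. -Replace overwrites the attribute, so only use it on a
# DC whose options value is currently 0 (the usual case for a plain DC).
foreach ($dc in 'DC-BRANCH-A', 'DC-BRANCH-B') {   # constructed DC names
    $ntds = (Get-ADDomainController -Identity $dc).NTDSSettingsObjectDN
    Set-ADObject -Identity $ntds -Replace @{ options = 1 }
}

# Retire the empty Conferencing site only after confirming no DC lives in it.
if (-not (Get-ADDomainController -Filter "Site -eq 'Conferencing'")) {
    Get-ADReplicationSubnet -Filter * |
        Where-Object { $_.Site -like 'CN=Conferencing,*' } |
        Remove-ADReplicationSubnet -Confirm:$false
    Remove-ADReplicationSite -Identity 'Conferencing' -Confirm:$false
}

# Verify the subnet-to-site mapping that DC locator will use.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

Run it from a domain-joined admin workstation with the RSAT ActiveDirectory module; the final listing should show every LAN range bound to its own site rather than all of them under Default-First-Site-Name.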


23 Posts
Joined 2002-10-17
OP
The IT manager has made a big deal about having servers at any site with 3/4 or more PCs, so there should be a DC at most of the sites. The Global Catalog thing I can see being very useful as sometimes the DSL links for some of the sites do actually go down. And what's Microsoft PSS? Thanks for the help so far too, DS3Circuit.


738 Posts
Joined 2002-12-11
Microsoft Product Support Services ... PSS
 
800-936-4900
 
If you have any questions, feel free, and if anyone else has something to add, the same m8


23 Posts
Joined 2002-10-17
OP
One thing that just sprung to mind - would creating extra sites break and/or affect any software functionality, such as Exchange 2000 Server (which they run), etc.?


738 Posts
Joined 2002-12-11
As long as there is a GC in every site that has an Exchange Server, you should be alright.
 
Being that you brought it up .... depending on your DSL speed and what not ... you MAY have to place your NATIVE (?) mode exchange servers in their respective routing groups, but under the same administrative group.


23 Posts
Joined 2002-10-17
OP
At the moment, there's only one Exchange server, which is at head office. As for the mode, if I go into Exchange System Manager and check the properties for the top most item in the tree, it lists the mode as "Mixed Mode"


738 Posts
Joined 2002-12-11
http://support.microsoft.com/default.aspx?scid=kb;en-us;q272314
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;270143
 
Adding sites will affect replication and authentication speeds, but not necessarily hinder anything that Exchange needs, considering there is only one server.
 
EDIT
 
For people in satellite sites, they should use IMAP or OWA to connect to Exchange as they have a lower overhead than the actual Exchange client or POP3 for example.


23 Posts
Joined 2002-10-17
OP
So, just checking if I have this right....The mixed mode/native mode situation depends *only* on the versions of Exchange Server and as such, I could quite easily move to native mode for Exchange. (Note: the client OS and Outlook versions vary. OSes are 95, 98 and 2000, while Office versions are 97 and 2000)
 
As for using OWA and all that, yeah that's an option I'd like so people could check their email from home and offsite without going through the Terminal Server (ick). I think it's been half setup and is currently not working.


738 Posts
Joined 2002-12-11
Quote:So, just checking if I have this right....The mixed mode/native mode situation depends *only* on the versions of Exchange Server and as such, I could quite easily move to native mode for Exchange. (Note: the client OS and Outlook versions vary. OSes are 95, 98 and 2000, while Office versions are 97 and 2000)

Correct ... client operating systems and Outlook versions have nothing to do with it

Quote:As for using OWA and all that, yeah that's an option I'd like so people could check their email from home and offsite without going through the Terminal Server (ick). I think it's been half setup and is currently not working.

Never worked at a business that used Outlook in terminal services, congrats for being daring

And if you move to Exchange 2003, then OWA will just look like Outlook 11 provided the users use IE5 or better


23 Posts
Joined 2002-10-17
OP
Quote:Quote:As for using OWA and all that, yeah that's an option I'd like so people could check their email from home and offsite without going through the Terminal Server (ick). I think it's been half setup and is currently not working.

Never worked at a business that used Outlook in terminal services, congrats for being daring

Well at the moment, only the IT staff use Outlook through Terminal Services, because this gives us roaming capabilities for email and other bits and pieces throughout the organisation, as a lot of the PCs here are...not good. Also, the current setup means that if you don't use TS, your email is tied to the PCs where it's configured (I don't know if this is the "natural" way things are done). Having OWA working fully would be great for allowing full roaming Outlook functionality for all staff.

As for Exchange 2003, I've ordered the beta and will be having a lot of playing around with it to see what's there, although I doubt they'd shell out for it unless there was a very compelling case for it.


2172 Posts
Joined 2002-08-26
Quote:As for Exchange 2003, I've ordered the beta and will be having a lot of playing around with it to see what's there, although I doubt they'd shell out for it unless there was a very compelling case for it.
The new OWA is very nice! Can't wait to install Office 11 when the CD gets here! Hoping it will mirror the OWA interface.


738 Posts
Joined 2002-12-11
Quote:Quote:As for Exchange 2003, I've ordered the beta and will be having a lot of playing around with it to see what's there, although I doubt they'd shell out for it unless there was a very compelling case for it.
The new OWA is very nice! Can't wait to install Office 11 when the CD gets here! Hoping it will mirror the OWA interface.

I know what you mean ... I myself look forward to playing with Exchange 6.5 ... and knowing the bleeding edge mentality of our company, we will be running it before SP1.


23 Posts
Joined 2002-10-17
OP
Okay, so I guess a summary is in order here. Based upon what the organisation has, I'd be best off doing the following:
 
1. Creating AD Sites for each office that has a Domain Controller, along with a Global Catalog
2. Create organisational units for the storage of all the Windows 2000 systems and apply group policies to them to allow easy rollout of things such as Office 2000, Service packs, etc.
3. To facilitate #2, each office DC would have a local mirror of the required files.
4. The only site with more than one DC is the head office. (Not too sure what you mean by bridgehead though, DS, you might have to explain that term for me)
5. Set Exchange 2000 to native mode and fix OWA
 
Anything missing?


738 Posts
Joined 2002-12-11
1. A DC and GC for each remote site ... Correct
2. GPOs for each OU ... Correct
3. Correct, WAN deployment of GPOs can be time consuming as well as bandwidth consuming ... a possible way to avoid this is making GPOs run asynchronously.
4. Bridgehead means one server that allows AD replication to remote sites.
5. Exchange 2000 should be in native mode for your environment .... if users wish to use OWA instead of Outlook then by all means.