
Adding 3rd Replicating AD Server?

DigitalCancer

Diamond Member
Hey Guys,

First off, this is for my company that I work for...but...I want to learn how to do this myself so it's more for personal knowledge. We have a vendor I could ask to do it for me but what good would that do me?? ^_^

So...we have (2) sites...DC04(primary)/DC02 at site 1...and DC03 at site 2.

Looking at DC03 this morning and it seems to only be replicating from DC02.

I am looking at the AD Sites/Services and under site 2 - servers - dc03 - NTDS...DC02 is the only one listed...so...my question is, how do I ADD DC04 as a replicating connection?
 
So if you add a user account or something on DC03, it shows up on DC02 but not DC04?

No, it's a round-about...

DC04 replicates to DC02 replicates to DC03....

What I'm looking for is for DC03 to replicate from EITHER DC02/DC04...right now only DC02 is listed and that's all that it has contacted (god forbid DC02 ever go down).
 
If you feel the need to, you can manually add connections using that same AD Sites and Services snap-in.
 
I wouldn't manually add a connection object if you can avoid it.

OP, sounds like DC02 is the replication bridgehead for site 1. Can you confirm?

Assuming that's the case, there is really no reason to have DC04 replicate directly with DC03. If DC02 becomes unavailable, the KCC will adjust the replication topology so that DC04 will then replicate directly with other sites (in your case, DC03). That's also why you don't want to add a connection object, because IIRC, the KCC will not properly route around manually created connection objects should the connection become unavailable.
 
Last edited:
Sounds like you need to have these guys in a proper Forest so they all know about each other.

The Branch servers (forest, tree, branch) know about each other and cross-replicate, but provide local services.

I'm not a MS expert, but I used to work for a large organization with a very uncreative IT staff. That was how our AD was setup and it worked exactly the way you're saying you want.

This stuff would have to be front and center in the MS documentation, or those dudes wouldn't have done it.

(Holy crap, sorry, I just became the RTFM guy. I didn't mean to!)

I do know, though, that "branch" servers have a different AD role installed than "root" servers.

So maybe that's enough keywords to get you on the right track.
 

If you have multiple domain controllers in a site, one of those domain controllers becomes a replication bridgehead. This basically means it is in charge of replicating with domain controllers in other sites. I'm pretty sure the OP's environment is acting exactly as intended. It isn't an issue either -- if the preferred bridgehead goes down, the KCC will designate another DC in that site as the new replication bridgehead.

"Branch" DCs will generally differ in that they may be read-only domain controllers as opposed to "full" domain controllers where updates may take place.
 
So...let me clarify once more just to ensure that I'm (and everyone else) is on the same page...

Site 1 (primary site), has DC04 (primary DC) and DC02 (redundant).

Site 2 has DC03...which is the primary at that location b/c it's the only one.


Currently, DC03 replicates to DC02....and DC02 replicates to DC04.

Looking in the AD snap-in, I see DC02 listed for Site 2 but not DC04, so DC03 isn't communicating with DC04.

DC02 is set to replicate with DC03 and DC04...

DC04...is set to replicate with DC02...NOT DC03

PICS - may they provide a little clarification...
(please ignore DC01...that's a phantom that we haven't gotten rid of yet for fear of issues with it...previous IT REALLY sucked)

DC02 (screenshot)

DC03 (screenshot)

DC04 (screenshot)
 
Right-click on DC02 and select properties. Post a screenshot of the General tab.

If DC01 is no longer physically available, you'll need to rip it using NTDSUTIL and then you'll need to clean the records from DNS. Not hard, but you have to be very careful.
 

I agree. AD has automatically generated the replication topology exactly as I would expect it to. In fact, I have access to an environment that's very similar to the OP's (2 sites, with 2 DCs at the primary site and 1 DC at the branch office), and I just looked at the replication topology to find that it's the same as the OP's.
 

Good to know! I just wanted to make sure everything was correct...I wasn't certain if it should be connecting to the other one or not since technically it's replicating to another DC that is already replicating to the primary so...it'd be redundant anyway.

I appreciate the help guys! Now I just have to get rid of that pesky DC01...but...as IndyColtsFan said...it's all about being cautious and I would hate to be the one to blame for any issues that come from it. We're only a 2-man team here right now. ^_^
 
By the way guys...this is what sparked this for me...we had an outage this morn (turns out it was an internet related issue) but...everyone was online once I was made aware, but they said they weren't connecting to exchange/messenger...that site gets their AD from DC03 first off so I decided to check it, found this error:

This is the replication status for the following directory partition on this directory server.

Directory partition:
DC=DomainDnsZones,DC=<editedforCompanyDomain>,DC=local

This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.

More than 24 hours:
1
More than a week:
1
More than one month:
1
More than two months:
1
More than a tombstone lifetime:
1
Tombstone lifetime (days):
180

and I've set our DCs to replicate every hour btw.
 

You can try running repadmin /bridgeheads from an administrative command prompt on a domain controller and it should ID the bridgeheads in each site. If you'd prefer to make DC04 the bridgehead, you can do that as well but I'd probably leave it as-is.
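As an added example (not code from this thread), a PowerShell check that covers what the replies recommend: list the connection objects and whether the KCC generated them, show the bridgeheads with repadmin, and report partners that have not replicated recently, which is the condition behind the status message the OP posted. It assumes an elevated prompt on a DC with the ActiveDirectory RSAT module; the DC names come from the thread and the staleness threshold is an assumption.

```powershell
# Added example, not from the thread. Run elevated on a DC with the ActiveDirectory module.
Import-Module ActiveDirectory
$StaleAfterHours = 2   # assumption: the OP replicates hourly, so 2h without success is worth a look

# 1. Connection objects: who pulls from whom, and whether the KCC built the link.
#    AutoGenerated = False marks a hand-made connection the KCC will not repair around.
Get-ADReplicationConnection -Filter * |
    Select-Object ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated |
    Sort-Object ReplicateToDirectoryServer |
    Format-Table -AutoSize

# 2. Per-site bridgeheads, the same command the reply above suggests.
repadmin /bridgeheads

# 3. Inbound/outbound partner freshness per partition for one DC. Partners past the
#    threshold or with consecutive failures are returned for follow-up.
function Get-StaleReplicationPartners {
    param([string]$Target, [int]$Hours)
    Get-ADReplicationPartnerMetadata -Target $Target -Scope Server -PartnerType Both |
        Where-Object {
            $_.LastReplicationSuccess -lt (Get-Date).AddHours(-$Hours) -or
            $_.ConsecutiveReplicationFailures -gt 0
        } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      ConsecutiveReplicationFailures, LastReplicationResult
}

# DC names taken from the thread; extend the list for your own environment.
foreach ($dc in 'DC02', 'DC03', 'DC04') {
    Get-StaleReplicationPartners -Target $dc -Hours $StaleAfterHours | Format-Table -AutoSize
}
```

A partner that shows up here with a last success older than the tombstone lifetime is a retired DC whose metadata still exists, which is a cleanup job (NTDSUTIL and DNS, as noted earlier in the thread), not something a new connection object will fix.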
 

Was the circuit between the sites down? Also, is DC03 a global catalog (I'm assuming it is)?
 

Yes...it is a global catalog and yes, our internet connection dropped...it's a 100MB comcast cable out there (we're on 50MB Fibre here). ^_^


cool, thanks for the help guys.

seepy83, it was being used in a 'non-traditional' setup...(DC01 was actually an HP consumer machine...complete with Pentium (dual core I think) - 2GB - 120GB hdd)...

I wanted to make sure it wasn't being referenced anywhere before we wiped it out. I just haven't had time to look at it yet...it's not hurting anything as is, so maybe after this next big project I have coming up I can start doing some clean up.

We've actually spent $87,000 this year on server upgrades/storage. I've been here for 2yrs now and it's been terrible trying to clean up previous IT. It was so bad that they had one group policy setup for a single share drive that everyone accessed. They had a home drive but anyone could access each others, lol. They have 25 printers...no daily backups...etc. etc.

We now have 40TB worth of storage, 5 printers and 2 MFC's, daily backups with redundancy...we're running 4 VM's now and we re-purposed one of those physical boxes for DC03 at the other site (b/c they had nothing out there previously). We're on track...but it's been a long road. ^_^
 

Looks like DC03/02 are the bridgeheads...?
 