Active Directory: Multi Site, Subnet, and Replication Configuration


Windows Server 2019

Presentation

In this tutorial, we will cover the concepts of Active Directory sites and subnets.

Active Directory sites optimize the management of multi-site / multi-network infrastructures by:

  • Controlling replication between domain controllers.
  • Authenticating users against the domain controller(s) of their own site.
  • Linking GPOs to sites.

There are two types of replication links:

  • Intra-site: replication link between domain controllers in the same site.
  • Inter-site: replication link between Active Directory sites, configured under the Inter-Site Transports node.

The lab:

Configuring sites and networks

Ideally, declare the Active Directory site before promoting the server to domain controller, so that it is placed directly in the right site. It is also quite possible to move the DC afterwards.

On a domain controller, open the Active Directory Sites and Services console.

Open management console

We can see that several nodes are available in the console:

  • Inter-Site Transports: contains the inter-site links as well as the protocol used for replication.
  • Subnets: contains the networks that are declared and then assigned to a site.
  • Sites: the blue nodes (one per site) contain the site parameters and the servers of the site (domain controllers, transport edge …).

Active Directory Sites and Services

When the Active Directory domain is created, a default site named Default-First-Site-Name is created with it. The first step when implementing a multi-site architecture is to rename this site. To do so, right-click on the site 1 and click Rename 2.

Rename default site

The site is now renamed.

Site renamed

Now that the site is named correctly, we can declare an IP network for it.

Add an IP network

Declaring the network lets Active Directory automatically place each server in the correct site according to its IP address.

If you want to add an IP network for a site other than the default one, you must first add that site (see Add a site below).

Right-click on Subnets 1 and click New Subnet 2.

New subnet

Enter the network address 1, select the site 2 and click OK 3 to add the subnet.

Subnet configuration

The subnet is added 1. You can also see the subnet(s) assigned to the site in the site's properties 2.

Subnet added

Add a site

From the console, right-click on Sites 1 then click New Site 2.

Add site

Enter the site name 1, select a site link object 2 and click OK 3.

Site name

A confirmation message appears; click OK 1 to close it.

Site added

The site is added and available in the Active Directory Sites and Services console.

Site added

Now that the site is added, configure the subnet(s) linked to it.

Configure a bridgehead server

A bridgehead server is the preferred domain controller for inter-site replication. It is useful to define a bridgehead server in a site that has several domain controllers: it handles replication from and to the other sites, then replicates the changes to the other controllers of its own site.

Right-click on the server 1 and click Properties 2.

Server properties

Select the protocol(s) 1 then click Add 2.

Select transport data

Click Apply 1 and OK 2 to validate the configuration.

Apply configuration

Add a replication link

When a domain controller is added, intra-site replication links are normally generated automatically.

Replication link

Because the LAB-AD1 server is the bridgehead for SiteA, there is no link between LAB-AD2 (SiteB) and LAB-AD3 (SiteA). If you still want to add such a link manually, this is possible.

From the console, expand the server node and go to NTDS Settings 1. Right-click in the central pane and click New Active Directory Domain Services Connection 2.

Add replication link

Select the source controller 1 and click OK 2.

Select the domain controller

Name the link 1 and click OK 2.

Link name

The replication link is added from the LAB-AD2 server to LAB-AD3.

Link added

Replication frequency and schedule

The replication frequency is configured differently depending on the type of link (inter-site or intra-site).

Inter-Site

In the console, go to Inter-Site Transports 1 / link type 2 (IP), then right-click on the link 3 and click Properties 4.

Link inter site properties

The frequency and the schedule are configured from the General tab.

  • Cost 1: if several links are configured, a link can be prioritized by changing its cost; the link with the lowest cost is preferred.
  • Replicate every XXX minutes 2: the replication frequency.
  • The Change Schedule button 3 lets you configure the hours during which the link is active.

Looking at the properties of the inter-site replication link directly in NTDS Settings, we can see that its schedule follows the Inter-Site Transports settings.

Schedule Inter-Site Link

If we change the frequency of the link in Inter-Site Transports to 60 minutes and go back to the link on the controller, we can see that the replication schedule has been updated automatically.

The change is not instantaneous; it can be forced with the command repadmin /kcc.
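The site, subnet, site link and bridgehead configuration done through the console above, scripted with the ActiveDirectory module. This is an added example, not part of the original tutorial: it reuses the site names SiteA/SiteB and the server LAB-AD1 from the lab, and assumes the default site link is still named DEFAULTIPSITELINK; the subnet addresses are constructed for the example.

```powershell
# Added example: script the GUI steps of the tutorial with the ActiveDirectory module.
# Assumed names: SiteA/SiteB and LAB-AD1 (from the lab), DEFAULTIPSITELINK (AD default).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Rename the default site, only if it still carries the default name.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) { Rename-ADObject -Identity $default.DistinguishedName -NewName 'SiteA' }

# 2. Create the second site (idempotent).
if (-not (Get-ADReplicationSite -Filter "Name -eq 'SiteB'")) {
    New-ADReplicationSite -Name 'SiteB'
}

# 3. Declare the subnets. A DC is placed in a site from its IP only when a
#    matching subnet exists, so every DC network must be declared.
$subnets = @{ '10.10.1.0/24' = 'SiteA'; '10.10.2.0/24' = 'SiteB' }   # constructed values
foreach ($cidr in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
    }
}

# 4. Inter-site link: the GUI attaches a new site to a site link for you; in
#    PowerShell it has to be added. Cost and frequency are the General tab values,
#    the lowest cost being the preferred link.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = 'SiteB' } `
    -Cost 100 -ReplicationFrequencyInMinutes 60

# 5. Preferred bridgehead for the IP transport on LAB-AD1 (SiteA): the server
#    object's bridgeheadTransportList holds the DN of the transport.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$server      = "CN=LAB-AD1,CN=Servers,CN=SiteA,CN=Sites,$configNC"
Set-ADObject -Identity $server -Replace @{ bridgeheadTransportList = $ipTransport }

# 6. Rebuild the replication topology now instead of waiting for the periodic run.
repadmin /kcc
```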

Intra-site

The frequency and schedule of intra-site replication are configured directly in the link properties, in the NTDS Settings node of the domain controller.

Intra-site links

Click Change Schedule 1 .

Edit schedule

Select the time range to modify 1, then select the number of replications per hour 2 and validate by clicking OK 3.

Change the frequency of the intra-site link

Use Group Policies by Sites

From the Group Policy Management console, right-click on Sites 1 and click on Show Sites 2 .

Enable site in GPO

Choose sites to display 1 and click OK 2 .

Select sites

It is now possible to link a GPO to a site: right-click on the site and click Link an Existing GPO.

GPO Site

Troubleshooting

Move a domain controller

From the Active Directory Sites and Services console, right-click on the controller to move 1 and click Move 2.

Move DC

Choose the destination site 1 and click OK 2.

Select the target site

The server has been moved to the new site.

Server moved to the new site

Check the status of replication

On a domain controller, open a command prompt and enter the command below to view the replication status of the controller.

repadmin /showrepl

It is also possible to check the replication of a remote controller by passing it to the command:

repadmin /showrepl <DC>

Force replication

Enter the following command to force intra-site replication:

repadmin /syncall

Enter the following command to force intra-site and inter-site replication:

repadmin /syncall /e

Enter the following command to force intra-site and inter-site replication on a remote controller:

repadmin /syncall /e <RemoteDC>

Regenerate replication links

If you delete the automatically generated replication links by mistake, as in the screenshot below …

Links deleted

Open a command prompt on the domain controller and enter the command below:

repadmin /kcc

Replication links are available again.

Replication links

Depending on the topology and the number of domain controllers, link generation may take several minutes.

This topology check is normally run automatically every 15 minutes.
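A replication and site placement health report for every domain controller, covering the same points as repadmin /showrepl and the automatic placement of servers by subnet described above. Added example, not part of the original tutorial; it assumes the ActiveDirectory module (RSAT or a DC), and the 3-hour staleness threshold is an arbitrary value chosen for the example.

```powershell
# Added example: report DCs whose IP is not covered by a declared subnet (or whose
# subnet points at another site) and replication partners that fail or go stale.
Import-Module ActiveDirectory
$maxAgeHours = 3   # arbitrary threshold for "last successful replication too old"

function ConvertTo-IPv4Number([string]$ip) {
    # Dotted quad -> integer, so subnets can be compared with a mask.
    $b = ([System.Net.IPAddress]$ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + [int64]$b[3]
}

function Get-SiteForIP([string]$ip, $subnets) {
    # Site (DN) of the declared IPv4 subnet containing $ip; the longest prefix
    # wins, as Active Directory does. $null when no subnet covers the address.
    $best = $null
    foreach ($s in $subnets) {
        if ($s.Name -notmatch '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') { continue }   # skip IPv6 subnets
        $net  = ConvertTo-IPv4Number $Matches[1]
        $bits = [int]$Matches[2]
        $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
        if (((ConvertTo-IPv4Number $ip) -band $mask) -eq ($net -band $mask)) {
            if ($null -eq $best -or $bits -gt $best.Bits) {
                $best = [pscustomobject]@{ Site = $s.Site; Bits = $bits }
            }
        }
    }
    return $best
}

$subnets = Get-ADReplicationSubnet -Filter * -Properties Site
foreach ($dc in Get-ADDomainController -Filter *) {
    # 1. Is the DC's address covered by a subnet, and does that subnet map to its site?
    $match = Get-SiteForIP $dc.IPv4Address $subnets
    if ($null -eq $match) {
        Write-Warning "$($dc.HostName): no subnet declared for $($dc.IPv4Address) (currently in $($dc.Site))"
    } elseif (($match.Site -split ',')[0] -ne "CN=$($dc.Site)") {
        Write-Warning "$($dc.HostName): in site $($dc.Site) but its subnet maps to $($match.Site)"
    }
    # 2. Replication partners: consecutive failures or a stale last success.
    foreach ($p in Get-ADReplicationPartnerMetadata -Target $dc.HostName) {
        $age = if ($p.LastReplicationSuccess) { ((Get-Date) - $p.LastReplicationSuccess).TotalHours } else { [double]::MaxValue }
        if ($p.ConsecutiveReplicationFailures -gt 0 -or $age -gt $maxAgeHours) {
            Write-Warning ("{0} <- {1} [{2}]: {3} consecutive failures, last success {4}" -f `
                $dc.HostName, $p.Partner, $p.Partition, $p.ConsecutiveReplicationFailures, $p.LastReplicationSuccess)
        }
    }
}
```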


Links:

Repadmin : https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc770963(v=ws.11) 
Design of the site topology : https://docs.microsoft.com/fr-fr/windows-server/identity/ad-ds/plan/designing-the-site-topology
