Windows Server 2008 : Understanding Active Directory Sites (part 2)

1/31/2011 4:08:55 PM

Defining Site Link Bridging

By default, all site links are bridged, which means that all domain controllers in every site can communicate directly with any other domain controller through any of a series of site links. Such a bridge has the advantage of introducing redundancy into an environment; for example, if Site A has a link with Site B, and Site B is linked to Site C, servers in Site C can communicate directly with Site A.

On some occasions, it is preferable to turn off this type of replication. For example, your organization might require that certain domain controllers never communicate directly with other domain controllers. In this case, site bridging can be turned off through the following procedure:

Open Active Directory Sites and Services.

Navigate to Sites\Inter-Site Transports\IP (or SMTP, if appropriate).

Right-click the IP (or SMTP) folder, and choose Properties.

Uncheck the Bridge All Site Links check box.

Click OK to save the changes.


Turning off site link bridging will effectively make your domain controller replication dependent on the explicit site links you have established.
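The same change made from the command line, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, PowerShell 3 or later, and rights to modify the Configuration partition; the flag values are the documented NTDSTRANSPORT_OPT_* bits of the transport object's options attribute, which is what the "Bridge all site links" check box writes.

```powershell
# Added example: turn "Bridge all site links" off (or back on) for a transport,
# then verify the setting and list any explicit site link bridge objects.
Import-Module ActiveDirectory

$IgnoreSchedules = 0x1   # NTDSTRANSPORT_OPT_IGNORE_SCHEDULES
$BridgesRequired = 0x2   # NTDSTRANSPORT_OPT_BRIDGES_REQUIRED (set = bridging OFF)

function Get-TransportDN {
    param([ValidateSet('IP','SMTP')][string]$Transport = 'IP')
    $configNC = (Get-ADRootDSE).configurationNamingContext
    return "CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configNC"
}

function Get-SiteLinkBridging {
    param([ValidateSet('IP','SMTP')][string]$Transport = 'IP')
    $obj  = Get-ADObject -Identity (Get-TransportDN $Transport) -Properties options
    $opts = if ($obj.options) { [int]$obj.options } else { 0 }
    [pscustomobject]@{
        Transport          = $Transport
        BridgeAllSiteLinks = -not ($opts -band $BridgesRequired)
        IgnoreSchedules    = [bool]($opts -band $IgnoreSchedules)
        RawOptions         = $opts
    }
}

function Set-SiteLinkBridging {
    param(
        [ValidateSet('IP','SMTP')][string]$Transport = 'IP',
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    $dn   = Get-TransportDN $Transport
    $obj  = Get-ADObject -Identity $dn -Properties options
    $opts = if ($obj.options) { [int]$obj.options } else { 0 }
    # Unchecking the box in the MMC sets the BRIDGES_REQUIRED bit; checking it clears the bit.
    $new  = if ($Enabled) { $opts -band (-bnot $BridgesRequired) } else { $opts -bor $BridgesRequired }
    if ($new -ne $opts) {
        Set-ADObject -Identity $dn -Replace @{ options = $new }
    }
    Get-SiteLinkBridging -Transport $Transport
}

# Turn bridging off for the IP transport and show the resulting state.
Set-SiteLinkBridging -Transport IP -Enabled $false | Format-List

# With bridging off, replication follows only explicit site links and any
# siteLinkBridge objects you create under the transport container.
Get-ADObject -Filter 'objectClass -eq "siteLinkBridge"' -SearchBase (Get-TransportDN IP) |
    Select-Object Name
```

Run Get-SiteLinkBridging before and after a change and keep the before value; because the options attribute carries more than one flag, the functions mask a single bit rather than overwriting the whole value.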

Understanding the Knowledge Consistency Checker (KCC) and the Intersite Topology Generator (ISTG)

Every domain controller contains a role called the Knowledge Consistency Checker (KCC) that automatically generates the most efficient replication topology at a default interval of every 15 minutes. The KCC creates connection objects that link domain controllers into a common replication topology. The KCC has two components: an intrasite KCC, which deals with replication within the site, and an intersite topology generator (ISTG), which establishes connection objects between sites.

In Windows Server 2003, the Active Directory design team vastly improved the algorithm used by the ISTG, which resulted in a several-fold increase in the number of sites that can effectively be managed in AD DS. The number of sites that can be effectively managed in AD DS now exceeds 5,000, particularly if 64-bit domain controllers are installed.


Because all domain controllers in a forest must agree on the ISTG algorithm, the improvements to the ISTG are not realized until the forest is in Windows Server 2003 or higher forest functional level.
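Two checks that follow from the paragraphs above, written here as an added example rather than code from the article: whether the forest functional level is high enough for the improved ISTG algorithm, and which domain controller currently acts as ISTG in each site. It assumes the RSAT ActiveDirectory module and PowerShell 3 or later; the options bits are the documented NTDSSETTINGS_OPT_* flags of the NTDS Site Settings object.

```powershell
# Added example: forest functional level check plus per-site ISTG and KCC status.
Import-Module ActiveDirectory

$KccIntraDisabled = 0x01   # NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED (intrasite KCC off)
$KccInterDisabled = 0x10   # NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED (ISTG off)

function Test-IstgForestLevel {
    # The Windows Server 2003 ISTG algorithm is only used once the forest is at
    # Windows Server 2003 forest functional level or higher.
    $mode     = (Get-ADForest).ForestMode
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    [pscustomobject]@{
        ForestMode   = $mode
        ImprovedIstg = ([int]$mode -ge [int]$required)
    }
}

function Get-SiteIstg {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    foreach ($site in Get-ADObject -Filter 'objectClass -eq "site"' -SearchBase "CN=Sites,$configNC") {
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                        -Properties interSiteTopologyGenerator, options
        $opts = if ($settings.options) { [int]$settings.options } else { 0 }
        # interSiteTopologyGenerator holds the DN of the ISTG's "NTDS Settings" object;
        # the parent of that object is the server object, whose CN is the DC name.
        $istg = '(none recorded)'
        if ($settings.interSiteTopologyGenerator) {
            $istg = $settings.interSiteTopologyGenerator -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
        }
        [pscustomobject]@{
            Site                 = $site.Name
            ISTG                 = $istg
            IntrasiteKccDisabled = [bool]($opts -band $KccIntraDisabled)
            IstgDisabled         = [bool]($opts -band $KccInterDisabled)
        }
    }
}

Test-IstgForestLevel | Format-List
Get-SiteIstg | Format-Table -AutoSize

# To run the KCC now instead of waiting for its 15-minute interval:
#   repadmin /kcc <DCname>
```

A site that reports IntrasiteKccDisabled or IstgDisabled as True will stop generating connection objects automatically; treat an unexpected True as a configuration change to investigate, since replication in that site then depends on manually created connections.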

Detailing Site Cost

An AD replication mechanism allows designers and administrators to establish preferred routes for replication to follow. This mechanism is known as site cost, and every site link in AD DS has a cost associated with it. The concept of site cost, which might be familiar to many administrators, follows a fairly simple formula. The lowest-cost site link becomes the preferred site link for communications to a site. Higher-cost site links are established mainly for redundancy or to reduce traffic on a specific segment. In this way, administrators can “shape” the flow of traffic between and among sites. Figure 4 illustrates a sample AD site structure that utilizes different costs on specific site links.

Figure 4. Understanding site costs.

In this example, traffic between the Morioka and Fukuoka sites follows the two Tokyo links for a total cost of 10. However, if the connection between Morioka and Tokyo fails or is saturated, replication traffic is routed over the Sendai-Morioka, Sendai-Tokyo, and Tokyo-Fukuoka site links, because the total cost of that route (all site link costs added together) is 27. This situation illustrates the advantage of having multiple routes in an AD DS site topology.
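The cost model above, the lowest total of the site link costs along a path, carried through as an added example (not code from the article). The site names are those of Figure 4, but the figure's individual link costs are not on this page, so the costs below are constructed so that the two totals the text gives (10 via Tokyo, 27 via Sendai) come out; the route-finding function itself is a generic shortest-path search over site links and works for any link table you feed it. It assumes PowerShell 3 or later and needs no domain connection.

```powershell
# Added example: lowest-cost replication route between two sites, with the
# ability to exclude a link to simulate a failed or saturated connection.

# CONSTRUCTED link costs (not the figure's real values); totals match the text.
$siteLinks = @(
    @{ Name = 'Morioka-Tokyo';  Sites = @('Morioka','Tokyo');  Cost = 5  }
    @{ Name = 'Tokyo-Fukuoka';  Sites = @('Tokyo','Fukuoka');  Cost = 5  }
    @{ Name = 'Sendai-Morioka'; Sites = @('Sendai','Morioka'); Cost = 10 }
    @{ Name = 'Sendai-Tokyo';   Sites = @('Sendai','Tokyo');   Cost = 12 }
)

function Get-CheapestRoute {
    param(
        [Parameter(Mandatory=$true)][string]$From,
        [Parameter(Mandatory=$true)][string]$To,
        [Parameter(Mandatory=$true)][array]$Links,
        [string[]]$ExcludeLinks = @()     # links to treat as down
    )
    $links = @($Links | Where-Object { $ExcludeLinks -notcontains $_.Name })
    $sites = @($links | ForEach-Object { $_.Sites } | Sort-Object -Unique)

    # Dijkstra over the site graph. A site link may contain more than two sites,
    # so every pair of member sites is an edge carrying that link's cost.
    $dist = @{}; $prev = @{}; $via = @{}
    foreach ($s in $sites) { $dist[$s] = [int]::MaxValue }
    $dist[$From] = 0
    $unvisited = [System.Collections.Generic.List[string]]$sites
    while ($unvisited.Count -gt 0) {
        $u = $unvisited | Sort-Object { $dist[$_] } | Select-Object -First 1
        [void]$unvisited.Remove($u)
        if ($dist[$u] -eq [int]::MaxValue) { break }   # remaining sites unreachable
        foreach ($l in $links | Where-Object { $_.Sites -contains $u }) {
            foreach ($v in $l.Sites | Where-Object { $_ -ne $u }) {
                $alt = $dist[$u] + $l.Cost
                if ($alt -lt $dist[$v]) { $dist[$v] = $alt; $prev[$v] = $u; $via[$v] = $l.Name }
            }
        }
    }
    if (-not $dist.ContainsKey($To) -or $dist[$To] -eq [int]::MaxValue) { return $null }

    # Walk the predecessor chain back from the destination to build the route.
    $path = @(); $hops = @(); $cur = $To
    while ($cur -ne $From) { $path = ,$cur + $path; $hops = ,$via[$cur] + $hops; $cur = $prev[$cur] }
    [pscustomobject]@{
        Route     = (@($From) + $path) -join ' -> '
        Links     = $hops -join ', '
        TotalCost = $dist[$To]
    }
}

# Normal case: Morioka -> Tokyo -> Fukuoka, total cost 10.
Get-CheapestRoute -From Morioka -To Fukuoka -Links $siteLinks
# Morioka-Tokyo link down: Morioka -> Sendai -> Tokyo -> Fukuoka, total cost 27.
Get-CheapestRoute -From Morioka -To Fukuoka -Links $siteLinks -ExcludeLinks 'Morioka-Tokyo'
```

To run it against a real forest, build the link table from your site link objects (each has a name, a list of member sites, and a cost) and try excluding each link in turn; a destination for which the function returns nothing when one link is excluded has no redundant route.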

Utilizing Preferred Bridgehead Servers

Often it becomes necessary to funnel all outgoing or incoming intersite traffic through a single domain controller, both to control the flow of traffic and to concentrate the extra processing that intersite replication requires on that one server. This need gave rise to preferred bridgehead servers: domain controllers that are explicitly designated as the preferred bridgehead for a specific transport (IP or SMTP). A preferred bridgehead server then handles all intersite traffic for that transport.

Bridgeheads can be easily defined in AD DS. The following example illustrates how this is accomplished. In these steps, Server2 is added as a preferred site link bridgehead for the IP transport:

Open Active Directory Sites and Services.

Drill down to Sites\<Sitename>\Servers\<Servername>, where Servername is the server you want to establish as a bridgehead server.

Right-click <Servername> and choose Properties.

Select the IP transport and choose Add.

Click OK to save the settings.

Preferred bridgehead servers bring with them both advantages and disadvantages. The advantage is that in an environment where domain controllers with weaker processors should be excluded from acting as site bridgeheads, or where a domain controller holds an Operations Master (OM) role, especially that of the PDC emulator, designating a preferred bridgehead server lets you direct intersite communication to a specific server.

However, the problem with selecting a preferred bridgehead server is that it can reduce the inherent redundancy of AD DS by preventing the Knowledge Consistency Checker (KCC) from failing over to other domain controllers in the same site if the preferred bridgehead server goes offline. As a result, when bridgeheads are required, multiple bridgehead servers should be designated within each site.

Typically, organizations choose not to implement preferred bridgehead servers at all, and designate one only when they have a specific need to control which server in a site acts as the bridgehead.
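The bridgehead procedure above (adding Server2 as a preferred bridgehead for the IP transport) and the redundancy caveat that follows it, as one added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, PowerShell 3 or later, and rights to modify the Configuration partition; the site name "Tokyo" and server name "Server2" in the usage lines are constructed. The attribute written is bridgeheadTransportList on the server object, which is what the Add button in the server's Properties dialog sets.

```powershell
# Added example: designate a preferred bridgehead for a transport, then report
# every site so that sites with exactly one preferred bridgehead stand out.
Import-Module ActiveDirectory

function Add-PreferredBridgehead {
    param(
        [Parameter(Mandatory=$true)][string]$SiteName,
        [Parameter(Mandatory=$true)][string]$ServerName,
        [ValidateSet('IP','SMTP')][string]$Transport = 'IP'
    )
    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $serverDN    = "CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$configNC"
    $transportDN = "CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configNC"
    $server = Get-ADObject -Identity $serverDN -Properties bridgeheadTransportList
    if ($server.bridgeheadTransportList -contains $transportDN) {
        return "$ServerName is already a preferred $Transport bridgehead in $SiteName"
    }
    # Adding the transport DN to bridgeheadTransportList is the GUI's "Add" step.
    Set-ADObject -Identity $serverDN -Add @{ bridgeheadTransportList = $transportDN }
    return "$ServerName is now a preferred $Transport bridgehead in $SiteName"
}

function Get-PreferredBridgeheadReport {
    param([ValidateSet('IP','SMTP')][string]$Transport = 'IP')
    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $transportDN = "CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configNC"
    $sites = Get-ADObject -Filter 'objectClass -eq "site"' -SearchBase "CN=Sites,$configNC"
    foreach ($site in $sites) {
        $servers   = @(Get-ADObject -Filter 'objectClass -eq "server"' `
                         -SearchBase "CN=Servers,$($site.DistinguishedName)" `
                         -Properties bridgeheadTransportList)
        $preferred = @($servers | Where-Object { $_.bridgeheadTransportList -contains $transportDN })
        # A single preferred bridgehead is a single point of failure: the KCC will not
        # fall back to the site's other DCs if that server goes offline.
        $risk = 'ok (multiple preferred)'
        if ($preferred.Count -eq 0)     { $risk = 'none designated (KCC chooses)' }
        elseif ($preferred.Count -eq 1) { $risk = 'SINGLE preferred bridgehead' }
        [pscustomobject]@{
            Site      = $site.Name
            DCs       = $servers.Count
            Preferred = ($preferred | ForEach-Object { $_.Name }) -join ', '
            Risk      = $risk
        }
    }
}

# Usage (site and server names are constructed for this example).
Add-PreferredBridgehead -SiteName 'Tokyo' -ServerName 'Server2' -Transport IP
Get-PreferredBridgeheadReport -Transport IP | Format-Table -AutoSize
```

Run the report after every change: the intended end state for a site that uses preferred bridgeheads is "ok (multiple preferred)", and a site showing "SINGLE preferred bridgehead" has given up the KCC's automatic failover for that transport.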

Deploying AD DS Domain Controllers on Server Core

Windows Server 2008 R2 has an installation option called Server Core that deploys the operating system with only those services that are absolutely required for the role the server holds. For domain controllers, this means only the services a DC needs in order to operate. Server Core runs from a command prompt, without a graphical user interface (GUI), to further reduce the attack surface of the box.

Deploying dedicated domain controllers using Server Core is ideal in many situations where security is a strong requirement. By doing so, only the necessary functionality is deployed, and no auxiliary services are required.
