It often happens that a concept seems obvious, but as soon as you start discussing it with someone, it turns out that the two of you understand it quite differently. Today I want to talk about the concept of site links in Active Directory Domain Services. Please look at the following diagram. You have probably seen similar diagrams representing a domain's topology many times.
If you want to know why I think such diagrams are harmful (although I recognize their convenience), read on.
What is the problem? Such diagrams cement a serious stereotype: that a site link always connects exactly two sites within a domain.
Recently I was asked for recommendations on how to organize an Active Directory site topology. The customer used the classic star layout, with one central site in the main data center and several remote branches. The customer wanted to set up a second main site in the same city (the hosting provider had a second data center there, connected to the first by a very good channel) to increase the reliability of the infrastructure. Accordingly, the question was how to add the new site to the existing site structure. After a few minutes of conversation, I was surprised to realize that the person was completely unaware that a single site link can include several sites. That is, if you had asked him, he would have remembered that the management snap-in lets you select a list of sites to include in a link, but in his mind the topology of the domain was always represented by a diagram like this one, where links are lines connecting two sites.
I do not deny the convenience of such a representation, or the fact that, more often than not, nothing more is needed. It is just a pity that by fixing such a stereotype, people deprive themselves of some of the capabilities this tool provides. Do not forget that even Microsoft, in its
article on replication in Active Directory, notes that a site link can include several sites if all of them are connected to each other equally well.
In this particular case, using this capability, there were two options for organizing the site links, and they result in fundamentally different system behavior.
The key question for deciding how to organize the customer's site structure here is whether the second main site is a stand-by DR location, to be used only if problems arise with the first, or whether the first and second main sites are to be equal and share the workload.
In the stand-by DR location option, pairwise site links really are enough. All we need in order to add the new site is to link it only to the main one, with a link cost lower than that of any remote site's link (and, of course, to keep the
Bridge All Site Links option selected). Thus, if the first main site fails, the second main site becomes the replication partner for the controllers in all remote sites, and it can also help with authentication if problems start at a remote site.
However, the customer wanted exactly equal sites. He was going to place many services in the second data center. In this case, the previous option would not be correct. To achieve this, in addition to creating a new link, we need to change each of the existing links by adding the new site to it. Lines on the diagram will not help us now; it can be drawn somewhat like this.
You see a diagram of a domain's site links like this much less often, don't you? What does this option give us? In general, about the same as the previous one:
- Remote branches replicate data through one of the main locations
- If one of the main locations becomes unavailable, the remote branches use the other
But there is one important difference. With this organization, the domain controllers in the second data center are used even while the first one is working normally. This gives us two full-fledged main sites that share the load between themselves and cover for each other in case of failure.
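To make the two layouts concrete, here is an added example (not code from the original post) that builds both with the ActiveDirectory PowerShell module. The site names (Main1, Main2, Branch1 to Branch3), link names, costs and replication intervals are assumptions chosen for illustration; the example assumes the sites already exist and that "Bridge all site links" is left at its default (enabled) on the IP transport, which is what the stand-by option relies on.

```powershell
# Added example, not part of the original post. Site names, link names, costs
# and intervals below are assumptions for illustration.
Import-Module ActiveDirectory

$main1    = 'Main1'                          # existing hub site
$main2    = 'Main2'                          # new site in the second data center
$branches = 'Branch1', 'Branch2', 'Branch3'  # remote branch sites

# Starting point: the classic star, one pairwise link per branch to the hub.
foreach ($b in $branches) {
    New-ADReplicationSiteLink -Name "$main1-$b" `
        -SitesIncluded $main1, $b `
        -Cost 100 -ReplicationFrequencyInMinutes 180 `
        -InterSiteTransportProtocol IP
}

# --- Option 1: Main2 as a stand-by DR site -----------------------------------
# Only one new link, between the two main sites, with a cost lower than any
# branch link. Because "Bridge all site links" is enabled (default on the IP
# transport), the KCC can route Branch -> Main1 -> Main2; if Main1 fails, the
# cheapest remaining path from every branch leads to Main2.
New-ADReplicationSiteLink -Name "$main1-$main2" `
    -SitesIncluded $main1, $main2 `
    -Cost 10 -ReplicationFrequencyInMinutes 15 `
    -InterSiteTransportProtocol IP

# --- Option 2: Main2 as an equal partner -------------------------------------
# Keep the low-cost link between the main sites, and additionally add Main2 to
# every existing branch link. Each branch link now contains three sites, so the
# KCC may choose a bridgehead in either main site even while both are healthy.
foreach ($b in $branches) {
    Set-ADReplicationSiteLink -Identity "$main1-$b" `
        -SitesIncluded @{ Add = $main2 }
}

# Verification: list every link with the sites it contains and its cost.
# SitesIncluded holds distinguished names; keep only the CN of each site.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost,
        @{ Name = 'Sites'; Expression = {
            ($_.SitesIncluded | ForEach-Object {
                ($_ -split ',')[0] -replace '^CN='
            }) -join ', '
        } } |
    Format-Table -AutoSize
```

Run the first block and then only the option you actually want; running both, as written, leaves you with the equal-partner layout. The verification listing is the quickest way to spot the stereotype the post describes: in the stand-by layout every link shows exactly two sites, while in the equal-partner layout each branch link shows three.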
This article does not contain any revelations. I think most readers knew all of this. Nevertheless, I am sure there were some who, even knowing that the site link creation snap-in allows you to add more than two objects, still mentally drew Active Directory replication topology diagrams only with links in the form of arrows.
UPD: The last diagram was changed after receiving valuable comments from
ildarz in the comments.