This blog post will apply more to environments with multiple physical sites that have domain services deployed to them.
Active Directory uses Sites and Services to automatically build its replication topology. Getting Sites and Services right is imperative to a working AD environment. Designing AD Sites and Services is outside the scope of this blog as it is very much environment specific, so I won't go into designing a sites topology. There are, however, a couple of small tweaks that can potentially improve your environment. For this tip, we will use the following very basic diagram. We will assume that clients are using VLAN 10 on 10.x.10.x and servers are using VLAN 5 on 10.x.5.x.
Change Notification Replication
The first tweak you can make is to enable Change Notification Replication between sites. By default, changes are only replicated according to the schedule configured on the site link. This could be as little as 15 minutes; by default it's 180 minutes. Using the diagram above, if an account gets locked out in Site B, it will take a minimum of 15 minutes for that lockout to be seen in Site A. By enabling Change Notification Replication this can be within a minute. Configuring this is done via ADSIEdit.msc.
- Open ADSIEdit.msc.
- In ADSI Edit, expand the Configuration container.
- Expand Sites, navigate to the Inter-Site Transports container, and select CN=IP.
Note: You cannot enable change notification for SMTP links.
- Right-click the site link object for the sites where you want to enable change notification, e.g. CN=DEFAULTSITELINK, and click Properties.
- In the Attribute Editor tab, double click on options.
- If the Value(s) box shows <not set>, type 1.
- If the Value(s) box contains a value, you must derive the new value by using a Boolean BITWISE-OR calculation on the old value, as follows: old_value BITWISE-OR 1. For example, if the value in the Value(s) box is 2, calculate 0010 OR 0001 to equal 0011. Type the integer value of the result in the Edit Attribute box; for this example, the value is 3.
- Click OK.
Before enabling this, you should make sure your connection is able to support it (i.e. the link is always on and has plenty of bandwidth).
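The same bitwise-OR calculation as the ADSI Edit steps above, done in PowerShell so that an already-set bit is not clobbered and the change is idempotent. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is available and that the site link is named DEFAULTIPSITELINK (the name AD gives the default IP site link), so substitute your own link name.

```powershell
# Added example: enable change notification (USE_NOTIFY, bit value 1) on a
# site link by OR-ing it into the existing "options" attribute rather than
# overwriting whatever other bits are already set.
Import-Module ActiveDirectory

# Assumption: the site link to change. Replace with your own link's CN.
$siteLinkName = 'DEFAULTIPSITELINK'

# Site links live under CN=IP,CN=Inter-Site Transports,CN=Sites in the
# Configuration naming context (the container the ADSI Edit steps navigate to).
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$siteLinkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# Bit 0 (value 1) of the siteLink "options" attribute = USE_NOTIFY.
$USE_NOTIFY = 1

$link = Get-ADObject -Identity $dn -Properties options

# <not set> in ADSI Edit comes back as $null here; treat it as 0 so the
# OR produces 1, exactly as the manual steps describe.
$old = if ($null -eq $link.options) { 0 } else { [int]$link.options }
$new = $old -bor $USE_NOTIFY   # e.g. old 2 (0010) OR 1 (0001) = 3 (0011)

if ($new -eq $old) {
    Write-Host "Change notification already enabled on $siteLinkName (options=$old)"
} else {
    # Add -WhatIf to preview the write before applying it.
    Set-ADObject -Identity $dn -Replace @{ options = $new }
    Write-Host "options on $siteLinkName changed from $old to $new"
}
```

Check the result afterwards with `Get-ADObject -Identity $dn -Properties options` on a domain controller in the other site, which also confirms the Configuration partition has replicated.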
One of the things you will notice if you use PowerShell and the Resolve-DnsName cmdlet against your domain name (run it several times) is that the top address returned cycles (round robin) through all your domain controllers. This happens because, by default, Windows DNS netmask ordering uses a Class C mask to decide which server is closest to the client. If you set up WSUS for roaming clients (multiple A records, as per the best practice document), you will notice that clients check in to WSUS servers all over the place.
To make netmask ordering use a Class B mask instead (matching the 10.x.10.x / 10.x.5.x layout above), use dnscmd. For Class B the command is:
Dnscmd /Config /LocalNetPriorityNetMask 0x0000FFFF
Now, if you re-run Resolve-DnsName for your domain, the top entry (or entries) should always be a server local to you. If you're using WSUS with multiple A records, clients should start using their local, preferred server.