Creating a Site Link Bridge Design to Control Active Directory Replication Flow

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Two scenarios where you might want to control replication flow include controlling replication failover and controlling replication through a firewall.

Controlling Replication Failover

If your organization has a hub-and-spoke network topology, you generally do not want the satellite sites to create replication connections to other satellite sites if all domain controllers in the hub site fail. In such scenarios, you must disable Bridge all site links and create site link bridges such that replication connections are created between the satellite site and another hub site that is just one or two hops away from the satellite site.

Figure 3.20 illustrates an organization’s hub-and-spoke network topology, consisting of two hub sites (A and B) and six satellite sites (C through H). The site links between all sites are named A-B, A-C, A-D, A-E, B-F, B-G, and B-H.

Figure 3.20   Creating a Site Link Bridge to Control Replication Failover


With Bridge all site links enabled, if DC-1 in hub site A fails, DC-3 can create replication connections with DC-2, DC-4, DC-5, DC-6, DC-7, or DC-8. The only intended connection for DC-3 in this case is with DC-2 in hub site B, because that connection does not congest network traffic. To ensure that DC-3 replicates only with DC-2 when DC-1 fails, you can disable site link transitivity and create the AC-AB site link bridge between the A-C and A-B site links. Similarly, you can create the AB-BH site link bridge between the A-B and B-H site links. With the AC-AB site link bridge in place, if DC-1 is unavailable, DC-3 creates replication connections only with DC-2 in hub site B. With the AB-BH site link bridge in place, if DC-2 is unavailable, DC-8 creates replication connections only with DC-1 in hub site A. Create similar site link bridges for all satellite sites so that KCC failover occurs only to the domain controllers in the hub sites.

Controlling Replication Through a Firewall

If two domain controllers representing the same domain in two different sites are specifically allowed to communicate with each other only through a firewall, you can disable Bridge all site links and create site link bridges for the sites on the same side of the firewall.

Figure 3.21 illustrates a scenario similar to the one in Figure 3.20, but here a firewall separates hub site A from hub site B. IPSec is used to replicate through the firewall, and the IPSec policy allows only DC-1 and DC-2 to communicate through the firewall. With transitivity enabled, if DC-1 fails, DC-3 in satellite site C can create replication connections not only with DC-4 and DC-5, as intended, but can also try to create replication connections across the firewall with DC-2, DC-6, DC-7, or DC-8.

To ensure that DC-3 directly replicates only on its own side of the firewall, you can disable transitivity and create the WEST site link bridge, which includes site links A-C, A-D, and A-E. Creating the WEST site link bridge ensures that if DC-1 fails, DC-3, DC-4, and DC-5 directly replicate only with each other and not with DC-2, DC-6, DC-7, or DC-8. Similarly, you can create the EAST site link bridge, which includes site links B-F, B-G, and B-H, to ensure that if DC-2 fails, DC-6, DC-7, and DC-8 directly replicate only with each other.

Figure 3.21   Creating Site Link Bridges to Control Replication Through a Firewall


Therefore, if your network is separated by firewalls, it is recommended that you disable site link transitivity and create a site link bridge for the sites on each side of the firewall. For information about managing replication through firewalls, see "Active Directory in Networks Segmented by Firewalls" on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=37928).
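The following script is an added example, not part of the original article, showing how both designs above (the AC-AB and AB-BH failover bridges from Figure 3.20, and the WEST and EAST firewall bridges from Figure 3.21) can be applied with the ActiveDirectory PowerShell module and then verified. The site link names, bridge names, site names and DC names are the article's; the function names are the example's own. The script assumes a domain controller reachable through Active Directory Web Services (on Windows Server 2003 this requires the Active Directory Management Gateway Service) and an account with rights to the Configuration partition.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module can reach a DC that exposes Active Directory Web Services.
Import-Module ActiveDirectory

# "Bridge all site links" is stored on the inter-site transport object as bit
# 0x2 of its 'options' attribute (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED).
# Setting the bit DISABLES automatic bridging, so only the explicit site link
# bridges created below are treated as transitive by the KCC.
function Disable-BridgeAllSiteLinks {
    param([ValidateSet('IP', 'SMTP')][string]$Transport = 'IP')
    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $transportDN = "CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configNC"
    $current     = [int](Get-ADObject -Identity $transportDN -Properties options).options
    if (($current -band 0x2) -eq 0) {
        # Preserve any other option bits (e.g. 0x1 = ignore schedules)
        Set-ADObject -Identity $transportDN -Replace @{ options = ($current -bor 0x2) }
    }
}

# Create (or update) one site link bridge from a list of existing site links.
# Every named site link is checked first: a bridge that refers to a missing
# link gives the KCC nothing to bridge and the failover path silently vanishes.
function New-ControlledBridge {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$SiteLinks,
        [ValidateSet('IP', 'SMTP')][string]$Transport = 'IP'
    )
    $existing = (Get-ADReplicationSiteLink -Filter *).Name
    foreach ($link in $SiteLinks) {
        if ($existing -notcontains $link) { throw "Site link '$link' does not exist" }
    }
    if (Get-ADReplicationSiteLinkBridge -Filter "Name -eq '$Name'") {
        Set-ADReplicationSiteLinkBridge -Identity $Name -SiteLinksIncluded @{ Replace = $SiteLinks }
    } else {
        New-ADReplicationSiteLinkBridge -Name $Name -SiteLinksIncluded $SiteLinks `
            -InterSiteTransportProtocol $Transport
    }
}

# List the inbound replication partners of every DC in a site, so you can
# confirm that after a hub failure no connection object points across the
# firewall. Run 'repadmin /kcc' on the DC first to make the KCC recalculate.
function Get-InboundReplicationPartners {
    param([Parameter(Mandatory)][string]$SiteName)
    Get-ADReplicationConnection -Filter * |
        Where-Object { $_.ReplicateToDirectoryServer -like "*CN=Servers,CN=$SiteName,CN=Sites,*" } |
        Select-Object ReplicateToDirectoryServer, ReplicateFromDirectoryServer
}

# The two scenarios below are alternatives for different topologies; choose
# the one that matches yours rather than applying both to one forest.
Disable-BridgeAllSiteLinks

# Scenario 1 (Figure 3.20): satellite sites fail over only to the other hub.
New-ControlledBridge -Name 'AC-AB' -SiteLinks 'A-C', 'A-B'
New-ControlledBridge -Name 'AB-BH' -SiteLinks 'A-B', 'B-H'

# Scenario 2 (Figure 3.21): failover stays on each side of the firewall.
# New-ControlledBridge -Name 'WEST' -SiteLinks 'A-C', 'A-D', 'A-E'
# New-ControlledBridge -Name 'EAST' -SiteLinks 'B-F', 'B-G', 'B-H'

# Verification: with DC-1 down, site C should show partners in B (scenario 1)
# or in D and E (scenario 2), never DC-6, DC-7 or DC-8 behind the firewall.
Get-InboundReplicationPartners -SiteName 'C'
```

Read the 'options' value back before and after the change, because Set-ADObject with -Replace overwrites the whole attribute; the function reads the current bits first precisely so that an existing ignore-schedules setting is not lost. The verification step is the part worth keeping in a runbook: the KCC creates connection objects on its own schedule, so the only proof that the bridge design does what the text says is the list of inbound partners after a hub DC is actually unavailable.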