In the first two parts of this series (Using Sites in Windows 2000), I explained how breaking your Active Directory into sites can reduce replication-related network traffic over slow WAN links. Part 1 explains the basic workings of Active Directory sites, and Part 2 focuses on the specifics of site links. In this article, I’ll continue the discussion by talking about site link bridges and some other ways of achieving Active Directory replication between sites.
Working With Multiple Sites
As you may recall from Part 2, simply dividing your Active Directory into sites isn’t enough. If you want the sites to exchange Active Directory information, you must implement a site link. A site link tells Windows 2000 which sites should replicate with each other, at what cost, and how often that replication should occur. In Part 2, I showed you how to build a site link between two sites. However, in real life, networks that are big enough to be broken into sites tend to use more than two sites. When you start working with more than two sites, you run into some interesting situations.
In Windows 2000, any time you link more than two sites using the same inter-site transport (IP or SMTP), those sites are said to be bridged. This assumes that the site links have sites in common: a chain of links such as A-B and B-C is bridged through site B, whereas two links that share no site have nothing to bridge. For example, in Figure 1, you can see three sites linked by IP-based site links. The sites in the figure use the names site A, site B, and site C. Because the site links share common sites, the Knowledge Consistency Checker (KCC) can build a replication connection between domain controllers in any two of the sites, including two that no single site link joins, in much the same way that nodes on a routed IP network can reach each other through intermediate hops. The cost of such a path is the sum of the costs of the site links it crosses.
To put this concept into more precise terms, when sites are bridged, their site links are said to be transitive. This means that if you create a site link, the sites on that link are bridged automatically with the sites on every other link of the same transport that shares a site with it, and domain controllers in those sites can therefore replicate directly with each other. If your entire organization is composed of sites that are linked by a single common site link, then those sites are automatically bridged, and are therefore transitive in nature.
As you can see, Windows 2000 was designed in a way that was intended to save you work whenever possible. After all, in Part 2 I linked some sites together and the topic of a site link bridge never even came up. Assuming that your sites all exist on a fully routed IP network, you’ll never need to manually create a site link bridge.
However, things are rarely this simple in the real world. The default assumes that your network is fully routed: a domain controller in any site can open an RPC connection to a domain controller in any other site. In a network that is segmented by firewalls, or in which some segments are reachable only through an intermediate site, that assumption is wrong, and the KCC will happily build connection objects between domain controllers that can never actually reach each other. Bridging also operates per transport: IP site links and SMTP site links are never bridged with each other, and a single site link bridge cannot contain links of both transports. In such situations you turn off automatic bridging and create site link bridges manually, one for each set of site links that really can carry traffic end to end, if you want replication to flow between the various sites.
Manually Creating Site Link Bridges
A site link bridge is a logical object that connects existing site links. For example, suppose that you have two networks joined by a single connection. The first network contains sites A and B and the second network includes sites C and D; a site link covers each pair, and a third site link joins site B to site C across the connection between the two networks. With automatic bridging disabled, each site link is transitive only within itself: site A replicates with site B, site B with site C, and site C with site D, but the KCC cannot build a connection from site A to site D through sites B and C. That matters as soon as a domain has domain controllers in sites A and D but none in B or C: no single site link covers both of those sites, so the domain partition has no replication path at all. This is where the site link bridge comes in. A bridge that contains all three site links connects the two networks at the site link level, and the KCC can then schedule replication between sites A and D with a cost equal to the sum of the three links. Note that every site link in a bridge must share a site with at least one other link in the bridge; a bridge containing only the A-B and C-D links has no common site and cannot compute a path. To better understand the idea of a site link bridge, consider that it links site links together similarly to the way that site links link sites together.
Now that you know a little bit about the purpose and functionality of site link bridges, let’s look at an example of how to create one. To do so, follow these steps:
- Click the Start button and select Programs|Administrative Tools|Active Directory Sites and Services from the Start menu.
- When the Active Directory Sites and Services console loads, navigate to Active Directory Sites and Services|Sites|Inter-Site Transports.
- Right-click on either the IP folder or the SMTP folder and select the New Site Link Bridge command from the context menu. For the purposes of this article, I’ll be using the IP transport in my examples.
- You’ll see the New Object-Site Link Bridge dialog box. To create a site link bridge, type a name for the new site link bridge in the Name field, as shown in Figure 2.
- Select the site links that you want to bridge and click Add. A bridge requires a minimum of two site links.
- Click OK. This example creates a simple site link bridge.
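The same bridge built from the command line, as an added example that is not part of the original article: it uses the ActiveDirectory PowerShell module (included with RSAT on Windows Server 2012 and later; nothing comparable shipped with Windows 2000), and the site names, link names and costs are assumptions chosen to match the scenario in this article. Because the links in a bridge must share sites, the example chains A-B, B-C and C-D and places all three in one bridge, then checks that no link in the bridge is left without a common site.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module and rights to the Configuration partition. Names are assumptions.
Import-Module ActiveDirectory

# Create the sites only if they do not already exist.
foreach ($site in 'SiteA', 'SiteB', 'SiteC', 'SiteD') {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# Three IP site links forming a chain A-B, B-C, C-D. Cost and frequency are
# the same values you would type into the New Site Link dialog.
$links = @(
    @{ Name = 'SiteA-SiteB'; Sites = 'SiteA', 'SiteB'; Cost = 100 },
    @{ Name = 'SiteB-SiteC'; Sites = 'SiteB', 'SiteC'; Cost = 200 },   # the WAN hop
    @{ Name = 'SiteC-SiteD'; Sites = 'SiteC', 'SiteD'; Cost = 100 }
)
foreach ($l in $links) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'")) {
        New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites `
            -Cost $l.Cost -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# The bridge joins site LINKS, not sites, and needs at least two of them.
New-ADReplicationSiteLinkBridge -Name 'Bridge-A-to-D' `
    -SiteLinksIncluded 'SiteA-SiteB', 'SiteB-SiteC', 'SiteC-SiteD' `
    -InterSiteTransportProtocol IP

function Test-SiteLinkBridge {
    # Warn about any link in the bridge that shares no site with another link
    # in it; such a link contributes no route, and the KCC cannot cost a path
    # through it. Sites are compared by their distinguished names.
    param([Parameter(Mandatory)][string]$Name)
    $bridge = Get-ADReplicationSiteLinkBridge -Identity $Name -Properties SiteLinksIncluded
    $members = foreach ($dn in $bridge.SiteLinksIncluded) {
        Get-ADReplicationSiteLink -Identity $dn -Properties SitesIncluded
    }
    foreach ($link in $members) {
        $others = $members | Where-Object { $_.DistinguishedName -ne $link.DistinguishedName }
        $shared = $link.SitesIncluded | Where-Object { $_ -in @($others.SitesIncluded) }
        if (-not $shared) {
            Write-Warning "$($link.Name) shares no site with any other link in bridge $Name"
        }
    }
    return $members.Name
}

Test-SiteLinkBridge -Name 'Bridge-A-to-D'

# Show every bridge on the IP transport with the links it joins.
Get-ADReplicationSiteLinkBridge -Filter * -Properties SiteLinksIncluded |
    Select-Object Name, @{ n = 'SiteLinks'; e = {
        ($_.SiteLinksIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

While Bridge All Site Links is still enabled for the IP transport (the default), this bridge is redundant: the KCC already treats the three links as transitive. It only begins to matter once that option is cleared, as described in the next section.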
You’ll generally leave the Windows default in place, which bridges all the site links of each transport. Sometimes, however, that default is wrong. By default, Windows 2000 assumes that your network is fully routed: that a domain controller in one site can open a connection to a domain controller in another regardless of where the two physically sit. If no route exists (or a firewall blocks RPC) between your main network and some isolated segment, you must tell Windows that the sites on that segment cannot be reached transitively, by clearing the Bridge All Site Links option described in the next section. The downside is that the option applies to the whole transport, not to one site: clearing it discards every automatically computed bridge, and from then on the KCC routes inter-site replication only along individual site links and the site link bridges you have created by hand. Before you rely on the result, check that every site still has a path to every other site in which its domains have domain controllers.
You should also keep in mind that a site link bridge is transitive only within itself. The sites covered by the bridge’s site links can replicate with each other through it, but the bridge creates no path to a site that sits only on a link outside the bridge; if that path is needed, the link must be added to the bridge.
Disabling Transitive Site Bridging
If you decide that you need to disable transitive site bridging, you can do so in the AD Sites and Services console. Once in the console, navigate to Active Directory Sites and Services|Sites|Inter-Site Transports. Now, right-click on the transport of choice (in this case, IP) and select Properties from the context menu. On the General tab of the resulting properties sheet is a check box labeled Bridge All Site Links. This option is checked by default, but you can uncheck it to disable transitive site routing.
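The check box is a bit in the options attribute of the inter-site transport object, so the same change can be read and made from the command line. The following is an added example and not part of the original article; it uses the ActiveDirectory module (Windows Server 2012 or later), which has no dedicated cmdlet for this setting. The bit is 0x2, documented as NTDSTRANSPORT_OPT_BRIDGES_REQUIRED: when it is set, bridging is disabled and manual bridges are required, which is why the functions below invert it.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module and write access to the Inter-Site Transports container.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$transport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"   # or CN=SMTP
$BRIDGES_REQUIRED = 0x2   # NTDSTRANSPORT_OPT_BRIDGES_REQUIRED: set = bridging OFF

function Get-BridgeAllSiteLinks {
    # Returns $true when the "Bridge all site links" box is checked.
    param([string]$TransportDN = $transport)
    $opts = (Get-ADObject -Identity $TransportDN -Properties options).options
    if ($null -eq $opts) { $opts = 0 }          # attribute absent means all defaults
    return -not ([int]$opts -band $BRIDGES_REQUIRED)
}

function Set-BridgeAllSiteLinks {
    # Checks or clears the box by flipping only bit 0x2, leaving the other
    # option bits (such as 0x1, "ignore schedules") untouched.
    param([Parameter(Mandatory)][bool]$Enabled, [string]$TransportDN = $transport)
    $obj  = Get-ADObject -Identity $TransportDN -Properties options
    $opts = if ($null -eq $obj.options) { 0 } else { [int]$obj.options }
    $new  = if ($Enabled) { $opts -band (-bnot $BRIDGES_REQUIRED) }
            else          { $opts -bor  $BRIDGES_REQUIRED }
    if ($new -ne $opts) {
        Set-ADObject -Identity $TransportDN -Replace @{ options = $new }
    }
    return (Get-BridgeAllSiteLinks -TransportDN $TransportDN)
}

"Bridge all site links (IP) before: $(Get-BridgeAllSiteLinks)"
$after = Set-BridgeAllSiteLinks -Enabled $false
"Bridge all site links (IP) after:  $after"

# With bridging off, the KCC may only route across the bridges you created.
# List them so you can confirm every needed path is covered.
Get-ADReplicationSiteLinkBridge -Filter * -Properties SiteLinksIncluded |
    Select-Object Name, SiteLinksIncluded
```

The KCC picks up the change on its next run, which by default is every 15 minutes; repadmin /kcc forces an immediate recalculation on one domain controller. Expect connection objects that depended on an automatic bridge to disappear.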
So far, I’ve explained how to create a variety of different types of site links and site link bridges. Given the complexity of subdividing your network in this way, it’s easy to lose sight of the big picture. Remember, you’re going through all this work for the sole purpose of reducing the amount of traffic flowing across your slow WAN links. Although reducing network traffic related to replication is a good thing, you don’t want to completely stop the traffic–but if you don’t set up the sites and site links correctly, that’s exactly what will happen. Therefore, when you’ve completed all your hard work, you probably don’t want to have to wait for several hours to find out if replication is working. Fortunately, there’s a way to force replication to begin immediately.
To force immediate replication over a portion of your network, open the AD Sites and Services console and navigate to the site containing the domain controller that should receive the update. Once you’ve selected the appropriate site container, expand Servers, then that domain controller, then its NTDS Settings object. Listed beneath NTDS Settings are the domain controller’s inbound connection objects, one per replication partner (automatically created ones are named <automatically generated>, with the partner shown in the From Server column). Right-click the connection from the partner you want to pull from and select Replicate Now from the context menu. Replication is always pulled inbound by the domain controller whose connection you selected; to test the other direction, repeat the steps from the partner’s side.
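The same forced pull from the command line, followed by a check that it actually succeeded, as an added example that is not part of the original article. It uses repadmin (shipped with the Windows Server support tools and RSAT) and the ActiveDirectory module of Windows Server 2012 or later; the server and domain names are placeholders, and the account running it needs replication rights on the partitions involved (Domain Admins by default).

```powershell
# Added example (not from the original article). Names are assumptions.
Import-Module ActiveDirectory

$dest   = 'DC01.corp.example.com'   # domain controller that should PULL changes
$source = 'DC02.corp.example.com'   # partner in the other site it pulls FROM
$domainNC = (Get-ADRootDSE -Server $dest).defaultNamingContext

# Equivalent of right-clicking the inbound connection object from $source
# under $dest's NTDS Settings and choosing Replicate Now, for one partition.
repadmin /replicate $dest $source $domainNC

# Or pull every partition (/A) from every inbound partner, crossing site
# boundaries (/e), naming servers by DN (/d) and suppressing progress (/q).
repadmin /syncall $dest /A /e /d /q

function Get-InboundReplicationStatus {
    # Inbound metadata on $Target records the last attempt and last success
    # per partner and partition. After a forced pull the two timestamps should
    # match and the result code should be 0 for the partner in question.
    param([Parameter(Mandatory)][string]$Target,
          [Parameter(Mandatory)][string]$PartnerHost)
    $shortName = ($PartnerHost -split '\.')[0]
    Get-ADReplicationPartnerMetadata -Target $Target -Scope Server -Partition * |
        Where-Object { $_.Partner -like "*CN=$shortName,*" } |
        Select-Object Partition, LastReplicationAttempt, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}

$status = Get-InboundReplicationStatus -Target $dest -PartnerHost $source
$status | Format-Table -AutoSize

# Any rows here are failures; Part 4 of the series covers how to chase them.
Get-ADReplicationFailure -Target $dest -Scope Server
```

A LastReplicationResult other than 0 with a LastReplicationAttempt newer than LastReplicationSuccess is the quickest sign that the site links or bridges you just built do not give this domain controller a usable route to its partner.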
Now that I’ve discussed sites, site links, and site link bridges, you can begin optimizing your own network by dividing it into sites. As I’ve just demonstrated, you can use the Replicate Now feature to quickly determine whether replication is working. If for some reason replication between the sites isn’t working correctly, don’t worry: In Part 4 (Troubleshooting Active Directory Replication), I’ll discuss several troubleshooting techniques that you can use to track down the problem when replication fails.
Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of healthcare facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it’s impossible for him to respond to every message, although he does read them all.