JJ,
This will probably turn out to be a long response from me so you might just
want to look at the first couple of paragraphs and then forget the rest! I
tend to babble on this topic!
Also, it might be nice to have an idea of the total number of
users/computers in each location as well as the OSes involved ( assuming
WIN2000 Server on the server-side, but what about on the client-side? Are
there any WIN9x or WINNT boxes? If so, you should consider installing the AD
Client on them ).
Also, what does your Exchange 2000 ( I know, I am assuming again ) look
like?
I would suggest that you have eight Sites. But this is still very early in
the information gathering stage for us. So far this is what I would
suggest. And I am sure that you mean that in two locations you have two DCs
and that the six others have only one DC. I would also suggest that you
eventually place a second DC in each of the six locations where there is
currently only one. But, we do not have the number of users in those six
locations so one might be all that you can really justify! Example, if you
have 11 users in one of those locations you might be hard pressed to get the
funding for a second Domain Controller.
What do Sites allow us, the Admins, to do? Pretty much two things: control
Active Directory Replication and assist user logons. This is naturally a
bit oversimplified but pretty much sums it up.
There are two types of replication in Active Directory: Intrasite and
Intersite. In the locations where you have only one DC ( assuming that you
would create a Site for each of your eight locations ) you would not have
Intrasite Replication. There is only one DC in that Site so there are
obviously no other DCs with which to replicate. However, in the two Sites
where you do currently have the two DCs there is Intrasite Replication going
on!
Intersite Replication is the replication that happens between DCs in
different Sites. Now, how in the world does this happen? There is one DC
in each Site ( regardless of the number of DCs in that Site ) that acts as
the so-called Bridgehead Server ( or BHS ) that is the replication partner
with the BHSes from the other Sites. In Sites where there are multiple DCs
once the DC that acted as the BHS for that replication cycle gets the
updates from the other BHSes then Intrasite Replication happens ( as
scheduled ). So, eventually everyone is on the same page. The key word is
eventually. You might notice that if you were to create a user account
object in the Site where you are located that it takes a while for that user
to be able to log on were that user in another Site. You are seeing the
effects of Intersite Replication. There is a very specific schedule for
this ( 180 minutes out-of-the-box, but you can play with this ).
Now, how does all of this stuff happen? What is going on under the hood?
There is a little gremlin called the KCC ( or Knowledge Consistency
Checker ) that is responsible for creating the Replication topology. Active
Directory replication is based on incoming connection objects. This is
important to know and to understand. If you have DC01 and DC02 there would
be two different connection objects needed to complete the ( as intended in
this example, anyway ) Intrasite Replication. There is a connection object
for DC01 - DC02 and there is a connection object for DC02 - DC01. The KCC
has a very powerful little buddy called the ISTG ( or Intersite Topology
Generator ) that does a lot of the dirty work for the KCC.
Now, and please excuse me if you know this already. There are three
partitions, or Naming Contexts, that comprise the Active Directory. These
are the Schema NC, the Configuration NC and the Domain NC. I might suggest
installing the Support Tools on all of your Domain Controllers and taking a
look at ADSIEdit. You will very clearly see these three NCs and what is
contained in each. The first two ( the Schema and the Configuration ) are
replicated to each and every Domain Controller throughout the entire Forest.
If you have only one Domain ( which it sounds like you have ) then this is
not as obvious to see as when you have multiple Domains / Trees. If you
were to add a child domain or if you were to add another Tree this would
become very obvious. The Domain NC is replicated to all of the DCs in each
respective Domain. Again, with only one Domain this is not as obvious. Say
that you added a child domain ( for whatever reason - so far we have not
heard anything that would lead us to suggest that....I mention this only
because a lot of people who have a lot of experience in WINNT 4.0 but not
too much with WIN2000 AD see multiple physical locations and go into 'find a
good name for each domain' mode ). You would see that the DCs in the parent
Domain would replicate that Domain NC while the DCs in the child Domain
would replicate that Domain NC. However, both Domains ( Parent and Child )
would replicate the Schema and Configuration NCs.
I would really suggest that you install the Support Tools on all of your
Domain Controllers. This is an awesome set of very useful tools. The
Support Tools can be found on the WIN2000 Service Pack CD or on the MS
Website ( they can also be found on the WIN2000 Server CD but those versions
have some known issues ). Take a look at the 'repadmin' tool. Use the
/showconn and the /showreps switches and you will see a whole lotta things.
These are the connection objects that I mentioned earlier. dcdiag and
netdiag as well as netdom and replmon and nltest will become your friend as
well. There are a lot of very nice tools included in this 'suite'.
Also, you might want to swing on over to Joe Richard's website (
http://www.joeware.net ) and take a look at some of the tools that he has
created. There are some really good ones in there.
I might also suggest that you take a look at ADModify. This is a nice
little utility that helps you to make the same change to multiple user
account objects. It is really helpful if you can not script. Here is the
link:
ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/
One more final suggestion would be for you to take a look at the
altools.exe set of utilities that will really help you out with account
lockouts. Here is the link for that:
http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
HTH,
Cary
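
Added example, not part of Cary's post: a small Python model of the replication layout he describes (eight Sites, two of them with two DCs, one Bridgehead Server per Site, incoming connection objects, a 180-minute intersite schedule). It lists the connection objects that layout needs and bounds how long a change such as a new user account can take to reach every DC. The DC names, the hub-and-spoke site links and the choice of the first DC as bridgehead are assumptions; the post does not describe the WAN.

```python
INTERSITE_INTERVAL_MIN = 180  # out-of-the-box intersite schedule quoted in the post

# Constructed layout: Site1 and Site2 have two DCs, Site3..Site8 have one.
SITES = {f"Site{i}": [f"S{i}-DC1"] + ([f"S{i}-DC2"] if i <= 2 else [])
         for i in range(1, 9)}
# Assumption: every Site is linked only to Site1 (hub-and-spoke).
SITE_LINKS = [("Site1", f"Site{i}") for i in range(2, 9)]


def bridgehead(site):
    """One DC per Site acts as Bridgehead Server; here, the first DC listed."""
    return SITES[site][0]


def connection_objects():
    """Return (source, destination, kind); each is an incoming connection
    object on 'destination', so a two-way partnership needs two of them."""
    conns = []
    for dcs in SITES.values():
        conns += [(a, b, "intrasite") for a in dcs for b in dcs if a != b]
    for s1, s2 in SITE_LINKS:
        b1, b2 = bridgehead(s1), bridgehead(s2)
        conns += [(b1, b2, "intersite"), (b2, b1, "intersite")]
    return conns


def worst_case_minutes(origin_dc, intrasite_min=0):
    """Upper bound, per DC, on minutes until a change made on origin_dc
    arrives, if every intersite hop waits one full interval.
    intrasite_min is an assumption (the post gives no intrasite figure)."""
    cost = {"intersite": INTERSITE_INTERVAL_MIN, "intrasite": intrasite_min}
    reached = {origin_dc: 0}
    changed = True
    while changed:  # keep relaxing until no DC can be reached any sooner
        changed = False
        for src, dst, kind in connection_objects():
            if src in reached:
                t = reached[src] + cost[kind]
                if t < reached.get(dst, float("inf")):
                    reached[dst] = t
                    changed = True
    return reached


if __name__ == "__main__":
    for src, dst, kind in connection_objects():
        print(f"{kind:9}  {src} -> {dst}")
    # An account created in a one-DC spoke Site, seen from every other DC:
    for dc, minutes in sorted(worst_case_minutes("S3-DC1").items()):
        print(f"{dc}: up to {minutes} min")
```

Under these assumptions an account created in a spoke Site can take two full intersite intervals to become usable in another spoke Site, which is the "eventually" in the post.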