Step C3: Create the Site Link Bridge Design

  • Article

Published: February 25, 2008

 

A site link bridge enables transitivity between site links. Each site link in a bridge needs to have a site in common in order for replication to flow correctly across the bridge. The site link bridge design can be changed, but it should be done carefully to ensure that the replication of Active Directory is not compromised or stopped.

Option 1: Default Behavior

If the network is fully routed and there is no need to control the Active Directory replication flow, then leave the transitivity enabled for all site links by leaving the Bridge All Site Links option enabled. This is the default state.

By allowing all transitivity across all sites, any domain controller in a site can create a direct replication partner with another domain controller in another site. This simplifies replication in that there is no need to restrict or define which sites a domain controller can use to search for replication partners.

This may become an issue with larger implementations that are based on a hub-and-spoke model. By bridging all site links, there is no control on which domain controller is considered part of the hub site when it comes to replication.

Option 2: Custom Site Link Bridge

If a network is not fully routed, disable the Bridge All Site Links option for the IP transport and configure site link bridges to map to the physical network connections. Additionally, if the IP network is fully routed but there are too many routes that the KCC should not consider, creating a custom site link bridge topology and disabling the automatic transitivity of site links will eliminate confusion. The KCC, by default, will consider all possible connections and bridges for replication.

Site link bridges can also be used to control replication flow of Active Directory. The two most common reasons for creating site link bridges are to control replication for failover of a hub-and-spoke network design and to control replication through a firewall. If Active Directory replication flow is to be controlled through the design of site link bridges, then disable the Bridge All Site Links option for the IP transport.

By configuring two site link bridges for replication of Active Directory between two sites, replication will succeed even if one link fails. This is necessary because the disabling of Bridge All Site Links will negate the KCC and Intersite Topology Generator (ISTG) from helping with the bridging of site links in the case of a failure of any aspect of the topology.

If replication traffic passes through a firewall and the firewall is configured to allow connections from specific domain controllers, then site link bridges need to be configured to match this environment. A site link bridge is created for each side of the firewall, and the site links connecting each site are associated to the site link bridge on the links’ side of the firewall. The site link that connects the two sites through the firewall will not be placed in a bridge. If a domain controller that is allowed to communicate through the firewall fails, its replication partners will attempt to set up new replication partners only with domain controllers in sites that are part of the bridge.

It should be noted that the robustness of Active Directory replication can be reduced by the choices being made. For example, if all domain controllers in the hub of a hub-and-spoke design fail, then the satellite sites will become disconnected from the replication topology because all their potential partners have been removed from the network.

Likewise, if the domain controllers that can communicate across the firewall fail, then replication will update only those changes that are made on either side of the firewall. Modifications will not cross the firewall until the failed domain controllers are brought back online.

Evaluating the Characteristics

Complexity

Default site link bridge

Using the default configuration means a less complex implementation.

Low

Custom site link bridge

Customizing the configuration increases the complexity of the environment.

High

Decision Summary

Site link bridges should be configured and the default configuration changed only when the network requires such modifications. All sites should be interconnected with one another, either directly or through the bridge.

The decision to establish or change site link bridges can be changed.

Record any additional site link bridges that are created and the associated site links with that bridge.

Additional Reading

“Creating a Site Link Bridge Design” at https://technet2.microsoft.com/windowsserver/en/library/5d05f4ed-a9ec-4dac-b9a8-8527b6c8e0da1033.mspx?mfr=true

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
Download

Get the IPD Active Directory Domain Services
Solution Accelerators Notifications

Sign up to learn about updates and new releases
Feedback

Send us your comments or suggestions