Active Directory Replication with Mesh Topology

Md. Rubiat Haque 0 Reputation points
2025-05-04T09:39:30.8633333+00:00

Hello,

I have a total of three Active Directory Sites: NG1, NG2, and NG3. There is 1 domain controller placed in the NG1 site, 4 domain controllers placed in the NG2 site, and 4 domain controllers placed in the NG3 site. I have a total of 9 domain controllers. However, from a network security perspective, my network team suggested domain controller segregation. For example, NG1 can communicate with NG2, NG3 can also communicate with NG2, but there is no communication between NG3 and NG1. Even though NG2 and NG3 have a total of 8 domain controllers, from a network security perspective, each site contains 2 different network zones. For instance, NG1 is an Active Directory Site, but from a network perspective, it contains 2 different network zones called core and DMZ. The same applies to NG3. Therefore, the network team suggested that NG3 core domain controllers can contact only NG2 core domain controllers, and NG3 DMZ domain controllers can communicate or replicate only with NG2 DMZ. However, with this scenario, we sometimes face replication issues and cannot properly address which DC is affected.

We now want to rebuild our replication architecture with a mesh topology. What is Microsoft's best practice regarding this? Should we go with a mesh topology (where every domain controller can communicate with each other) or maintain this type of segregated replication topology? Please suggest a plan in summary. Please post the summary of the suggestion here and also provide a reference document where the mesh replication topology is mentioned.

Thanks in advance.

Windows Server Identity and access Active Directory

1 answer

Sort by: Most helpful
  1. Marcin Policht 45,005 Reputation points MVP
    2025-05-04T11:08:47.9366667+00:00

    Active Directory automatically uses a spanning tree topology for inter-site replication. This is by design, not a configurable or optional setting. The Knowledge Consistency Checker (KCC) generates this topology to ensure efficient and loop-free replication between sites.

    Reflect real network segmentation in site design: if each AD site (e.g., NG1, NG3) contains multiple isolated network zones such as core and DMZ, those should be modeled as separate AD Sites. This ensures the replication topology aligns with actual network connectivity constraints.

    Regarding your intent to allow communication between any pair of domain controllers, for inter-site replication that's accomplished by Site Link Bridging:

    • By default, site link bridging is enabled, allowing transitive replication paths through intermediate sites.
    • In a segmented network where certain paths (e.g., NG1 ↔ NG3) are blocked, you should disable site link bridging and manually create explicit site links to enforce only valid, routable replication paths.

    To optimize your existing configuration, you might want to consider the following:

    1. Redefine your AD Sites to match network segmentation:
      • NG1-Core, NG1-DMZ
      • NG2-Core, NG2-DMZ
      • NG3-Core, NG3-DMZ
    2. Create site links only where communication is allowed:
      • NG1-Core ↔ NG2-Core
      • NG1-DMZ ↔ NG2-DMZ
      • NG3-Core ↔ NG2-Core
      • NG3-DMZ ↔ NG2-DMZ
    3. Disable site link bridging, so replication follows only explicitly defined links.
    4. Assign domain controllers appropriately and ensure bridgehead servers are chosen or managed to support proper replication.

    This approach respects both Active Directory's design and your network security model, while eliminating replication ambiguity and improving manageability.

    Otherwise, simply ensure that site link bridging is enabled.

    More at https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts and https://download.microsoft.com/download/5/2/f/52f23d76-7d56-44d6-ad25-a95bf0be5516/06_CHAPTER_3_Designing_the_Site_Topology.doc


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

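The four steps in the answer above, as an added PowerShell example (not code from the answer or from Microsoft): it creates one site per zone, adds only the permitted site links, turns off "Bridge all site links" on the IP transport, and moves DCs into their zone sites. Site names, link costs, the 15-minute interval and the DC-to-site mapping are assumptions; it needs the RSAT ActiveDirectory module and Domain Admin rights.

```powershell
# Added example; not part of the original answer. Names and costs are assumed.
Import-Module ActiveDirectory

# 1. One AD site per network zone, so the replication topology mirrors the firewall rules.
$sites = 'NG1-Core','NG1-DMZ','NG2-Core','NG2-DMZ','NG3-Core','NG3-DMZ'
foreach ($s in $sites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$s'")) {
        New-ADReplicationSite -Name $s
    }
}

# 2. Site links only where the network team permits traffic (no NG1 <-> NG3, no Core <-> DMZ).
$links = @(
    @{ Name = 'NG1Core-NG2Core'; Sites = 'NG1-Core','NG2-Core' },
    @{ Name = 'NG1DMZ-NG2DMZ';   Sites = 'NG1-DMZ','NG2-DMZ' },
    @{ Name = 'NG3Core-NG2Core'; Sites = 'NG3-Core','NG2-Core' },
    @{ Name = 'NG3DMZ-NG2DMZ';   Sites = 'NG3-DMZ','NG2-DMZ' }
)
foreach ($l in $links) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'")) {
        New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# 3. Disable "Bridge all site links" on the IP transport. Bit 0x2 of the container's
#    'options' attribute (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) is what the checkbox in
#    AD Sites and Services toggles; once set, the KCC routes only over explicit links.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$opts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
if (($opts -band 2) -eq 0) {
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 2) }
}

# 4. Move each DC into the site matching its zone (constructed mapping; use your own
#    DC names), then recalculate the topology and check which DC is failing.
$dcSite = @{ 'NG1DC01' = 'NG1-Core'; 'NG1DC02' = 'NG1-DMZ' }   # extend for NG2/NG3
foreach ($dc in $dcSite.Keys) {
    Move-ADDirectoryServer -Identity $dc -Site $dcSite[$dc]
}
repadmin /kcc            # ask the local DC's KCC to rebuild connection objects now
repadmin /bridgeheads    # confirm the bridgehead DCs chosen for each site
repadmin /replsummary    # per-DC failure counts: pinpoints the DC with replication errors
```

After the KCC has run on the inter-site topology generator in each site, `repadmin /showrepl * /csv` lists every connection, so a path that crosses a blocked zone boundary shows up as a concrete source/destination pair rather than a vague replication error.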
