Designing AD for a 3-Tier Application

I was chatting with a friend the other day about a design scenario for a typical 3-Tier application that needed Active Directory. Funny this came up because I was just having a similar discussion with another friend last week. Joe covered last week's discussion here.

The discussion centered on an application that looks like this:

A few data points about the implementation plan for this system:

  • Servers in each tier cannot talk to servers in the same tier in the opposite datacenter;
  • Domain controllers will live in the Application Tier and Backend Tier at each datacenter;
  • Clients in the Backend Tier will only be able to communicate with domain controllers in their tier;
  • Clients in the Presentation Tier and Application Tier will only be able to communicate with domain controllers in the Application Tier.

The main contention point in this design was how to configure the site topology in Active Directory. Fundamentally these two datacenters and everything in them count as one site in most designs – they are well connected and there's no reason to segregate replication traffic. What there is a reason to segregate is client traffic. Since the clients in each of the tiers can only communicate with a subset of the domain controllers, the site topology needs to match these boundaries so that DC Locator returns a domain controller which is actually useful to the client.

With this in mind the way the sites need to be laid out is:

  • Backend-1
  • Application-1
    • Contains subnets for Presentation-1 and Application-1
  • Backend-2
  • Application-2
    • Contains subnets for Presentation-2 and Application-2

Since in a design like this each of these tiers is typically a separate firewall interface or VLAN, normal subnet boundaries will exist. If that's not the case, refer to this post for a discussion on using host masks to associate specific hosts with a given Active Directory site.
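To make the layout concrete, here is an added PowerShell sketch (not from the original post) that builds the four sites and their subnets with the ActiveDirectory module. The subnet ranges and DC name are constructed placeholders; the site links follow the firewall rules listed above, so the only cross-datacenter replication path runs through the Application tier.

```powershell
Import-Module ActiveDirectory

# Constructed subnet ranges for this example; substitute the real VLAN ranges.
$layout = @{
    "Backend-1"     = @("10.1.30.0/24")
    "Application-1" = @("10.1.10.0/24", "10.1.20.0/24")   # Presentation-1 + Application-1
    "Backend-2"     = @("10.2.30.0/24")
    "Application-2" = @("10.2.10.0/24", "10.2.20.0/24")   # Presentation-2 + Application-2
}

# 1. One site per DC-reachability boundary, not one per datacenter.
foreach ($site in $layout.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    # 2. DC Locator maps a client's IP to the site owning its subnet; any client
    #    range left unregistered falls back to "any DC", which the firewall may block.
    foreach ($cidr in $layout[$site]) {
        New-ADReplicationSubnet -Name $cidr -Site $site
    }
}

# 3. Move each DC into the site whose clients can actually reach it (placeholder name).
Move-ADDirectoryServer -Identity "DC-APP-1" -Site "Application-1"

# 4. Site links shaped like the firewall: Backend DCs only reach the Application
#    DCs in their own datacenter; the two Application tiers reach each other.
#    Low cost and a short interval keep replication as tight as a single site.
$links = @{
    "Backend-1_Application-1"     = @("Backend-1", "Application-1")
    "Application-1_Application-2" = @("Application-1", "Application-2")
    "Backend-2_Application-2"     = @("Backend-2", "Application-2")
}
foreach ($name in $links.Keys) {
    New-ADReplicationSiteLink -Name $name -SitesIncluded $links[$name] `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# 5. Disable automatic site-link bridging so the KCC never builds a direct
#    Backend-1 <-> Backend-2 connection that the tier firewall would drop.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites," +
               (Get-ADRootDSE).configurationNamingContext
$opts = (Get-ADObject $ipTransport -Properties options).options
Set-ADObject $ipTransport -Replace @{ options = ($opts -bor 2) }   # 0x2 = bridges required

# 6. From a client in each tier, confirm DC Locator answers with a reachable DC.
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN
```

Run the last two commands on a host in every tier after the subnets are in place; a client that reports Default-First-Site-Name or a DC from the wrong tier has a subnet that is missing or mis-assigned.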

Posted Saturday, March 14 2009 9:40 PM