Active Directory Replication Topology for 2-DC Setups
For 2 DCs in one site, default replication just works. Multi-site needs Sites/Subnets/Site Links. FSMO placement + repadmin /replsummary monitoring.
In short
For a 2-DC AD deployment on Raff Windows VPSes, default replication "just works" — both DCs in the same site, intra-site replication every 15 seconds via change notification. Multi-site (geo-distributed DCs) needs explicit Sites/Subnets/Site Links: each region = a Site, each subnet assigned to its Site, Site Links control replication frequency between sites (default 180 minutes, tune to 15 if you want fast). Always run at least 2 DCs for redundancy, place a PDC Emulator in your primary site, and verify replication monthly with repadmin /replsummary.
Why topology matters
Active Directory replicates EVERY change (passwords, group membership, GPO, etc.) between every DC. Default ("automatic site-link bridging") works fine for small single-site deployments. As you grow:
- Multi-region = need Sites + Site Links to control which DCs replicate to which (saves WAN bandwidth)
- Multi-DC same site = automatic full mesh (every DC replicates with every other)
- Read-Only DC (RODC) at branch offices = optional, for security in low-trust environments
For SMB Windows VPS deployments, you typically need: 2 DCs in one site, period. Multi-site only matters when geographic distribution becomes a real factor.
What you'll need
- AD domain with at least one DC (see Promote a Windows VPS to a Domain Controller)
- Adding a 2nd DC: a second Raff Windows VPS, joined to the same domain
- AD admin tools — `gpmc.msc`, `dssite.msc` (Active Directory Sites and Services), `repadmin.exe`
- Network connectivity between DCs — TCP 88 (Kerberos), TCP 389/636 (LDAP), TCP 445 (SMB), TCP 49152-65535 (RPC dynamic), and a few more
Topology pattern 1 — Single site, 2 DCs (the SMB default)
For most SMB VPS deployments:
Site: Default-First-Site-Name
├── Subnet: 10.0.0.0/24
├── DC01 (PDC Emulator, RID Master, Infrastructure Master)
└── DC02 (backup DC, Schema Master / Domain Naming Master)
Action: just promote DC02 (see DC promotion guide). Default config places both in Default-First-Site-Name. Replication starts automatically. Done.
Verify:
```powershell
# List all DCs
Get-ADDomainController -Filter *

# Check replication
repadmin /replsummary
```
Healthy output: 0 errors, 0 deltas pending (or small deltas catching up to recent changes).
Topology pattern 2 — Multi-site, geo-distributed
When you have DCs in different Raff regions (or one in Raff + one in your office for hybrid):
Site: us-east
├── Subnet: 10.0.0.0/24
└── DC01 (PDC Emulator)
Site: eu-west
├── Subnet: 10.1.0.0/24
└── DC02
Steps to configure:
Step 1 — Create the sites
Open dssite.msc (Active Directory Sites and Services):
- Sites → right-click → New Site
- Name: `us-east`
- Pick a Site Link — initially you only have `DEFAULTIPSITELINK`; you'll create proper ones in Step 4
- Repeat for `eu-west`
Step 2 — Create subnets and assign to sites
- Sites → Subnets → right-click → New Subnet
- Prefix: `10.0.0.0/24`, Site: `us-east`
- Repeat for `10.1.0.0/24` → `eu-west`
This tells AD which DC to direct clients to based on their IP — clients in 10.0.0.0/24 use DC01 (in us-east).
Step 3 — Move DCs to their sites
In dssite.msc:
- Sites → `Default-First-Site-Name` → Servers → DC01 → drag to `us-east` → Servers
- Repeat for DC02 → `eu-west`
Step 4 — Create / configure Site Link
- Sites → Inter-Site Transports → IP → right-click → New Site Link
- Name: `us-east__eu-west`
- Select both sites
- Right-click the new link → Properties
- Replicate every: 15 minutes (default 180 — too slow for most SMB use cases)
- Cost: 100 (default; only matters in 3+ site topologies for routing decisions)
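The same four steps can be scripted instead of clicked through in `dssite.msc`. This is an added example, not code from the article; it assumes the ActiveDirectory RSAT module and Domain Admin rights, and reuses the site, subnet and DC names from the walkthrough above.

```powershell
# Added example: scripted equivalent of Steps 1-4. Assumes the ActiveDirectory
# RSAT module and Domain Admin rights; names match the article's us-east/eu-west
# design. Each step checks for an existing object so the script is re-runnable.
Import-Module ActiveDirectory

$sites = @{
    'us-east' = @{ Subnet = '10.0.0.0/24'; DC = 'DC01' }
    'eu-west' = @{ Subnet = '10.1.0.0/24'; DC = 'DC02' }
}

# Step 1: create the sites
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
}

# Step 2: create subnets and bind each to its site. Without this binding,
# clients in 10.1.0.0/24 may authenticate against DC01 across the WAN.
foreach ($name in $sites.Keys) {
    $prefix = $sites[$name].Subnet
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $name
    }
}

# Step 3: move each DC's server object out of Default-First-Site-Name
foreach ($name in $sites.Keys) {
    Move-ADDirectoryServer -Identity $sites[$name].DC -Site $name
}

# Step 4: one IP site link joining both sites, 15-minute interval instead of
# the 180-minute default so changes reach the remote site quickly
$linkName = 'us-east__eu-west'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded 'us-east', 'eu-west' `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15
}

# Verify: each DC should now report the site it was moved to
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address |
    Format-Table -AutoSize
```

After the script runs, `DEFAULTIPSITELINK` still exists; remove it only once you have confirmed both DCs appear under the new link and replication succeeds.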
Replication frequency tuning
| Pattern | Frequency | Why |
|---|---|---|
| Same site (multi-DC) | 15 seconds (change notification) | Automatic, no config needed |
| Site link, default | 180 minutes (3 hours) | Conservative; reduces WAN traffic |
| Site link, business hours | 15 minutes | Real-time enough for most work |
| Site link, high-criticality | 5 minutes | Maximum speed without thrashing |
Set in Site Link Properties → "Replicate every".
FSMO roles — where they live matters
Each AD forest has 5 Flexible Single Master Operations (FSMO) roles. By default, ALL 5 are on the first DC you promote. You can transfer them to spread the load:
| Role | Recommended placement |
|---|---|
| Schema Master | Forest root domain, any DC (rarely used; only during schema extensions) |
| Domain Naming Master | Forest root domain, any DC |
| PDC Emulator | Same site as the most users (handles password changes, time sync) |
| RID Master | Any DC; co-locate with PDC Emulator usually |
| Infrastructure Master | Any DC; if running a single-domain forest, doesn't matter |
Check current placement:
```powershell
netdom query fsmo
```
Move a role:
```powershell
Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator
```
For 2-DC SMB: leave FSMO roles all on DC01 (the primary). DC02 takes over via "seize" if DC01 fails permanently.
Verify replication health
Run weekly (or daily for production):
```powershell
# Quick summary
repadmin /replsummary

# Detailed per-partner status
repadmin /showrepl

# Last backup time recorded for each directory partition (a stale backup is a recovery risk)
repadmin /showbackup *

# Force replication NOW (instead of waiting for the schedule)
repadmin /syncall /AeP
```
Look for:
- Failures: 0 = good. Anything else = investigate
- Deltas pending: small numbers OK; growing numbers = replication is falling behind
- Last success time: should be recent (within the replication interval)
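The three "Look for" checks above can be turned into a scheduled pass/fail report so replication failures do not go unnoticed for months. This is an added example, not code from the article; it assumes the ActiveDirectory RSAT module, approximates "deltas pending" by the age of the last successful replication per partner and partition, and uses the 15-minute site-link interval from this article as the staleness threshold.

```powershell
# Added example (not from the article): scripted version of the "Look for"
# checklist. Assumes the ActiveDirectory RSAT module. $MaxAgeMinutes is a
# constructed threshold matching the 15-minute site-link interval set above.
Import-Module ActiveDirectory

function Test-AdReplicationHealth {
    param([int]$MaxAgeMinutes = 15)
    $problems = @()
    $cutoff   = (Get-Date).AddMinutes(-$MaxAgeMinutes)

    foreach ($dc in Get-ADDomainController -Filter *) {
        # Check 1: failures must be 0 on every DC
        foreach ($f in Get-ADReplicationFailure -Target $dc.HostName) {
            $problems += "[$($dc.Name)] $($f.FailureCount) failure(s) with $($f.Partner) since $($f.FirstFailureTime): $($f.LastError)"
        }

        # Checks 2 and 3: per partner and partition, no consecutive failures
        # and a last success inside the replication interval
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -Partition *
        foreach ($m in $meta) {
            if ($m.ConsecutiveReplicationFailures -gt 0) {
                $problems += "[$($dc.Name)] $($m.ConsecutiveReplicationFailures) consecutive failure(s) from $($m.Partner) for $($m.Partition)"
            }
            if ($m.LastReplicationSuccess -lt $cutoff) {
                $problems += "[$($dc.Name)] last success from $($m.Partner) for $($m.Partition) was $($m.LastReplicationSuccess) (older than $MaxAgeMinutes min)"
            }
        }
    }
    return $problems
}

$issues = Test-AdReplicationHealth -MaxAgeMinutes 15
if ($issues.Count -eq 0) {
    Write-Output "Replication healthy: 0 failures, all partners within 15 minutes"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit so a scheduled task or monitoring hook can alert
}
```

Run it from a scheduled task on one DC; the exit code is what your monitoring should watch, since the Warning lines are only useful to a human reading the log.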
Common mistakes
- Single DC for production AD — if it dies, the entire domain dies. Always 2+ DCs
- Both DCs in the same Raff VPS / same hardware — defeats redundancy. Use separate VPSes (different regions if possible)
- Multi-site without subnet assignments — clients get directed to the wrong DC. Always create subnets in `dssite.msc`
- Default 180-minute site link replication — passwords take 3 hours to propagate; users get locked out trying to log in to remote sites with old passwords
- Not monitoring `repadmin /replsummary` — replication breaks silently; you discover it months later when a DC's data is way out of date
- Promoting on a VM with installed software — DCs should be dedicated. Mixed-role DCs are harder to update and secure
Tested on
Tested on two Raff Windows VPSes, both $36 plan (4 vCPU / 8 GB), Windows Server 2022 build [VERIFY], 2-DC same-site topology with default replication, [DATE]. Tester: [Engineer name].
What's next
- Promote a Windows VPS to a Domain Controller — set up DCs first
- Active Directory Group Policy from Scratch — once you have DCs, configure GPOs
- Microsoft Learn — Active Directory Sites
Sources
- Microsoft Learn — Designing the Site Topology
- Microsoft Learn — How Active Directory Replication Topology Works
- Microsoft Learn — FSMO roles overview
- Date last verified: 2026-04-20