Child domains don't replicate with each other?

 
 
Jan Dye

 
      10-10-2005, 09:18 PM
I have several child domains at different remote sites that are connected to
our site via VPN tunnel. These child domains are able to successfully
replicate with the parent domain. However, several of them have set up
automatic connection agreements with each other. Each child domain does not
have a vpn tunnel to any other child domain - only the parent - so the
replication to these partners is failing. We do not want to set up VPNs for
each of these child domains to contact every other child domain. Does
anybody have a solution for this? Do others have the same problem? All are
Windows 2003 domain controllers. Thanks -

Jan Dye
(E-Mail Removed)


 
Bill Grant

 
      10-11-2005, 11:21 PM
The usual method is to use a hub and spoke model (ie a wheel with a hub
and spokes but no rim). Select one site to be the hub of your network. Every
other site has a link to this hub site.

You then configure the routing so that each site sends all private
traffic to the hub. The hub has a route to every site, so it can reroute the
traffic up the correct spoke. The remote sites have bundled routes to send
all traffic for the other sites to the hub.

This is easy to set up if all sites use similar routing. For instance, if
all sites use 192.168.x.0/24, you simply configure each remote site to send
192.168.0.0/16 to the central hub.

Jan Dye wrote:
> I have several child domains at different remote sites that are
> connected to our site via VPN tunnel. These child domains are able to
> successfully replicate with the parent domain. However, several of
> them have set up automatic connection agreements with each other.
> Each child domain does not have a vpn tunnel to any other child
> domain - only the parent - so the replication to these partners is
> failing. We do not want to set up VPNs for each of these child
> domains to contact every other child domain. Does anybody have a
> solution for this? Do others have the same problem? All are Windows
> 2003 domain controllers. Thanks -
> Jan Dye
> (E-Mail Removed)



 
Jan Dye

 
      10-12-2005, 04:26 PM
Thanks Bill -
I understand the concept, but I'm a little vague on the implementation.
After I select one site to be the hub, where do I go to & how do I configure
the routing? Is this done through windows server? Or is it done on the
actual router? Also, in the AD sites & services, how do I get the
replication partners to stop automatically creating connections with domains
they can't get to?

Jan

"Bill Grant" <not.available@online> wrote in message
news:%23NXH$(E-Mail Removed)...
> The usual method is to use a hub and spoke model (ie a wheel with a hub
> and spokes but no rim). Select one site to be the hub of your network.
> Every other site has a link to this hub site.
>
> You then configure the routing so that each site sends all private
> traffic to the hub. The hub has a route to every site, so it can reroute
> the traffic up the correct spoke. The remote sites have bundled routes to
> send all traffic for the other sites to the hub.
>
> This is easy to set up if all sites use similar routing. For instance,
> if all sites use 192.168.x.0/24, you simply configure each remote site to
> send 192.168.0.0/16 to the central hub.
>
> Jan Dye wrote:
>> I have several child domains at different remote sites that are
>> connected to our site via VPN tunnel. These child domains are able to
>> successfully replicate with the parent domain. However, several of
>> them have set up automatic connection agreements with each other.
>> Each child domain does not have a vpn tunnel to any other child
>> domain - only the parent - so the replication to these partners is
>> failing. We do not want to set up VPNs for each of these child
>> domains to contact every other child domain. Does anybody have a
>> solution for this? Do others have the same problem? All are Windows
>> 2003 domain controllers. Thanks -
>> Jan Dye
>> (E-Mail Removed)

>
>



 
Bill Grant

 
      10-13-2005, 12:24 AM
You configure it on the VPN routers. A one-to-one VPN connection has a
route to the "other" site through the VPN link. In your case, you need each
peripheral site to have a bundled route for all sites (including the hub).
Only the hub router has a route to each peripheral site. The fact that they
are VPN links doesn't alter the way IP routing works. You are simply using
two hops to get from site to site, via the hub, because you don't have a
direct connection.

For advice on configuring site links you would probably get better advice
in the AD newsgroup.

Jan Dye wrote:
> Thanks Bill -
> I understand the concept, but I'm a little vague on the
> implementation. After I select one site to be the hub, where do I go
> to & how do I configure the routing? Is this done through windows
> server? Or is it done on the actual router? Also, in the AD sites &
> services, how do I get the replication partners to stop automatically
> creating connections with domains they can't get to?
>
> Jan
>
> "Bill Grant" <not.available@online> wrote in message
> news:%23NXH$(E-Mail Removed)...
>> The usual method is to use a hub and spoke model (ie a wheel with
>> a hub and spokes but no rim). Select one site to be the hub of your
>> network. Every other site has a link to this hub site.
>>
>> You then configure the routing so that each site sends all private
>> traffic to the hub. The hub has a route to every site, so it can
>> reroute the traffic up the correct spoke. The remote sites have
>> bundled routes to send all traffic for the other sites to the hub.
>>
>> This is easy to set up if all sites use similar routing. For
>> instance, if all sites use 192.168.x.0/24, you simply configure
>> each remote site to send 192.168.0.0/16 to the central hub.
>>
>> Jan Dye wrote:
>>> I have several child domains at different remote sites that are
>>> connected to our site via VPN tunnel. These child domains are able
>>> to successfully replicate with the parent domain. However, several
>>> of them have set up automatic connection agreements with each other.
>>> Each child domain does not have a vpn tunnel to any other child
>>> domain - only the parent - so the replication to these partners is
>>> failing. We do not want to set up VPNs for each of these child
>>> domains to contact every other child domain. Does anybody have a
>>> solution for this? Do others have the same problem? All are Windows
>>> 2003 domain controllers. Thanks -
>>> Jan Dye
>>> (E-Mail Removed)



 
Reply With Quote
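
The two-hop path described in Bill Grant's two replies, as an added example that is not part of the original thread: a small longest-prefix-match model showing why a spoke with only a one-to-one route to the hub cannot reach another spoke, and why the bundled 192.168.0.0/16 route fixes it. The site names and the three /24 subnets are constructed for illustration; only the 192.168.x.0/24 and 192.168.0.0/16 scheme comes from the thread.

```python
import ipaddress

# Constructed sample topology (not from the thread): one hub, two peripheral sites.
SITES = {"hub": "192.168.0.0/24", "site_a": "192.168.1.0/24", "site_b": "192.168.2.0/24"}
BUNDLE = ipaddress.ip_network("192.168.0.0/16")  # bundled route named in the thread


def build_tables(sites, hub, bundled=True):
    """Return {site: [(network, next_hop)]}; next_hop 'local' means delivered here."""
    tables = {}
    for name, net in sites.items():
        routes = [(ipaddress.ip_network(net), "local")]
        if name == hub:
            # Only the hub holds a specific route to each peripheral site.
            routes += [(ipaddress.ip_network(n), s) for s, n in sites.items() if s != hub]
        elif bundled:
            # Peripheral site: one bundled route covering all sites, via the hub.
            routes.append((BUNDLE, hub))
        else:
            # One-to-one VPN: the peripheral site only knows the hub's own subnet.
            routes.append((ipaddress.ip_network(sites[hub]), hub))
        tables[name] = routes
    return tables


def trace(tables, src_site, dst_ip, max_hops=8):
    """Follow longest-prefix-match decisions; return sites visited, or None if unroutable."""
    dst = ipaddress.ip_address(dst_ip)
    path, here = [src_site], src_site
    for _ in range(max_hops):
        matches = [(net, hop) for net, hop in tables[here] if dst in net]
        if not matches:
            return None  # no route at this router: the packet is dropped
        _, hop = max(matches, key=lambda m: m[0].prefixlen)
        if hop == "local":
            return path
        here = hop
        path.append(here)
    return None  # hop limit reached (routing loop)


if __name__ == "__main__":
    dc_b = "192.168.2.10"  # constructed address of a domain controller at site_b
    print("one-to-one :", trace(build_tables(SITES, "hub", bundled=False), "site_a", dc_b))
    print("bundled    :", trace(build_tables(SITES, "hub", bundled=True), "site_a", dc_b))
```

In this model the hub also drops traffic for any 192.168.x.0/24 that is not a configured site, because the bundled route exists only on the peripheral sites.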
 
 
 