working with active directory sites

11

WORKING WITH ACTIVE DIRECTORY SITES

Chapter 3

Chapter 3: WORKING WITH ACTIVE DIRECTORY SITES 2

INTRODUCING SITES

Logical structure can be seen in Active Directory Users And Computers.

Physical network structure affects the efficiency of Active Directory replication. Up to the administrator to create sites in Active

Directory Sites And Services.

Sites are used to control Active Directory replication and authentication traffic.

Only site created by default is the Default-First-Site-Name.


SITES AND SITE LINKS

Sites are typically composed of fast and reliably connected computers.

Criteria for fast and reliable are up to the administrator.

Sites are independent of the domain structure. Domain computer accounts can be spread

over multiple sites.

Sites can contain resources from multiple domains.


SITES AND SITE LINKS

Although sites can be added, modified, and deleted at any time, planning the site structure before installing Active Directory saves you time.

Default-First-Site-Name site is default location for domain controllers. First domain controller is always placed into this

site.

Other domain controllers are placed here, if appropriate site definitions aren’t available.

If sites are created appropriately, newly installed domain controllers are automatically placed in the appropriate site.


SITES AND THE REPLICATION PROCESS

Replication topology describes the logical connections made between domain controllers for replication.

Replication is the transfer of directory information updates. Object additions or removals

Object attribute changes

Object renames


SITES AND THE REPLICATION PROCESS

Tracking replication changes. Update Sequence Number (USN)

Timestamp

Bridgehead server controls replication changes between sites. Compares USN for recent changes

Uses timestamp if modifications carry the same USN

Convergence occurs when all changes are updated.


INTRASITE REPLICATION OVERVIEW

Knowledge consistency checker (KCC) Creates initial replication topology (replication

ring) Creates connection objects between domain

controllers Process that runs on each domain controller

Active Directory replicates four partitions Domain (domain-wide) Schema (forest-wide) Configuration (forest-wide) Application Data (depends on configuration)


INTRASITE REPLICATION DETAILS

KCC runs every 15 minutes to ensure replication topology is efficient.

Intrasite replication latency is minimized in these ways: KCC creates a bidirectional Replication Ring

KCC ensures no more than three replication hops between any two domain controllers by adding additional connections as needed

Replication traffic is not compressed


INTRASITE REPLICATION DETAILS

Intrasite replication latency is 15 minutes by

default, but there is urgent replication for important changes.

Multiple domains in a single site. Each domain maintains a separate domain

partition replication topology.

Forest-wide replication is not conducted separately, because this information is sent to all domains in the forest.


INTERSITE REPLICATION

Designed to control replication traffic over slow WAN links.

KCC designates one domain controller per site to be the Intersite Topology Generator (ISTG).

ISTG designates the bridgehead server.

Site links are used to define the intersite replication topology.


INTERSITE REPLICATION: SITE LINKS

Connection between two sites that are logical and transitive

Represents physical network links

Manually defined by administrator

Sites communicate using same protocol


SITE LINK CONFIGURATION

Cost Lower cost routes are used first.

Default is 100; range 1 to 99,999.

Schedule Default is availability 7 days per week, 24

hours per day.

Administrator can modify to exclude certain days and hours the link is not available.


SITE LINK CONFIGURATION

Frequency Specifies how often the link attempts to

replicate information within the specified availability (schedule)

Default is 180 minutes; range is 15 minutes to once per week


CREATING SITES


CREATING SITE LINKS


CONFIGURING SITE LINK PROPERTIES


CREATING SUBNETS


REPLICATION PROTOCOLS

Remote procedure call (RPC) over Internet Protocol (IP) Default and most commonly used

Adheres to schedules by default

Synchronous; connection required

Only choice for domain controllers from same domain

Simple Mail Transfer Protocol (SMTP) Allows asynchronous communications


REPLICATION PROTOCOLS

Doesn’t adhere to schedules by default

Requires a certificate and certificate authority (CA)

Cannot replicate domain partition information


RPC REQUIRES A CONNECTION

contoso.comDCs

Site 1

Site 2

Link1-2Schedule

1:00 A.M. – 3:00 A.M.

Link2-3Schedule

3:00 A.M. – 5:00 A.M.

Cohowinery.com DCs

contoso.comDCs

Site 3


INTRASITE VERSUS INTERSITE REPLICATION

Intrasite Replication traffic not compressed.

Replication partners notify each other within 5 to 15 minutes of changes.

KCC automatically configures and maintains a replication ring.

RPC is used.

Intersite Replication traffic is compressed.


INTRASITE VERSUS INTERSITE REPLICATION

Bridgehead servers notify bridgehead servers at other sites of changes every 80 minutes by default.

Site links are required for replication to occur.

Protocols used intersite can be RPC over IP or SMTP.


DESIGNATING THE BRIDGEHEAD SERVER

ISTG automatically assigns preferred bridgehead server.

Administrator can designate preferred bridgehead servers. Done through properties of domain controller

object in Active Directory Sites And Services

Select the protocol, IP or SMTP, for which this server is to be considered a preferred bridgehead server

Allows administrator to designate that role to systems with most processing power to spare


PREFERRED BRIDGEHEAD SERVER DESIGNATION


SITE LINK BRIDGING

Used to allow communication over two different site links.

Bridge All Site Links is configured by default.

You can clear the Bridge All Site Links check box and configure site link bridges manually.

You cannot create a site link bridge until you have at least two site links.


CONFIGURING SITE LINK BRIDGING


MANAGING REPLICATION


CHECK REPLICATION TOPOLOGY


DETERMINING THE ISTG


FORCING REPLICATION

Active Directory Sites And Services

Active Directory Replication Monitor (Replmon)

Repadmin/syncall contoso.com


MONITORING REPLICATION

Windows Support Tools Microsoft Windows Server 2003 installation

CD-ROM

Support\Tools folder on the CD

Dcdiag

Repadmin

Replmon


DOMAIN CONTROLLERDIAG

Many options for diagnosing and repairing domain controller issues

Type dcdiag /? at a command prompt to see a list

Noteworthy examples dcdiag /test:replication

dcdiag /fix


REPADMIN

Command line utility for replication control and monitoring

Type repadmin /? at a command prompt to see a list

Noteworthy examples /showreps – view replication partners

/showconn – view connections

/sync and /syncall – force replication

/showmeta – view attributes of a specific object

/showvector – check USNs for a particular naming context, also named partition


REPLMON: ACTIVE DIRECTORY REPLICATION MONITOR

Graphical utility for replication control and monitoring

Launch from Support Tools option on Start menu or by typing replmon in Run dialog box or CMD prompt

Noteworthy capabilities Check replication topology

Force synchronization

Generate a status report to a log file

View bridgehead servers


SUMMARY

Intrasite versus intersite replication details

Site, site link, and site link bridge creation and configuration

Intersite replication configuration options Bridgehead servers

Protocol selection

Windows Support Tools: domain controllerdiag, Repadmin, Replmon

working with active directory sites

Documents

urgent replication

replication hops

active directory sitessites

active directory users

active directory sitesinter

domain structure

forestwide replication

domain controllersprocess