Working with Active Directory Sites: Lesson 3

70 640 Lesson03 Ppt 041009


Page 1: 70 640 Lesson03 Ppt 041009

Working with Active Directory Sites

Lesson 3

Page 2

Skills Matrix

Technology Skill                          | Objective Domain                        | Objective #
Introducing Active Directory Sites        | Configure sites                         | 2.3
Configuring Active Directory Replication  | Configure Active Directory replication  | 2.4

Page 3

Logical Versus Physical Structure

Logical
• Forest
• Trees
• Domains
• OUs
• Leaf objects

Physical
• IP Subnets/Sites
• Domain Controllers

Page 4

Active Directory Sites

• Sites are defined by IP subnets that are well-connected, which means that the network infrastructure between them is fast and reliable.
  – In most cases, an Active Directory site will map to a single LAN.

• Multiple sites are joined together by site links.

• Intersite replication takes place along the site links that you define within Active Directory Sites and Services.

Page 5

Sites

• When clients log on to Active Directory, they use DNS to query the Active Directory site topology to locate the closest available domain controller and other network resources.

• Domain controllers use the site topology to establish replication partners that provide efficiency and keep the Active Directory database consistent.

Page 6

Default-First-Site-Name

• When you install the forest root domain controller in an Active Directory forest, the Active Directory Installation Wizard creates a single site called Default-First-Site-Name.

• The forest root domain controller server object is placed within the Servers folder of this site.

• The site can be renamed to more accurately reflect a physical location.

Page 7

Default-First-Site-Name

Page 8

Active Directory Replication

• The process of duplicating Active Directory information between domain controllers for the purposes of fault tolerance and redundancy.

• Based on a multimaster replication model, in which the domain controllers from each domain participate in the replication process for that domain.
  – They also replicate forest-wide schema and configuration information.

• Active Directory sites are the means by which administrators can control replication traffic.

Page 9

Active Directory Replication

• Domain controllers that reside within the same site participate in intrasite replication.
  – Transmit changes to the Active Directory database almost as soon as they occur.

• Domain controllers located in different sites participate in intersite replication.
  – Occurs on a scheduled basis (every 15 minutes by default).
  – Intersite replication traffic is also compressed by default to decrease the use of network bandwidth.
  – Remember, the goal is to minimize bandwidth usage.

Page 10

Active Directory Replication

• Remember:
  – Intra means internal, such as an intranet (your own network).
  – Inter means external, such as the Internet (a conglomeration of networks).

Page 11

Active Directory Replication

Page 12

Understanding the Replication Process

• Replication within Active Directory occurs when one of the following conditions is met:
  – An object is added to or removed from Active Directory.
  – The value of an attribute has changed.
  – The name of an object has changed.

Page 13

Understanding the Replication Process

• To track changes from different sources and determine which objects need to be replicated from one domain controller to another, each domain controller uses the following:
  – An update sequence number (USN) that keeps track of changes made at each DC and thus keeps track of which updates should be replicated to other domain controllers.
  – A version ID associated with each Active Directory attribute that keeps track of how many times that attribute has been changed.
  – A timestamp that records when the modification took place.
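An added example, not part of the lesson, that reads the USN, version ID and timestamp metadata just listed for one attribute as seen from two domain controllers, so you can tell which DC originated a change and whether it has converged. It assumes Get-ADReplicationAttributeMetadata from the ActiveDirectory module (Windows Server 2012 or later, newer than this 70-640 material); the group and DC names are constructed.

```powershell
# Added example: per-attribute replication metadata (version, originating USN, timestamp,
# originating DC) for the 'member' attribute of a sensitive group, read from two DCs.
# Assumes the ActiveDirectory module (Server 2012+). Group and DC names are constructed.
Import-Module ActiveDirectory

$group = 'Domain Admins'
$dcs   = 'DC1.corp.example', 'DC2.corp.example'

# Collect the metadata as each DC sees it. -ShowAllLinkedValues expands multi-valued
# attributes such as member so that every value carries its own version and timestamp.
# Version            : how many times this value has changed
# ...ChangeUsn       : USN of the write on the originating DC
# ...ChangeTime      : timestamp of that write
# ...ServerIdentity  : the DC that accepted the write (useful when investigating a change)
$meta = foreach ($dc in $dcs) {
    $obj = Get-ADGroup -Identity $group -Server $dc
    Get-ADReplicationAttributeMetadata -Object $obj -Server $dc -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        Select-Object @{ n = 'QueriedDC'; e = { $dc } },
                      AttributeValue,
                      Version,
                      LastOriginatingChangeUsn,
                      LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity
}

$meta | Sort-Object AttributeValue, QueriedDC | Format-Table -AutoSize

# Convergence check: a value whose Version differs between the two DCs has not finished
# replicating (or was edited on both sides; conflicts are settled by version, then timestamp).
$meta | Group-Object AttributeValue | ForEach-Object {
    $versions = @($_.Group.Version | Sort-Object -Unique)
    if ($versions.Count -gt 1) {
        Write-Warning "'$($_.Name)' not converged: versions $($versions -join ', ')"
    }
}
```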

Page 14

Understanding the Replication Process

• When replicating information between sites, Active Directory designates a bridgehead server in each site to act as a gatekeeper in managing site-to-site replication.
  – Allows intersite replication to update only one domain controller within a site (usually over a slower WAN link).
  – After a bridgehead server is updated, it updates the remainder of its domain controller partners with the newly replicated information.
  – Active Directory convergence describes the amount of time that it takes for this process to complete so that all domain controllers in the environment contain the most up-to-date information.

Page 15

Active Directory Replication

Page 16

Knowledge Consistency Checker (KCC)

• Each domain controller uses an internal process called the Knowledge Consistency Checker (KCC) to map the logical network topology between the domain controllers.

• For each domain controller in the site, the KCC selects one or more replication partners for that domain controller and creates connection objects between the domain controller and its new replication partners.
  – Each connection object is a one-way connection.

Page 17

Viewing Active Directory Connection Objects

• Open the Active Directory Sites and Services MMC snap-in.

• Click the Sites folder, select the desired site, and then click the Servers folder.

• Expand the server name for which you wish to view connection objects and right-click NTDS Settings. Click Properties.

Page 18

Viewing Active Directory Connection Objects

Page 19

Viewing Active Directory Connection Objects

Page 20

Creating a New Site

• In Active Directory Sites and Services, right-click the Sites folder and select New Site.

• In the New Object-Site dialog box, key the name for the site based on your plan.

• Select the DefaultIPSiteLink from the list of site names and click OK to complete the site creation.

Page 21

Creating a New Subnet

• In Active Directory Sites and Services, right-click the Subnets folder.

• Select New Subnet from the menu.

• In the New Object-Subnet dialog box, enter the IP address and subnet mask that correspond to the segment in your design.

• Select the site you wish to associate with this subnet and click OK.

Page 22

Creating a New Subnet

Page 23

Configuring Intersite Replication

• Cost
  – Allows the administrator to define the path that replication will take.
  – If more than one path can be used to replicate information, cost assignments determine which path is chosen first.
  – A lower-numbered cost value is chosen over a higher-numbered cost value.
  – Cost values range from 1 to 99,999.
  – Chosen by the Active Directory administrator and meaningful only relative to one another.

Page 24

Configuring Intersite Replication

• Schedule
  – The schedule of the site link object determines when the link is available to replicate information.
  – By default, newly created site link objects are available for replication 24/7.

Page 25

Configuring Intersite Replication

• Frequency
  – A site link's frequency determines how often information will be replicated over a particular site link.
  – Keep in mind that replication will take place only during scheduled hours.
  – The default replication frequency for a new site link is 180 minutes, but it can be configured to take place as frequently as every 15 minutes and as infrequently as once per week.
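The Creating a New Site and Creating a New Subnet steps and the cost, schedule and frequency settings above, carried out with the ActiveDirectory PowerShell module instead of the MMC snap-in. This is an added example, not part of the lesson; it assumes the module's replication cmdlets (Windows Server 2012 or later RSAT, newer than this material), and the site name, subnet, link name and off-hours window are constructed values.

```powershell
# Added example: scripted equivalent of the New Site / New Subnet slides plus the cost,
# schedule and frequency settings. Assumes the ActiveDirectory module with the AD
# replication cmdlets (Windows Server 2012+). All names and values are constructed.
Import-Module ActiveDirectory

$site   = 'Branch-Chicago'     # constructed site name
$subnet = '10.20.0.0/16'       # constructed well-connected subnet for that site
$link   = 'HQ-Chicago'         # constructed site link name

# Site: the "New Site" step.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
    New-ADReplicationSite -Name $site
}

# Subnet: the "New Subnet" step. The subnet-to-site association is what clients use
# to locate the closest domain controller.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
    New-ADReplicationSubnet -Name $subnet -Site $site
}

# IP (RPC over IP) site link joining the default site and the new site.
# Cost: lower wins when more than one path exists (1..99,999; only relative values matter).
# ReplicationFrequencyInMinutes: how often within the schedule; 180 is the default,
# 15 is the minimum.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
    New-ADReplicationSiteLink -Name $link `
        -SitesIncluded 'Default-First-Site-Name', $site `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15
}

# Schedule: new links are available 24/7. Restrict this one to weekends plus 20:00-05:59
# on weekdays. RawSchedule is a [day (0 = Sunday), hour, quarter-hour] boolean matrix.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$raw = $schedule.RawSchedule
foreach ($day in 0..6) {
    $weekend = ($day -eq 0 -or $day -eq 6)
    foreach ($hour in 0..23) {
        $open = $weekend -or ($hour -ge 20 -or $hour -lt 6)
        foreach ($q in 0..3) { $raw[$day, $hour, $q] = $open }
    }
}
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity $link -ReplicationSchedule $schedule

# Verify what the KCC/ISTG will work from.
Get-ADReplicationSiteLink -Identity $link | Format-List Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```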

Page 26

Replication Protocol

• For both intrasite and intersite replication, Active Directory uses Remote Procedure Calls over Internet Protocol (RPC over IP) by default for all replication traffic.
  – RPC is commonly used to communicate with network services on various computers, whereas IP is responsible for the addressing and routing of the data.
  – RPC over IP replication keeps data secure while in transit by using both authentication and encryption.

Page 27

Replication Protocol

• Simple Mail Transfer Protocol (SMTP) is an alternative solution for intersite replication when a direct or reliable IP connection is not available.
  – Uses asynchronous replication, meaning that each replication transaction does not need to complete before another can start, because the transaction can be stored until the destination server is available.
  – SMTP cannot replicate domain directory partitions.
  – Requires an enterprise certification authority (CA) that is fully integrated with Active Directory.

Page 28

Replication Protocol

• Unlike RPC over IP, SMTP does not adhere to schedules and should be used only when replicating between different domains over an extremely slow or unreliable WAN link.

Page 29

Creating a New Site Link Object

• In Active Directory Sites and Services, expand the Inter-Site Transports folder.

Page 30

Summary of Replication Methods

Page 31

Refreshing the Intrasite Replication Topology

• In Active Directory Sites and Services, expand Sites, followed by the site where you wish to run the KCC.

• Expand Servers and double-click one of the domain controllers.

• In the details pane, right-click NTDS Settings, click All Tasks and select Check Replication Topology.

Page 32

Determining Which Server Holds the ISTG Role

• In Active Directory Sites and Services, expand the Sites folder and then expand the appropriate site.

• In the Details pane, right-click NTDS Site Settings and then select Properties. The Properties page displays the server holding the ISTG role.

Page 33

Determining Which Server Holds the ISTG Role

• To force the KCC to regenerate the intersite topology, right-click NTDS Settings.

• Click All Tasks and then select Check Replication Topology.

Page 34

Forcing Manual Replication

• In Active Directory Sites and Services, expand Sites, followed by the site that contains the connection for which you wish to force replication.

• Locate the server in the Servers container that provides the connection object.

• Click NTDS Settings in the console tree.

• In the details pane, right-click the connection for which you want replication to occur and select Replicate Now.

Page 35

Monitoring Replication

• Dcdiag
• Repadmin

Page 36

Dcdiag

• A command-line tool used for monitoring Active Directory.
  – Perform connectivity and replication tests, reporting errors that occur.
  – Report DNS registration problems.
  – Analyze the permissions required for replication.
  – Analyze the state of domain controllers within the forest.

Page 37

Repadmin

• A command-line tool used for the following:
  – To view the replication topology from the perspective of each domain controller.
  – To manually create a replication topology if site link bridging is disabled because the network is not fully routed.
  – To force replication between domain controllers when you need updates to occur immediately without waiting for the next replication cycle.
  – To view the replication metadata, which is the combination of the actual data and the up-to-date vector or USN information. This is helpful in determining the most up-to-date information prior to seizing an operations master role.
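An added example, not part of the lesson, that turns the dcdiag and repadmin slides and the Forcing Manual Replication steps into a scripted health sweep: it reports inbound partners whose last sync failed or is stale, lists recorded failures, runs the dcdiag tests, and finally forces a one-off sync. It assumes repadmin and dcdiag are installed and that the ActiveDirectory module (Windows Server 2012 or later) is available; the lag threshold is a constructed value.

```powershell
# Added example: replication health sweep built on the tools the lesson names (repadmin,
# dcdiag) and their cmdlet counterparts. Assumes the ActiveDirectory module (Server 2012+)
# and repadmin/dcdiag on the path. $maxLagMinutes is a constructed threshold.
Import-Module ActiveDirectory
$maxLagMinutes = 60

# 1. repadmin summary: largest delta and fails/total per DC across all its partners.
repadmin /replsummary

# 2. Same data as 'repadmin /showrepl', but as objects: flag inbound partners whose last
#    sync failed (non-zero result) or whose last success is older than the threshold.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lag = (Get-Date) - $_.LastReplicationSuccess
            if ($_.LastReplicationResult -ne 0 -or $lag.TotalMinutes -gt $maxLagMinutes) {
                '{0} <- {1} [{2}]: result={3} lastSuccess={4} ({5} min ago)' -f $dc,
                    $_.Partner, $_.Partition, $_.LastReplicationResult,
                    $_.LastReplicationSuccess, [int]$lag.TotalMinutes
            }
        }
}

# 3. Failures the DCs themselves have recorded, domain-wide.
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Format-Table Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError -AutoSize

# 4. dcdiag replication and DNS registration tests; /q prints only errors.
dcdiag /test:Replications /test:DNS /q

# 5. Forcing Manual Replication, scripted: push all partitions from the first DC to all
#    its partners, including cross-site ones (the Replicate Now step for every connection).
#    /A all partitions, /d show server DNs, /e enterprise (cross-site), /P push.
repadmin /syncall $dcs[0] /AdeP
```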

Page 38

Summary

• You learned how to define and manage sites and site links.

• You learned how to determine a site strategy based on the physical network infrastructure.

• You learned how to use Active Directory Sites and Services to configure replication.

Page 39

Summary

• You learned the differences between intrasite and intersite replication.

• You learned how to describe the role of the Intersite Topology Generator (ISTG) and Knowledge Consistency Checker (KCC) in site replication.

Page 40

Summary

• You learned how to optimize replication by configuring bridgehead servers and site link bridging.

• You learned how to monitor replication using dcdiag and repadmin.