Module 8: Designing an Active Directory Site Topology


Contents

- Overview
- Using Sites in Active Directory
- Assessing the Need for Active Directory Sites
- Using Site Links in a Network
- Planning the Inter-Site Replication Topology
- Planning for Server Placement in Sites
- Demonstration: Active Directory Sizer
- Lab A: Planning Sites to Control Active Directory Replication
- Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows NT, Active Directory, BackOffice, PowerPoint, Visual Basic, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.
- Project Lead: Andy Sweet (S&T OnSite)
- Instructional Designers: Andy Sweet (S&T OnSite), Ravi Acharya (NIIT), Sid Benavente, Richard Rose, Kathleen Norton
- Instructional Design Consultants: Paul Howard, Susan Greenberg
- Program Managers: Lorrin Smith-Bates (Volt), Megan Camp (Independent Contractor)
- Technical Contributors: Angie Fultz, Lyle Curry, Brian Komar (3947018 Manitoba, Inc.), Jim Clark (Infotec Commercial Systems), Bill Wade (Excell Data Corporation), David Stern, Steve Tate, Greg Bulette (Independent Contractor), Kathleen Cole (S&T OnSite)
- Graphic Artist: Kirsten Larson (S&T OnSite)
- Editing Manager: Lynette Skinner
- Editor: Jeffrey Gilbert (Wasser)
- Copy Editor: Patti Neff (S&T Consulting)
- Online Program Manager: Debbi Conger
- Online Publications Manager: Arlo Emerson (Aditi)
- Online Support: Eric Brandt (S&T Consulting)
- Multimedia Development: Kelly Renner (Entex)
- Testing Leads: Sid Benavente, Keith Cotton
- Testing Developer: Greg Stemp (S&T OnSite)
- Compact Disc and Lab Testing: Testing Testing 123
- Production Support: Ed Casper (S&T Consulting)
- Manufacturing Manager: Rick Terek (S&T OnSite)
- Manufacturing Support: Laura King (S&T OnSite)
- Lead Product Manager, Development Services: Bo Galford
- Lead Product Managers: Dean Murray, Ken Rosen
- Group Product Manager: Robert Stewart


Instructor Notes

This module provides the information needed by students to design site topologies in Microsoft® Windows® 2000 Active Directory™ directory service in order to optimize replication traffic. The module begins by explaining how to assess the need for sites. Next the module describes how to use site links in a network. Finally it covers how to plan for an inter-site replication topology and plan for server placement.

At the end of this module, students will be able to:

- Describe how sites are used in Active Directory to configure replication topology to take advantage of the physical network.
- Assess the need for Active Directory sites in a network.
- Plan connectivity between sites by configuring the various components of site links.
- Explain the factors to consider while planning for inter-site replication in a Windows 2000-based network.
- Describe the guidelines that are used to plan for server placement in a site.

Lab A, Planning Active Directory Server Placement, is a scenario-based planning lab that reinforces the methods for planning and documenting domain controller placement and illustrates the effect of domain controller placement on site topology. Students are given the physical structure of the network, as well as user, logon, and security information that plays a part in determining site and replication configuration. Students will work in pairs through scenarios for a medium-sized company and a large company. Students will identify site boundaries for both organizations. They will then use the Active Directory Sizer tool to determine the number and location of domain controllers, global catalog servers, and bridgehead servers in the various sites. They will also determine the locations of the single masters of operations.

Materials and Preparation

This section provides you with the required materials and preparation tasks that are needed to teach this module.

Required Materials

To teach this module, you need the Microsoft PowerPoint® file 1561B_08.ppt.

Preparation Tasks

To prepare for this module, you should:

- Read all of the materials for this module.
- Complete the lab.
- Practice using the Active Directory Sizer tool, which is located in the Microsoft Windows 2000 Server Resource Kit.
- Read the following topic located in the Distributed Systems Guide in the Microsoft Windows 2000 Server Resource Kit:
  - Active Directory Replication

Presentation: 60 Minutes

Lab: 45 Minutes

Instructor Setup for a Lab

This section provides setup instructions that are required to prepare the instructor computer or classroom configuration for a lab.

Lab A: Planning Sites to Control Active Directory Replication

Ensure that Active Directory Sizer is installed and operational on student and instructor computers.

Be sure to remind the students that a Bridgehead server is also a Global Catalog server and a domain controller. Also remind the students that it is a best practice to have redundant domain controllers in each site, even though the Active Directory Sizer tool indicates that only one is necessary. Active Directory Sizer only indicates the number of domain controllers needed to satisfy logon, authentication, and replication requirements of the organization. After the lab has been completed, discuss the results with the students.

Demonstration

This section provides demonstration procedures that will not fit in the margin notes or are not appropriate for the student notes.

Active Directory Sizer

To demonstrate Active Directory Sizer:

1. Click Start, point to Programs, and then click Active Directory Sizer.
2. Click File, and then New.
3. In the Active Directory Wizard, enter a name for the domain, and then click Next.
4. Enter 10000 for the total number of users and 80% for number of users logged on during peak times. Use 25 for additional attributes. Click Next.
5. Use 25 for average number of groups a user will belong to. Type 100 for interactive, 10 for batch, and 10 for network in the average logon rate section, and then click Next.
6. Enter 45 days for password expiration and the default for additional access control entries (ACEs). Click Next.
7. Enter 10000 for the number of Windows 2000 computers, 1000 for other computers, and 1000 for other objects, and then click Next.
8. Use the defaults for CPU utilization and preferred CPU type. Click Next.
9. Use Weekly as the interval and 200 for add, 100 for delete, and 50 for modify, and then click Next.
10. Use 20 for average messages and the default for number of recipients. Click Next.
11. Select Yes for Active Directory enabled DNS, 1000 for dial-in connections, and the defaults for Dynamic Host Configuration Protocol (DHCP) lease and NoRefreshInterval. Click Next.
12. Leave the Services using Active Directory section blank (default), and explain to your students that you would consult the documentation of an application when filling in these numbers. Click Next.
13. Click Finish.

Point out the number of objects and the number of Domain Controllers (servers) needed for this domain. Also, point out the size of the Active Directory and the Global catalog. Point out that bridgehead servers are also domain controllers and Global catalog servers.

To use Active Directory Sizer to plan sites:

1. Right-click Site Configuration in the left pane, and then click Add Site.
2. Enter a site name (ex. Chicago), and then click Apply. Enter a new site name (ex. Paris), and then click Apply. Enter a third site name (ex. Nairobi), click Apply, and then click OK.
3. Right-click Default-first site in the left pane, and then click Distribute Users.
4. Click Default-first Site in the Source Site window, and then type 6000 in the Users to Move box. Click Chicago in the destination site window, and then click Apply.
5. Click Default-first Site in the Source Site window, and then type 3500 in the Users to Move box. Click Paris in the destination site window, and then click Apply.
6. Click Default-first Site in the Source Site window, and then type 500 in the Users to Move box. Click Nairobi in the destination site window, and then click Apply.
7. Click My Domain in the left pane of Active Directory Sizer, and then point out the new server distributions in the right pane to your students. Explain that even though only one DC may be indicated in a site, redundancy should be built into the design.

Module Strategy

Use the following strategy to present this module:

- Using Sites in Active Directory: Describe the role of sites in Active Directory replication and how sites are used to manage network traffic. Explain the factors that affect replication and the strategies that can be used for inter-site and intra-site replication.
- Assessing the Need for Active Directory Sites: The module offers methods for determining whether a site is necessary, and how to document the site design. Describe in detail the factors that need to be considered when assessing the need for sites in an Active Directory structure.
- Using Site Links in a Network: Explain the components of site links and discuss how sites are linked. Finally, describe how the need for site links is assessed in an Active Directory structure.
- Planning the Inter-Site Replication Topology: The section explains the concepts necessary to plan an inter-site replication topology for a Windows 2000-based network. Explain how the replication transport needs to be chosen for a given scenario. Describe the guidelines to consider when delegating bridgehead servers in a site. Explain the purpose of an Inter-site topology generator and, finally, explain the purpose of the least-cost spanning tree.
- Planning for Server Placement in Sites: Explain how the placement of the various servers affects the site topology of a network. Discuss the placement of global catalog servers, operation masters, and bridgehead servers. Demonstrate the use of the Active Directory Sizer utility that is provided with Windows 2000 to estimate the network configuration required for a given organizational scenario.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. This module includes only a computer-based interactive lab exercise, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.

Overview

- Using Sites in Active Directory
- Assessing the Need for Active Directory Sites
- Using Site Links in a Network
- Planning the Inter-Site Replication Topology
- Planning for Server Placement in Sites

Sites are used to organize well-connected computers within an organization to optimize network bandwidth. Excessive network traffic can occur between remote locations due to frequent exchange of large amounts of data and directory information. Designing an appropriate site topology in Microsoft® Windows® 2000 Active Directory™ directory service helps you better organize your Windows 2000 network and optimize the exchange of data and directory information.

At the end of this module, you will be able to:

- Describe the purpose of sites and their role in Active Directory replication.
- Assess the need for Active Directory sites.
- Plan for the creation of site links and site link bridges.
- Plan an inter-site replication topology.
- Plan for server placement in sites.

Slide Objective: To provide an overview of the module topics and objectives.

Lead-in: In this module, you will learn how to design an Active Directory site topology.

#### Using Sites in Active Directory

Sites Control:

- Workstation logon traffic
- Replication traffic
- Dfs topology
- FRS
- Other Site-Aware Applications

[Figure: nwtraders.msft, showing a Paris site with subnets 192.168.2.0 and 192.168.3.0 and a Redmond site with subnet 192.168.4.0.]

A site is a collection of well-connected machines, based on Internet Protocol (IP) subnets. You use sites in Active Directory to define the physical structure of your network. A site consists of one or more subnets. For example, if a network has one subnet in Redmond and two subnets in Paris, the administrator can create one site in Redmond and one in Paris, and add the subnets to the local sites. Sites may contain domain controllers from one or more domains.

You can use sites to optimize network bandwidth in the following ways:

- Workstation logon traffic. When a user logs on, Windows 2000 searches for a domain controller in the same site as the workstation.
- Replication traffic. When a change occurs in Active Directory, sites can be used to control how and when the change is replicated to domain controllers in another site.
- Distributed file system (Dfs) topology. When a shared file or folder has multiple locations, a user will be directed to a server in his or her own site, if one exists. Localizing the availability of servers in a site reduces traffic across slow links.
- File Replication service (FRS). FRS is used to replicate the contents of the SYSVOL directory, which includes logon and logoff scripts, Group Policy settings, and system policies for Windows 95, Windows 98 and Windows NT® version 4.0. FRS uses sites to determine its replication topology.
- Other site-aware applications. A site-aware application is a directory-enabled application that connects a client with a server in its own site, if the server is available there. As third-party applications are developed, they may also make use of sites to allow clients to connect to shares within their own sites. Dfs and FRS point clients to servers within their site before pointing them to servers outside their site.

Slide Objective: To describe the purpose of sites in an Active Directory environment.

Lead-in: Sites are related to the physical structure of a network and are configured so that network bandwidth usage can be optimized when replication takes place.

Active Directory uses site information in the following ways:

- The Knowledge Consistency Checker (KCC) generates a replication topology that is primarily used within sites rather than between sites. This intra-site topology may increase network traffic, but will reduce replication latency.
- Windows 2000 client computers use site information to find nearby domain controllers for logon and query operations.

Factors Affecting Replication

- Replication latency
- Replication efficiency
- Replication cost

[Figure: nwtraders.msft, showing Redmond and Charlotte with the labels Inter-Site Replication and Intra-Site Replication.]

To optimize network bandwidth during replication, you must consider the factors that affect replication. The three significant replication factors include:

- Replication latency. The time needed for one domain controller to receive a change made on another domain controller.
- Replication efficiency. The ability to batch together the number of changes sent with each update.
- Replication cost. The amount of bandwidth needed to replicate the changes between domain controllers.

In a given network, optimizing one of these replication factors will impact the other factors. For example, a frequent replication interval lowers the replication latency and raises the replication cost and efficiency.

Intra-site Replication

Replication latency within a site is low, because of the high network bandwidth available within a site. Low latency ensures that users within the site will have access to the most recent information at all times. Replication within a site will take place five minutes after a change has occurred. The originating server will notify its replication partners of the change, and they will, in turn, request the change.

Inter-site Replication

Usually there is limited bandwidth available for replication between sites. Before being replicated, data is compressed to about 10 percent of original volume to reduce the amount of data on the network. To optimize the limited network bandwidth and replication efficiency even more, you can raise replication latency by scheduling when replication will occur between sites.

Slide Objective: To describe the factors influencing inter-site and intra-site replication in an Active Directory structure.

Lead-in: While planning replication in an Active Directory environment, you need to balance replication latency, replication efficiency, and replication cost.

#### Assessing the Need for Active Directory Sites

- Planning Domain Controller Placement
- Evaluating Connectivity and Available Bandwidth
- Determining Replication Traffic

Before planning the site topology of a network, you need to assess the need for sites in the network. The unnecessary addition of sites in a network may result in replication across slow links and inefficient use of network bandwidth. There are several factors that will determine where site locations are required:

- Available bandwidth
- Anticipated replication traffic
- Placement of domain controllers

Begin the site design process by documenting the existing network infrastructure. Document the types of links between physical locations, the amount of available bandwidth, and the number of users and computers at each location.

Slide Objective: To explain the factors to consider while dividing a network into sites.

Lead-in: Unnecessary addition of sites in a network may slow down replication traffic. Therefore, you should assess the need for sites in a network.

Planning Domain Controller Placement

- At Least One Domain Controller Per Site for Best Performance
- For Sites with Few Users, Use a Slow Link
- Total - Used = Net Available

[Figure: nwtraders.msft, showing Philadelphia, Pittsburgh, and Allentown.]

The first step in planning a site structure is to determine where a domain controller is required. A domain controller must be able to respond to client requests in a timely manner that suits the requirements of the clients. For best performance, place at least one domain controller in each site that contains users or computers of that domain. With a domain controller at each location in your network, all users will have a local computer that can service query requests for their domain over local area network (LAN) connections.

In some situations, however, it may make sense not to place a domain controller at each location. For example, if there is a location with only ten users, you may decide it is a better use of the available bandwidth to have those users log on and query the directory over a slow link.

To help determine domain controller placement, identify potential speed and net available bandwidth by using the equation total - used = net available, where total refers to the total bandwidth available to the network, used refers to the bandwidth that is being used up by the network, and net available bandwidth refers to the bandwidth available to other applications.

Slide Objective: To assess the need for an Active Directory site by determining the need for a domain controller.

Lead-in: Domain controller placement has an effect on network response time and application availability.

Evaluating Connectivity and Available Bandwidth

- Connectivity
  - Fast, Reliable, Inexpensive
  - If Use is Low Between Locations, Slower Connectivity May Be Sufficient
- Available Bandwidth
  - Amount of Connectivity Use
  - If Use is High Between Locations, Consider Separate Sites

You need to examine connectivity and available bandwidth when grouping subnets into sites. The decision to combine multiple subnets to form a Windows 2000 site is a function of both well-connected subnets and networks with a lot of available bandwidth.

Connectivity

Only combine subnets that are connected by fast, inexpensive, and reliable links into a site. The definition of a fast link will vary from organization to organization, but a Windows 2000 site should be connected with links of 10 Megabits per second (Mbps) or greater. For example, a slow connection, such as a 56Kbit/s RAS connection, is sufficient if changes happen rarely. However, if employee turnover at an organization is high and group memberships change daily, even a medium-sized domain might take up considerable bandwidth on a 128Kbps link.

Available Bandwidth

Available bandwidth is also an important consideration in determining a site plan, because a connection that is fast, inexpensive, and reliable may be heavily used. For example, you may consider a 1.544-megabit network connection between two locations fast, inexpensive, and reliable. However, if 75 percent of this connection is used without any traffic from Active Directory or users logging on, it may be desirable to control the replication traffic and logon requests that use this connection. Even though the connection between locations is fast, inexpensive, and reliable, it still may be advantageous to create sites on both sides of the connection.

Slide Objective: To explain how available bandwidth can be used to determine a site plan.

Lead-in: You need to examine connectivity and net available bandwidth between locations when grouping subnets into sites.

Determining Replication Traffic

- Compression Occurs Once Traffic Exceeds 50KB
- Use Active Directory Sizer to Determine Replication Traffic
- Size of Organization Is Poor Indicator of Traffic
- Increasing Latency Can Also Increase Efficient Use of Network

When assessing the need for sites, consider the estimated amount of traffic that replication will generate. Replication between sites is compressed, but only when the amount of traffic exceeds 50,000 bytes (50KB). Use the Active Directory Sizer utility available in the Windows 2000 Server Resource Kit to determine replication traffic.

The size of an organization is not a good indicator of traffic. For example, a medium-sized organization may have regular staff changes, which will generate a significant amount of replication traffic, whereas a large organization may be fairly stable, with few changes occurring on a regular basis. If there are only very small changes occurring, inter-site replication may cause increased traffic because of the need to refer to additional naming contexts outside the site.

You can increase network efficiency by increasing replication latency. Increasing latency will increase the amount of traffic, but once the level of traffic exceeds 50KB, it is compressed, thereby reducing overall traffic.

Less information is replicated between domain controllers of different domains than between domain controllers in the same domain. The global catalog server replication only replicates a subset of the object attributes.

Slide Objective: To describe the factors influencing replication traffic.

Lead-in: Estimating the amount of replication traffic will help you determine the need for sites.

Key Point: Tell students that the Active Directory Sizer tool will be demonstrated at the end of this module.

#### Using Site Links in a Network

Site Links Are Defined By:

- Transport
- Member Sites
- Cost
- Schedule

Inter-Site Topology Spans All Sites in a Network

[Figure: Paris, Redmond, Charlotte, and Atlanta, with an ATM backbone, a 56KB WAN link, and the site links Par-Cha and Red-Cha-Atl.]

The connection between two sites is defined as a site link. Site links can be used for replication. Planning site links involves considering the best replication path and the replication schedule between sites. Replication paths can be prioritized by assigning costs to different replication paths.

Site links are defined by the following components:

- Transport. The networking technology that is used to transfer the data that is replicated, such as a 56KB or a T1 link.
- Member sites. Two or more sites to be connected by the site link.
- Cost. A number that determines which site link will be used for replication when there are multiple site links between two locations.
- Schedule. The times when replication will occur.

A typical site link connects two sites only and corresponds to a wide area network (WAN) link, although it could correspond to a backbone, which connects several sites together. Sites are connected by different network technologies, such as a T1 line, network, or dial-up link. Each site in a multiple-site environment must be connected by at least one site link. Otherwise, domain controllers within a site will not be able to replicate with domain controllers in any other site.

Inter-site replication topology spans across all sites in the organization. As long as a replication route can be constructed between all sites in the enterprise, the replication topology is functional. You can create site links that allow domain controllers from any site to communicate with domain controllers in any other site.

Slide Objective: To describe the components of site links.

Lead-in: Planning for site links involves planning each of the four site link components: transport, member, cost and schedule.

Planning Site Link Schedules and Costs

Control Topology by:

- Setting Costs
- Scheduling Availability

[Figure: Redmond, Charlotte, Atlanta, and Paris, with the following site links.]

- Red-Cha-Atl site link: cost = 1, available at all times
- Red-Atl site link: cost = 300, available 8 PM to 6 AM
- Cha-Par site link: cost = 500, available 7 PM to 2 AM
- Red-Par site link: cost = 500, available 7 PM to 1 AM

Site links are based on the cost of replication, which reflects the speed and reliability of the underlying network, and its schedule, which defines a time period when replication is allowed over the link.

Site Link Schedules

You have the option of controlling when replication will occur between sites. Unlike intra-site replication, inter-site replication does not use a notification process. Because there is no notification between the replication partners, a domain controller must check all replication partitions on the originating domain controller.

Try to schedule inter-site replication when bandwidth utilization is low. For example, you may schedule the link to be used only outside of regular business hours. However, this scheduling will increase replication latency, and you may decide that updating once a day is unacceptable. You can offset the increase in latency by scheduling replication to occur only once an hour.

When setting schedules, be aware of connections that use multiple site links. For example, you may have a domain that resides in three sites, A, B, and C. If the site link for AB is available from 9 p.m. to 1 a.m., and the site link for BC is available from 2 a.m. to 6 a.m., the replication partners in A and C will never replicate with each other.

Slide Objective: To explain the guidelines for planning the schedules and costs of site links in an Active Directory environment.

Lead-in: While planning for site links, you need to determine the cost and the schedule of these site links.

Site Link Cost

Site link cost is a number that represents the priority an organization assigns to replication traffic between the sites identified in the site link. For example, an IP site link named Red-Cha-Atl connects three sites, Redmond, Charlotte, and Atlanta, with a cost of 1. This tells Active Directory that an IP message can be sent between all pairs of sites with a cost of 1.

Higher cost numbers represent lower priority replication paths. If there are multiple site links between two sites, Active Directory replication will use the link with the lowest cost that is available. For example, if there is a site link named Red-Cha-Atl that connects Redmond and Charlotte with a cost of 1, and a site link called Red-Cha that connects Redmond and Charlotte with a cost of 300, any replication will attempt to use the Red-Cha-Atl link first.

Options for Controlling Site Links Any number of site links can connect a site to other sites. Each site in a multi-site directory must be connected by at least one site link. You can control and schedule each site topology independently. You can control:

! Topology by setting the costs on site links. In a common scenario you might set cost = 1 for site links that are part of your backbone network, and cost = 100 for site links corresponding to slow connections to branch offices. Setting costs in this way ensures that a branch office replicates with a domain controller in a site that is part of the backbone, never directly with a second branch office.

! Replication frequency by setting the number of minutes between replication attempts on site links. In a common scenario you might set the global default replication frequency to 15 minutes, and set a longer frequency on site links corresponding to slow connections to branch offices. The longer frequency makes more efficient use of the link but increases replication latency.

! Link availability by using the schedule on site links. You would use the default schedule of 100 percent availability on most links, but you could block replication traffic during peak business hours on links to certain branches. By blocking replication, you give priority to other traffic but increase replication latency.


Assessing the Need for Site Link Bridges

[Slide diagram: nwtraders.msft with sites Redmond, Charlotte, Atlanta, and Paris. Red-Cha site link, cost = 3; Cha-Atl site link, cost = 4; Par-Red site link, cost = 2; Red-Cha-Atl site link bridge, cost = 7.]

A site link bridge connects two or more sites together by using multiple site links. Site link bridges model the routing behavior of a network. By default, all site links are considered transitive. That is, all site links for a given transport will implicitly belong to a single site link bridge for that transport. This means site link bridges are not necessary in fully routed IP networks.

If your IP network is not fully routed, the transitive site link feature for the IP transport can be turned off. This will result in all IP site links being considered intransitive, so site link bridges will need to be configured to model the actual routing behavior of the network. Specifying two or more site links creates a site link bridge object for a specific inter-site transport, typically RPCs over IP.

For example:

- Site link Red-Cha connects sites Redmond and Charlotte through IP with a cost of 3.

- Site link Cha-Atl connects sites Charlotte and Atlanta through IP with a cost of 4.

- Site link bridge Red-Cha-Atl connects Red-Cha and Cha-Atl. The site link bridge Red-Cha-Atl implies that an IP message can be sent from Redmond to Atlanta with a cost of 3 plus 4, or 7.

Slide Objective To assess the need for a site link bridge in an Active Directory environment.

Lead-in Site link bridges are used to connect two or more sites together by using multiple site links.


Each site link in a bridge needs to have a site in common with another site link in the bridge. If not, the bridge cannot compute the cost from sites in one link to sites in other links of the bridge.

Multiple site link bridges for the same transport work together to model multi-hop routing. Add the following objects to the preceding example:

- Site link Par-Red connects sites Paris and Redmond through IP with a cost of 2.

- Site link bridge Par-Red-Cha connects Par-Red and Red-Cha.

Now the site link bridges Par-Red-Cha and Red-Cha-Atl together imply that an IP message can be sent from site Paris to site Atlanta with a cost of 2 plus 3 plus 4, or 9.
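The bridge arithmetic above can be checked mechanically. The following is an added example, not part of the original module or any Microsoft tool: it models the site links and bridges named in the text and computes the cheapest route between two sites when the transitive site link feature is turned off, so a route may pass from one site link to the next only if a bridge contains both. The function names are illustrative.

```python
import heapq
from itertools import count

# Site links and bridges from the example in the text: name -> (member sites, cost).
SITE_LINKS = {
    "Red-Cha": ({"Redmond", "Charlotte"}, 3),
    "Cha-Atl": ({"Charlotte", "Atlanta"}, 4),
    "Par-Red": ({"Paris", "Redmond"}, 2),
}
BRIDGES = {
    "Red-Cha-Atl": {"Red-Cha", "Cha-Atl"},
    "Par-Red-Cha": {"Par-Red", "Red-Cha"},
}


def unconnected_links(links, bridge_members):
    """Links in a bridge that share no site with any other link in that bridge."""
    return sorted(
        name for name in bridge_members
        if not any(links[name][0] & links[other][0]
                   for other in bridge_members if other != name)
    )


def route_cost(links, bridges, src, dst, transitive=False):
    """Cheapest (cost, [site links used]) from src to dst, or None if unreachable.

    transitive=True models the default, where every link of the transport
    implicitly belongs to one bridge. With transitive=False, a route may move
    from one site link to the next only if some bridge contains both links.
    """
    def may_follow(prev, nxt):
        if prev is None or transitive:
            return True
        return any(prev in members and nxt in members
                   for members in bridges.values())

    tie = count()  # tie-breaker so the heap never has to compare lists
    heap = [(0, next(tie), src, None, [])]
    settled = set()
    while heap:
        cost, _, site, prev, used = heapq.heappop(heap)
        if site == dst:
            return cost, used
        if (site, prev) in settled:
            continue
        settled.add((site, prev))
        for name, (sites, link_cost) in links.items():
            if site not in sites or name == prev or not may_follow(prev, name):
                continue
            for nxt in sites - {site}:
                heapq.heappush(
                    heap, (cost + link_cost, next(tie), nxt, name, used + [name]))
    return None


if __name__ == "__main__":
    print(route_cost(SITE_LINKS, BRIDGES, "Redmond", "Atlanta"))
    print(route_cost(SITE_LINKS, BRIDGES, "Paris", "Atlanta"))
    # Without the Par-Red-Cha bridge, Paris cannot reach Atlanta.
    only_one = {"Red-Cha-Atl": BRIDGES["Red-Cha-Atl"]}
    print(route_cost(SITE_LINKS, only_one, "Paris", "Atlanta"))
    # A bridge whose links share no site cannot compute a cost.
    print(unconnected_links(SITE_LINKS, {"Par-Red", "Cha-Atl"}))
```

Removing the Par-Red-Cha bridge leaves Paris able to reach only Redmond, which is the kind of silent replication gap to look for after turning off transitivity.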


#### Planning the Inter-Site Replication Topology

- Choosing Inter-Site Replication Transports

- Delegating Bridgehead Servers

- Examining the Inter-Site Topology Generator

- Determining the Least-Cost Spanning Tree

Inter-site replication topology refers to the configuration of replication between sites in a network. Planning replication topology includes choosing a replication transport and delegating bridgehead servers. The topology will depend on the scenario in which it is being applied. For example, a reliable network connection may use a synchronous transport, while an unreliable network connection may use an asynchronous transport.

Slide Objective To explain the factors to consider when planning inter-site replication in a Windows 2000-based network.

Lead-in Two sites are generally connected by slower links, and therefore appropriate planning is required to ensure appropriate replication between the sites.


Choosing Inter-Site Replication Transports

- Remote Procedure Calls (RPCs) over TCP/IP
  - Synchronous transfer
  - Requires reliable connections
  - Generates less traffic
  - Can be used with DCs in same domain

- Simple Mail Transfer Protocol
  - Asynchronous transfer
  - Used with unreliable connections
  - Generates more traffic
  - Cannot be used with DCs in same domain

You will need to select a transport method for inter-site replication. Windows 2000 provides two transport methods: remote procedure calls (RPCs) and Simple Mail Transfer Protocol (SMTP).

Remote Procedure Calls over TCP/IP RPCs sent over a TCP/IP connection use synchronous transport. The RPC transport appears as the IP transport option. To send data by using RPCs, a direct connection with the replication partner must be established. Thus, if the partner is unavailable, replication will not occur. With inter-site replication, a domain controller always pulls data from its replication partner. There is no notification of changes.

Simple Mail Transfer Protocol SMTP sends replication data as asynchronous e-mail messages. Because SMTP can store messages and then forward them, it is the ideal transport in an unreliable network. Active Directory allows the underlying SMTP messaging system to take care of routing. Schedules set on a connection using SMTP are ignored. Because the replication data must be encapsulated within an SMTP packet, the SMTP transport generates from 80 percent to 100 percent more traffic than RPCs.

The SMTP transport supports schema, configuration, and global catalog replication but cannot be used for replication between domain controllers that belong to the same domain. This is because some domain operations, such as Group Policy, require the support of the FRS, which does not yet support asynchronous transport for replication.

Note: If you plan to use SMTP, you will need to use RPC for intra-domain replication. Refer to Notes from the Field by MS Press.

Slide Objective To determine the appropriate transport to be used for replication between sites.

Lead-in You can use the RPC over TCP/IP transport for synchronous transfer of data and SMTP for asynchronous transfer of data.

Delegating Bridgehead Servers

[Slide diagram: sites Redmond and Charlotte, each containing domain controllers for contoso.msft and nwtraders.msft. One bridgehead pair is labeled "Bridgeheads for: contoso.msft, Schema & Config, Global Catalog"; the other is labeled "Bridgeheads for: nwtraders.msft".]

A bridgehead server is a single server in each site used for replication between sites. Connection objects are created between bridgehead servers. The KCC automatically designates the bridgehead server, or you can manually assign one for the appropriate transport (IP for RPC over IP, or SMTP for SMTP over IP).

Manual Bridgehead Configuration If you choose to manually configure a single domain controller as the preferred bridgehead server for a site, the KCC will only use that server. If that server is unavailable, the KCC will not automatically assign another. The KCC only chooses another bridgehead if you have not designated a preferred bridgehead server. However, if you have configured multiple domain controllers in the same site as preferred bridgehead servers, the KCC will then arbitrarily select one of these servers.

Multiple Naming Contexts Because a bridgehead server must be designated for each naming context, you may need multiple bridgehead servers. For example, you have two sites, Redmond and Charlotte, and two domains, contoso.msft and nwtraders.msft. Each site has a domain controller from each domain. In this case, replication of the two domain naming contexts can occur between the two sites only if the domain controllers for nwtraders.msft and contoso.msft are selected as bridgehead servers in each site. Therefore, if there is a single domain controller for a domain in a site, that domain controller must be a bridgehead server in its site because it can replicate domain data to only a domain controller in its own domain. In addition, that single domain controller must be able to connect to a bridgehead server in the other site that also holds the same domain naming context.
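The two rules above (a preferred bridgehead list replaces automatic selection, and every domain naming context needs a bridgehead at both ends) combine into a failure mode that is easy to miss in a design review. The following check is an added example, not Microsoft tooling: it applies those rules as this module states them, assumes a single IP transport, and uses hypothetical domain controller names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DC:
    name: str
    site: str
    domain: str
    preferred: bool = False  # manually designated preferred bridgehead
    online: bool = True


def usable_bridgeheads(dcs, site):
    """DCs the KCC may use as bridgeheads in a site, per the module's rules.

    If any preferred bridgehead is configured, only preferred servers are
    considered, even when all of them are offline. Otherwise any DC qualifies.
    """
    in_site = [d for d in dcs if d.site == site]
    preferred = [d for d in in_site if d.preferred]
    pool = preferred if preferred else in_site
    return [d for d in pool if d.online]


def blocked_domains(dcs, site_a, site_b):
    """Domains present in both sites whose naming context cannot replicate."""
    shared = ({d.domain for d in dcs if d.site == site_a}
              & {d.domain for d in dcs if d.site == site_b})
    blocked = []
    for domain in sorted(shared):
        covered = all(
            any(d.domain == domain for d in usable_bridgeheads(dcs, site))
            for site in (site_a, site_b)
        )
        if not covered:
            blocked.append(domain)
    return blocked


def sample_dcs(preferred=(), offline=()):
    """Constructed inventory: two sites, two domains, hypothetical DC names."""
    inventory = [
        ("RED-CON1", "Redmond", "contoso.msft"),
        ("RED-CON2", "Redmond", "contoso.msft"),
        ("RED-NWT", "Redmond", "nwtraders.msft"),
        ("CHA-CON", "Charlotte", "contoso.msft"),
        ("CHA-NWT", "Charlotte", "nwtraders.msft"),
    ]
    return [DC(n, s, d, preferred=n in preferred, online=n not in offline)
            for n, s, d in inventory]


if __name__ == "__main__":
    cases = {
        "automatic selection": sample_dcs(),
        "one preferred DC": sample_dcs(preferred={"RED-CON1"}),
        "one per domain": sample_dcs(preferred={"RED-CON1", "RED-NWT"}),
        "preferred DC down": sample_dcs(preferred={"RED-CON1", "RED-NWT"},
                                        offline={"RED-CON1"}),
        "same DC down, automatic": sample_dcs(offline={"RED-CON1"}),
    }
    for label, dcs in cases.items():
        print(f"{label}: blocked = {blocked_domains(dcs, 'Redmond', 'Charlotte')}")
```

The last two cases differ only in whether a preferred list exists: with automatic selection the second contoso.msft domain controller takes over, while with a preferred list the domain stops replicating until the designated server returns.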

Slide Objective To describe the guidelines to consider while delegating bridgehead servers in a site.

Lead-in A bridgehead server accommodates much more replication traffic than nonbridgehead servers.


Examining the Inter-Site Topology Generator

[Slide diagram: sites Redmond and Charlotte, each containing domain controllers for contoso.msft and nwtraders.msft, with bridgeheads and one ISTG marked in each site; labels for Global Catalog and Schema & Config.]

Topology generation for replication between sites is more complex than for replication within a site. In intra-site replication, the KCC assumes any server is capable of replicating with any other server. This is not the case with inter-site replication.

With intra-site replication, the KCC on each domain controller plays a role in topology generation. Similarly, each site plays a role in inter-site topology generation. One domain controller in each site assumes the role of inter-site topology generator (ISTG). By default, this is the first domain controller in the site. The KCC on this domain controller is responsible for creating the connections between the domain controllers in its site and the domain controllers in other sites. The KCC creates inbound connection objects between the bridgehead servers in its own site and the other sites.

There is only one ISTG for each site, regardless of the number of domains represented in the site. The ISTG reviews the site topology and creates the appropriate inbound connections for the site in which it resides.

If the ISTG determines that a connection object needs to be modified, it makes the change to its local Active Directory replica. The change propagates to the bridgehead servers in the site as part of normal replication. When the KCC on the bridgehead server reviews the new topology, it makes the received change.

Slide Objective To explain the function of an inter-site topology generator during replication between sites.

Lead-in Topology generation for replication between sites is more complex than for replication within a site.


Determining the Least-Cost Spanning Tree

| Type of Network Link | Proposed Assigned Cost |
|---|---|
| International Link | 5000 |
| Branch Office | 1000 |
| 56KB Link | 500 |
| T1 to backbone | 200 |
| Backbone Link | 1 |

The KCC uses a least-cost spanning tree algorithm to determine the replication topology between multiple sites and domains in the same forest. You set cost so the KCC will prefer certain routes.

To maximize efficiency and minimize cost, the replication topology must consider your network environment, physical location, and business needs. While the KCC generates the inter-site topology automatically, the settings on the site links are the factors that the KCC uses to consider the topology.

The default cost of a site link is 100. When setting costs, try to assign the same number to similar links. For example, if you have a T-1 connection that is at 30 percent utilization, and another T-1 at 35 percent utilization, assign the cost of 200 to each of them.
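To see how assigned costs shape the resulting topology, the following added example (a simplified illustration, not the KCC's actual implementation) derives the pairwise cost between sites under transitive site links and then builds a least-cost spanning tree with Kruskal's algorithm. The cost values come from the proposed-cost table above; the choice of which sites each link type connects, and the sites Branch-1 and Branch-2, are constructed for the example.

```python
from itertools import combinations

INF = float("inf")

# Proposed costs from the module's table.
COST = {"backbone": 1, "t1": 200, "56kb": 500, "branch": 1000,
        "international": 5000}

# Constructed topology: (site, site, cost). Branch-1 and Branch-2 are hypothetical.
SITE_LINKS = [
    ("Redmond", "Charlotte", COST["backbone"]),
    ("Charlotte", "Atlanta", COST["t1"]),
    ("Redmond", "Atlanta", COST["56kb"]),      # redundant slow link
    ("Charlotte", "Branch-1", COST["branch"]),
    ("Charlotte", "Branch-2", COST["branch"]),
    ("Redmond", "Paris", COST["international"]),
]


def transitive_costs(site_links):
    """All-pairs cost when site links are transitive (Floyd-Warshall)."""
    sites = sorted({s for a, b, _ in site_links for s in (a, b)})
    cost = {(a, b): (0 if a == b else INF) for a in sites for b in sites}
    for a, b, c in site_links:
        cost[a, b] = cost[b, a] = min(cost[a, b], c)
    for k in sites:
        for i in sites:
            for j in sites:
                if cost[i, k] + cost[k, j] < cost[i, j]:
                    cost[i, j] = cost[i, k] + cost[k, j]
    return sites, cost


def least_cost_spanning_tree(site_links):
    """Kruskal's algorithm over every reachable site pair; returns (a, b, cost)."""
    sites, cost = transitive_costs(site_links)
    parent = {s: s for s in sites}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]  # path halving
            s = parent[s]
        return s

    candidates = sorted((cost[a, b], a, b)
                        for a, b in combinations(sites, 2) if cost[a, b] < INF)
    tree = []
    for c, a, b in candidates:
        root_a, root_b = find(a), find(b)
        if root_a != root_b:  # skip pairs that are already connected
            parent[root_a] = root_b
            tree.append((a, b, c))
    return tree


if __name__ == "__main__":
    for a, b, c in least_cost_spanning_tree(SITE_LINKS):
        print(f"{a} <-> {b} (cost {c})")
```

In the result both branch sites attach to Charlotte and never to each other (their pairwise cost is 2000), and the 56KB Redmond-Atlanta link is left out because the route through Charlotte costs 201.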

Slide Objective To explain the purpose of determining the least-cost spanning tree in an Active Directory environment.

Lead-in You assign costs to site links to ensure that the site links used for replication are from the fastest links to the slow links in the network.


#### Planning for Server Placement in Sites

- Placing Global Catalog Servers

- Planning Placement of Operations Masters

- Demonstration: Active Directory Sizer

A site consists of domain controllers, global catalog servers, operations masters, and bridgehead servers. For the appropriate utilization of these servers, it is important to plan their placement in sites. Planning server placement includes determining the need for a server in a network and, if it is required, determining the number of servers that will result in optimum utilization of the servers.

Slide Objective To describe the guidelines to consider when planning placement of servers in a site.

Lead-in You need to follow certain guidelines to ensure the optimal usage of server resources in a site.


Placing Global Catalog Servers

[Slide diagram: Global Catalog Server; LDAP query port 3289; Exchange 2000 Server.]

In an ideal environment, there would be a global catalog server at each site that can service query requests for the entire directory over the LAN. However, this many global catalog servers may significantly increase network traffic because of the partial replication of all objects from all domains. Consider the following guidelines for placing global catalog servers:

- A global catalog server must have the capacity to hold partial replicas of all objects from all other domains in the Active Directory.

- The best query performance results from placing a domain controller designated as a global catalog server at small sites, thereby enabling the server to fulfill queries about objects in all domains in the Active Directory.

- Once a domain has been placed in native mode, a user will be unable to log on to the network without a global catalog server, unless the option allowing a user to log on using cached credentials is enabled.

Instead of placing a global catalog server at all sites, you can place one in each major site, in a regional Information Technology (IT) hub, or in a location on the WAN in which a large number of people and resources are present.

Microsoft Exchange 2000 Microsoft Exchange 2000 uses the Active Directory directory service as its directory. All mailbox names are resolved through queries that go through Active Directory. When a query occurs, Exchange queries a global catalog server. The number of queries a global catalog server must handle can increase extensively in a large Exchange environment. Try to place a global catalog server in each site that contains an Exchange server.

Slide Objective To explain the guidelines for placing global catalog servers in Active Directory.

Lead-in The global catalog server contains a partial replica of every Windows 2000 domain in a network.


Planning Placement of Operation Masters

[Slide diagram: forest root domain nwtraders.msft holds the Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master; child domains na.nwtraders.msft and sa.nwtraders.msft each hold a RID Master, PDC Emulator, and Infrastructure Master.]

Operations masters control critical single master updates that cannot be easily resolved using multi-master replication. The placement of the operations masters needs to be considered.

Schema Master The schema master is the only domain controller on which you can make schema modifications. By default, it is the first domain controller in the Active Directory forest. There is one schema master per enterprise.

Domain Naming Master The domain naming master is used when domains are added or removed from the Active Directory forest. It allows the definition of new cross-reference objects representing domains and external directories, and prevents duplication of domain names. If the domain naming master is unavailable, you cannot add or remove domains. By default, the first server created in the forest is the domain naming master. There is one domain-naming master per enterprise.

Primary Domain Controller Emulator The Primary Domain Controller (PDC) emulator replaces a Windows NT 4.0 primary domain controller, but is necessary in Windows 2000-based networks as well. When a user changes his or her password, the change is sent to the PDC emulator immediately. If a user is unable to log on due to an incorrect password, the authenticating domain controller always checks with the PDC emulator before denying the logon request. If an account is locked out, this change is also immediately sent to the PDC emulator. There is one PDC emulator per domain.

Slide Objective To explain how placement of operation masters can be planned in an Active Directory environment.

Lead-in Operations masters control critical single master updates that cannot be easily resolved using multi-master replication.


Relative Identifier Master Each object created in Active Directory has a security identifier (SID), a number unique within the domain. A portion of that number is the relative identifier (RID). To ensure a unique SID within a domain, each domain controller is assigned a pool of numbers to use for the RID of each object. The RID master assigns these numbers to each domain controller in its domain. By default, once a domain controller has used 450 of its 500 numbers, it contacts the RID master for a new pool of numbers. There is one RID master per domain.

Infrastructure Master The infrastructure master for a domain is responsible for updating the cross-domain references if the name of an object is changed. When an object name changes, the object receives a new distinguished name, and possibly a new SID if the object is moved to another domain. The infrastructure master removes any inconsistencies by matching the SID and the distinguished name of the object with its globally unique identifier (GUID). The infrastructure master updates these references locally and uses replication to bring all other replicas of the domain up-to-date. If the infrastructure master is unavailable, these updates are delayed.

It is recommended that only domain controllers that are not global catalog servers act as infrastructure masters. A global catalog server would not identify inconsistencies in these cross-domain references because it has all objects in its directory database. There is one infrastructure master per domain.


Demonstration: Active Directory Sizer

Active Directory Sizer is a tool that the network architect can use to estimate replication traffic and server requirements based on parameters entered by the user. The parameters requested characterize the network and Active Directory tasks required on the network. Active Directory Sizer also estimates the size of the Active Directory and is used to plan sites and site links.

Slide Objective To demonstrate the use of Active Directory Sizer.

Lead-in Active Directory Sizer will be used in the following lab.


Lab A: Planning Sites to Control Active Directory Replication

Objectives After completing this lab, you will be able to:

- Use the Active Directory Sizer to determine placement of Active Directory servers.

- Create an optimal Active Directory replication plan for an organization.

Prerequisites Before working on this lab, you must have:

- Knowledge of the advantages and disadvantages of intra-site and inter-site Active Directory replication.

- Knowledge of types of information needed to make a site determination.

Estimated time to complete this lab: 45 minutes

Slide Objective To introduce the lab.

Lead-in In this lab, you will create an optimal replication plan for an organization.

Explain the lab objectives.


Exercise 1 Site Planning for a Medium-sized Organization

You will have 30 minutes to complete this exercise. You will create an optimal Active Directory site plan for Woodgrove Bank, a medium-sized company.

Scenario Woodgrove Bank is a regional bank with 200 branches located in Ohio, Illinois, and Indiana. Below is a map of Woodgrove Bank's regional centers. Each regional center has its own IT staff that reports back to the corporate IT staff based in Chicago. Woodgrove Bank has chosen a single domain strategy with the domain name of corp.woodgrove.msft and three sites: Chicago, Indianapolis, and Columbus.

Woodgrove Bank officials have provided you with the following information about the number of users supported at each regional center.

| Site | Number of Branches | Total Users |
|---|---|---|
| Chicago | 100 | 2,675 |
| Indianapolis | 60 | 1,350 |
| Columbus | 35 | 925 |
| Total | 195 | 4,950 |

[Map: Woodgrove Bank regional centers Chicago, Indianapolis, and Columbus, each with branch offices; links labeled T-1 20%, T-1 28%, and 56K.]


You have consulted the various IT groups at Woodgrove Bank regarding their network and desktop utilization. The information they provided is summarized in the following table:

Item Information

Percent of users concurrently active 90

Average additional attributes 25

Average groups per user 30

Average interactive logon rate peak per second 5

Average batch logon rate peak per second 0

Average network logon rate peak per second 25

Password Expiration in days 45

Additional ACEs 100

Windows 2000 computers 1,000

Other computers 4,000

Other objects to be published 2,030

Desired Average CPU utilization 60%

Preferred DC CPU Auto Select

Number of Processors in DC Auto Select

Object additions per week 20

Object deletions per week 15

Object modifications per week 500

Microsoft Exchange 2000 messages 75

Microsoft Exchange 2000 recipients per message 15

Windows 2000 DNS Yes

Dial-in connections 100

DHCP Lease Expiration in days 12

DNS NoRefreshInterval in days 7

Other Active Directory Services None

Criteria Woodgrove Bank has chosen:

- A single domain strategy.

- A domain name of corp.woodgrove.msft.

- Three sites: Chicago, Indianapolis, and Columbus.


Decisions Use the Active Directory Sizer to help you develop a site plan for Woodgrove Bank.

To determine server placement with the Active Directory Sizer, perform the following steps:

1. On the Start menu, point to Programs, point to Active Directory Sizer, and then click Active Directory Sizer.

2. In the Active Directory Sizer dialog box, on the menu bar, click File, and then click New.

3. When prompted by the Active Directory Sizer wizard, use the information provided in the scenario to complete the wizard.

4. To accept your wizard entries and close the wizard, click Finish. In the console tree, under Domain Configuration, the domain corp.Woodgrove.msft appears. In the console tree under Site Configuration, a default site named Default-First-Site appears.

5. To add a new site, on the console tree, right-click Site Configuration and then click Add Site.

6. In the New Site dialog box, in the Site Name box, enter the name of one of the sites given for corp.woodgrove.msft.

7. Click Apply.

8. Repeat steps 6 and 7 for the other two sites, and then click OK.

Three new sites should appear in the console tree. At this point, all users are still contained in the Default-First-Site.

9. To distribute users from the Default-First-Site to their specified sites, on the console tree, right-click Default-First-Site, and then click Distribute Users.

10. In the Distribute Users dialog box, from the Source Site list, click Default-First-Site (the site that contains the users that will be moved).

11. In the Users to Move box, enter the number of users that will move to the new site.

12. From the Destination Site list, click the site to which the users will move.

13. Click Apply.

14. Repeat steps 10 through 13 until all users have been removed from Default-First-Site, and then click OK. You have successfully created sites and populated them with users.

15. To view the site report, in the console tree, under Domain Configuration, click corp.woodgrove.msft. The site report appears in the details pane. The site report specifies the recommended distribution of DCs, bridgehead servers, and global catalogs by site.

16. On the following graphic, indicate the location and number of devices.

17. Where will you locate the following operations masters?

Role Site

PDC Emulator Chicago

RID Master Chicago

ISTG Chicago

Schema Master Chicago

Domain Naming Master Chicago

[Graphic, answer key: map of Chicago, Indianapolis, and Columbus with branch offices and links labeled T-1 20%, T-1 28%, and 56K. Each of the three sites is marked DCs 1, GCs 1.]

[Graphic, student worksheet: the same map with blank "DCs ____ GCs ____" fields for each of the three sites.]

Exercise 2: Planning for Site Replication at a Large Organization

You will have 30 minutes to complete this exercise. You will create an optimal Active Directory replication plan for a large organization.

Scenario Quality Computer Manufacturing Company is an international manufacturer of server and workstation computers. They have four regional headquarters in Chicago, Buenos Aires, Frankfurt, and Tokyo, with 17 additional distribution centers worldwide.

The corporate headquarters is also located in the Chicago office. Each regional headquarters has a human resources, sales, marketing, manufacturing, and distribution function. The number of employees in each regional office is as follows:

| Office | Users |
|---|---|
| Chicago | 5,000 |
| Buenos Aires | 2,700 |
| Frankfurt | 2,800 |
| Tokyo | 2,450 |

[Map: regional headquarters Chicago, Buenos Aires, Frankfurt, and Tokyo; links labeled 56K, T1, T3, and T1.]

In addition to the regional offices, there are distribution centers. You have prepared the following table to summarize the locations of the distribution centers and the number of users at each location. Asterisks indicate distribution centers that need at least one domain controller.

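| Region | Headquarters | Distribution Center | Users |
|---|---|---|---|
| North America | Chicago | Toronto* | 95 |
| | | New York* | 130 |
| | | Los Angeles* | 75 |
| | | Houston* | 105 |
| | | Seattle | 15 |
| | | Atlanta | 11 |
| South and Central America | Buenos Aires | Mexico City* | 80 |
| | | Panama City | 15 |
| | | Sao Paolo* | 55 |
| | | Caracas | 12 |
| Europe and Africa | Frankfurt | London* | 68 |
| | | Stockholm* | 110 |
| | | Istanbul | 10 |
| | | Rome | 12 |
| | | Nairobi* | 95 |
| Asia and Oceania | Tokyo | Hong Kong* | 150 |
| | | Singapore | 12 |
| | | Bangkok | 15 |
| | | Sydney* | 90 |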

Criteria Quality Computers has chosen:

- A single domain strategy

- A domain name of qualitycomputer.msft

Decisions Based on the information presented in the scenario, use the table to identify the number of users at each site.

Site name Number of users

Chicago 5,000 + 15 + 11 = 5,026

Buenos Aires 2,700 + 15 + 12 = 2,727

Frankfurt 2,800 + 10 + 12 = 2,822

Tokyo 2,450 + 12 + 15 = 2,477

Toronto 95

New York 130

Los Angeles 75

Houston 105

Mexico City 80

Sao Paolo 55

London 68

Stockholm 110

Nairobi 95

Hong Kong 150

Sydney 90


You consulted the various IT groups at Quality Computing regarding their network and desktop utilization. The information they provided is summarized in the following table.

Item Information

Total Users in the domain 14,105

Percent active during peak hours 45

Average additional attributes 25

Average groups per user 30

Average interactive logon rate peak per second 10

Average batch logon rate peak per second 0

Average network logon rate peak per second 500

Password Expiration in days 45

Additional ACEs 110

Windows 2000 computers 5,000

Other computers 9,105

Other objects to be published 5,000

Desired Average CPU utilization 70%

Preferred DC CPU Auto Select

Number of Processors in DC Auto Select

Object additions per week 80

Object deletions per week 20

Object modifications per week 1,500

Microsoft Exchange 2000 messages 50

Microsoft Exchange 2000 recipients per message 25

Windows 2000 DNS Yes

Dial-in connections 1,100

DHCP Lease Expiration in days 15

DNS NoRefreshInterval in days 7

Other Active Directory Services None

Use the Active Directory Sizer to help you develop a site plan for Quality Computers.

To determine server placement, perform the following steps:

1. On the Start menu, point to Programs, point to Active Directory Sizer, and then click Active Directory Sizer.

2. In the Active Directory Sizer dialog box, on the menu bar, click File, and then click New.

3. When prompted by the Active Directory Sizer wizard, use the information you gathered plus the scenario to complete the wizard.

4. To accept your wizard entries and to close the wizard, click Finish.

In the console tree, under Domain Configuration, the domain qualitycomputer.msft appears. In the console tree under Site Configuration, a default site named Default-First-Site appears.

5. To add sites to the domain, on the console tree, right-click Site Configuration, and then click Add Site.

6. In the New Site dialog box, in the Site Name box, enter the name of one of the sites that you previously specified.

7. Click Apply.

8. Repeat steps 6 and 7 until all new sites have been added, and then click OK.

All new sites that you previously identified should appear in the console tree. However, all users are still contained in the Default-First-Site.

9. To distribute users from the Default-First-Site to their specified sites, on the console tree, right-click Default-First-Site and then click Distribute Users.

10. In the Distribute Users dialog box, from the Source Site list, click Default-First-Site (the site that contains the users that will be moved).

11. In the Users to Move box, enter the number of users that will move to the new site.

12. From the Destination Site list, click the site to which the users will move.

13. Click Apply.

14. Repeat steps 10 through 13 until all users have been removed from Default-First-Site, and then click OK. You have successfully created sites and populated them with users.

15. To view the site report, in the console tree, under Domain Configuration, click qualitycomputer.msft. The site report shows the recommended distribution of DCs, bridgehead servers, and global catalogs by site. From the site report for qualitycomputer.msft, complete the following table.

Site name Users DCs GCs

Chicago 5,026 2 1

Buenos Aires 2,727 1 1

Frankfurt 2,822 1 1

Tokyo 2,477 1 1

Toronto 95 0 1

New York 130 0 1

Los Angeles 75 0 1

Houston 105 0 1

Mexico City 80 0 1

Sao Paolo 55 0 1

London 68 0 1

Stockholm 110 0 1

Nairobi 95 0 1

Hong Kong 150 0 1

Sydney 90 0 1

If asked, remind the students that the global catalog servers will also serve as bridgehead servers.


Review

- Using Sites in Active Directory

- Assessing the Need for Active Directory Sites

- Using Site Links in a Network

- Planning the Inter-Site Replication Topology

- Planning for Server Placement in Sites

1. How would you balance the different replication factors while planning for replication within a site?

   Keep replication latency within a site as low as possible. Keeping the replication latency low requires additional bandwidth; however, computers within a site are generally connected with high bandwidth connections, so you can take advantage of the high bandwidth and have low replication latency.

2. Identify the components of site links that need to be considered before planning for site links in a network.

   The four site-link components are Transport, Member sites, Cost and Schedule.

Slide Objective To reinforce module objectives by reviewing key points.

Lead-in The review questions cover some of the key concepts taught in the module.


3. Which are the two transports that can be used for inter-site replication?

   RPCs over TCP/IP and SMTP are the two types of transports that can be used for inter-site replication. RPCs over TCP/IP is a synchronous transport and can, therefore, easily be used for reliable networks. SMTP is an asynchronous transport and is, therefore, preferable for unreliable networks.

4. Identify the important factors that you would consider while assessing the need for a site in an Active Directory environment.

   The factors that are used to assess the need for sites in an Active Directory are requirement of a domain controller, bandwidth availability, and estimation of replication traffic.