www.technocorp.co.in
Module Overview
• Configure Sites and Subnets
• Configure the Global Catalog and Application Partitions
• Configure Replication
Configure Sites and Subnets
• Understand Sites
• Plan Sites
• Create Sites
• Manage Domain Controllers in Sites
• SRV Records for Domain Controllers
• How a Client Locates a Domain Controller
Understand Sites
• Loosely related to network “sites”
• A highly connected portion of your enterprise
• Active Directory objects that support:
• Replication
  • Active Directory changes must be replicated to all DCs
  • Some DCs might be separated by slow, expensive links
  • Balance between replication “cost” and convergence
• Service localization
  • Domain controllers (LDAP and Kerberos)
  • DFS
  • Active Directory–aware (site-aware) applications
  • Location property searching, for example printer location
Plan Sites
• Active Directory sites may not map one-to-one to network sites
• Two locations that are well connected may be one Active Directory site
• A large enterprise on a highly connected campus (one network “site”) may be broken into multiple Active Directory sites for service localization
• Criteria
  • Connection speed: a 512 kbps link is the guideline, but links as slow as 28 kbps are used
  • Service placement: if there are no domain controllers or Active Directory–aware services at a location, you might not need to create a site
  • User population: if the number of users warrants a domain controller, consider a site
  • Directory query traffic generated by users or applications
  • Desire to control replication traffic between domain controllers
Create Sites
• Active Directory Sites and Services
• Default-First-Site-Name
  • Should be renamed to something meaningful
• Create a site
  • Assign it to a site link (a site in no site link replicates with no other site)
• Create a subnet
  • Assign it to a site
  • A site can have more than one subnet
  • A subnet can be associated with only one site
  • A client whose address matches no defined subnet gets no site and will use any DC in the domain
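The create-site procedure above as one scripted sequence, using the ActiveDirectory PowerShell module. This is an added example and not part of the original deck; the site names (HQ, Branch01), subnets and site link name are assumptions, and it needs the RSAT ActiveDirectory module and rights to write to the Configuration partition.

```powershell
# Added example: build the site topology described above with the ActiveDirectory module.
# Assumed names: sites HQ and Branch01, subnets 10.1.0.0/16 and 10.2.0.0/24, site link HQ-Branch01.
Import-Module ActiveDirectory

# 1. Rename Default-First-Site-Name instead of leaving the default in place.
Get-ADReplicationSite -Identity 'Default-First-Site-Name' -ErrorAction SilentlyContinue |
    Rename-ADObject -NewName 'HQ'

# 2. Create the branch site.
New-ADReplicationSite -Name 'Branch01' -Description 'Branch office, WAN-connected'

# 3. Put both sites in a site link. A site created with the cmdlet is not added to
#    DEFAULTIPSITELINK automatically, and a site in no link replicates with nobody.
New-ADReplicationSiteLink -Name 'HQ-Branch01' `
    -SitesIncluded 'HQ', 'Branch01' `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15

# 4. Create subnets and associate each with exactly one site.
#    A site may own many subnets; a subnet belongs to one site only.
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'HQ'
New-ADReplicationSubnet -Name '10.2.0.0/24' -Site 'Branch01'

# 5. Verify: every subnet should resolve to a site, every site should be in at least one link.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Clients whose addresses fall outside every defined subnet are not site-less silently: each DC logs them as Netlogon event 5807 and lists them in %SystemRoot%\debug\netlogon.log, so a periodic sweep of that log is the practical check that the subnet list is complete.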
Manage Domain Controllers in Sites
• Domain controllers should be in the correct site
• The Servers container of a site shows only domain controllers, not all servers
• Add a domain controller to a site
  • The first domain controller will be in Default-First-Site-Name
  • Additional domain controllers are added to sites based on their subnet address
  • DCPromo prompts you for the site
  • You can right-click the Servers container of a site and pre-create the server object before promoting the domain controller
• Move a domain controller to a new site: right-click the domain controller and click Move
SRV Records for Domain Controller
• Domain controllers register service locator (SRV) records in DNS, for example:
  • _ldap._tcp.contoso.com (and _ldap._tcp.dc._msdcs.contoso.com): all DCs in the domain
  • _ldap._tcp.siteName._sites.contoso.com: all DCs in site siteName
  • Kerberos KDCs register the equivalent _kerberos._tcp records
• Clients query DNS for domain controllers; a DC whose site-specific records are missing is invisible to site-aware lookups
How Client Locates Domain Controller
1. New client queries for all domain controllers in the domain
  • Retrieves SRVs from _ldap._tcp.domain
2. Sends an LDAP ping (CLDAP over UDP 389) to those domain controllers
3. First domain controller to respond
  • Examines the client IP against the subnet definitions
  • Refers the client to a site
4. Client stores the site in the registry (Netlogon's DynamicSiteName value)
5. Client queries for all domain controllers in the site
  • Retrieves SRVs from _ldap._tcp.site._sites.domain
6. Sends an LDAP ping to those domain controllers
7. First domain controller to respond
  • Authenticates the client
  • Client forms an affinity with that domain controller
8. Subsequently
  • Client binds to the affinity domain controller
  • Affinity domain controller offline? Client queries for domain controllers in the registry-stored site
  • Client moved to another site? The domain controller refers the client to the correct site
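The locator steps above, reproduced from a domain-joined client so you can see each piece of state the algorithm uses. This is an added example, not from the original deck; the domain name is an assumption, and the script is read-only apart from the nltest /force call, which makes the client rediscover a DC.

```powershell
# Added example: walk the DC locator steps from a client. Domain name is an assumption.
$domain = 'contoso.com'

# Step 1: SRV records for all DCs in the domain (what a client with no known site asks for).
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# Step 4: the site the client was referred to is cached under Netlogon's parameters.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$site = (Get-ItemProperty -Path $nl -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName
"Cached site: $site"

# Step 5: SRV records scoped to that site. An empty answer here means the site's DCs never
# registered their site-specific records, and clients fall back to the domain-wide list.
if ($site) {
    Resolve-DnsName -Type SRV -Name "_ldap._tcp.${site}._sites.dc._msdcs.$domain" |
        Where-Object { $_.QueryType -eq 'SRV' } |
        Select-Object NameTarget, Port
}

# Steps 2-3 and 6-7 happen inside Netlogon; /force discards the affinity DC and
# redoes the discovery, and the output shows the DC chosen and its site.
nltest /dsgetdc:$domain /force

# The site Netlogon believes the client is in, which should match the cached value.
nltest /dsgetsite
```

When the DC named by nltest is in a different site than the client, the cause is almost always a missing subnet definition or stale site-specific SRV records rather than the client itself.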
Configure the Global Catalog and Application Partitions
• Review Active Directory Partitions
• Understand the Global Catalog
• Global Catalog Server Placement
• Configure a Global Catalog Server
• Universal Group Membership Caching
• Understand Application Directory Partitions
Review Active Directory Partitions
• The Active Directory database on a domain controller holds three partitions:
  • Schema (forest-wide): definitions and rules for creating and manipulating objects and attributes
  • Configuration (forest-wide): information about the Active Directory structure (sites, site links, services)
  • Domain (per domain): information about domain-specific objects
• Replica types
  • Full replica (writable DC)
  • Read-only replica (RODC)
    • Does not include secrets (passwords) by default
    • Replicates passwords only for accounts allowed by its Password Replication Policy
Understand the Global Catalog
• The global catalog hosts a partial attribute set for the other domains in the forest
• Supports queries for objects throughout the forest
• [Diagram: a domain controller in Domain A holds the Domain A, Configuration and Schema partitions; a global catalog server in Domain A additionally holds a partial replica of Domain B]
Global Catalog Server Placement
• Recommendation: make every DC a global catalog
• In particular:
  • If an application in a site queries the global catalog (port 3268, or 3269 for LDAP over SSL)
  • If a site contains an Exchange server
  • If the connection to a GC in another site is slow or unreliable
• [Diagram: Headquarters holds a GC with Domain A, Domain B, Configuration and Schema; Branch A holds a DC with Domain A, Configuration and Schema. Make it a GC?]
Configure a Global Catalog Server
• In Active Directory Sites and Services, right-click the NTDS Settings node under the server object, click Properties, and select Global Catalog
• The DC advertises itself as a GC (registers _gc SRV records, listens on 3268) only after the partial replicas of the other domains have finished replicating in
Universal Group Membership Caching
• Universal group membership is stored in the global catalog
• Normal logon: the user's token is built with universal groups obtained from a global catalog
• Global catalog not available at logon: the domain controller denies the logon
• If every domain controller is a global catalog, this is never a problem
• If connectivity to a global catalog is not reliable:
  • Domain controllers can cache a user's universal group membership when the user logs on
  • Global catalog later unavailable: the user is authenticated with the cached universal groups
• In sites with unreliable connectivity to a global catalog, enable universal group membership caching
  • Right-click NTDS Site Settings in the site, click Properties, and select Enable Universal Group Membership Caching
  • Applies to all domain controllers in the site
  • The cache is refreshed from a GC every 8 hours by default, so removing a user from a universal group can take that long to be felt at the branch
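The two preceding slides as PowerShell: promoting a branch DC to global catalog, checking that it actually advertises, and the alternative of enabling universal group membership caching on the site. This is an added example, not from the original deck; the DC name BRANCHDC01 and site names Branch01 and HQ are assumptions.

```powershell
# Added example: make a DC a global catalog, or enable universal group membership caching
# for its site. DC and site names (BRANCHDC01, Branch01, HQ) are assumptions.
Import-Module ActiveDirectory

# Which DCs are GCs already? IsGlobalCatalog mirrors bit 0x1 of the NTDS Settings options attribute.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog

# Option A: make BRANCHDC01 a GC by setting bit 0x1 on its NTDS Settings object.
# This is exactly what ticking "Global Catalog" on the NTDS Settings properties page does.
$dc   = Get-ADDomainController -Identity 'BRANCHDC01'
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }

# Do not assume it is a GC yet: it advertises only after the partial replicas arrive.
# A registered _gc SRV record and an open port 3268 are the signs that it has.
$forestRoot = (Get-ADForest).RootDomain
Resolve-DnsName -Type SRV -Name "_gc._tcp.$forestRoot" |
    Where-Object { $_.QueryType -eq 'SRV' -and $_.NameTarget -like "$($dc.Name).*" }
Test-NetConnection -ComputerName $dc.HostName -Port 3268 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Option B: keep the branch DC a plain DC, but cache universal group membership for the site.
# This writes to the NTDS Site Settings object of Branch01; the refresh source is the HQ site.
Set-ADReplicationSite -Identity 'Branch01' `
    -UniversalGroupCachingEnabled $true `
    -UniversalGroupCachingRefreshSite 'HQ'

Get-ADReplicationSite -Identity 'Branch01' `
    -Properties UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite |
    Select-Object Name, UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite
```

Option B trades GC replication traffic for staleness: a user removed from a universal group at headquarters keeps that group in branch logons until the next cache refresh, so for privileged universal groups, option A is the safer choice.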
Configure Replication
• Understand Active Directory Replication
• Intrasite Replication
• Site Links
• Replication Transport Protocols
• Bridgehead Servers
• Site Link Transitivity and Bridges
• Control Intersite Replication
• Monitor and Manage Replication
Understand Active Directory Replication
• Multimaster replication's balancing act: “loose coupling”
  • Accuracy (integrity)
  • Consistency (convergence)
  • Performance (keeping replication traffic at a reasonable level)
• Key characteristics of Active Directory replication
  • Multimaster replication
  • Pull replication
  • Store-and-forward
  • Partitions
  • Automatic generation of an efficient and robust replication topology
  • Attribute-level replication
  • Distinct control of intrasite and intersite replication
  • Collision detection and remediation
Intrasite Replication
• Connection object: inbound replication to a DC
• The Knowledge Consistency Checker (KCC) creates the topology
  • Efficient (at most three hops between any two DCs) and robust (bidirectional ring) topology
  • Runs automatically every 15 minutes, but you can run “Check Replication Topology” on demand
  • Few reasons to manually create connection objects
  • Standby operations masters should have connections to the masters
• Replication
  • Notification: a DC tells its downstream partners a change is available (after 15 seconds, then 3 seconds between successive partners)
  • Polling: a DC checks with its upstream partners (every hour) for changes
  • The downstream DC's directory replication agent (DRA) pulls the changes
  • Changes to all partitions held by both DCs are replicated
• [Diagram: DC1, DC2 and DC3 connected in a ring]
Site Links
• The Intersite Topology Generator (ISTG) builds the replication topology between sites
• Site links
  • Contain two or more sites
  • Within a site link, the ISTG may create a connection object between bridgeheads in any two of its member sites
  • Not always appropriate given your network topology: a link containing many sites implies every one can reach every other directly
Replication Transport Protocols
• Directory Service Remote Procedure Call (DS-RPC)
  • Appears as IP in Active Directory Sites and Services
  • The default and preferred protocol for intersite replication
• Inter-Site Messaging over Simple Mail Transfer Protocol (ISM-SMTP)
  • Appears as SMTP in Active Directory Sites and Services
  • Rarely used in the real world
  • Requires a certification authority, since the messages are signed and encrypted
  • Cannot replicate the domain naming context, only the schema and configuration partitions (and GC partial replicas)
  • Therefore any site that uses SMTP to replicate must hold DCs of a different domain than its SMTP partners
Bridgehead Servers
• A bridgehead replicates changes from the bridgeheads in all other sites, and is polled for changes by them
• Selected automatically by the ISTG (new selection method in R2), or you can configure preferred bridgehead servers
• Firewall considerations: only the bridgeheads need RPC access across the site boundary (TCP 135 plus the dynamic, or registry-fixed, RPC port of the directory service)
• Performance considerations: a bridgehead carries all intersite replication for its partitions; if every preferred bridgehead for a partition is offline, the ISTG does not fall back to other DCs and that partition stops replicating between the sites
Control Intersite Replication
• Site link costs: replication follows the path with the lowest total cost
• Replication
  • Notifications off by default: bridgeheads do not notify partners (unless change notification is enabled on the link's options attribute)
  • Polling: the downstream bridgehead polls its upstream partners
    • Default: 3 hours (180 minutes)
    • Minimum: 15 minutes
    • Recommended: 15 minutes
• Replication schedules
  • 24 hours a day by default
  • Can be restricted to a window; changes queue until the window opens
• [Diagram: three sites joined by site links of cost 100, 100 and 300; replication prefers the two cost-100 links over the direct cost-300 link]
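The controls from this slide and the bridgehead slide as PowerShell: link cost and polling interval, a replication window, change notification on the link, and a preferred bridgehead. This is an added example, not from the original deck; the link name HQ-Branch01, the server HQDC01 and the 01:00 to 05:00 window are assumptions.

```powershell
# Added example: tune intersite replication on one site link and pin a bridgehead.
# Link, server and schedule values are assumptions.
Import-Module ActiveDirectory

# Cost and polling interval (slide: default 180 minutes, minimum and recommended 15).
Set-ADReplicationSiteLink -Identity 'HQ-Branch01' -Cost 100 -ReplicationFrequencyInMinutes 15

# Restrict replication to a daily window of 01:00 to 05:00.
$sched = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$sched.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::One,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Five,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
Set-ADReplicationSiteLink -Identity 'HQ-Branch01' -ReplicationSchedule $sched

# Turn on change notification for the link: bit 0x1 (USE_NOTIFY) of its options attribute.
# Read the current value first so that other bits (0x2 two-way sync, 0x4 no compression) survive.
$link = Get-ADReplicationSiteLink -Identity 'HQ-Branch01' -Properties options
Set-ADReplicationSiteLink -Identity $link -Replace @{ options = ([int]$link.options -bor 1) }

# Preferred bridgehead for the IP transport: bridgeheadTransportList on the server object.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$server = Get-ADObject -SearchBase $configNC `
    -Filter "objectClass -eq 'server' -and name -eq 'HQDC01'"
Set-ADObject -Identity $server -Replace @{ bridgeheadTransportList = $ipTransport }

# Review the result.
Get-ADReplicationSiteLink -Identity 'HQ-Branch01' -Properties options, replInterval, cost |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, options
```

A schedule window and a long polling interval both delay security-relevant changes (a disabled account, a password reset, removal from a group) reaching the branch; urgent replication of lockouts only crosses a site link when change notification is enabled on it, which in turn makes the link behave much like intrasite replication and undoes the bandwidth saving. When an urgent change cannot wait, push it with repadmin /replicate or /syncall rather than loosening the schedule.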
Whiteboard: Replication
• [Whiteboard diagram: Sites A, B, C and D, each with one or more IP subnets and a bridgehead (BH), joined by site links and a site link bridge; an RODC branch site with its own IP subnet hangs off the topology]
Monitor and Manage Replication
• RepAdmin
  • repadmin /showrepl hqdc01.contoso.com: inbound partners and the last result for each
  • repadmin /showconn hqdc01.contoso.com: connection objects
  • repadmin /showobjmeta hqdc01 "cn=Linda Miller,ou=…": per-attribute replication metadata (which DC last wrote each attribute, and when)
  • repadmin /kcc: run the KCC now
  • repadmin /replicate hqdc02 hqdc01 dc=contoso,dc=com: pull the domain partition from hqdc01 to hqdc02
  • repadmin /syncall hqdc01.contoso.com /A /e: synchronize all partitions (/A) across all sites (/e)
• DCDiag /test:testName, with testName one of:
  • FrsEvent or DFSREvent
  • Intersite
  • KccEvent
  • Replications
  • Topology
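A replication health sweep that combines the ActiveDirectory replication cmdlets with the repadmin and dcdiag commands listed above. This is an added example, not from the original deck; the domain name, the DC hqdc01 and the 24-hour staleness threshold are assumptions.

```powershell
# Added example: replication health sweep. Domain, DC name and threshold are assumptions.
Import-Module ActiveDirectory
$domain = 'contoso.com'

# Every inbound partner of every DC in the domain: who pulls from whom, and when it last worked.
$partners = Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain
$partners |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Sort-Object LastReplicationSuccess | Format-Table -AutoSize

# Stale links: a partner with no success in 24 hours has not received recent changes,
# so a disabled account or reset password may still be live there.
$stale = $partners | Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-24) }
"Stale replication links: $($stale.Count)"

# Accumulated failures with their error codes.
Get-ADReplicationFailure -Target $domain -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

# Connection objects, flagging any that were created by hand rather than by the KCC;
# a manual connection should have a known owner and reason.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated |
    Where-Object { -not $_.AutoGenerated }

# The same partner view from repadmin as CSV, which is easier to feed into a log pipeline.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status'

# After an urgent change: push all partitions across all sites from hqdc01, then re-test.
repadmin /syncall "hqdc01.$domain" /A /e
dcdiag /s:"hqdc01.$domain" /test:Replications
```

Run the sweep from a DC or an RSAT workstation with a domain account that can read the Configuration partition; the repadmin /syncall step is the only one that changes anything, and it should be reserved for a DC you trust to hold the most recent data.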