Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing and Administering AD DS Sites and Replication

Published byIgnacio Deane Modified over 9 years ago

Similar presentations

Presentation on theme: "Implementing and Administering AD DS Sites and Replication"— Presentation transcript:

1 Implementing and Administering AD DS Sites and Replication
Presentation: 60 minutes Lab: 30 minutes After completing this module, students will be able to: Describe Active Directory Domain Services (AD DS) replication. Configure AD DS sites. Configure and monitor AD DS replication. Required materials To teach this module, you need the Microsoft Office PowerPoint file 10969A_04.pptx. Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, all the features of the slides might not display correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations. Practice performing the labs. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This will allow you to provide meaningful hints to students who may get stuck in a lab, and it also will help guide your lecture to ensure that you cover the concepts that the labs cover. Preparation for Demonstrations This module contains a couple of demonstrations that require the virtual machines LON-DC1 and TOR-DC1. You should start these virtual machines now, and sign in to them to be prepared. Module 4 Implementing and Administering AD DS Sites and Replication (More notes on the next slide)

2 Configuring and Monitoring AD DS Replication
Module Overview 4: Implementing and Administering AD DS Sites and Replication Configuring and Monitoring AD DS Replication Preparation for Labs This module contains one lab at the end that requires the virtual machines LON-DC1 and TOR-DC1. You can ask students to prepare by starting these virtual machines now and logging on by using the credentials on the lab slide. Introduce the module by explaining how important it is that a large organization implements multiple domain controllers within AD DS. This concept leads to a discussion regarding AD DS replication and how it works. Ask students what would happen if AD DS data does not replicate consistently to all domain controllers. For example, if a user creates a user object on one domain controller, but that information does not replicate to all other domain controllers, the user will be able to authenticate only to the domain controller in which the account was created, resulting in a unreliable logon experience. Point out that multiple sites enable an enterprise administrator to control replication, with the added benefit of efficient authentication and local access to site-aware resources.

3 Lesson 1: Overview of AD DS Replication
4: Implementing and Administering AD DS Sites and Replication How SYSVOL Replication Works Briefly describe the topics in this lesson. This content has not changed much from older versions of Windows Server operating systems, so if your students have previous experience with AD DS replication, you can summarize the information in the topics instead of going into detailed conversation about the topic content.

4 What Are AD DS Partitions?
4: Implementing and Administering AD DS Sites and Replication Forest-wide information about the Active Directory structure Describe the information that each AD DS partition stores. Consider using the Active Directory Service Interfaces Editor (ADSIEdit.msc) to show each partition’s contents. Point out that Domain Name System (DNS) actually uses application partitions for distribution between domain controllers. By default, two application partitions for DNS zones are created in this case: ForestDNSZones, and DomainDNSZones. The ForestDNSZones zone replicates to all domain controllers, which are DNS servers in the forest. The DomainDNSZones zone replicates to all domain controllers, which are DNS servers in the domain. In Microsoft Windows 2000 Server, the default was that DNS records were replicated without the use of application partitions to every domain controller in the domain, even if a domain controller was not a DNS server. Configuration Forest-wide definitions and rules for creating and manipulating objects and attributes Schema Information about domain-specific objects Domain Information about applications Application Active Directory Database

5 Characteristics of AD DS Replication
4: Implementing and Administering AD DS Sites and Replication Multimaster replication ensures: Accuracy (integrity) Consistency (convergence) Performance (keeping replication traffic at a reasonable level) Key characteristics of Active Directory replication include: Multimaster replication Pull replication Store-and-forward replication Data store partitions Automatic generation of an efficient and robust replication topology Attribute-level replication Distinct control of intrasite and intersite replication Collision detection and management Discuss the replication model. It is important that students understand that they can make changes from any domain controller in the domain, except for read-only domain controllers (RODCs), and that those changes then replicate to all other domain controllers. Compare this with a single-master replication model, where you make changes on one domain controller only. Ask students what benefits and disadvantages result from using a multimaster replication model. Stress that this model results in a more complicated replication process than the single-master model, but that it provides more redundancy and scalability. Use that as a transition to introduce the concepts of integrity, convergence, and performance. In a multimaster database, these must be balanced. Go on to define the key design characteristics of AD DS replication, which the slide shows.

6 How AD DS Replication Works Within a Site
4: Implementing and Administering AD DS Sites and Replication Intrasite replication uses: Connection objects for inbound replication to a domain controller KCC to create topology automatically: Efficient (maximum three hops) and robust (two-way) topology Notifications, in which the domain controller tells its downstream partners that a change is available Polling, in which the domain controller checks with its upstream partners for changes: Downstream domain controller directory replication agent replicates changes Changes to all partitions held by both domain controllers are replicated Use this slide to explain how AD DS replication works within a site. Discuss, demonstrate, or illustrate the role of the Knowledge Consistency Checker (KCC) in creating connection objects to create an efficient (maximum three hops) and robust (two-way) topology. Emphasize that there are few reasons to create connection objects manually within a site. In fact, administrators have very few options by which they can modify the replication topology within a site. Then, move on to the replication itself. Mention that within a single site, the replication goal is to update all domain controllers as quickly as possible. However, when a change is made on a domain controller, the domain controller waits as long as 15 seconds to notify its partners of the change. This increases the efficiency of replication if additional changes are made to the partition. As you continue to discuss the slide, discuss the following: There is a maximum of 15 seconds to notify the partner of the change; this means, on average, changes replicate every 7.5 seconds. A maximum of three hops means that within 45 seconds (22.5 seconds on average), the entire site is updated with a change. This does not include the notification delay. Introduce the directory replication agent. Partitions that are replicated between two domain controllers on a connection object are replicated simultaneously. There is no way to time the partitions differently. Replication traffic is not compressed, because it is assumed that all domain controllers in the same site will be connected with a fast network connection with abundant available bandwidth. DC01 DC02 DC03

7 Resolving Replication Conflicts
4: Implementing and Administering AD DS Sites and Replication In multimaster replication models, replication conflicts arise when: The same attribute is changed on two domain controllers simultaneously An object is moved or added to a deleted container on another domain controller Two objects with the same relative distinguished name are added to the same container on two different domain controllers To resolve replication conflicts, AD DS uses: Version number Time stamp Server GUID Highlight that replication conflicts are not likely to be an issue in most organizations that have a managed AD DS change-control process. In most organizations, only one group is likely to make changes to the same objects in AD DS, and that group should have a communication process that ensures that conflicting changes do not happen. If students are interested in more details about how AD DS resolves replication conflicts, draw a diagram of several domain controllers and show how attribute numbers, time stamps, and server GUIDs always result in a conflict resolution.

8 How the Replication Topology Is Generated
4: Implementing and Administering AD DS Sites and Replication Global Catalog Server A1 A2 B2 B2 Domain B topology Schema and configuration topology Global catalog replication Use the additional slides to show how the replication topology works for each directory partition. Because the configuration and schema partition replicate throughout the forest, the replication topology crosses domain boundaries. The second part of the build slide describes the global catalog replication. Although the global catalog is not a directory partition, it uses the same replication process. Point out that you can run the ntdsutil \ partition management \ (connect) \ list command to see the global catalog partitions on the domain controllers. B1 B1 Domain Controllers in Another Global Catalog Server A3 A3 A4 A4 Global Catalog Server B3 B3 Domain A topology

9 How RODC Replication Works
4: Implementing and Administering AD DS Sites and Replication When an RODC is implemented: The KCC detects that it is an RODC and creates one-way only connection objects from one or more source domain controllers An RODC performs replicate-single-object inbound replication during: Password changes DNS updates to a writable DNS server Updates to various client attributes Begin this topic by explaining the benefits of an RODC. Stress that an RODC only has inbound connection objects so that it can replicate changes from writable domain controllers, and that only replicated changes are allowed. Since RODCs do not propagate changes, outbound connection objects are not necessary. RODCs are for scenarios with lower physical security that may get compromised. One security benefit is that RODCs never replicate information out to other domain controllers. Mention that there are some attributes that never replicate to an RODC, such as attributes that contain BitLocker Drive Encryption and recovery keys, and that client applications must be aware to request them from full domain controllers specifically, because the RODC always would return empty values. Mention scenarios in which changes may be made to an RODC. For example, if a hacker gains physical access to the domain controller, the attacker may be able to make changes to the Active Directory database. However, with an RODC in place, these changes will not replicate to any other domain controller. Mention that with an RODC, a single connection object is created, but only from the writable domain controller to the RODC. RODC Domain Controllers

10 How SYSVOL Replication Works
4: Implementing and Administering AD DS Sites and Replication SYSVOL contains logon scripts, Group Policy templates, and GPOs SYSVOL replication can take place by using: FRS, which is primarily used in Windows Server 2003 and older domain structures DFS Replication, which is used in Windows Server 2008 and newer domains To migrate SYSVOL replication from the FRS to DFS Replication: The domain’s functional level must be Windows Server 2008 or newer Use the Dfsrmig.exe tool to perform the migration Explain that it is critical that SYSVOL synchronizes between all domain controllers within a domain. Describe the benefits of using Distributed File System (DFS) Replication as opposed to the File Replication Service (FRS) for replication processes.

11 Lesson 2: Configuring AD DS Sites
4: Implementing and Administering AD DS Sites and Replication How Client Computers Locate Domain Controllers Within Sites Briefly describe the lesson content. Ask students if their organizations include multiple locations, and if so, what types of services those remote locations provide, such as domain controller authentication.

12 10969A What Are AD DS Sites? 4: Implementing and Administering AD DS Sites and Replication Sites identify network locations with fast, reliable network connections Sites are associated with subnet objects Sites are used to manage: Replication when domain controllers are separated by slow, expensive links Service localization: Domain controller authentication (LDAP and Kerberos protocol) Active Directory–aware (site aware) services or applications Provide the highest-level definition of a site: an object that supports replication and service localization. Stress the importance of maintaining subnet object-to-site mapping. Mention that when you install AD DS, a default site named Default-First-Site-Name is created. All computers, including domain controllers, are added automatically to the default site until you create and configure additional sites. Mention that an incorrect implementation of sites can cause problems later—for example, logon traffic over wide area network (WAN) links. Also, mention that recent versions of Microsoft Exchange Server use Active Directory sites to route . A1 A2 Site IP Subnets

13 Why Implement Additional Sites?
4: Implementing and Administering AD DS Sites and Replication Create additional sites when: A part of the network is separated by a slow link A part of the network has enough users to warrant hosting domain controllers or other services in that location You want to control service localization You want to control replication between domain controllers Explain that a location can contain more than one Active Directory site, or an Active Directory site may span more than one location. An important takeaway for this topic is that students should be able answer the question, “Would I want a separate site for this location?” A1 A1 A2 A2 Site A3 IP Subnets IP Subnets Site

14 Demonstration: Configuring AD DS Sites
4: Implementing and Administering AD DS Sites and Replication In this demonstration, you will see how to configure AD DS sites When you have completed the demonstration, leave the virtual machines running for subsequent demonstrations. Preparation Steps To complete this demonstration, make sure that the 10969A-LON-DC1 and the 10969A-TOR-DC1 virtual machines are running. Sign in to all virtual machines as Adatum\Administrator with the password Pa$$w0rd. You must complete the following steps before you can begin the demonstration: Switch to 10969A-TOR-DC1, and if necessary, sign in as Adatum\Administrator with the password Pa$$w0rd. On TOR-DC1, in Server Manager, click Manage, and from the drop-down box, click Add Roles and Features. On the Before you begin page, click Next. On the Select installation type page, confirm that Role-based or feature-based installation is selected, and then click Next. On the Select destination server page, ensure that Select a server from the server pool is selected, and that TOR-DC1.adatum.com is highlighted, and then click Next. On the Select server roles page, click Active Directory Domain Services. On the Add features that are required for Active Directory Domain Services? page, click Add Features, and then click Next. On the Select features page, click Next. On the Active Directory Domain Services page, click Next. On the Confirm installation selections page, click Install. This may take a few minutes to complete. (More notes on the next slide)

15 4: Implementing and Administering AD DS Sites and Replication
When the AD DS binaries have installed, click the blue Promote this server to a domain controller link. In the Deployment Configuration window, click Add a domain controller to an existing domain, and then click Next. In the Domain Controller Options window, ensure that both the Domain Name system (DNS) server and Global Catalog (GC) check boxes are selected. Confirm that Site name: is set to Default-First-Site-Name, and then under Type the Directory Services Restore Mode (DSRM) password, type Pa$$w0rd in both the Password and Confirm password boxes, and then click Next. On the DNS Options page, click Next. On the Additional Options page, click Next. On the Paths page, click Next. On the Review Options page, click Next. On the Prerequisites Check page, confirm that there are no issues, and then click Install. The server will restart automatically. After TOR-DC1 restarts, sign in as Adatum\Administrator with the password Pa$$w0rd. Note: You may decide to include these steps as part of your demonstration to enable students to see the process of promoting a server to a domain controller. Demonstration Steps Switch to LON-DC1, and in Server Manager, click Tools, and then click Active Directory Sites and Services. In Active Directory Sites and Services, expand Sites, and then click Default-First-Site-Name. Right-click Default-First-Site-Name, and then click Rename. (More notes on the next slide)

16 4: Implementing and Administering AD DS Sites and Replication
Type LondonHQ, and then press Enter. In the navigation pane, right-click Sites, and then click New Site. In the New Object – Site dialog box, in the Name text box, type Toronto. Select DEFAULTIPSITELINK, and then click OK. In the Active Directory Domain Services dialog box, click OK. In the navigation pane, right-click Subnets, and then click New Subnet. In the New Object – Subnet dialog box, in the Prefix text box, type /24. Under Select a site object for this prefix, click LondonHQ, and then click OK. In the New Object – Subnet dialog box, in the Prefix text box, type /24. Under Select a site object for this prefix, click Toronto, and then click OK. In the navigation pane, expand LondonHQ, and then expand Servers. Right-click TOR-DC1, and then click Move. In the Move Server dialog box, select Toronto, and then click OK. In the navigation pane, expand Toronto, and then expand Servers. Verify that TOR-DC1 is now located in the Toronto site.

17 How Replication Works Between Sites
4: Implementing and Administering AD DS Sites and Replication Replication within sites: Assumes fast, inexpensive, and highly reliable network links Does not compress traffic Uses a change notification mechanism Replication between sites: Assumes higher cost, limited bandwidth, and unreliable network links Has the ability to compress replication Occurs on a configured schedule Can be configured for immediate and urgent replications A1 Replication A2 Mention that creating sites is a primary means by which you can manage replication traffic across slow network connections. Replication between sites is compressed and is subject to a replication schedule. Mention that urgent changes, such as password changes, replicate between sites immediately, and to some extent, are not based on the replication schedule. Describe the difference between urgent and immediate replication. IP Subnets A1 Replication A2 IP Subnets B1 Replication B2 IP Subnets Replication

18 What Is the Intersite Topology Generator?
4: Implementing and Administering AD DS Sites and Replication ISTG defines the replication between AD DS sites on a network ISTG Mention that the intersite topology generator (ISTG) creates the replication topology between sites. ISTG uses KCC, but also adds an additional level of complexity when managing multiple sites. ISTG is an Active Directory process that defines replication between sites on a network. AD DS automatically designates a single domain controller in each site to act as the ISTG. Because this action occurs automatically, you do not have to perform any action to determine the replication topology and bridgehead server roles. Replication IP Subnets Replication Site Link ISTG IP Subnets

19 Overview of SRV Resource Records for Domain Controllers
4: Implementing and Administering AD DS Sites and Replication Domain controllers register SRV records as follows: _tcp.adatum.com: All domain controllers in the domain _tcp.sitename._sites.adatum.com: All services in a specific site Clients query DNS to locate services in specific sites Discuss how service (SRV) resource records help AD DS clients locate services on the network. Focus on how sites play a role in this service location process. Consider showing an example by using DNS Manager.

20 How Client Computers Locate Domain Controllers Within Sites
4: Implementing and Administering AD DS Sites and Replication The process for locating a domain controller occurs as follows: New client queries for all domain controllers in the domain Client attempts LDAP ping to find all domain controllers First domain controller responds Client queries for all domain controllers in the site Client attempts LDAP ping to find all domain controllers in the site, and the client stores domain controller and site name for further use Client forms an affinity with the domain controller, and the domain controller is used for the full logon process, including authentication, building the token, and building the list of GPOs to apply Use this topic to describe how a client locates a domain controller. Be sure to discuss how you can use sites to find the domain controller and service location, and what happens when a client moves to another site.

21 Lesson 3: Configuring and Monitoring AD DS Replication
4: Implementing and Administering AD DS Sites and Replication Tools for Monitoring and Managing Replication Briefly describe the lesson content.

22 What Are AD DS Site Links?
4: Implementing and Administering AD DS Sites and Replication Site links contain sites: Within a site link, a connection object can be created between any two domain controllers The default site link, DEFAULTIPSITELINK, is not always appropriate given your network topology Point out that even with multiple sites that have a distinct hub-and-spoke network topology, all routers go through the headquarters. If AD DS has the sites on one site link, it may create connection objects between domain controllers in the spokes. To align your network topology with Active Directory replication, it may be necessary to create specific site links and ensure that the DEFAULTIPSITELINK is not used. Additionally, you must turn off site link bridging, which the next topic discusses. This is not a design class, so discuss the subject matter at a level that allows students to understand why the tasks are done, but does not delve too deeply into design concepts. SEA AMS Beijing HQ HQ-SEA Site Link DEFAULTIPSITELINK

23 What Is Site Link Bridging?
4: Implementing and Administering AD DS Sites and Replication By default, automatic site link bridging: Enables ISTG to create connection objects between site links Allows disabling of transitivity in the properties of the IP transport Site link bridges: Enable you to create transitive site links manually Are useful only when transitivity is disabled To describe site link bridging, mention that by default, site links are transitive, or bridged. For example, if site A has a common site link with site B, and site B has a common site link with site C, then the two site links are bridged. Therefore, domain controllers in site A can replicate directly with domain controllers in site C, even though there is no site link between sites A and C. In other words, the effect of bridged site links is that replication between sites in the bridge is transitive. If the routing configuration for an organization is such that all domain controllers in all sites can communicate directly with domain controllers in other sites, you do not need to change the default configuration. However, you can modify the replication topology, and then force additional hops in the replication process by disabling automatic site link bridging for all site links, and creating new site link bridges. SEA AMS Beijing HQ HQ-SEA Site Link Bridge HQ-Beijing Site Link HQ-AMS Site Link

24 What Is Universal Group Membership Caching?
4: Implementing and Administering AD DS Sites and Replication Universal group membership caching enables domain controllers in a site with no global catalog servers to cache universal group membership Universal group membership caching makes it possible to log on to AD DS without contacting a global catalog. Once this option is enabled and a user attempts to log on for the first time, universal group membership is cached on nonglobal catalog domain controllers. Once this information is obtained from a global catalog, it is cached indefinitely on the domain controller for the site and is updated periodically. By default, updates occur every eight hours. Enabling this feature results in faster logon times for users in remote sites without global catalogs because the authenticating domain controllers do not have to access a global catalog. Organizations may choose to use universal group membership caching for a site for which they do not want to deploy a global catalog server. Mention that replication has improved over the years, and that the best practice recommendation for most scenarios is to have a global catalog on every domain controller. One of the historical concerns with global catalogs was the schema update in Windows 2000 Server, which would trigger re-initialization of the global catalogs. You may want to discuss that universal group membership caching can be a security risk when an administrator relies on removing a user from a group. Universal group membership caching is not updated with replication and the users has up to eight hours access, and even more when the WAN link becomes offline. It also is somewhat unpredictable. When users log on the first time at a remote site, if the global catalog is not available, the behavior is different than for users who logged on previously. Because of these issues, universal group membership caching is not typically a recommended approach. Global Catalog Server Bridgehead Server IP Subnets Bridgehead Server IP Subnets

25 Managing Intersite Replication
4: Implementing and Administering AD DS Sites and Replication Site link costs: Replication uses the connection with the lowest cost Replication: Polling: Downstream bridgehead polls upstream partners Default is 3 hours Minimum is 15 minutes Recommended is 15 minutes Replication schedules: 24 hours a day Can be scheduled Describe the options for configuring intersite replication. The next topic provides a demonstration of these options.

26 Demonstration: Configuring AD DS Intersite Replication
4: Implementing and Administering AD DS Sites and Replication In this demonstration, you will see how to configure AD DS intersite replication Leave the virtual machines running for subsequent demonstrations. Preparation Steps To complete this demonstration, you must have the 10969A-LON-DC1 and the 10969A-TOR-DC1 virtual machines running. Sign in to all virtual machines as Adatum\Administrator with the password Pa$$w0rd. You also must have completed all previous demonstrations in this module. Demonstration Steps On TOR-DC1, in Server Manager, click Tools, and then click Active Directory Sites and Services. In Active Directory Sites and Services, expand Sites, and then expand Inter-Site Transports. Click IP, right-click DEFAULTIPSITELINK, and then click Rename. Type LON-TOR, and then press Enter. Right-click LON-TOR, and then click Properties. Describe the Cost, Replicate every, and Change Schedule options. In the LON-TOR Properties dialog box, next to Replicate every, configure the value to be 60 minutes. Click Change Schedule. Highlight the range from Monday 12 PM to Friday 4PM, click Replication Not Available, and then click OK. Click OK to close the LON-TOR Properties dialog box. In the navigation pane, right-click IP, and then click Properties. In the IP Properties dialog box, point out and explain the Bridge all site links option. Click OK to close the IP Properties dialog box.

27 Options for Configuring Password Replication Policies for RODCs
4: Implementing and Administering AD DS Sites and Replication Password replication policies are: Used to determine which users’ credentials should be cached on the RODC Determined by the Allowed List and the Denied List Emphasize that despite the name password replication policy, this component is not actually a policy, like a Group Policy. In fact, the password replication policy is not a centralized policy at all. Instead, each RODC maintains an individual password replication policy. Additionally, the two domain global groups are added to each RODC’s password replication policy by default, creating a centralized effect. In the end, it is the Allow and Denied Lists on each RODC that determine what passwords are, and are not, cached on the RODC. Also emphasize that even though it is called replication policy, the cached secrets (password) are not replicated. As soon as a user logs on to the RODC, the RODC verifies whether the user has a stored password. If not, then the user is redirected to a full domain controller, but with a request to replicate that password. If the user is on the Allow List, the RODC will receive the password and cache it until it is changed. The password is not replicated to the RODC unless the user logs on again. The most manageable way to ensure that users in a branch have their credentials cached on the RODC is to have a group—for example, Branch Office Users—that is on the RODC’s Allow List. Then, you simply can add users to the Branch Office Users group, and the branch office RODC will cache their credentials automatically at the users' next logon.

28 Demonstration: Configuring Password Replication Policies
4: Implementing and Administering AD DS Sites and Replication In this demonstration, you will see how to configure password replication policies After completing this demonstration, revert all virtual machines. Preparation Steps To complete this demonstration, make sure that the 10969A-LON-DC1 and the 10969A-TOR-DC1 virtual machines are running. Sign in to all virtual machines as Adatum\Administrator with the password Pa$$w0rd. You also must have completed all previous demonstrations in this module. Demonstration Steps On LON-DC1, from Server Manager, click Tools, and then click Active Directory Users and Computers. In the console tree, expand the Adatum.com domain, and then click the Domain Controllers organizational unit (OU). Right-click Domain Controllers, and then click Pre-create Read-only Domain Controller account. In the Active Directory Domain Services Installation Wizard, on the Welcome page, click Next. On the Network Credentials page, click Next. On the Specify the Computer Name page, type LON-RODC1, and then click Next. On the Select a Site page, click Toronto, and then click Next. On the Additional Domain Controller Options page, click Next. Note: Note that the Read-only domain controller option is selected and cannot be cleared. This is because you launched the wizard by choosing to pre-create an RODC account. On the Delegation of RODC Installation and Administration page, click Next. Review your selections on the Summary page, and then click Next. (More notes on the next slide)

29 4: Implementing and Administering AD DS Sites and Replication
On the Completing the Active Directory Domain Services Installation Wizard page, click Finish. In the console, click the Domain Controllers OU. Right-click LON-RODC1, and then click Properties. Click the Password Replication Policy tab, and then view the default policy. Click Cancel to close LON-RODC1 Properties. In the Active Directory Users and Computers console, click the Users container. Double-click Allowed RODC Password Replication Group, and then click the Members tab. Examine the default membership of Allowed RODC Password Replication Group, and then click OK. There should be no members by default. Double-click Denied RODC Password Replication Group. Click the Members tab. Click Cancel to close the Denied RODC Password Replication Group Properties dialog box.

30 Tools for Monitoring and Managing Replication
4: Implementing and Administering AD DS Sites and Replication Repadmin.exe examples: repadmin /showrepl Lon-dc1.adatum.com repadmin /showconn Lon-dc1 adatum.com repadmin /showobjmeta Lon-dc1 "cn=Linda Miller,ou=…" repadmin /kcc repadmin /replicate Tor-dc1 Lon-dc1 dc=adatum,dc=com repadmin /syncall Lon-dc1.adatum.com /A /e Dcdiag.exe /test:testName: FrsEvent or DFSREvent Intersite KccEvent Replications Topology Windows PowerShell Discuss how you can use the Repadmin.exe and Dcdiag.exe tools to monitor AD DS replication. You may want to consider showing an example of some of the commands. Other commands that you can discuss include: Repadmin /bind – Useful to verify that remote procedure call (RPC) is working against a domain controller. Repadmin /istg –Forces the ISTG to recalculate replication.

31 Lab: Implementing AD DS Sites and Replication
4: Implementing and Administering AD DS Sites and Replication Exercise 4: Troubleshooting AD DS Replication Exercise 1: Creating Subnets and Sites A. Datum decided to implement additional AD DS sites to optimize network usage for AD DS network traffic. The first step in implementing the new environment is to create the required site and subnet objects in AD DS. First, you must change the name of the default site to LondonHQ and associate it with the IP subnet /24, which is the subnet range used for the London head office. Next, you must configure the new Toronto AD DS site for the North American data center. The network team in Toronto also would like to dedicate a site called Test in the Toronto data center. You have been instructed that the Toronto IP subnet address is /24, and the Test network IP subnet address is /24. Exercise 2: Deploying an Additional Domain Controller You must now deploy a new domain controller to the Toronto site. Exercise 3: Configuring AD DS Replication Now that the AD DS sites have been configured for Toronto, the next step is to configure the site links to manage replication between the sites, and then to move the TOR-DC1 domain controller to the Toronto site. Currently, all sites belong to DEFAULTIPSITELINK. You must modify site linking so that LondonHQ and Toronto belong to one common site link called LON- TOR. You should configure this link to replicate every hour. Additionally, you should link the Test site only to the Toronto site by using a site link named TOR-TEST. Replication should not be available from the Toronto site to the Test site during the working hours of 9 A.M. and 3 P.M. You then will use tools to monitor replication between the sites. Virtual machines: A-LON-DC1 10969A-LON-DC2 10969A-TOR-DC1 User Name: Adatum\Administrator Password: Pa$$w0rd Logon Information Estimated Time: 30 minutes (More notes on the next slide)

32 4: Implementing and Administering AD DS Sites and Replication
Exercise 4: Troubleshooting AD DS Replication Users have been reporting problems with being able to sign in at the Toronto site. You must investigate the problem, and then attempt to resolve it. Document your solution in the Incident Record below. Incident Record Incident Reference Number: Date of Call Time of Call User Status July 13 13:45 Various OPEN Incident Details Some users cannot sign in to their computers. Others are experiencing slow sign in and poor performance of the application of desktop settings. Additional Information You have verified that the link that connects Toronto with London is functional. Plan of Action Resolution

33 10969A Lab Scenario 4: Implementing and Administering AD DS Sites and Replication A. Datum Corporation has deployed a single AD DS domain with all the domain controllers located in the London data center. As the company has grown and added branch offices with large numbers of users, it is increasingly becoming apparent that the current AD DS environment is not meeting company requirements. Users in some of the branch offices report that it can take a long time for them to log on to their computers. Access to network resources such as the company’s Microsoft Exchange 2013 servers and the Microsoft SharePoint servers can be slow, and sporadically fails.

34 Lab Scenario (continued)
4: Implementing and Administering AD DS Sites and Replication As one of the senior network administrators, you are responsible for planning and implementing an AD DS infrastructure that will help to address the business requirements for the organization. You are responsible for configuring AD DS sites and replication to optimize the user experience and network utilization within the organization.

35 10969A Lab Review 4: Implementing and Administering AD DS Sites and Replication You have added a new domain controller named LON-DC2 to the LondonHQ site. Which AD DS partitions will be modified as a result? Question In the last exercise, there was a problem on TOR-DC1. What was the problem? Answer The subnet mask was incorrect for the current network configuration. This caused DNS problems that resulted in replication failures. You decide to add a new domain controller to the LondonHQ site named LON-DC2. How could you ensure that LON-DC2 is used to pass all replication traffic to the Toronto site? You would have to configure this new domain controller as the preferred bridgehead server for the LondonHQ site. You have added a new domain controller named LON-DC2 to the LondonHQ site. Which AD DS partitions will be modified as a result? It is likely that all of the partitions except the schema partition will be modified. You add the new domain controller to both the domain partition and the configuration partition to ensure that AD DS replication is configured correctly. If you are using AD DS–integrated DNS, then the domain controller records also will update in the DNS application partitions.

36 Module Review and Takeaways
4: Implementing and Administering AD DS Sites and Replication Common Issues and Troubleshooting Tips Review Questions Question Why is it important that all subnets are identified and associated with a site in a multisite enterprise? Answer The process of locating domain controllers and other services can be made more efficient by referring clients to the correct site based on the client’s IP address and the definition of subnets. If a client has an IP address that does not belong to a site, the client will query for all domain controllers in the domain. This is not an efficient strategy. In fact, a single client can perform actions against domain controllers in different sites, which can lead to strange results if those changes have not yet replicated. Therefore, it is crucial that each client knows what site it is in, which you can achieve by ensuring that domain controllers can identify a client’s site location. What are the advantages and disadvantages of reducing the intersite replication interval? Reducing the intersite replication interval improves convergence. Changes made in one site replicate more quickly to other sites. There are actually few, if any, disadvantages. If you consider that the same changes must replicate whether they wait 15 minutes or three hours, it is really a matter of replication timing rather than replication quantity. However, in some extreme situations, it is possible that allowing a smaller number of changes to occur more frequently might be less preferable than allowing a large number of changes to replicate less frequently. What is the purpose of a bridgehead server? The bridgehead server is responsible for all replication into and out of the site. Instead of replicating all domain controllers from one site with all domain controllers in another site, you can use bridgehead servers to manage intersite replication. (More notes on the next slide)

37 4: Implementing and Administering AD DS Sites and Replication
Best Practice: Implement the following best practices when you manage Active Directory sites and replication in your environment: Always provide at least one or more global catalog servers per site. Ensure that all sites have appropriate subnets associated with them. Do not set up long intervals without replication when you configure replication schedules for intersite replication. Avoid using SMTP as a protocol for replication. Common Issues and Troubleshooting Tips Common Issue: Client cannot locate domain controller in its site. Troubleshooting Tip: Verify whether all service (SRV) resource records for the domain controller are present in DNS. Verify whether the domain controller has an IP address from the subnet that is associated with that site. Verify that the client is a domain member and has the correct time. Common Issue: Replication between sites does not work. Troubleshooting Tip: Verify whether site links are configured correctly. Verify the replication schedule. Verify whether the firewall between the sites permits traffic for Active Directory replication. Common Issue: Replication between two domain controllers in the same site does not work. Troubleshooting Tip: Verify whether both domain controllers appear in same site. Verify whether AD DS is operating correctly on the domain controllers. Verify network communication, and that the time on each server is valid.

Download ppt "Implementing and Administering AD DS Sites and Replication"

Similar presentations

Active Directory and Group Policy Blackhat Amsterdam Raymond Forbes.

Active Directory and Group Policy Blackhat Amsterdam Raymond Forbes.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
Module 10: Troubleshooting Active Directory, DNS, and Replication Issues.

Module 10: Troubleshooting Active Directory, DNS, and Replication Issues.
Module 10: Troubleshooting AD DS, DNS, and Replication Issues.

Module 10: Troubleshooting AD DS, DNS, and Replication Issues.
Implementing Domain Name System

Implementing Domain Name System
Module 5: Creating and Configuring Group Policy

Module 5: Creating and Configuring Group Policy
Administering Active Directory

Administering Active Directory
Introduction to Dfs. Limits of Dfs 260 characters per file path 32 alternatives per volume 1 Dfs root per server Unlimited Dfs roots per domain Volumes.

Introduction to Dfs. Limits of Dfs 260 characters per file path 32 alternatives per volume 1 Dfs root per server Unlimited Dfs roots per domain Volumes.
Course 6425A Module 2: Configuring Domain Name Service for Active Directory® Domain Services Presentation: 50 minutes Lab: 45 minutes This module helps.

Course 6425A Module 2: Configuring Domain Name Service for Active Directory® Domain Services Presentation: 50 minutes Lab: 45 minutes This module helps.
Understanding Active Directory

Understanding Active Directory
Module 1: Introduction to Active Directory

Module 1: Introduction to Active Directory
Understanding Active Directory

Understanding Active Directory
1 Chapter Overview Creating Sites and Subnets Configuring Intersite Replication Troubleshooting Active Directory Replication.

1 Chapter Overview Creating Sites and Subnets Configuring Intersite Replication Troubleshooting Active Directory Replication.
Module 1: Installing Active Directory Domain Services

Module 1: Installing Active Directory Domain Services
Implementing Dynamic Host Configuration Protocol

Implementing Dynamic Host Configuration Protocol
Overview of Active Directory Domain Services Lesson 1.

Overview of Active Directory Domain Services Lesson 1.
Nassau Community College

Nassau Community College
(ITI310) SESSIONS 9-10-11-12: Active Directory By Eng. BASSEM ALSAID.

(ITI310) SESSIONS : Active Directory By Eng. BASSEM ALSAID.
11 REVIEWING MICROSOFT ACTIVE DIRECTORY CONCEPTS Chapter 1.

11 REVIEWING MICROSOFT ACTIVE DIRECTORY CONCEPTS Chapter 1.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication.

Similar presentations

Ads by Google