Presentation on theme: "Implementing and Administering AD DS Sites and Replication"— Presentation transcript:
1 Implementing and Administering AD DS Sites and Replication Presentation: 60 minutesLab: 30 minutesAfter completing this module, students will be able to:Describe Active Directory Domain Services (AD DS) replication.Configure AD DS sites.Configure and monitor AD DS replication.Required materialsTo teach this module, you need the Microsoft Office PowerPoint file 10969A_04.pptx.Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, all the features of the slides might not display correctly.Preparation tasksTo prepare for this module:Read all of the materials for this module.Practice performing the demonstrations.Practice performing the labs.Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This will allow you to provide meaningful hints to students who may get stuck in a lab, and it also will help guide your lecture to ensure that you cover the concepts that the labs cover.Preparation for DemonstrationsThis module contains a couple of demonstrations that require the virtual machines LON-DC1 and TOR-DC1. You should start these virtual machines now, and sign in to them to be prepared.Module 4Implementing and Administering AD DS Sites and Replication(More notes on the next slide)
2 Configuring and Monitoring AD DS Replication Module Overview4: Implementing and Administering AD DS Sites and ReplicationConfiguring and Monitoring AD DS ReplicationPreparation for LabsThis module contains one lab at the end that requires the virtual machines LON-DC1 and TOR-DC1. You can ask students to prepare by starting these virtual machines now and logging on by using the credentials on the lab slide.Introduce the module by explaining how important it is that a large organization implements multiple domain controllers within AD DS. This concept leads to a discussion regarding AD DS replication and how it works.Ask students what would happen if AD DS data does not replicate consistently to all domain controllers. For example, if a user creates a user object on one domain controller, but that information does not replicate to all other domain controllers, the user will be able to authenticate only to the domain controller in which the account was created, resulting in a unreliable logon experience.Point out that multiple sites enable an enterprise administrator to control replication, with the added benefit of efficient authentication and local access to site-aware resources.
3 Lesson 1: Overview of AD DS Replication 4: Implementing and Administering AD DS Sites and ReplicationHow SYSVOL Replication WorksBriefly describe the topics in this lesson. This content has not changed much from older versions of Windows Server operating systems, so if your students have previous experience with AD DS replication, you can summarize the information in the topics instead of going into detailed conversation about the topic content.
4 What Are AD DS Partitions? 4: Implementing and Administering AD DS Sites and ReplicationForest-wide information about the Active Directory structureDescribe the information that each AD DS partition stores. Consider using the Active Directory Service Interfaces Editor (ADSIEdit.msc) to show each partition’s contents.Point out that Domain Name System (DNS) actually uses application partitions for distribution between domain controllers. By default, two application partitions for DNS zones are created in this case: ForestDNSZones, and DomainDNSZones. The ForestDNSZones zone replicates to all domain controllers, which are DNS servers in the forest. The DomainDNSZones zone replicates to all domain controllers, which are DNS servers in the domain. In Microsoft Windows 2000 Server, the default was that DNS records were replicated without the use of application partitions to every domain controller in the domain, even if a domain controller was not a DNS server.ConfigurationForest-wide definitions and rules for creating and manipulating objects and attributesSchemaInformation about domain-specific objectsDomainInformation about applicationsApplicationActive Directory Database
5 Characteristics of AD DS Replication 4: Implementing and Administering AD DS Sites and ReplicationMultimaster replication ensures:Accuracy (integrity)Consistency (convergence)Performance (keeping replication traffic at a reasonable level)Key characteristics of Active Directory replication include:Multimaster replicationPull replicationStore-and-forward replicationData store partitionsAutomatic generation of an efficient and robust replication topologyAttribute-level replicationDistinct control of intrasite and intersite replicationCollision detection and managementDiscuss the replication model. It is important that students understand that they can make changes from any domain controller in the domain, except for read-only domain controllers (RODCs), and that those changes then replicate to all other domain controllers. Compare this with a single-master replication model, where you make changes on one domain controller only.Ask students what benefits and disadvantages result from using a multimaster replication model. Stress that this model results in a more complicated replication process than the single-master model, but that it provides more redundancy and scalability.Use that as a transition to introduce the concepts of integrity, convergence, and performance. In a multimaster database, these must be balanced. Go on to define the key design characteristics of AD DS replication, which the slide shows.
6 How AD DS Replication Works Within a Site 4: Implementing and Administering AD DS Sites and ReplicationIntrasite replication uses:Connection objects for inbound replication to a domain controllerKCC to create topology automatically:Efficient (maximum three hops) and robust (two-way) topologyNotifications, in which the domain controller tells its downstream partners that a change is availablePolling, in which the domain controller checks with its upstream partners for changes:Downstream domain controller directory replication agent replicates changesChanges to all partitions held by both domain controllers are replicatedUse this slide to explain how AD DS replication works within a site. Discuss, demonstrate, or illustrate the role of the Knowledge Consistency Checker (KCC) in creating connection objects to create an efficient (maximum three hops) and robust (two-way) topology.Emphasize that there are few reasons to create connection objects manually within a site. In fact, administrators have very few options by which they can modify the replication topology within a site.Then, move on to the replication itself. Mention that within a single site, the replication goal is to update all domain controllers as quickly as possible.However, when a change is made on a domain controller, the domain controller waits as long as 15 seconds to notify its partners of the change. This increases the efficiency of replication if additional changes are made to the partition.As you continue to discuss the slide, discuss the following:There is a maximum of 15 seconds to notify the partner of the change; this means, on average, changes replicate every 7.5 seconds. A maximum of three hops means that within 45 seconds (22.5 seconds on average), the entire site is updated with a change. This does not include the notification delay.Introduce the directory replication agent.Partitions that are replicated between two domain controllers on a connection object are replicated simultaneously. There is no way to time the partitions differently.Replication traffic is not compressed, because it is assumed that all domain controllers in the same site will be connected with a fast network connection with abundant available bandwidth.DC01DC02DC03
7 Resolving Replication Conflicts 4: Implementing and Administering AD DS Sites and ReplicationIn multimaster replication models, replication conflicts arise when:The same attribute is changed on two domain controllers simultaneouslyAn object is moved or added to a deleted container on another domain controllerTwo objects with the same relative distinguished name are added to the same container on two different domain controllersTo resolve replication conflicts, AD DS uses:Version numberTime stampServer GUIDHighlight that replication conflicts are not likely to be an issue in most organizations that have a managed AD DS change-control process. In most organizations, only one group is likely to make changes to the same objects in AD DS, and that group should have a communication process that ensures that conflicting changes do not happen.If students are interested in more details about how AD DS resolves replication conflicts, draw a diagram of several domain controllers and show how attribute numbers, time stamps, and server GUIDs always result in a conflict resolution.
8 How the Replication Topology Is Generated 4: Implementing and Administering AD DS Sites and ReplicationGlobalCatalogServerA1A2B2B2Domain B topologySchema and configuration topologyGlobal catalog replicationUse the additional slides to show how the replication topology works for each directory partition. Because the configuration and schema partition replicate throughout the forest, the replication topology crosses domain boundaries.The second part of the build slide describes the global catalog replication. Although the global catalog is not a directory partition, it uses the same replication process. Point out that you can run the ntdsutil \ partition management \ (connect) \ list command to see the global catalog partitions on the domain controllers.B1B1DomainControllers in AnotherGlobalCatalogServerA3A3A4A4GlobalCatalogServerB3B3Domain A topology
9 How RODC Replication Works 4: Implementing and Administering AD DS Sites and ReplicationWhen an RODC is implemented:The KCC detects that it is an RODC and creates one-way only connection objects from one or more source domain controllersAn RODC performs replicate-single-object inbound replication during:Password changesDNS updates to a writable DNS serverUpdates to various client attributesBegin this topic by explaining the benefits of an RODC. Stress that an RODC only has inbound connection objects so that it can replicate changes from writable domain controllers, and that only replicated changes are allowed. Since RODCs do not propagate changes, outbound connection objects are not necessary. RODCs are for scenarios with lower physical security that may get compromised. One security benefit is that RODCs never replicate information out to other domain controllers.Mention that there are some attributes that never replicate to an RODC, such as attributes that contain BitLocker Drive Encryption and recovery keys, and that client applications must be aware to request them from full domain controllers specifically, because the RODC always would return empty values.Mention scenarios in which changes may be made to an RODC. For example, if a hacker gains physical access to the domain controller, the attacker may be able to make changes to the Active Directory database. However, with an RODC in place, these changes will not replicate to any other domain controller.Mention that with an RODC, a single connection object is created, but only from the writable domain controller to the RODC.RODCDomain Controllers
10 How SYSVOL Replication Works 4: Implementing and Administering AD DS Sites and ReplicationSYSVOL contains logon scripts, Group Policy templates, and GPOsSYSVOL replication can take place by using:FRS, which is primarily used in Windows Server 2003 and older domain structuresDFS Replication, which is used in Windows Server 2008 and newer domainsTo migrate SYSVOL replication from the FRS to DFS Replication:The domain’s functional level must be Windows Server 2008 or newerUse the Dfsrmig.exe tool to perform the migrationExplain that it is critical that SYSVOL synchronizes between all domain controllers within a domain.Describe the benefits of using Distributed File System (DFS) Replication as opposed to the File Replication Service (FRS) for replication processes.
11 Lesson 2: Configuring AD DS Sites 4: Implementing and Administering AD DS Sites and ReplicationHow Client Computers Locate Domain Controllers Within SitesBriefly describe the lesson content. Ask students if their organizations include multiple locations, and if so, what types of services those remote locations provide, such as domain controller authentication.
12 10969AWhat Are AD DS Sites?4: Implementing and Administering AD DS Sites and ReplicationSites identify network locations with fast, reliable network connectionsSites are associated with subnet objectsSites are used to manage:Replication when domain controllers are separated by slow, expensive linksService localization:Domain controller authentication (LDAP and Kerberos protocol)Active Directory–aware (site aware) services or applicationsProvide the highest-level definition of a site: an object that supports replication and service localization. Stress the importance of maintaining subnet object-to-site mapping.Mention that when you install AD DS, a default site named Default-First-Site-Name is created. All computers, including domain controllers, are added automatically to the default site until you create and configure additional sites.Mention that an incorrect implementation of sites can cause problems later—for example, logon traffic over wide area network (WAN) links. Also, mention that recent versions of Microsoft Exchange Server use Active Directory sites to route .A1A2SiteIP Subnets
13 Why Implement Additional Sites? 4: Implementing and Administering AD DS Sites and ReplicationCreate additional sites when:A part of the network is separated by a slow linkA part of the network has enough users to warrant hosting domain controllers or other services in that locationYou want to control service localizationYou want to control replication between domain controllersExplain that a location can contain more than one Active Directory site, or an Active Directory site may span more than one location.An important takeaway for this topic is that students should be able answer the question, “Would I want a separate site for this location?”A1A1A2A2SiteA3IP SubnetsIP SubnetsSite
14 Demonstration: Configuring AD DS Sites 4: Implementing and Administering AD DS Sites and ReplicationIn this demonstration, you will see how to configure AD DS sitesWhen you have completed the demonstration, leave the virtual machines running for subsequent demonstrations.Preparation StepsTo complete this demonstration, make sure that the 10969A-LON-DC1 and the 10969A-TOR-DC1 virtual machines are running. Sign in to all virtual machines as Adatum\Administrator with the password Pa$$w0rd.You must complete the following steps before you can begin the demonstration:Switch to 10969A-TOR-DC1, and if necessary, sign in as Adatum\Administrator with the password Pa$$w0rd.On TOR-DC1, in Server Manager, click Manage, and from the drop-down box, click Add Roles and Features.On the Before you begin page, click Next.On the Select installation type page, confirm that Role-based or feature-based installation is selected, and then click Next.On the Select destination server page, ensure that Select a server from the server pool is selected, and that TOR-DC1.adatum.com is highlighted, and then click Next.On the Select server roles page, click Active Directory Domain Services.On the Add features that are required for Active Directory Domain Services? page, click Add Features, and then click Next.On the Select features page, click Next.On the Active Directory Domain Services page, click Next.On the Confirm installation selections page, click Install. This may take a few minutes to complete.(More notes on the next slide)
15 4: Implementing and Administering AD DS Sites and Replication When the AD DS binaries have installed, click the blue Promote this server to a domain controller link.In the Deployment Configuration window, click Add a domain controller to an existing domain, and then click Next.In the Domain Controller Options window, ensure that both the Domain Name system (DNS) server and Global Catalog (GC) check boxes are selected.Confirm that Site name: is set to Default-First-Site-Name, and then under Type the Directory Services Restore Mode (DSRM) password, type Pa$$w0rd in both the Password and Confirm password boxes, and then click Next.On the DNS Options page, click Next.On the Additional Options page, click Next.On the Paths page, click Next.On the Review Options page, click Next.On the Prerequisites Check page, confirm that there are no issues, and then click Install. The server will restart automatically.After TOR-DC1 restarts, sign in as Adatum\Administrator with the password Pa$$w0rd.Note: You may decide to include these steps as part of your demonstration to enable students to see the process of promoting a server to a domain controller.Demonstration StepsSwitch to LON-DC1, and in Server Manager, click Tools, and then click Active Directory Sites and Services.In Active Directory Sites and Services, expand Sites, and then click Default-First-Site-Name.Right-click Default-First-Site-Name, and then click Rename.(More notes on the next slide)
16 4: Implementing and Administering AD DS Sites and Replication Type LondonHQ, and then press Enter.In the navigation pane, right-click Sites, and then click New Site.In the New Object – Site dialog box, in the Name text box, type Toronto.Select DEFAULTIPSITELINK, and then click OK.In the Active Directory Domain Services dialog box, click OK.In the navigation pane, right-click Subnets, and then click New Subnet.In the New Object – Subnet dialog box, in the Prefix text box, type /24.Under Select a site object for this prefix, click LondonHQ, and then click OK.In the New Object – Subnet dialog box, in the Prefix text box, type /24.Under Select a site object for this prefix, click Toronto, and then click OK.In the navigation pane, expand LondonHQ, and then expand Servers.Right-click TOR-DC1, and then click Move.In the Move Server dialog box, select Toronto, and then click OK.In the navigation pane, expand Toronto, and then expand Servers.Verify that TOR-DC1 is now located in the Toronto site.
17 How Replication Works Between Sites 4: Implementing and Administering AD DS Sites and ReplicationReplication within sites:Assumes fast, inexpensive, and highly reliable network linksDoes not compress trafficUses a change notification mechanismReplication between sites:Assumes higher cost, limited bandwidth, and unreliable network linksHas the ability to compress replicationOccurs on a configured scheduleCan be configured for immediate and urgent replicationsA1ReplicationA2Mention that creating sites is a primary means by which you can manage replication traffic across slow network connections. Replication between sites is compressed and is subject to a replication schedule.Mention that urgent changes, such as password changes, replicate between sites immediately, and to some extent, are not based on the replication schedule. Describe the difference between urgent and immediate replication.IP SubnetsA1ReplicationA2IP SubnetsB1ReplicationB2IP SubnetsReplication
18 What Is the Intersite Topology Generator? 4: Implementing and Administering AD DS Sites and ReplicationISTG defines the replication between AD DS sites on a networkISTGMention that the intersite topology generator (ISTG) creates the replication topology between sites. ISTG uses KCC, but also adds an additional level of complexity when managing multiple sites.ISTG is an Active Directory process that defines replication between sites on a network. AD DS automatically designates a single domain controller in each site to act as the ISTG. Because this action occurs automatically, you do not have to perform any action to determine the replication topology and bridgehead server roles.ReplicationIP SubnetsReplicationSite LinkISTGIP Subnets
19 Overview of SRV Resource Records for Domain Controllers 4: Implementing and Administering AD DS Sites and ReplicationDomain controllers register SRV records as follows:_tcp.adatum.com: All domain controllers in the domain_tcp.sitename._sites.adatum.com: All services in a specific siteClients query DNS to locate services in specific sitesDiscuss how service (SRV) resource records help AD DS clients locate services on the network. Focus on how sites play a role in this service location process.Consider showing an example by using DNS Manager.
20 How Client Computers Locate Domain Controllers Within Sites 4: Implementing and Administering AD DS Sites and ReplicationThe process for locating a domain controller occurs as follows:New client queries for all domain controllers in the domainClient attempts LDAP ping to find all domain controllersFirst domain controller respondsClient queries for all domain controllers in the siteClient attempts LDAP ping to find all domain controllers in the site, and the client stores domain controller and site name for further useClient forms an affinity with the domain controller, and the domain controller is used for the full logon process, including authentication, building the token, and building the list of GPOs to applyUse this topic to describe how a client locates a domain controller. Be sure to discuss how you can use sites to find the domain controller and service location, and what happens when a client moves to another site.
21 Lesson 3: Configuring and Monitoring AD DS Replication 4: Implementing and Administering AD DS Sites and ReplicationTools for Monitoring and Managing ReplicationBriefly describe the lesson content.
22 What Are AD DS Site Links? 4: Implementing and Administering AD DS Sites and ReplicationSite links contain sites:Within a site link, a connection object can be created between any two domain controllersThe default site link, DEFAULTIPSITELINK, is not always appropriate given your network topologyPoint out that even with multiple sites that have a distinct hub-and-spoke network topology, all routers go through the headquarters. If AD DS has the sites on one site link, it may create connection objects between domain controllers in the spokes.To align your network topology with Active Directory replication, it may be necessary to create specific site links and ensure that the DEFAULTIPSITELINK is not used. Additionally, you must turn off site link bridging, which the next topic discusses.This is not a design class, so discuss the subject matter at a level that allows students to understand why the tasks are done, but does not delve too deeply into design concepts.SEAAMSBeijingHQHQ-SEASite LinkDEFAULTIPSITELINK
23 What Is Site Link Bridging? 4: Implementing and Administering AD DS Sites and ReplicationBy default, automatic site link bridging:Enables ISTG to create connection objects between site linksAllows disabling of transitivity in the properties of the IP transportSite link bridges:Enable you to create transitive site links manuallyAre useful only when transitivity is disabledTo describe site link bridging, mention that by default, site links are transitive, or bridged. For example, if site A has a common site link with site B, and site B has a common site link with site C, then the two site links are bridged. Therefore, domain controllers in site A can replicate directly with domain controllers in site C, even though there is no site link between sites A and C. In other words, the effect of bridged site links is that replication between sites in the bridge is transitive.If the routing configuration for an organization is such that all domain controllers in all sites can communicate directly with domain controllers in other sites, you do not need to change the default configuration. However, you can modify the replication topology, and then force additional hops in the replication process by disabling automatic site link bridging for all site links, and creating new site link bridges.SEAAMSBeijingHQHQ-SEASite LinkBridgeHQ-Beijing Site LinkHQ-AMS Site Link
24 What Is Universal Group Membership Caching? 4: Implementing and Administering AD DS Sites and ReplicationUniversal group membership caching enables domain controllers in a site with no global catalog servers to cache universal group membershipUniversal group membership caching makes it possible to log on to AD DS without contacting a global catalog. Once this option is enabled and a user attempts to log on for the first time, universal group membership is cached on nonglobal catalog domain controllers.Once this information is obtained from a global catalog, it is cached indefinitely on the domain controller for the site and is updated periodically. By default, updates occur every eight hours. Enabling this feature results in faster logon times for users in remote sites without global catalogs because the authenticating domain controllers do not have to access a global catalog. Organizations may choose to use universal group membership caching for a site for which they do not want to deploy a global catalog server.Mention that replication has improved over the years, and that the best practice recommendation for most scenarios is to have a global catalog on every domain controller. One of the historical concerns with global catalogs was the schema update in Windows 2000 Server, which would trigger re-initialization of the global catalogs.You may want to discuss that universal group membership caching can be a security risk when an administrator relies on removing a user from a group. Universal group membership caching is not updated with replication and the users has up to eight hours access, and even more when the WAN link becomes offline. It also is somewhat unpredictable. When users log on the first time at a remote site, if the global catalog is not available, the behavior is different than for users who logged on previously. Because of these issues, universal group membership caching is not typically a recommended approach.Global Catalog ServerBridgehead ServerIP SubnetsBridgehead ServerIP Subnets
25 Managing Intersite Replication 4: Implementing and Administering AD DS Sites and ReplicationSite link costs:Replication uses the connection with the lowest costReplication:Polling: Downstream bridgehead polls upstream partnersDefault is 3 hoursMinimum is 15 minutesRecommended is 15 minutesReplication schedules:24 hours a dayCan be scheduledDescribe the options for configuring intersite replication. The next topic provides a demonstration of these options.
26 Demonstration: Configuring AD DS Intersite Replication 4: Implementing and Administering AD DS Sites and ReplicationIn this demonstration, you will see how to configure AD DS intersite replicationLeave the virtual machines running for subsequent demonstrations.Preparation StepsTo complete this demonstration, you must have the 10969A-LON-DC1 and the 10969A-TOR-DC1 virtual machines running. Sign in to all virtual machines as Adatum\Administrator with the password Pa$$w0rd.You also must have completed all previous demonstrations in this module.Demonstration StepsOn TOR-DC1, in Server Manager, click Tools, and then click Active Directory Sites and Services.In Active Directory Sites and Services, expand Sites, and then expand Inter-Site Transports.Click IP, right-click DEFAULTIPSITELINK, and then click Rename.Type LON-TOR, and then press Enter.Right-click LON-TOR, and then click Properties. Describe the Cost, Replicate every, and Change Schedule options.In the LON-TOR Properties dialog box, next to Replicate every, configure the value to be 60 minutes.Click Change Schedule.Highlight the range from Monday 12 PM to Friday 4PM, click Replication Not Available, and then click OK.Click OK to close the LON-TOR Properties dialog box.In the navigation pane, right-click IP, and then click Properties.In the IP Properties dialog box, point out and explain the Bridge all site links option.Click OK to close the IP Properties dialog box.
27 Options for Configuring Password Replication Policies for RODCs 4: Implementing and Administering AD DS Sites and ReplicationPassword replication policies are:Used to determine which users’ credentials should be cached on the RODCDetermined by the Allowed List and the Denied ListEmphasize that despite the name password replication policy, this component is not actually a policy, like a Group Policy. In fact, the password replication policy is not a centralized policy at all. Instead, each RODC maintains an individual password replication policy. Additionally, the two domain global groups are added to each RODC’s password replication policy by default, creating a centralized effect. In the end, it is the Allow and Denied Lists on each RODC that determine what passwords are, and are not, cached on the RODC.Also emphasize that even though it is called replication policy, the cached secrets (password) are not replicated. As soon as a user logs on to the RODC, the RODC verifies whether the user has a stored password. If not, then the user is redirected to a full domain controller, but with a request to replicate that password. If the user is on the Allow List, the RODC will receive the password and cache it until it is changed. The password is not replicated to the RODC unless the user logs on again.The most manageable way to ensure that users in a branch have their credentials cached on the RODC is to have a group—for example, Branch Office Users—that is on the RODC’s Allow List. Then, you simply can add users to the Branch Office Users group, and the branch office RODC will cache their credentials automatically at the users' next logon.
28 Demonstration: Configuring Password Replication Policies 4: Implementing and Administering AD DS Sites and ReplicationIn this demonstration, you will see how to configure password replication policiesAfter completing this demonstration, revert all virtual machines.Preparation StepsTo complete this demonstration, make sure that the 10969A-LON-DC1 and the 10969A-TOR-DC1 virtual machines are running. Sign in to all virtual machines as Adatum\Administrator with the password Pa$$w0rd.You also must have completed all previous demonstrations in this module.Demonstration StepsOn LON-DC1, from Server Manager, click Tools, and then click Active Directory Users and Computers.In the console tree, expand the Adatum.com domain, and then click the Domain Controllers organizational unit (OU).Right-click Domain Controllers, and then click Pre-create Read-only Domain Controller account.In the Active Directory Domain Services Installation Wizard, on the Welcome page, click Next.On the Network Credentials page, click Next.On the Specify the Computer Name page, type LON-RODC1, and then click Next.On the Select a Site page, click Toronto, and then click Next.On the Additional Domain Controller Options page, click Next.Note: Note that the Read-only domain controller option is selected and cannot be cleared. This is because you launched the wizard by choosing to pre-create an RODC account.On the Delegation of RODC Installation and Administration page, click Next.Review your selections on the Summary page, and then click Next.(More notes on the next slide)
29 4: Implementing and Administering AD DS Sites and Replication On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.In the console, click the Domain Controllers OU.Right-click LON-RODC1, and then click Properties.Click the Password Replication Policy tab, and then view the default policy.Click Cancel to close LON-RODC1 Properties.In the Active Directory Users and Computers console, click the Users container.Double-click Allowed RODC Password Replication Group, and then click the Members tab.Examine the default membership of Allowed RODC Password Replication Group, and then click OK. There should be no members by default.Double-click Denied RODC Password Replication Group.Click the Members tab.Click Cancel to close the Denied RODC Password Replication Group Properties dialog box.
30 Tools for Monitoring and Managing Replication 4: Implementing and Administering AD DS Sites and ReplicationRepadmin.exe examples:repadmin /showrepl Lon-dc1.adatum.comrepadmin /showconn Lon-dc1 adatum.comrepadmin /showobjmeta Lon-dc1 "cn=Linda Miller,ou=…"repadmin /kccrepadmin /replicate Tor-dc1 Lon-dc1 dc=adatum,dc=comrepadmin /syncall Lon-dc1.adatum.com /A /eDcdiag.exe /test:testName:FrsEvent or DFSREventIntersiteKccEventReplicationsTopologyWindows PowerShellDiscuss how you can use the Repadmin.exe and Dcdiag.exe tools to monitor AD DS replication. You may want to consider showing an example of some of the commands.Other commands that you can discuss include:Repadmin /bind – Useful to verify that remote procedure call (RPC) is working against a domain controller.Repadmin /istg –Forces the ISTG to recalculate replication.
31 Lab: Implementing AD DS Sites and Replication 4: Implementing and Administering AD DS Sites and ReplicationExercise 4: Troubleshooting AD DS ReplicationExercise 1: Creating Subnets and SitesA. Datum decided to implement additional AD DS sites to optimize network usage for AD DS network traffic. The first step in implementing the new environment is to create the required site and subnet objects in AD DS. First, you must change the name of the default site to LondonHQ and associate it with the IP subnet /24, which is the subnet range used for the London head office. Next, you must configure the new Toronto AD DS site for the North American data center. The network team in Toronto also would like to dedicate a site called Test in the Toronto data center. You have been instructed that the Toronto IP subnet address is /24, and the Test network IP subnet address is /24.Exercise 2: Deploying an Additional Domain ControllerYou must now deploy a new domain controller to the Toronto site.Exercise 3: Configuring AD DS ReplicationNow that the AD DS sites have been configured for Toronto, the next step is to configure the site links to manage replication between the sites, and then to move the TOR-DC1 domain controller to the Toronto site. Currently, all sites belong to DEFAULTIPSITELINK.You must modify site linking so that LondonHQ and Toronto belong to one common site link called LON- TOR. You should configure this link to replicate every hour. Additionally, you should link the Test site only to the Toronto site by using a site link named TOR-TEST. Replication should not be available from the Toronto site to the Test site during the working hours of 9 A.M. and 3 P.M.You then will use tools to monitor replication between the sites.Virtual machines: A-LON-DC110969A-LON-DC210969A-TOR-DC1User Name: Adatum\AdministratorPassword: Pa$$w0rdLogon InformationEstimated Time: 30 minutes(More notes on the next slide)
32 4: Implementing and Administering AD DS Sites and Replication Exercise 4: Troubleshooting AD DS ReplicationUsers have been reporting problems with being able to sign in at the Toronto site. You must investigate the problem, and then attempt to resolve it. Document your solution in the Incident Record below.Incident RecordIncident Reference Number:Date of CallTime of CallUserStatusJuly 1313:45VariousOPENIncident DetailsSome users cannot sign in to their computers. Others are experiencing slow sign in and poor performance of the application of desktop settings.Additional InformationYou have verified that the link that connects Toronto with London is functional.Plan of ActionResolution
33 10969ALab Scenario4: Implementing and Administering AD DS Sites and ReplicationA. Datum Corporation has deployed a single AD DS domain with all the domain controllers located in the London data center. As the company has grown and added branch offices with large numbers of users, it is increasingly becoming apparent that the current AD DS environment is not meeting company requirements. Users in some of the branch offices report that it can take a long time for them to log on to their computers. Access to network resources such as the company’s Microsoft Exchange 2013 servers and the Microsoft SharePoint servers can be slow, and sporadically fails.
34 Lab Scenario (continued) 4: Implementing and Administering AD DS Sites and ReplicationAs one of the senior network administrators, you are responsible for planning and implementing an AD DS infrastructure that will help to address the business requirements for the organization. You are responsible for configuring AD DS sites and replication to optimize the user experience and network utilization within the organization.
35 10969ALab Review4: Implementing and Administering AD DS Sites and ReplicationYou have added a new domain controller named LON-DC2 to the LondonHQ site. Which AD DS partitions will be modified as a result?QuestionIn the last exercise, there was a problem on TOR-DC1. What was the problem?AnswerThe subnet mask was incorrect for the current network configuration. This caused DNS problems that resulted in replication failures.You decide to add a new domain controller to the LondonHQ site named LON-DC2. How could you ensure that LON-DC2 is used to pass all replication traffic to the Toronto site?You would have to configure this new domain controller as the preferred bridgehead server for the LondonHQ site.You have added a new domain controller named LON-DC2 to the LondonHQ site. Which AD DS partitions will be modified as a result?It is likely that all of the partitions except the schema partition will be modified. You add the new domain controller to both the domain partition and the configuration partition to ensure that AD DS replication is configured correctly. If you are using AD DS–integrated DNS, then the domain controller records also will update in the DNS application partitions.
36 Module Review and Takeaways 4: Implementing and Administering AD DS Sites and ReplicationCommon Issues and Troubleshooting TipsReview QuestionsQuestionWhy is it important that all subnets are identified and associated with a site in a multisite enterprise?AnswerThe process of locating domain controllers and other services can be made more efficient by referring clients to the correct site based on the client’s IP address and the definition of subnets. If a client has an IP address that does not belong to a site, the client will query for all domain controllers in the domain. This is not an efficient strategy. In fact, a single client can perform actions against domain controllers in different sites, which can lead to strange results if those changes have not yet replicated. Therefore, it is crucial that each client knows what site it is in, which you can achieve by ensuring that domain controllers can identify a client’s site location.What are the advantages and disadvantages of reducing the intersite replication interval?Reducing the intersite replication interval improves convergence. Changes made in one site replicate more quickly to other sites. There are actually few, if any, disadvantages. If you consider that the same changes must replicate whether they wait 15 minutes or three hours, it is really a matter of replication timing rather than replication quantity. However, in some extreme situations, it is possible that allowing a smaller number of changes to occur more frequently might be less preferable than allowing a large number of changes to replicate less frequently.What is the purpose of a bridgehead server?The bridgehead server is responsible for all replication into and out of the site. Instead of replicating all domain controllers from one site with all domain controllers in another site, you can use bridgehead servers to manage intersite replication.(More notes on the next slide)
37 4: Implementing and Administering AD DS Sites and Replication Best Practice: Implement the following best practices when you manage Active Directory sites and replication in your environment:Always provide at least one or more global catalog servers per site.Ensure that all sites have appropriate subnets associated with them.Do not set up long intervals without replication when you configure replication schedules for intersite replication.Avoid using SMTP as a protocol for replication.Common Issues and Troubleshooting TipsCommon Issue: Client cannot locate domain controller in its site.Troubleshooting Tip: Verify whether all service (SRV) resource records for the domain controller are present in DNS.Verify whether the domain controller has an IP address from the subnet that is associated with that site.Verify that the client is a domain member and has the correct time.Common Issue: Replication between sites does not work.Troubleshooting Tip: Verify whether site links are configured correctly.Verify the replication schedule.Verify whether the firewall between the sites permits traffic for Active Directory replication.Common Issue: Replication between two domain controllers in the same site does not work.Troubleshooting Tip: Verify whether both domain controllers appear in same site.Verify whether AD DS is operating correctly on the domain controllers.Verify network communication, and that the time on each server is valid.