Module 4: Configuring Active Directory Sites and Replication

Presentation transcript:

1 Module 4: Configuring Active Directory Sites and Replication
Course 6425A. Presentation: 80 minutes. Lab: 60 minutes.

This module helps students to configure Active Directory® sites and replication. After completing this module, students will be able to:
- Describe Active Directory® Domain Services (AD DS) replication.
- Describe AD DS sites and replication.
- Configure and monitor Active Directory Domain Services replication.

Required materials: To teach this module, you need the Microsoft® Office PowerPoint® file 6425A_04.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks: To prepare for this module, read all of the materials for this module and complete the practices.

This section contains information that will help you to teach this module. For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information.

2 Module Overview
- Overview of Active Directory Domain Services Replication
- Overview of AD DS Sites and Replication
- Configuring and Monitoring AD DS Replication

3 Lesson 1: Overview of Active Directory Domain Services Replication
- How Active Directory Replication Works
- How AD DS Replication Works Within a Site
- Resolving Replication Conflicts
- Optimizing Replication
- What Are Directory Partitions?
- What Is Replication Topology?
- How Directory Partitions and the Global Catalog Are Replicated
- How the Replication Topology Is Generated
- Demonstration: Creating and Configuring Connection Objects

4 How Active Directory Replication Works
Active Directory replication:
- Uses a multimaster model
- Uses pull replication
- Uses store and forward replication
- Uses loose consistency with convergence

Changes that initiate replication include:
- Addition of an object to Active Directory
- Modification of an object’s attribute values
- Deletion of an object from the directory

Discuss the replication model. It is important that students understand that changes can be made on any domain controller in the domain, except for RODCs, and that the changes are then replicated to all other domain controllers. Compare this to a single-master replication model, where changes can be made on one domain controller only. Ask students what benefits and disadvantages result from using a multimaster replication model. Stress that this model results in a much more complicated replication process than a single-master model, but provides more flexibility and resilience. Mention that although replication is always a pull from the destination domain controller, the domain controller where you make the changes to Active Directory notifies its replication partners that changes are available. Consider using a diagram to describe the replication model.

Question: If a single domain controller in a site fails, how will this affect AD DS administrators and users?
Answer: As long as at least one domain controller in the same domain as the failed server remains, the impact to administrators and users should be minimal. The most significant impact may be that it takes longer for users to log on because of server-performance issues. Because all domain controllers are essentially equal (other than the operations master roles), and replication uses a multimaster model, AD DS functionality should not be affected.

Reference: Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links; Replication Model Components e3ca3f60b mspx?mfr=true; How the Active Directory Replication Model Works e3ca3f60b mspx?mfr=true

5 How AD DS Replication Works Within a Site
In a single site:
- Domain controllers notify replication partners when updates are applied
- For normal updates, the change notification happens 15 seconds after the change is applied
- Notifications for security-related changes are sent immediately
- Replication updates are not compressed

Mention that the replication time settings are dependent on the forest functional level. If the forest is at the Windows 2000 Native functional level, replication partners are notified 300 seconds after the change is applied. Mention that in a single site, the replication topology is configured automatically and that administrators have very few options by which they can modify the replication topology. Mention that in a single site, the replication goal is to update all domain controllers as quickly as possible. The 15-second pause after an update is applied to AD DS makes replication more efficient if additional changes are made to the partition information during that pause, because they are sent together. Also, the replication traffic is not compressed, because it is assumed that all domain controllers in the same site are connected by a fast network connection with abundant available bandwidth.

Question: If you have three domain controllers in the same domain in the same site, and you create a new user on one of the domain controllers, how long will it take for that new user to appear on the other domain controllers?
Answer: It will take about 15 – 20 seconds.

Question: Under what circumstances would it be beneficial if the replication traffic was compressed?
Answer: When the replication traffic crosses a slow network connection. This is why you would create multiple sites.

Reference: Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links; How the Active Directory Replication Model Works e3ca3f60b mspx?mfr=true

6 Resolving Replication Conflicts
In a multimaster replication model, replication conflicts can arise when:
- The same attribute is changed on two domain controllers simultaneously
- An object is moved or added to a deleted container on another domain controller
- Two objects with the same relative distinguished name are added to the same container on two different domain controllers

To resolve replication conflicts, AD DS uses:
- Version number
- Time stamp
- Server GUID

Highlight that replication conflicts are not likely to be an issue in most organizations that have a managed change-control process for making AD DS changes. In most organizations, only one group is likely to make changes to the same objects in AD DS, and that group should have a communication process that ensures that conflicting changes do not happen. If students are interested in more detail on how replication conflicts are resolved in AD DS, draw a diagram of several domain controllers and show how attribute version numbers, time stamps, and server GUIDs always result in a conflict resolution. Use the resource listed below to research the details.

Reference: How the Active Directory Replication Model Works e3ca3f60b mspx?mfr=true

7 Optimizing Replication
In a multimaster replication model, AD DS updates can be replicated using multiple paths. AD DS uses update sequence numbers, high watermarks, and up-to-dateness vectors to ensure that updates are replicated to a specific domain controller only once.

Mention that all AD DS domain controllers in a site participate in replication. As soon as one domain controller receives an update, it tries to replicate that update to its replication partners. The replication partner may already have received the update from another domain controller, so AD DS must have a means to stop domain controllers from sending updates to replication partners that already have them. If students are interested in more detail on how propagation dampening works, draw a diagram of several domain controllers and show how update sequence numbers (USNs) and up-to-dateness vectors are used.

Question: Why is propagation dampening so important?
Answer: Without propagation dampening, the domain controllers could conceivably try to replicate updates to their replication partners continuously.

Reference: How the Active Directory Replication Model Works e3ca3f60b mspx?mfr=true
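Added example, not part of the course materials: a simplified Python simulation of the two preceding topics, conflict resolution by version number, time stamp and originating-DC GUID, and propagation dampening with USNs, high watermarks and up-to-dateness vectors. The DC invocation IDs, the object, the time stamps and the ring of replication partners are constructed, and the model ignores partitions, tombstones and change notification.

```python
from dataclasses import dataclass
from uuid import UUID

@dataclass(frozen=True)
class Stamp:
    """Compared to resolve a conflict: version, then originating time stamp,
    then originating DC GUID; the higher value wins at the first difference."""
    version: int
    timestamp: int          # originating write time (constructed, seconds)
    originating_dc: UUID    # invocation ID of the DC that made the write

    def key(self):
        return (self.version, self.timestamp, self.originating_dc.int)

@dataclass(frozen=True)
class Change:
    obj: str
    attr: str
    value: str
    stamp: Stamp
    originating_dc: UUID
    originating_usn: int    # USN the write had on the originating DC

class DomainController:
    def __init__(self, invocation_id):
        self.id = invocation_id
        self.usn = 0               # local update sequence number (USN)
        self.log = []              # (local USN, Change) in the order applied here
        self.data = {}             # (obj, attr) -> (value, Stamp)
        self.utd = {}              # up-to-dateness vector: origin DC -> highest origin USN seen
        self.high_watermark = {}   # partner DC -> last local USN pulled from it

    def write(self, obj, attr, value, now):
        """Originating write: next version, stamped with our GUID and USN."""
        old = self.data.get((obj, attr))
        version = old[1].version + 1 if old else 1
        self.usn += 1
        change = Change(obj, attr, value, Stamp(version, now, self.id), self.id, self.usn)
        self._apply(change)
        return change

    def _apply(self, change):
        key = (change.obj, change.attr)
        old = self.data.get(key)
        if old is None or change.stamp.key() > old[1].key():
            self.data[key] = (change.value, change.stamp)
        # A losing change still advances the vector: this DC has now seen it.
        origin = change.originating_dc
        self.utd[origin] = max(self.utd.get(origin, 0), change.originating_usn)
        self.log.append((self.usn, change))

    def pull_from(self, source):
        """Pull replication from one partner. The high watermark skips entries
        already fetched from this partner; the up-to-dateness vector then drops
        changes received via another path (propagation dampening)."""
        hwm = self.high_watermark.get(source.id, 0)
        applied = dampened = 0
        for local_usn, change in source.log:
            if local_usn <= hwm:
                continue
            hwm = local_usn
            if self.utd.get(change.originating_dc, 0) >= change.originating_usn:
                dampened += 1
                continue
            self.usn += 1
            self._apply(change)
            applied += 1
        self.high_watermark[source.id] = hwm
        return applied, dampened

def converge(pairs):
    """Run pull rounds over (destination, source) pairs until a round applies
    nothing. Returns the totals (applied, dampened) over all rounds."""
    applied = dampened = 0
    while True:
        round_applied = 0
        for dst, src in pairs:
            a, d = dst.pull_from(src)
            round_applied += a
            dampened += d
        applied += round_applied
        if round_applied == 0:
            return applied, dampened

def demo():
    """Constructed scenario: three DCs in a ring; the same attribute is changed
    on DC1 and DC2 in the same second, then DC1 makes a later write."""
    dc1, dc2, dc3 = (DomainController(UUID(int=i)) for i in (1, 2, 3))
    ring = [(dc2, dc1), (dc3, dc2), (dc1, dc3), (dc1, dc2), (dc2, dc3), (dc3, dc1)]
    title = lambda dc: dc.data[("cn=Alice", "title")][0]
    dc1.write("cn=Alice", "title", "Analyst", now=100)
    dc2.write("cn=Alice", "title", "Engineer", now=100)   # same version and time: a conflict
    conflict = converge(ring)                              # tie broken by the higher GUID, so DC2 wins
    conflict_titles = [title(dc) for dc in (dc1, dc2, dc3)]
    dc1.write("cn=Alice", "title", "Lead", now=200)        # version 2 beats every version 1 stamp
    update = converge(ring)
    return {"conflict": conflict, "conflict_titles": conflict_titles,
            "update": update, "titles": [title(dc) for dc in (dc1, dc2, dc3)]}
```

The dampened counts returned by `demo()` are the replication requests that the up-to-dateness vector answered without re-sending data, which is what keeps the ring from replicating the same change forever.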

8 What Are Directory Partitions?
The Active Directory database (an AD DS domain controller or an AD LDS instance) contains these directory partitions:
- Schema: definitions and rules for creating and manipulating objects and attributes; replicated throughout the forest
- Configuration: information about the Active Directory structure; replicated throughout the forest
- <Domain>: information about domain-specific objects; replicated within the domain
- <Application>: information about applications; configurable replication

Briefly describe the information that each of the directory partitions stores. Consider using ADSIEdit.msc to show each directory partition’s contents. Remind students that they have encountered application partitions already, in Module 2, when discussing Domain Name System (DNS) that is integrated with AD DS. By default, two application partitions for DNS zones are created in this case: ForestDNSZones and DomainDNSZones.

Question: Which application partitions are created by default in AD DS?
Answer: The DomainDNS and ForestDNS application partitions are created when you choose to install DNS on the first domain controller when installing AD DS.

Reference: How the Data Store Works (Directory Partition section) e3ca3f60b mspx?mfr=true; How the Active Directory Replication Model Works

9 [Diagram: trust relationships between Forest 1 (root), Forest 2, Domains A, B, C, D, E, F, P and Q, and a Kerberos realm. Trust types shown: Tree/Root Trust, Parent/Child Trust, Shortcut Trust, External Trust, Realm Trust]

10 An instance is a set of related directory partitions
In many cases, an instance can be a domain controller. In an Active Directory environment, each domain controller has three directory partitions.
- Configuration – The configuration partition stores configuration information related to the forest in which the domain controller exists. The configuration partition stores configuration objects related to things such as sites, services and directory partitions.
- Schema – This partition works like other database schemas. It defines the classes and attributes for every possible object in the entire Active Directory.
- Domain – This partition stores objects specific to the domain. These objects include things such as users, computers and groups.

11 What Is Replication Topology?
[Diagram: Domain A topology (domain controllers A1, A2, A3, A4) and Domain B topology (B1, B2, B3); domain controllers in the same domain, and domain controllers from various domains]

Replication topology is the route by which replication data travels throughout a network. The replication topology is created automatically based on site configurations.

Highlight that each domain has a unique replication topology for the domain partition. Because domain controllers only replicate the domain partition with the domain’s other domain controllers, you will have several replication topologies in a single site.

Reference: What Is Active Directory Replication Topology? e3ca3f60b mspx?mfr=true

12 How Directory Partitions and the Global Catalog Are Replicated
[Build slide: domain controllers A1, A2, A3, A4 and B1, B2, B3 from various domains, one of them a global catalog server; shows the Domain A topology, the Domain B topology, the schema and configuration topology, and global catalog replication]

Use the build slide to show how the replication topology works for each directory partition. Because the configuration and schema partitions are replicated throughout the forest, the replication topology crosses domain boundaries. The second part of the build slide describes the global catalog replication. Although the global catalog is not a directory partition, it uses the same replication process. In the slide’s example, domain controller B1 will generate the global catalog for its domain, and then replicate the information to A1 and A4.

Reference: What Is Active Directory Replication Topology?: e3ca3f60b mspx?mfr=true

13 How the Replication Topology Is Generated
Active Directory uses the KCC (Knowledge Consistency Checker) to establish a replication path between domain controllers:
- Each domain controller has two replication partners for each Active Directory partition
- The KCC creates two one-way connection objects between replication partners to ensure that no two domain controllers are ever more than three network hops away
- When a new domain controller is added to a site, the KCC recalculates connection objects
- Connection objects can replicate one or more partitions

Mention that the Knowledge Consistency Checker (KCC) on each domain controller recalculates the replication topology in a site every 15 minutes. Also mention that as you add domain controllers to a site, the KCC creates additional connection objects to ensure that no two domain controllers are ever more than three network hops away. Consider drawing a diagram to show that this occurs when you add a seventh domain controller to a site. Consider demonstrating a connection object. Highlight the partitions that are replicated for each connection object. Also show the reciprocal connection object.

Question: Your organization has three domain controllers in the same domain in a site, and five domain controllers from another domain in the same site. Four of the domain controllers -- two in each domain -- are configured as global catalog servers. What is the fewest number of connection objects that you could create in this scenario?
Answer: The answer is 20 connection objects, or 10 pairs of one-way connection objects. Within the domain with three domain controllers, six connection objects would be created to replicate domain information. These connection objects could also replicate the schema and configuration partitions. Within the domain with five domain controllers, 10 connection objects would be created to replicate domain information. These connection objects could also replicate the schema and configuration partitions. To ensure that each global catalog server has two replication partners, and that each global catalog server gets the partial replica from each domain, you would need an additional four connection objects (two pairs of one-way connection objects). These connection objects could also replicate the schema and configuration partitions between the two domains.

Reference: How the Active Directory Replication Model Works e3ca3f60b mspx?mfr=true

14 How the Replication Topology Is Generated
Active Directory uses the KCC (Knowledge Consistency Checker) to establish a replication path between domain controllers.

The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers. This article describes the role of one server per site, known as the Inter-Site Topology Generator, which is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located.

15 Demonstration: Creating and Configuring Connection Objects
In this demonstration, you will see how to create connection objects and configure existing connection objects.

To complete this demonstration, you must have the 6425A-NYC-DC1 and 6425A-NYC-DC2 virtual machines running.

Question: When would you configure connection objects manually?
Answer: You normally would not configure connection objects manually, because in most cases the replication topology that the KCC configures will be fine. The only time you need to configure a connection object manually is if you need to ensure that two specific domain controllers are replication partners.

16 Lesson 2: Overview of AD DS Sites and Replication
- What Are AD DS Sites and Site Links?
- Discussion: Why Implement Additional Sites?
- Demonstration: Configuring AD DS Sites
- How Replication Works Between Sites
- Comparing Replication Within Sites and Between Sites
- Demonstration: Configuring AD DS Site Links
- What Is the Inter-site Topology Generator?
- How Unidirectional Replication Works

17 Sites are used to organize well-connected computers within an organization to optimize network bandwidth. Excessive network traffic can occur between remote locations due to frequent exchange of large amounts of data and directory information.

18 What Are AD DS Sites and Site Links?
Sites:
- Identify network locations with fast, reliable network connections
- Are associated with subnet objects in Active Directory

[Diagram: two sites joined by a site link; domain controllers A1 and A2 in one site and B1, B2 and B3 in the other, each site containing IP subnets]

Mention that sites usually are associated with a single office location. Although you can create multiple sites in a location where all computers are connected by fast network connections, or you can create a site that includes multiple locations, in most cases the site boundaries are the office location boundaries. You can have multiple subnets associated with a single site. Describe site links as the connections between sites that define replication schedules. Mention that when you install AD DS, a default site named Default-First-Site-Name is created. All computers, including domain controllers, are added automatically to the default site until you create additional sites.

Reference: Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links

19 Use sites to optimize network bandwidth
- Workstation logon traffic.
- Replication traffic: When a change occurs in Active Directory, sites can be used to control how and when the change is replicated to domain controllers in another site.
- Distributed file system (Dfs) topology: When a shared file or folder has multiple locations, a user is directed to a server in his or her own site. Localizing the availability of servers in a site reduces traffic across slow links.
- File Replication service (FRS): FRS is used to replicate the contents of the SYSVOL directory, which includes logon and logoff scripts, Group Policy settings, and system policies.

20 Assess the need for sites
- Available bandwidth.
- Anticipated replication traffic.
- Placement of domain controllers.

21 Using Site Links in a Network

22 Factors Affecting Replication

24 Discussion: Why Implement Additional Sites?
Why would an organization choose to implement additional sites? What are the benefits and disadvantages of creating additional sites?

Question: Why would an organization choose to implement additional sites?
Answer:
- Replication. AD DS balances the need for up-to-date directory information with the need for bandwidth optimization by replicating information within a site whenever data is updated, and between sites according to a configurable schedule.
- Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first requests a domain controller in its local site for authentication. By establishing sites, you can ensure that clients use the domain controllers nearest to them for authentication, which reduces authentication latency and traffic on wide area network (WAN) connections.
- Service location. Other services, such as Certificate Services, Exchange Server, and Message Queuing, use AD DS to store objects that can use site and subnet information to enable clients to locate the nearest service providers more easily.

Question: What are the benefits and disadvantages of creating additional sites?
Answer: The primary benefit is that you can control network bandwidth related to AD DS replication and logon traffic. Exchange Server 2007 also uses AD DS sites to determine the message-routing topology within an AD DS forest. The primary disadvantages of creating additional sites are increased complexity and increased hardware costs. To take advantage of the site configuration, you must deploy at least one domain controller in each site, which will likely require additional hardware. Additionally, it can be more difficult to monitor and troubleshoot replication in an environment with multiple sites.

Reference: Active Directory Sites and Services Help: Understanding Sites, Subnets, and Site Links

25 Demonstration: Configuring AD DS Sites
In this demonstration, you will see how to:
- Create sites and subnets
- Move domain controllers to other sites

To complete this demonstration, you must have the 6425A-NYC-DC1, 6425A-NYC-DC2 and 6425A-NYC-RAS virtual machines running. NYC-RAS is configured with two network cards and has routing enabled. You will also need to modify the NYC-DC2 IP settings to use an address in the /16 range that corresponds with the second network card on NYC-RAS.

The following are high-level steps for configuring an AD DS site:
- In Active Directory Sites and Services, show a site’s default objects and configuration settings.
- Show how to create a subnet, and then create a new site linked to the subnet. When you create the site, show how the site must be linked to an existing site link.
- Move a domain controller from the default site to the new site.

Question: What would happen to the replication topology if you moved a domain controller from one site to another?
Answer: The replication topology would have to be recalculated. Because the KCC only runs every 15 minutes, it may take some time for the KCC to create the new connection objects.

Question: You move a domain controller to a new site by using Active Directory Sites and Services. Six hours later, you determine that the domain controller is not replicating with any other domain controller. What should you check?
Answer: AD DS replication is dependent on the IP network configuration and the availability of DNS records. You should make sure that the IP address assigned to the domain controller corresponds to the IP subnets configured for the new site. Also ensure that there is network connectivity between the new site and the existing sites. Finally, make sure that the DNS records for the domain controller that you moved have been updated in DNS.

Reference: Active Directory Sites and Services Help: Create a Site, Create a Subnet

26 How Replication Works Between Sites
You can configure:
- Replication paths between sites
- Replication schedules and frequency
- Replication protocols

[Diagram: two sites joined by a site link; domain controllers A1 and A2 in one site and B1, B2 and B3 in the other]

Start your presentation of this topic by summarizing the reasons why you would create an additional site. Then state that this topic describes the options that are available when configuring replication between sites. Mention that you will demonstrate how to configure site-link options later in this module.

27 Comparing Replication Within Sites and Between Sites
Replication within sites:
- Assumes fast and highly reliable network links
- Does not compress replication traffic
- Uses a change notification mechanism

Replication between sites:
- Assumes limited available bandwidth and unreliable network links
- Compresses all replication traffic between sites (10:1)
- Occurs on a manual schedule

[Diagram: domain controllers A1 and A2 on IP subnets in one site and B1 and B2 on IP subnets in another, with replication within each site and between the sites]

Mention that one of the important reasons for creating sites is to manage replication traffic across slow network connections. This is done by compressing all replication traffic between sites and enabling replication scheduling. Mention that urgent changes (such as password changes) are replicated between sites immediately and not based on the replication schedule.

Reference: Active Directory Sites and Services Help: Understanding Replication Between Sites; What Is Active Directory Replication Topology?: e3ca3f60b mspx?mfr=true

28 Demonstration: Configuring AD DS Site Links
In this demonstration, you will see how to:
- Configure the default site link
- Create additional site links
- Add sites to the site links

To complete this demonstration, you must have the 6425A-NYC-DC1, 6425A-NYC-DC2 and 6425A-NYC-RAS virtual machines running.

The following are high-level steps for configuring AD DS site links:
- Demonstrate the configuration of the default site link and discuss reasons for creating additional site links.
- Demonstrate how to create additional site links and how to add sites to the site links.
- Discuss the two inter-site transport options available and describe when you can use each. Stress that you cannot use Simple Mail Transfer Protocol (SMTP) replication to replicate the domain partition, only the configuration and schema partitions.

Question: If all of the locations in your organization are connected by a wide area network (WAN) that has the same available bandwidth, do you need to create additional site links?
Answer: You probably do not need to configure any additional site links in this scenario. If you want replication to function in the same way between all sites, you can modify the settings for the default site link.

Question: Your organization has two sites and a single domain. Can you use SMTP as the replication protocol between the two sites?
Answer: No, because you cannot use SMTP to replicate the domain partition.

Reference: Active Directory Sites and Services Help: Create a Site Link

29 What Is the Inter-site Topology Generator?
The inter-site topology generator defines the replication between sites on a network.

[Diagram: two sites, each with an inter-site topology generator and a bridgehead server; domain controllers A1 and A2 on IP subnets in one site and B1 and B2 in the other, with replication between the bridgehead servers]

Mention that the ISTG creates the replication topology between sites. The ISTG uses the KCC, but also adds an additional level of complexity to deal with multiple sites. The intersite topology generator is an Active Directory process that defines replication between sites on a network. A single domain controller in each site is designated automatically to be the intersite topology generator. Because this action is performed by the intersite topology generator, you are not required to take any action to determine the replication topology and bridgehead server roles.

The ISTG:
- Automatically selects one or more domain controllers to become bridgehead servers. This way, if a bridgehead server becomes unavailable, it automatically selects another bridgehead server, if possible.
- Runs the KCC to determine the replication topology and resultant connection objects that the bridgehead servers can use to communicate with other sites’ bridgehead servers.

Reference: How the Active Directory Replication Model Works e3ca3f60b mspx?mfr=true

30 How Unidirectional Replication Works
Unidirectional replication ensures that changes to a read-only domain controller are never replicated to any other domain controller.

Mention scenarios where changes may be made to a read-only domain controller (RODC). For example, if an attacker gains physical access to the domain controller, they may be able to make changes to the Active Directory database. However, with an RODC, these changes will not be replicated to any other domain controller. Mention that with an RODC a single connection object is created – only from the writeable domain controller to the RODC.

Reference: AD DS: Read-Only Domain Controllers: bfad mspx?mfr=true

31 Lesson 3: Configuring and Monitoring AD DS Replication
- What Is a Bridgehead Server?
- Demonstration: Configuring Bridgehead Servers
- Demonstration: Configuring Replication Availability and Scheduling
- What Is Site Link Bridging?
- Demonstration: Modifying Site Link Bridges
- What Is Universal Group Membership Caching?
- Demonstration: Configuring Universal Group Membership Caching
- Demonstration: Tools for Monitoring and Managing Replication

32 What Is a Bridgehead Server?
A bridgehead server:
- Sends and receives replicated data
- Is designated for each partition in the site

[Diagram: bridgehead servers A1 and B1 in two sites, each site containing IP subnets, with replication between the bridgehead servers]

The bridgehead server is a domain controller that you designate to send and receive replicated data at each site. The bridgehead server from the originating site collects all of the replication changes and sends them to the receiving site’s bridgehead server, which replicates the changes to all domain controllers in the site. Mention that the bridgehead server at each site is selected automatically and all domain controllers in the site are eligible to be bridgehead servers. However, if you have one or more domain controllers that you want to operate as bridgehead servers, you can specify a list of preferred bridgehead servers. To ensure efficient directory updates, a preferred bridgehead server must have the processing power and bandwidth to compress, send, receive, and decompress replication data efficiently. Active Directory uses only one bridgehead server at any time. If the first preferred server becomes unavailable, another one on the preferred list is used.

Reference: How the Active Directory Replication Model Works e3ca3f60b mspx?mfr=true

33 Demonstration: Configuring Bridgehead Servers
Demonstration: Configuring Bridgehead Servers

In this demonstration, you will see how to configure bridgehead servers.

To complete this demonstration, you must have the 6425A-NYC-DC1, 6425A-NYC-DC2, and 6425-NYC-RAS virtual machines running.

Demonstrate how to configure bridgehead servers. In this demonstration, use Active Directory Sites and Services to configure NYC-DC1 and NYC-DC2 as preferred bridgehead servers.

Question: Your organization has two sites and two domains in the same forest, with domain controllers for both domains in both sites. You configure one domain controller in each site as the preferred bridgehead server. Some time later, you notice that the domain controllers for one of the domains are not replicating across the site link. What do you need to do to fix this?

Answer: If you have only one domain controller in each site configured as a preferred bridgehead server, you do not have a preferred bridgehead server for each partition. Because replication for one of the domains is working, you must have configured both bridgehead servers from the same domain. To fix this, add a domain controller from the second domain as a preferred bridgehead server in each site.

Reference: Managing Intersite Replication
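The misconfiguration in the question above (preferred bridgeheads chosen from only one domain) is easy to audit automatically. The following script is an added example, not part of the course materials: it reads the Configuration partition with the ActiveDirectory module, lists the preferred bridgehead servers in each site (the server objects whose bridgeheadTransportList names the IP transport) and compares the domain partitions they host, taken from msDS-HasDomainNCs on their NTDS Settings objects, with the domain partitions actually present in the site. A site with no preferred bridgeheads is not flagged, because the KCC then chooses freely.

```powershell
# Added example (not from the course): audit preferred bridgehead coverage per
# domain partition in every site. Requires the RSAT ActiveDirectory module and
# read access to the Configuration naming context.
Import-Module ActiveDirectory

function Get-PreferredBridgeheadCoverage {
    [CmdletBinding()]
    param(
        # Inter-site transport to inspect; the course only discusses IP.
        [string]$Transport = 'IP'
    )
    $configNc    = (Get-ADRootDSE).configurationNamingContext
    $sitesBase   = "CN=Sites,$configNc"
    $transportDn = "CN=$Transport,CN=Inter-Site Transports,$sitesBase"

    foreach ($site in Get-ADObject -SearchBase $sitesBase -SearchScope OneLevel -LDAPFilter '(objectClass=site)') {
        $serversBase = "CN=Servers,$($site.DistinguishedName)"

        # Every NTDS Settings object in the site tells us which domain partition its DC hosts.
        $allDsa  = Get-ADObject -SearchBase $serversBase -LDAPFilter '(objectClass=nTDSDSA)' -Properties 'msDS-HasDomainNCs'
        $present = @($allDsa | ForEach-Object { $_.'msDS-HasDomainNCs' } | Sort-Object -Unique)

        # Server objects marked as preferred bridgeheads carry the transport DN in bridgeheadTransportList;
        # this is the attribute the Sites and Services GUI sets.
        $preferred = @(Get-ADObject -SearchBase $serversBase -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=server)(bridgeheadTransportList=$transportDn))")

        # Domain partitions that at least one preferred bridgehead in this site can replicate.
        $covered = @(foreach ($srv in $preferred) {
            Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                -LDAPFilter '(objectClass=nTDSDSA)' -Properties 'msDS-HasDomainNCs' |
                ForEach-Object { $_.'msDS-HasDomainNCs' }
        })

        # Only a site that restricts the KCC to a preferred list can be under-covered.
        $uncovered = if ($preferred.Count -gt 0) { @($present | Where-Object { $_ -notin $covered }) } else { @() }

        [pscustomobject]@{
            Site                 = $site.Name
            PreferredBridgeheads = ($preferred | ForEach-Object { $_.Name }) -join ', '
            DomainsInSite        = $present -join '; '
            UncoveredDomains     = $uncovered -join '; '
        }
    }
}

Get-PreferredBridgeheadCoverage | Format-List
```

Any row with a non-empty UncoveredDomains value is the scenario from the question: that domain's changes cannot leave the site until a domain controller from it is added to the preferred list. In the GUI this is the server's Properties dialog; the same change can be made with Set-ADObject -Identity <server DN> -Add @{bridgeheadTransportList = <IP transport DN>}.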

34 Demonstration: Configuring Replication Availability and Frequency
Demonstration: Configuring Replication Availability and Frequency

In this demonstration, you will see how to configure the site link object to manage replication between sites.

To complete this demonstration, you must have the 6425A-NYC-DC1, 6425A-NYC-DC2, and 6425-NYC-RAS virtual machines running.

In Active Directory Sites and Services, modify the configuration of a site link object. Discuss the differences between schedule or availability and frequency. Demonstrate how to configure each setting.

Questions

1. You configure site links between the New York and Toronto sites, and between the New York and London sites. The New York-Toronto site link is available from 2 a.m. to 5 a.m. EST. The New York-London site link is available from 8 p.m. to 11 p.m. EST. You create a new user in Toronto. When will the new user appear in AD DS on a London domain controller?

Answer: The earliest that the new user would appear on the London domain controller is at 8 p.m. EST the day after you create the user.

2. Your organization has four sites. All of your sites are included in the DefaultIPSiteLink. You would like to modify the replication schedule for all of the sites so that replication between sites happens every 15 minutes. What should you do?

Answer: The easiest way to do this is to change the replication frequency on the DefaultIPSiteLink. You only need to create a new site link if you need to have different replication schedules between sites.

Reference: Active Directory Sites and Services Help: Configure Intersite Replication
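The first question is a chained-availability calculation: a change can only cross each link while that link's schedule is open, so the windows compound. The function below is an added example, not from the course, that models each link as a daily window on a 24-hour clock and walks a change through the chain; it ignores the replication frequency within a window (and windows that cross midnight), so the result is the earliest possible arrival, and the site names and creation time are constructed to match the slide's scenario.

```powershell
# Added example (not from the course): earliest arrival of a change through a
# chain of site links with daily availability windows. Frequency inside a window
# is ignored, so this is a lower bound. All times are in one zone (EST on the slide).
function Get-EarliestArrival {
    param(
        [Parameter(Mandatory)] [datetime]$ChangeTime,
        # Ordered hops from the originating site to the destination. Each hop is a hashtable
        # with Name, OpenHour and CloseHour; the window is [OpenHour, CloseHour) every day.
        [Parameter(Mandatory)] [hashtable[]]$Links
    )
    $t = $ChangeTime
    foreach ($link in $Links) {
        $open  = $t.Date.AddHours($link.OpenHour)
        $close = $t.Date.AddHours($link.CloseHour)
        if ($t -ge $close) {
            # Today's window has already closed: the change waits for tomorrow's opening.
            $t = $open.AddDays(1)
        } elseif ($t -lt $open) {
            # Window not yet open today: wait until it opens.
            $t = $open
        }
        # Otherwise the window is open now and the change crosses immediately.
        Write-Verbose ("{0}: crosses at {1:ddd yyyy-MM-dd HH:mm}" -f $link.Name, $t)
    }
    return $t
}

# Constructed scenario from the slide: Toronto -> New York open 02:00-05:00,
# New York -> London open 20:00-23:00; user created Monday 09:30.
$links = @(
    @{ Name = 'Toronto-NewYork'; OpenHour = 2;  CloseHour = 5  },
    @{ Name = 'NewYork-London';  OpenHour = 20; CloseHour = 23 }
)
Get-EarliestArrival -ChangeTime (Get-Date '2024-03-04 09:30') -Links $links -Verbose
# Result: Tuesday 2024-03-05 20:00, i.e. 8 p.m. the following day
```

Changing the creation time shows why the answer says "the earliest": a user created at 1 a.m. would catch the same day's 2 a.m. Toronto window and reach London at 8 p.m. that evening, while anything created after 5 a.m. slips a full day.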

35 What Is Site Link Bridging?
What Is Site Link Bridging?

[Diagram: Site A (domain controllers A1, A2), Site B (B1, B2, B3) and Site C (C1, C2); Site Link AB and Site Link BC are joined in a Site Link Bridge]

To describe site link bridging, mention that by default, site links are transitive or "bridged." For example, if site A has a common site link with site B, site B also has a common site link with site C, and the two site links are bridged, then domain controllers in site A can replicate directly with domain controllers in site C, even though there is no site link between sites A and C. In other words, the effect of bridged site links is that replication between sites in the bridge is transitive.

If the routing configuration for an organization is such that all domain controllers in all sites can directly communicate with domain controllers in other sites, you do not need to change the default configuration. However, you can modify the replication topology and force additional hops in the replication process by disabling site link bridging for all site links and creating new site link bridges.

Reference: How the Active Directory Replication Model Works

36 Demonstration: Modifying Site Link Bridges
Demonstration: Modifying Site Link Bridges

In this demonstration, you will see how to:
- Disable site link bridging
- Create a new site link bridge

To complete this demonstration, you must have the 6425A-NYC-DC1, 6425A-NYC-DC2, and 6425-NYC-RAS virtual machines running.

Demonstrate how to disable site link bridging and how to create a new site link bridge.

Question: Your organization has five sites. Four of the sites are connected by WAN links with surplus network bandwidth, while one of the sites is connected to the other sites by a WAN link with very little available bandwidth. You disable site link bridging in your organization, and then realize that it is taking much longer than usual to replicate AD DS changes between sites. What should you do to optimize replication between the four sites with available bandwidth, while minimizing the network utilization to the site with less available bandwidth?

Answer: You can create a site link bridge that includes the site connections between the four sites. By doing this, the site links become transitive, which will allow domain controllers from each site to replicate directly to domain controllers in each of the other sites.

Reference: Managing Intersite Replication
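The two steps of this demonstration can also be scripted. The example below is added here and is not part of the course: clearing "Bridge all site links" in the GUI sets bit 0x2 (bridges required) in the options attribute of the IP transport object, and New-ADReplicationSiteLinkBridge creates the explicit bridge. The site link and bridge names are constructed placeholders; the slow site's link is deliberately left out of the bridge, as the answer above recommends.

```powershell
# Added example (not from the course): disable automatic site link bridging for
# the IP transport and create an explicit bridge over the well-connected links.
# Needs the RSAT ActiveDirectory module and rights on the Configuration partition.
Import-Module ActiveDirectory

$configNc    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"

function Set-SiteLinkBridgingEnabled {
    param([Parameter(Mandatory)] [bool]$Enabled)
    # options bit 0x2 = "bridges required"; set means "Bridge all site links" is OFF.
    $current = [int](Get-ADObject -Identity $ipTransport -Properties options).options
    $new = if ($Enabled) { $current -band (-bnot 2) } else { $current -bor 2 }
    Set-ADObject -Identity $ipTransport -Replace @{ options = $new }
}

function Test-SiteLinkBridgingEnabled {
    $opts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
    return (($opts -band 2) -eq 0)
}

# 1. Stop the KCC from treating every site link as transitive.
Set-SiteLinkBridgingEnabled -Enabled $false

# 2. Re-create transitivity only among the four well-connected sites
#    (constructed link names; the low-bandwidth site's link is omitted on purpose).
New-ADReplicationSiteLinkBridge -Name 'CoreSitesBridge' `
    -SiteLinksIncluded 'NewYork-London', 'NewYork-Toronto', 'London-Paris'

# 3. Verify the result.
Test-SiteLinkBridgingEnabled          # False once bridging is disabled
Get-ADReplicationSiteLinkBridge -Identity 'CoreSitesBridge' -Properties SiteLinksIncluded |
    Select-Object Name, SiteLinksIncluded
```

After the change the KCC rebuilds inter-site connection objects on its next run; forcing it with repadmin /kcc on the ISTG makes the new topology visible immediately rather than at the next scheduled interval.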

37 What Is Universal Group Membership Caching?
What Is Universal Group Membership Caching?

Enables domain controllers in a site with no global catalog servers to cache universal group membership.

[Diagram: two sites joined by their bridgehead servers; site A contains a global catalog server and domain controllers A1 and A2, site B contains domain controller B1 with no global catalog]

Universal group membership caching makes it possible to log on to a Windows Server 2008 network without contacting a global catalog (GC). Universal group membership is cached on non-GC domain controllers once this option is enabled and a user attempts to log on for the first time. Once this information is obtained from a GC, it is cached on the domain controller for the site indefinitely and is updated periodically (by default every eight hours). Enabling this feature results in faster logon times for users in remote sites, as the authenticating domain controllers do not have to access a GC. Organizations may choose to use universal group-membership caching for a site where they do not want to deploy a global catalog server.

Reference: Planning Global Catalog Server Placement
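Because the feature is a per-site setting that only matters where no global catalog exists, it is worth auditing which sites fall into that category. The script below is an added example, not course material: it groups every domain controller in the forest by site, keeps the sites that have domain controllers but no GC, and reports whether universal group membership caching is enabled there and which site it refreshes from. The site names in the usage line are constructed placeholders.

```powershell
# Added example (not from the course): list sites that have domain controllers
# but no global catalog, show their universal group membership caching state,
# and enable caching with a chosen refresh site. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UgmcCandidateSite {
    # Domain controllers from every domain in the forest, grouped by the site they sit in.
    $dcs = Get-ADForest | Select-Object -ExpandProperty Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

    foreach ($group in ($dcs | Group-Object -Property Site)) {
        $gcCount = @($group.Group | Where-Object { $_.IsGlobalCatalog }).Count
        if ($gcCount -gt 0) { continue }   # a site with a GC does not need caching

        $site = Get-ADReplicationSite -Identity $group.Name `
            -Properties UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite

        [pscustomobject]@{
            Site              = $group.Name
            DomainControllers = ($group.Group | ForEach-Object { $_.HostName }) -join ', '
            UgmcEnabled       = [bool]$site.UniversalGroupCachingEnabled
            RefreshSite       = $site.UniversalGroupCachingRefreshSite
        }
    }
}

function Enable-Ugmc {
    param(
        [Parameter(Mandatory)] [string]$SiteName,
        # Site whose GC the cache is refreshed from; omit to let the DC pick the nearest GC.
        [string]$RefreshSite
    )
    $params = @{ Identity = $SiteName; UniversalGroupCachingEnabled = $true }
    if ($RefreshSite) { $params['UniversalGroupCachingRefreshSite'] = $RefreshSite }
    Set-ADReplicationSite @params
}

Get-UgmcCandidateSite | Format-Table -AutoSize
# Enable caching for a branch site (constructed names):
# Enable-Ugmc -SiteName 'Miami-Site' -RefreshSite 'NewYork-Site'
```

A row with UgmcEnabled equal to False is a site whose logons depend on reaching a GC across the WAN; whether to enable caching there or to place a GC instead is the placement decision the reference above covers.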

38 Demonstration: Configuring Universal Group Membership Caching
Demonstration: Configuring Universal Group Membership Caching

In this demonstration, you will see how to:
- Configure universal group membership caching for a site
- Configure the source for caching

To complete this demonstration, you must have the 6425A-NYC-DC1, 6425A-NYC-DC2, and 6425-NYC-RAS virtual machines running.

Demonstrate how to configure universal group-membership caching for a site and configure the caching source:

1. Start by opening Active Directory Sites and Services and forcing the KCC to recalculate the replication topology.
2. Locate a connection object and force replication on the connection object.
3. Open a command prompt, type NLTest /dclist:woodgrovebank.com and press ENTER. This command returns a list of all of the domain controllers in the WoodgroveBank.com domain.
4. At the command prompt, type nltest.exe /server:NYC-DC2 /sc_query:WoodgroveBank and press ENTER. This command verifies that the domain controller has a valid trust with the domain.
5. At the command prompt, type DCdiag and press ENTER. This command verifies that the current domain controller is healthy and functioning properly.
6. At the command prompt, type DCDiag /test:replications and press ENTER. This command tests for replication errors between domain controllers.
7. At the command prompt, type repadmin /showrepl nyc-dc1.woodgrovebank.com and press ENTER. This command shows the replication partners for NYC-DC1 and any replication failures.
8. At the command prompt, type repadmin /replicate NYC-DC1.woodgrovebank.com NYC-DC2.woodgrovebank.com dc=woodgrovebank,dc=com and press ENTER. This command forces replication between the two domain controllers.

Questions

1. Under what circumstance might you want to know which domain controller is a site's ISTG?

Answer: If you have made a change, such as adding a new site or adding a new domain controller to AD DS, and those changes are not replicating to other sites, you should verify that the ISTG is functional.

2. What information is available in the command-line tools that is not available through the GUI tools?

Answer: The command-line tools provide much more detailed information about the replication status. For example, with Active Directory Sites and Services, you may be able to detect that replication is failing when you force an update. However, with Repadmin, you can determine when the last successful replication occurred and get more details on why the replication may be failing.

Reference: Cache universal group memberships

39 Demonstration: Tools for Monitoring and Managing Replication
Demonstration: Tools for Monitoring and Managing Replication

In this demonstration you will see how to:
- Identify the domain controller holding the ISTG role
- Force the KCC to run, and how to force replication
- Use Repadmin, NLTest, and DCDiag

To complete this demonstration, you must have the 6425A-NYC-DC1, 6425A-NYC-DC2, and 6425-NYC-RAS virtual machines running.

Demonstrate how to identify the domain controller holding the ISTG role. Demonstrate how to force the KCC to run and how to force replication. Show how to use Repadmin, NLTest, and DCDiag. Provide details on the settings available in Repadmin.
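The steps in the two demonstrations above (identify the ISTG, force the KCC, read repadmin output for failures) are the routine a practitioner ends up repeating, so they are worth scripting. The following is an added example, not from the course: it finds each site's ISTG from the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object, runs repadmin in CSV mode so the "Number of Failures" and "Last Failure Status" columns can be filtered instead of read by eye, and cross-checks with Get-ADReplicationFailure. Nothing in it is specific to the lab forest; run it on any domain controller or RSAT workstation with the ActiveDirectory module.

```powershell
# Added example (not from the course): locate ISTGs and surface replication
# failures from repadmin /showrepl /csv and Get-ADReplicationFailure.
Import-Module ActiveDirectory

function Get-SiteIstg {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    # Each site's "NTDS Site Settings" object names the ISTG's NTDS Settings object.
    Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=nTDSSiteSettings)' `
        -Properties interSiteTopologyGenerator |
    ForEach-Object {
        $istgDn = $_.interSiteTopologyGenerator
        # The parent of "CN=NTDS Settings,..." is the server object, whose name is the DC name.
        $istg = if ($istgDn) { (Get-ADObject -Identity ($istgDn -replace '^CN=NTDS Settings,', '')).Name } else { $null }
        [pscustomobject]@{
            Site = (($_.DistinguishedName -split ',')[1]) -replace '^CN=', ''
            ISTG = $istg
        }
    }
}

function Get-ReplicationFailureReport {
    param([string]$DsaList = '*')   # '*' = every DC, or a single DC name
    # repadmin /showrepl /csv emits one row per inbound replication link with a header row.
    $rows = repadmin /showrepl $DsaList /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Time', 'Last Failure Status'
}

function Invoke-KccAndSync {
    param([Parameter(Mandatory)] [string]$DomainController)
    # Recalculate topology on the given DC, then pull from all its partners.
    repadmin /kcc $DomainController | Out-Null
    repadmin /syncall $DomainController /AdeP
}

Get-SiteIstg | Format-Table -AutoSize
Get-ReplicationFailureReport | Format-Table -AutoSize

# Same data without text parsing, for the whole forest:
Get-ADReplicationFailure -Scope Forest -Target (Get-ADForest).Name |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

# Only errors, for a quick health check (dcdiag /q suppresses passing tests):
dcdiag /test:replications /q
```

An empty failure report with a populated ISTG column is the healthy state. A site whose ISTG column is blank or names a decommissioned server is the situation the first question above describes: the KCC will not generate inter-site connection objects for that site until another domain controller takes over the role.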

40 Lab: Configuring Active Directory Sites and Replication
Lab: Configuring Active Directory Sites and Replication

Exercise 1: Configuring AD DS Sites and Subnets
Exercise 2: Configuring AD DS Replication
Exercise 3: Monitoring AD DS Replication

In this lab, students will configure Active Directory sites and replication.

Lab: Configuring Active Directory Sites and Replication (60 minutes)

Lab Goal: Implement and configure Active Directory sites and replication.

Objectives covered in the Lab:
- Create AD DS sites
- Configure AD DS replication
- Monitor AD DS replication

Scenario: Woodgrove Bank has multiple offices throughout the world. To optimize client-logon traffic and manage AD DS replication, the enterprise administrator has created a new design for configuring AD DS sites and for configuring replication between the sites. You need to create AD DS sites based on the enterprise administrator's design and configure replication based on the design. You also need to monitor site replication and ensure that all components required for replication are functional.

This lab will consist of three exercises.

Exercise 1: Configuring AD DS Sites and Subnets. The student will modify the existing site configuration based on the enterprise administrator's design. The tasks include creating new subnets and sites, removing sites, creating site links, and moving servers into the appropriate sites.

Exercise 2: Configuring AD DS Replication. The student will configure AD DS replication between sites. The tasks include modifying the default configuration for the site links, configuring bridgehead servers, and configuring connection objects.

Exercise 3: Monitoring AD DS Replication. The student will monitor AD DS replication between sites. The students will use DCDiag and NLTest to check for server availability, use Repadmin to configure AD DS objects, and use Replmon to monitor the replication between sites.

Inputs: AD DS sites and replication design that the Enterprise Administrator provides.
Outputs: AD DS site and replication topology that matches the design.

Logon information
Virtual machines: NYC-DC1, LON-DC1, MIA-RODC, NYC-RAS
User name: Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes

41 Module 4: Configuring Active Directory Sites and Replication
Lab Review

1. What additional changes would you need to make to the AD DS site configuration if you needed to ensure that all replication traffic in the New-York site passed through NYC-DC2?

Answer: You would have to configure NYC-DC2 as the preferred bridgehead server for the NewYork-Site.

2. What additional changes would you need to make if you implemented another wide area network (WAN) connection between Tokyo and London, and wanted to use that WAN connection for AD DS replication instead of routing all replication changes through NewYork-Site?

Answer: You could create an additional site connector from the London-Site to the Tokyo-Site, and ensure that it has a lower cost than the total cost of the site connectors to New York.

3. Why did you force the domain controllers in the lab to update their IP addresses in DNS?

Answer: If the IP addresses are not updated in DNS, the domain controllers will not be able to locate each other to initiate AD DS replication.

42 Module Review and Takeaways
Module Review and Takeaways

- Review questions
- Considerations for configuring AD DS sites and replication
- Tools

Module key points:
- In an organization with a single site, you can almost always accept the default replication configuration.
- In an organization with multiple sites, you must plan the site design to optimize WAN utilization by minimizing Active Directory replication and client-logon traffic.
- The site configuration and domain controller locations within sites can be modified after deployment.

Review questions

Question: How can you minimize the chances of creating a replication conflict in your organization?

Answer: Implement a consistent change-control process so that a limited number of administrators ever make changes to AD DS, and ensure that all changes are approved.

Question: You have deployed nine domain controllers in the same domain. Five of these domain controllers are in one site, while four are in a different site. You have not modified the default replication frequency for intra-site and inter-site replication. You create a user account on one domain controller. What is the maximum amount of time it will take for that user account to be replicated to all of the domain's controllers?

Answer: It will take up to 180 minutes. Intra-site replication in the site will update the domain controllers, including the bridgehead server, within about a minute of creating the user account. The default frequency for inter-site replication is 180 minutes, so it could take up to that time to replicate the user account to the bridgehead server in the second site. Then intra-site replication will update all the domain controllers in the second site within about a minute.

Question: You add a new domain controller to an existing domain in your forest. Which AD DS partitions will be modified as a result?

Answer: It is likely that all of the partitions, except the schema partition, will be modified. The new domain controller is added to the domain partition as well as the configuration partition to ensure that AD DS replication is configured correctly. If you are using AD DS-integrated DNS, the domain controller records also will be updated in the DNS application partitions.

Question: Your organization has one domain with three sites, a head-office site and two branch-office sites. Domain controllers in the branch-office sites can communicate with domain controllers at the head office, but cannot communicate directly with domain controllers in the other branch office due to firewall restrictions. How can you configure the site-link architecture in AD DS to integrate the firewall and ensure that the KCC will not create a connection between the branch office sites automatically?

Answer: Create a separate site link between each branch office and the head office. Then turn off site link bridging.

Question: Your organization has a head office and 20 branch offices. Each office is configured as a separate site. You have three domain controllers deployed at the head office. One of the domain controllers at the head office has a faster processor and more memory than the other two. You want to ensure that the AD DS replication workload is assigned to the more powerful computer. What should you do?

Answer: Move the more powerful domain controller to the top of the preferred bridgehead server list on the domain controller that holds the role of intersite topology generator.

Question: There are three sites in your organization: Portland, Seattle, and Vancouver. Portland is connected to Seattle, which is connected to Vancouver. Separate sites and site connectors are configured for each site. The sites are connected by slow network connections. When a user account is created in the Portland site, it can take more than a day before this user can log on successfully from the Vancouver site. What is the possible cause of this problem?

Answer: The most likely cause for this problem is the availability of the site links. If there is no overlap in the availability, it can take more than a day for the information to replicate between sites.

43 Module 4: Configuring Active Directory Sites and Replication
Beta Feedback Tool

Beta feedback tool helps:
- Collect student roster information, module feedback, and course evaluations.
- Identify and sort the changes that students request, thereby facilitating a quick team triage.
- Save data to a database in SQL Server that you can later query.

Walkthrough of the tool

44 Module 4: Configuring Active Directory Sites and Replication
Beta Feedback

Overall flow of module:
- Which topics did you think flowed smoothly, from topic to topic?
- Was something taught out of order?

Pacing:
- Were you able to keep up? Are there any places where the pace felt too slow?
- Were you able to process what the instructor said before moving on to the next topic?
- Did you have ample time to reflect on what you learned?
- Did you have time to formulate and ask questions?

Learner activities:
- Which demos helped you learn the most? Why do you think that is?
- Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
- Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?

