Working with Active Directory Sites Lesson 3. Logical Versus Physical Structure Logical Forest Trees Domains OUs Leaf objects Physical IP Subnets/Sites.

Presentation transcript:

Working with Active Directory Sites Lesson 3

Logical Versus Physical Structure Logical Forest Trees Domains OUs Leaf objects Physical IP Subnets/Sites Domain Controllers

Active Directory Sites Sites are defined by IP subnets that are well-connected, which means that the network infrastructure between them is fast and reliable. – In most cases, an Active Directory site maps to a single LAN. Multiple sites are joined together by site links. Domain controllers replicate with each other using intrasite or intersite replication. Clients use DNS to locate the closest available DC. Active Directory sites are independent of the logical structure of Active Directory.

Default-First-Site-Name The forest root domain controller's server object is placed within the Servers folder of this site. The site can be renamed to more accurately reflect a physical location.

Active Directory Replication The process of duplicating Active Directory information between domain controllers for the purposes of fault tolerance and redundancy. Based on a multimaster replication model, in which the domain controllers from each domain participate in the replication process for that domain. – They also replicate forest-wide schema and configuration information. Administrators can control replication traffic by configuring Active Directory sites.

Active Directory Replication Domain controllers that reside within the same site participate in intrasite replication. – Transmit changes to the Active Directory database almost as soon as they occur. Domain controllers located in different sites will participate in intersite replication. – Occurs on a scheduled basis (every 15 minutes by default). – Intersite replication traffic is also compressed by default to decrease the use of network bandwidth. – Intersite replication’s goal is to minimize bandwidth usage.

Active Directory Replication Remember: – Intra means internal, such as an intranet (your own network). – Inter means external, such as the Internet (a conglomeration of networks).

Active Directory Replication

Understanding the Replication Process Replication within Active Directory will occur when one of the following conditions is met: – An object is added or removed from Active Directory. – The value of an attribute has changed. – The name of an object has changed.

Understanding the Replication Process To track changes from different sources and determine which objects need to be replicated from one domain controller to another, each domain controller uses the following: – An update sequence number (USN) that keeps track of changes made at each DC and thus of which updates still need to be replicated to other domain controllers. – A version ID on each Active Directory attribute that tracks how many times that attribute has been changed. – A timestamp recording when the modification took place.

Understanding the Replication Process When replicating information between sites, Active Directory will designate a bridgehead server in each site to act as a gatekeeper in managing site-to-site replication. – Allows intersite replication to update only one domain controller within a site (usually over a slower WAN link). – After a bridgehead server is updated, it updates the remainder of its domain controller partners with the newly replicated information. – Active Directory convergence describes the amount of time that it takes for this process to take place so that all domain controllers in the environment contain the most up-to-date information.

Active Directory Replication

Knowledge Consistency Checker (KCC) Each domain controller uses an internal process called the Knowledge Consistency Checker (KCC) to map the logical network topology between the domain controllers. For each domain controller in the site, the KCC will select one or more replication partners for that domain controller and will create connection objects between the domain controller and its new replication partners. – Each connection object is a one-way connection.

Knowledge Consistency Checker (KCC) The KCC creates a dual counter-rotating ring as the replication path. Additional connection objects are created to ensure the “Rule of Three” (no more than three hops between any two domain controllers in the site). Intrasite replication traffic is not compressed. Domain controllers use change notification to inform one another that replication is needed. Urgent replication is placed ahead of other changes.

Viewing Active Directory Connection Objects

Configuring Intersite Replication A DC in each site runs the Intersite Topology Generator (ISTG), which selects the bridgehead server and maps the topology to be used for replication. Site link characteristics: – Site links connect two sites that communicate using the same protocol. – Site link objects are defined manually. – Site link objects correspond to the WAN links connecting the sites. – The ISTG uses site links to create an intersite replication topology.

Configuring Intersite Replication Cost – Allows the administrator to define the path that replication will take. – If more than one path can be used to replicate information, cost assignments determine which path is chosen first. – A lower-numbered cost value is chosen over a higher-numbered cost value. – Cost values range from 1 to 99,999. – Values are chosen by the Active Directory administrator and are meaningful only relative to one another.

Configuring Intersite Replication Schedule – The schedule of the site link object determines when the link is available to replicate information. – By default, newly created site link objects are available for replication 24/7.

Configuring Intersite Replication Frequency – A site link’s frequency determines how often information will be replicated over a particular site link. – Keep in mind that replication will take place only during scheduled hours. – The default replication frequency for a new site link is 180 minutes, but it can be configured to take place as frequently as every 15 minutes and as infrequently as once per week.
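The site, subnet and site link configuration described above, as an added PowerShell example that is not part of the original slides. It uses the ActiveDirectory module; the site names, subnets, link name and the 20:00–23:45 window are assumptions.

```powershell
# Added example (not from the slides): build the site topology described above
# with the ActiveDirectory PowerShell module. Site, subnet and link names are
# assumptions; run from a DC or an RSAT host with Enterprise Admins rights.
Import-Module ActiveDirectory

# Rename the default site so it reflects a physical location, then add a second
# site and the well-connected IP subnets that tell clients which site they are in.
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName 'HQ'
New-ADReplicationSite -Name 'Branch'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'HQ'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch'

# Schedule: the link is available only 20:00-23:45 every day, so WAN replication
# happens outside business hours. A new link would otherwise be available 24/7.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule([System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)

# Cost 50 is preferred over the default 100 if another path to Branch ever exists;
# 15 minutes is the minimum interval (default 180) and applies only inside the window.
New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ', 'Branch' `
    -InterSiteTransportProtocol IP -Cost 50 -ReplicationFrequencyInMinutes 15 `
    -ReplicationSchedule $schedule

# Read the link back to confirm cost, interval and member sites.
Get-ADReplicationSiteLink -Identity 'HQ-Branch' -Properties Cost, ReplicationFrequencyInMinutes |
    Format-List Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```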

Replication Protocol For both intrasite and intersite replication, Active Directory uses Remote Procedure Calls over Internet Protocol (RPC over IP) by default for all replication traffic. – RPC is commonly used to communicate with network services on various computers, whereas IP is responsible for the addressing and routing of the data. – RPC over IP replication keeps data secure while in transit by using both authentication and encryption.

Replication Protocol Simple Mail Transfer Protocol (SMTP) is an alternative solution for intersite replication when a direct or reliable IP connection is not available. – Uses asynchronous replication, meaning that each replication transaction does not need to complete before another can start, because the transaction can be stored until the destination server is available. – SMTP cannot replicate domain directory partitions. – Requires an enterprise certification authority (CA) that is fully integrated with Active Directory.

Replication Protocol Unlike RPC over IP, SMTP does not adhere to schedules and should be used only when replicating between different domains over an extremely slow or unreliable WAN link.

Summary of Replication Methods

Bridgehead Server The ISTG automatically assigns one server in each site as the bridgehead server. Preferred bridgehead servers, if configured, override the ISTG's default selection. Bridgehead servers require more processing power. Configure multiple bridgehead servers when multiple partitions must be replicated. Configuring multiple bridgehead servers is recommended.

Forcing Manual Replication In Active Directory Sites and Services, expand Sites, followed by the site that contains the connection for which you wish to force replication. Locate the server in the Servers container that provides the connection object. Click NTDS Settings in the console tree. In the details pane, right-click the connection for which you want replication to occur and select Replicate Now.

Monitoring Replication Dcdiag Repadmin

Dcdiag A command-line tool used for monitoring Active Directory. – Perform connectivity and replication tests, reporting errors that occur. – Report DNS registration problems. – Analyze the permissions required for replication. – Analyze the state of domain controllers within the forest.

Repadmin A command-line tool used for the following: – To view the replication topology from the perspective of each domain controller. – To manually create a replication topology if site link bridging is disabled. – To force replication between domain controllers when you need updates to occur immediately. – To view the replication metadata, which is the combination of the actual data and the up-to-date vector or USN information.
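A replication health check in the spirit of the dcdiag and repadmin slides above, as an added PowerShell example that is not part of the original slides. It uses the ActiveDirectory module's replication cmdlets alongside the two tools; the 3-hour staleness threshold (one default 180-minute site link interval) is an assumption.

```powershell
# Added example (not from the slides): flag inbound replication partners that are
# failing or stale, forest-wide. The threshold is an assumption: one default
# 180-minute site link interval, so a healthy intersite partner is never "stale".
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([int]$StaleHours = 3)
    $cutoff = (Get-Date).AddHours(-$StaleHours)
    # One row per inbound connection object, per naming context, on every DC.
    Get-ADReplicationPartnerMetadata -Target * -Scope Forest -ErrorAction SilentlyContinue |
        ForEach-Object {
            $failing = $_.ConsecutiveReplicationFailures -gt 0
            $stale   = $_.LastReplicationSuccess -lt $cutoff
            [pscustomobject]@{
                Destination = $_.Server
                Source      = $_.Partner            # DN of the partner's NTDS Settings object
                Partition   = $_.Partition
                LastSuccess = $_.LastReplicationSuccess
                Failures    = $_.ConsecutiveReplicationFailures
                LastResult  = $_.LastReplicationResult   # 0 = success, otherwise a Win32 error
                Status      = if ($failing) { 'FAILING' } elseif ($stale) { 'STALE' } else { 'OK' }
            }
        }
}

# Anything that is not OK is a convergence problem: changes made on the source are
# not reaching the destination, so passwords, lockouts and group edits drift apart.
Get-ReplicationHealth | Where-Object Status -ne 'OK' |
    Sort-Object Status, Destination | Format-Table -AutoSize

# repadmin shows the same data from each DC's own perspective: /replsummary totals
# failures per DC, /showrepl lists every inbound partner and its last result.
repadmin /replsummary
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status'

# dcdiag's replication test also checks latency and topology; /q prints errors only.
dcdiag /test:Replications /q
```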

Summary You learned how to define and manage sites and site links. You learned how to determine a site strategy based on the physical network infrastructure. You learned how to use Active Directory Sites and Services to configure replication.

Summary You learned how to understand the differences between intrasite and intersite replication. You learned how to describe the role of the Intersite Topology Generator (ISTG) and Knowledge Consistency Checker (KCC) in site replication.

Summary You learned how to optimize replication by configuring bridgehead servers and site link bridging. You learned how to monitor replication using dcdiag and repadmin.