1 Week 8 – Manage Sites and Replication Configure Sites and Subnets Configure the Global Catalog and Application Partitions Configure Replication
2 Understand Sites Loosely related to network “sites” A highly connected portion of your enterprise Active Directory objects that support Replication Active Directory changes must be replicated to all DCs Some DCs might be separated by slow, expensive links Balance between replication “cost” & convergence Service localization DC (LDAP & Kerberos) DFS Active Directory–aware (site aware) apps Location property searching, for example, printer location
3 Plan Sites Active Directory sites may not map one-to-one with network sites Two locations, well connected, may be one Active Directory site A large enterprise on a highly connected campus (one “site”) may be broken into multiple Active Directory sites for service localization Criteria Connection speed: < 512 kbps link is slow speed. Service placement: If no DCs or Active Directory–aware services, not much point in a site User population: If the number of users warrants a DC, consider a site Directory query traffic by users or applications Desire to control replication traffic between DCs
4 Create Sites Active Directory Sites and Services Default-First-Site-Name Should be renamed Create a site Assign to site link Create a subnet Assign to site A site can have >1 subnet A subnet can be associated with only one site
5 Manage Domain Controllers in Sites DCs should be in the correct site The SERVERS container will show only DCs, not all server Add a DC to a site First DC will be in Default-First-Site-Name Additional DCs will be added to sites based on their subnet address DCPromo prompts you for the site You can right-click the Servers container of a site and pre-create the server object before promoting the DC Move DC to a new site: right-click DC and choose Move Delete a DC: right-click DC and choose Delete
6 Domain Controller Location: SRV Records Domain controllers register service locator records (SRV) in DNS in the following locations _tcp.contoso.com: all DCs in the domain _tcp.siteName._sites.contoso.com: all DCs in site siteName Clients query DNS for domain controllers
7 Domain Controller Location: Client 1. New client queries for all DCs in the domain Retrieves SRVs from _tcp.domain 2. Attempts LDAP bind to all 3. First DC to respond Examines client IP and subnet definitions Refers client to a site 4. Client stores site in registry 5. Client queries for all DCs in the site Retrieves SRVs from _tcp.site._sites.domain 6. Attempts LDAP bind to all 7. First DC to respond Authenticates client Client forms affinity 8. Subsequently Client binds to affinity DC DC offline? Client queries for DCs in registry-stored site Client moved to another site? DC refers client to another site
8 Review Active Directory Partitions Full replica (DC) Read-only replica (RODC) Does not include secrets Replicates passwords per policy Domain Forest Definitions and rules for creating and manipulating objects and attributes Information about the Active Directory structure Information about domain- specific objects Active Directory Database Domain Configuration Schema
9 Understand the Global Catalog Global catalog hosts a partial attribute set (PAS) for other domains in the forest Supports queries for objects throughout the forest Domain B Configuration Schema Domain A Configuration Schema Global Catalog Server Domain B Configuration Schema Domain A Configuration Schema
10 Place Global Catalog Servers Recommendation: Every DC a GC In particular If an application in a site queries the GC (port 3268) If a site contains an Exchange server If a connection to a GC in another site is slow/unreliable Domain B Domain A Configuration Schema Domain B Domain A Configuration Schema HEADQUARTERSBRANCHA Make a GC?
11 Configure a Global Catalog Server Right-click the NTDS Settings node underneath the DC
12 Universal Group Membership Caching Universal group membership replicated in the GC Normal logon: user’s token built with UGs from GC GC not available at logon: DC denies authentication If every DC is a GC, this is never a problem If connectivity to a GC is not reliable DCs can cache UG membership for a user when user logs on GC later not available: user authenticated with cached UGs In sites with unreliable connectivity to GC: enable UGMC Right-click NTDS Settings for site Properties Enables UGMC for all DCs in the site
13 Support a specific application Targeted to specific DCs Managed with the admin tool for the app: e.g. DNS Manager Consider app partitions before demoting a DC Domain B Configuration Schema Domain A Configuration Schema DNS Domain B Configuration Schema DNS Domain A Configuration Schema Understand Application Directory Partitions
14 Understand Active Directory Replication Multimaster replication’s balancing act: “loose coupling” Accuracy (integrity) Consistency (convergence) Performance (keeping replication traffic to a reasonable level) Key characteristics of Active Directory Replication Multimaster replication Pull replication Store-and-forward Partitions Automatic generation of an efficient & robust replication topology Attribute level replication Distinct control of intrasite and intersite replication Collision detection and remediation
15 Intrasite Replication Connection object: inbound replication to a DC Knowledge consistency checker (KCC) creates topology Efficient (maximum three hop) & robust (two-way) topology Runs automatically, but you can “Check Replication Topology” Few reasons to manually create connection objects Standby operations masters should have connections to masters Replication Notification: DC tells its downstream partners change is available (15 seconds) Polling: DC checks with its upstream partners (1 hour) for changes Downstream DC directory replication agent (DRA) replicates changes Changes to all partitions held by both DCs are replicated DC2 DC1 DC3
16 Site Links Intersite topology generator (ISTG) builds replication topology between sites Site links Contain sites Within a site link, a connection object can be created between any two DCs Not always appropriate given your network topology!
17 Replication Transport Protocols Directory Service Remote Procedure Call (DS-RPC) Appears as IP in Active Directory Sites and Services The default and preferred protocol for intersite replication Inter-Site Messaging—Simple Mail Transport Protocol (ISM-SMTP) Appears as SMTP in Active Directory Sites and Services Rarely used in the real world Requires a certificate authority Cannot replicate the domain naming context—only schema and configuration Any site that uses SMTP to replicate must be in a separate domain within the forest
18 Bridgehead Servers Replicates changes from bridgeheads in all other sites Polled for changes by bridgeheads in all other sites Selected automatically by ISTG Or you can configure preferred bridgehead servers Firewall considerations Performance considerations
19 Site Link Transitivity and Bridges Site link transitivity (default) ISTG can create connection objects between site links Disable transitivity in the properties of the IP transport Site link bridges Manually transitive site links Useful only when transitivity is disabled
20 Control Intersite Replication Site link costs Replication uses the connections with the lowest cost Replication Notifications off by default. Bridgeheads do not notify partners Polling. Downstream bridgehead polls upstream partners Default: 3 hours Minimum: 15 minutes Recommended: 15 minutes Replication schedules 24 hours a day Can be scheduled
21 Whiteboard: Replication IP Subnet Site B IP Subnet Site A IP Subnet BH Site Link Bridge BH Site C Site D IP Subnet BH IP Subnet RODC Branch
22 Monitor and Manage Replication RepAdmin repadmin /showrepl hqdc01.contso.com repadmin /showconn hqdc01.contoso.com repadmin /showobjmeta hqdc01 "cn=Linda Miller,ou=…" repadmin /kcc repadmin /replicate hqdc02 hqdc01 dc=contoso,dc=com repadmin /syncall hqdc01.contoso.com /A /e DCDiag /test:testName FrsEvent or DFSREvent Intersite KccEvent Replications Topology