www.technocorp.co.in Managing Sites and Active Directory® Replication

Upload: mysticguy

Post on 21-Oct-2015


DESCRIPTION

Windows 2008 training



Managing Sites and Active Directory® Replication


Module Overview

• Configure Sites and Subnets
• Configure the Global Catalog and Application Partitions
• Configure Replication


Configure Sites and Subnets

• Understand Sites
• Plan Sites
• Create Sites
• Manage Domain Controllers in Sites
• SRV Records for Domain Controller
• How Client Locates Domain Controller


Understand Sites

• Loosely related to network “sites”
  • A highly connected portion of your enterprise
• Active Directory objects that support
  • Replication
    • Active Directory changes must be replicated to all DCs
    • Some DCs might be separated by slow, expensive links
    • Balance between replication “cost” & convergence
  • Service localization
    • Domain Controller (LDAP and Kerberos)
    • DFS
    • Active Directory–aware (site aware) apps
    • Location property searching, for example, printer location


Plan Sites

• Active Directory sites may not map one-to-one with network sites
  • Two locations, well connected, may be one Active Directory site
  • A large enterprise on a highly connected campus (one “site”) may be broken into multiple Active Directory sites for service localization
• Criteria
  • Connection speed: 512 kbps link is a guideline, but as low as 28 kbps is used
  • Service placement: If there are no domain controllers or Active Directory–aware services, you might not need to create a site
  • User population: If the number of users warrants a domain controller, consider a site
  • Directory query traffic by users or applications
  • Desire to control replication traffic between domain controllers


Create Sites

• Active Directory Sites and Services
  • Default-First-Site-Name
    • Should be renamed
• Create a site
  • Assign to site link
• Create a subnet
  • Assign to site
  • A site can have more than one subnet
  • A subnet can be associated with only one site


Manage Domain Controllers in Sites

• Domain controllers should be in the correct site
  • The Servers container will show only domain controllers, not all servers
• Add a domain controller to a site
  • First domain controller will be in Default-First-Site-Name
  • Additional domain controllers will be added to sites based on their subnet address
  • DCPromo prompts you for the site
  • You can right-click the Servers container of a site and precreate the server object before promoting the domain controller
• Move a domain controller to a new site: Right-click the domain controller and click Move


SRV Records for Domain Controller

• Domain controllers register service locator records (SRV) in DNS in the following locations
  • _tcp.contoso.com: all DCs in the domain
  • _tcp.siteName._sites.contoso.com: all DCs in site siteName
• Clients query DNS for domain controllers


How Client Locates Domain Controller

1. New client queries for all domain controllers in the domain
   • Retrieves SRVs from _tcp.domain
2. Attempts LDAP bind to all
3. First domain controller to respond
   • Examines client IP and subnet definitions
   • Refers client to a site
4. Client stores site in registry
5. Client queries for all domain controllers in the site
   • Retrieves SRVs from _tcp.site._sites.domain
6. Attempts LDAP bind to all
7. First domain controller to respond
   • Authenticates client
   • Client forms affinity
8. Subsequently
   • Client binds to affinity domain controller
   • Domain controller offline? Client queries for domain controllers in registry-stored site
   • Client moved to another site? Domain controller refers client to another site
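The two slides above (SRV record locations and the client locator steps) describe how a responding DC maps the client's IP address onto the subnet objects defined in Active Directory Sites and Services and refers the client to a site, after which the client queries the site-specific SRV names. The following Python is an added example that is not part of the training deck: it implements that subnet-to-site lookup, including the case of overlapping subnet objects (most specific prefix wins) and the case of an address covered by no subnet object, and builds the SRV query names in the form the deck uses. The subnet assignments and site names are constructed for the example; contoso.com is the deck's sample domain.

```python
"""Added example: subnet-to-site mapping and SRV query names for the DC
locator process. Site/subnet data below is constructed, not from any
real directory."""
import ipaddress

# Constructed subnet objects, as an administrator would create them in
# Active Directory Sites and Services. A subnet belongs to exactly one
# site; a site may own several subnets.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "Headquarters",
    "10.1.50.0/24": "Headquarters-Lab",   # more specific prefix inside 10.1.0.0/16
    "10.2.0.0/16": "BranchA",
    "2001:db8:1::/48": "Headquarters",
}

DOMAIN = "contoso.com"


def site_for_client(client_ip, subnet_to_site=SUBNET_TO_SITE):
    """Return the site whose subnet object covers client_ip.

    If several subnet objects contain the address, the one with the
    longest prefix wins. Returns None when no subnet object matches;
    such a client is not referred to a site and keeps using the
    domain-wide list of domain controllers.
    """
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, site)
    return best[1] if best else None


def srv_query_names(domain, site=None):
    """DNS names the locator queries, in the form the deck names them:
    _tcp.<domain> for every DC in the domain and
    _tcp.<site>._sites.<domain> for the DCs registered in one site."""
    names = [f"_tcp.{domain}"]
    if site:
        names.append(f"_tcp.{site}._sites.{domain}")
    return names


def locate(client_ip, domain=DOMAIN):
    """Steps 1 to 5 of the locator: the client starts with the domain-wide
    query, the first responding DC refers it to a site from its IP, and the
    client then queries that site's SRV name."""
    site = site_for_client(client_ip)
    return {"site": site, "queries": srv_query_names(domain, site)}


if __name__ == "__main__":
    for ip in ("10.1.50.7", "10.2.3.4", "192.168.1.1"):
        print(ip, locate(ip))
```

The None return is the case worth watching operationally: a client whose address is covered by no subnet object authenticates against whichever DC in the whole domain answers first, often across a slow link, so unmapped client subnets show up as unexpected authentication traffic at remote sites.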


Configure the Global Catalog and Application Partitions

• Review Active Directory Partitions
• Understand the Global Catalog
• Global Catalog Servers Placement
• Configure a Global Catalog Server
• Universal Group Membership Caching
• Understand Application Directory Partitions


Review Active Directory Partitions

• Full replica (DC)
• Read-only replica (RODC)
  • Does not include secrets
  • Replicates passwords per policy

[Diagram: Active Directory Database partitions and their replication scope]
• Schema (forest): Definitions and rules for creating and manipulating objects and attributes
• Configuration (forest): Information about the Active Directory structure
• Domain (domain): Information about domain-specific objects


Understand the Global Catalog

• Global catalog hosts a partial attribute set for other domains in the forest
• Supports queries for objects throughout the forest

[Diagram: domain controllers in Domain A and Domain B, each holding its own domain partition plus Configuration and Schema; the Global Catalog Server additionally holds a partial replica of the other domain (Domain B)]


Global Catalog Servers Placement

• Recommendation: Make every DC a global catalog
• In particular
  • If an application in a site queries the global catalog (port 3268)
  • If a site contains an Exchange server
  • If a connection to a GC in another site is slow or unreliable

[Diagram: HEADQUARTERS site with domain controllers for Domain A and Domain B (each with Configuration and Schema) and a BRANCH A site with a domain controller; question posed: Make a GC?]


Configure a Global Catalog Server

• Right-click the NTDS Settings node underneath the DC


Universal Group Membership Caching

• Universal group membership replicated in the global catalog
• Normal logon: User’s token built with universal groups from global catalog
• Global catalog not available at logon: Domain controller denies authentication
  • If every domain controller is a global catalog, this is never a problem
• If connectivity to a global catalog is not reliable
  • Domain controllers can cache universal group membership for a user when the user logs on
  • Global catalog later not available: User authenticated with cached universal groups
• In sites with unreliable connectivity to a global catalog, enable universal group membership caching
  • Right-click NTDS Settings for site Properties
  • Enables universal group membership caching for all domain controllers in the site


Configure Replication

• Understand Active Directory Replication
• Intrasite Replication
• Site Links
• Replication Transport Protocols
• Bridgehead Servers
• Site Link Transitivity and Bridges
• Control Intersite Replication
• Monitor and Manage Replication


Understand Active Directory Replication

• Multimaster replication’s balancing act: “loose coupling”
  • Accuracy (integrity)
  • Consistency (convergence)
  • Performance (keeping replication traffic to a reasonable level)
• Key characteristics of Active Directory Replication
  • Multimaster replication
  • Pull replication
  • Store-and-forward
  • Partitions
  • Automatic generation of an efficient & robust replication topology
  • Attribute level replication
  • Distinct control of intrasite and intersite replication
  • Collision detection and remediation


Intrasite Replication

• Connection object: inbound replication to a DC
• Knowledge consistency checker (KCC) creates topology
  • Efficient (maximum three hop) and robust (two-way) topology
  • Runs automatically, but you can “Check Replication Topology”
  • Few reasons to manually create connection objects
    • Standby operations masters should have connections to masters
• Replication
  • Notification: DC tells its downstream partners change is available (15 seconds)
  • Polling: DC checks with its upstream partners (1 hour) for changes
  • Downstream DC directory replication agent (DRA) replicates changes
  • Changes to all partitions held by both DCs are replicated

[Diagram: intrasite ring of DC1, DC2 and DC3]


Site Links

• Intersite topology generator (ISTG) builds replication topology between sites
• Site links
  • Contain sites
  • Within a site link, a connection object can be created between any two DCs
  • Not always appropriate given your network topology!


Replication Transport Protocols

• Directory Service Remote Procedure Call (DS-RPC)
  • Appears as IP in Active Directory Sites and Services
  • The default and preferred protocol for intersite replication
• Inter-Site Messaging—Simple Mail Transport Protocol (ISM-SMTP)
  • Appears as SMTP in Active Directory Sites and Services
  • Rarely used in the real world
  • Requires a certificate authority
  • Cannot replicate the domain naming context—only schema and configuration
  • Any site that uses SMTP to replicate must be in a separate domain within the forest


Bridgehead Servers

• Replicates changes from bridgeheads in all other sites
• Polled for changes by bridgeheads in all other sites
• Selected automatically by ISTG (new method in R2)
• Or you can configure preferred bridgehead servers
  • Firewall considerations
  • Performance considerations


Control Intersite Replication

• Site link costs
  • Replication uses the connections with the lowest cost
• Replication
  • Notifications off by default. Bridgeheads do not notify partners
  • Polling. Downstream bridgehead polls upstream partners
    • Default: 3 hours
    • Minimum: 15 minutes
    • Recommended: 15 minutes
• Replication schedules
  • 24 hours a day
  • Can be scheduled

[Diagram: sites joined by site links with costs 100, 100, 100 and 300]
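The slide states that intersite replication follows the connections with the lowest total site link cost, and the module outline lists site link transitivity and bridges. The Python below is an added example, not part of the training deck, that makes the cost rule concrete: it expands a set of site links into a graph and finds the cheapest chain of links between two sites, so you can see why a direct but expensive link (cost 300) loses to two cheap hops (100 + 100). The `transitive` flag models "bridge all site links" being on (links may be chained) versus off with no explicit site link bridge (only a direct link counts). The site names, link names and costs are constructed for the example.

```python
"""Added example: lowest-cost intersite route from site link costs.
Sites, links and costs below are constructed for illustration."""
import heapq

# Constructed site links: link name -> (cost, member sites). A site link
# may join two or more sites; the cost is the administrator-assigned value.
SITE_LINKS = {
    "HQ-BranchA": (100, {"HQ", "BranchA"}),
    "HQ-BranchB": (100, {"HQ", "BranchB"}),
    "BranchA-BranchB": (300, {"BranchA", "BranchB"}),   # direct but expensive
    "BranchB-BranchC": (100, {"BranchB", "BranchC"}),
}


def adjacency(site_links):
    """Expand site links into per-site edges: every pair of sites inside one
    link is reachable at that link's cost; if two links join the same pair,
    keep the cheaper one."""
    adj = {}
    for cost, members in site_links.values():
        for a in members:
            for b in members:
                if a != b:
                    edges = adj.setdefault(a, {})
                    edges[b] = min(cost, edges.get(b, cost))
    return adj


def lowest_cost_route(site_links, src, dst, transitive=True):
    """Cheapest chain of site links from src to dst (Dijkstra).

    transitive=True models "Bridge all site links": replication may pass
    through intermediate sites. transitive=False models bridging turned
    off with no explicit site link bridge, so only a direct link counts.
    Returns (total_cost, [sites on the route]) or (None, []) if unreachable.
    """
    adj = adjacency(site_links)
    if not transitive:
        cost = adj.get(src, {}).get(dst)
        return (cost, [src, dst]) if cost is not None else (None, [])

    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist.get(site, float("inf")):
            continue                      # stale heap entry
        if site == dst:
            break
        for nxt, cost in adj.get(site, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, site
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


if __name__ == "__main__":
    print(lowest_cost_route(SITE_LINKS, "BranchA", "BranchB"))
    print(lowest_cost_route(SITE_LINKS, "BranchA", "BranchB", transitive=False))
    print(lowest_cost_route(SITE_LINKS, "BranchA", "BranchC"))
```

With bridging on, BranchA reaches BranchB through HQ at cost 200 rather than over the direct 300 link, which is exactly the "lowest cost" behaviour the slide describes; with bridging off the direct 300 link is the only option, and BranchA cannot reach BranchC at all until a site link bridge is created.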


Whiteboard: Replication

[Whiteboard diagram: Site A, Site B, Site C and Site D, each with one or more IP subnets and a bridgehead (BH) server, joined through a Site Link Bridge; an RODC Branch site with its own IP subnet]


Monitor and Manage Replication

• RepAdmin
  • repadmin /showrepl hqdc01.contoso.com
  • repadmin /showconn hqdc01.contoso.com
  • repadmin /showobjmeta hqdc01 "cn=Linda Miller,ou=…"
  • repadmin /kcc
  • repadmin /replicate hqdc02 hqdc01 dc=contoso,dc=com
  • repadmin /syncall hqdc01.contoso.com /A /e
• DCDiag /test:testName
  • FrsEvent or DFSREvent
  • Intersite
  • KccEvent
  • Replications
  • Topology
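The repadmin /showrepl command on the slide reports, for each naming context, every inbound replication partner with its last attempt and last success. Read by hand across many DCs that is slow, so the Python below is an added example (not part of the training deck) that parses such a report and flags partners whose last attempt failed or whose last success is older than a threshold. The sample report is constructed for the example in the layout of repadmin's inbound-neighbor output; the GUIDs, timestamps and the RPC failure in it are made up, and the line patterns are assumptions about that layout rather than a specification of the tool.

```python
"""Added example: flag replication partners from repadmin /showrepl output.
The sample report below is constructed; it only follows the general layout
of the real tool's output."""
import re
from datetime import datetime, timedelta

SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\HQDC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 0f2c5b7e-0000-4000-8000-000000000001

==== INBOUND NEIGHBORS ======================================

DC=contoso,DC=com
    Default-First-Site-Name\\HQDC02 via RPC
        DSA object GUID: 0f2c5b7e-0000-4000-8000-000000000003
        Last attempt @ 2015-10-21 09:05:12 was successful.
    BranchA\\BRDC01 via RPC
        DSA object GUID: 0f2c5b7e-0000-4000-8000-000000000004
        Last attempt @ 2015-10-21 09:00:00 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2015-10-19 06:00:00.

CN=Configuration,DC=contoso,DC=com
    Default-First-Site-Name\\HQDC02 via RPC
        DSA object GUID: 0f2c5b7e-0000-4000-8000-000000000003
        Last attempt @ 2015-10-21 09:05:12 was successful.
"""

TS = "%Y-%m-%d %H:%M:%S"
CONTEXT_RE = re.compile(r"^(DC|CN)=", re.IGNORECASE)        # naming context header
NEIGHBOR_RE = re.compile(r"^ {4}(\S+)\\(\S+) via (\S+)$")    # "<site>\<dc> via RPC"
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
                        r"(?:was successful\.|failed, result (\d+))")
FAILURES_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^\s+Last success @ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.$")


def parse_showrepl(text):
    """Return one record per inbound neighbor (naming context, source DC)."""
    partners, context, current = [], None, None
    for line in text.splitlines():
        if CONTEXT_RE.match(line):
            context, current = line.strip(), None
            continue
        m = NEIGHBOR_RE.match(line)
        if m and context:
            current = {"context": context, "site": m.group(1), "source": m.group(2),
                       "transport": m.group(3), "ok": None, "last_attempt": None,
                       "last_success": None, "failures": 0, "result": None}
            partners.append(current)
            continue
        if current is None:
            continue
        if m := ATTEMPT_RE.match(line):
            current["last_attempt"] = datetime.strptime(m.group(1), TS)
            if m.group(2) is None:
                current["ok"], current["last_success"] = True, current["last_attempt"]
            else:
                current["ok"], current["result"] = False, int(m.group(2))
        elif m := FAILURES_RE.match(line):
            current["failures"] = int(m.group(1))
        elif m := SUCCESS_RE.match(line):
            current["last_success"] = datetime.strptime(m.group(1), TS)
    return partners


def partners_needing_attention(partners, now, max_age_hours=24):
    """Partners whose last attempt failed or whose last success is older than
    max_age_hours. `now` is a "YYYY-MM-DD HH:MM:SS" string on the report's
    clock, so the check is reproducible against a saved report."""
    now = datetime.strptime(now, TS)
    limit = timedelta(hours=max_age_hours)
    return [
        (p["context"], p["source"], p["result"], p["failures"])
        for p in partners
        if p["ok"] is False
        or p["last_success"] is None
        or now - p["last_success"] > limit
    ]


if __name__ == "__main__":
    for item in partners_needing_attention(parse_showrepl(SAMPLE_SHOWREPL),
                                           "2015-10-21 10:00:00"):
        print("needs attention:", item)
```

Run against the sample, only the BranchA partner for the domain partition is flagged (failed attempt, result 1722, three consecutive failures, last success two days old); the same partner over the Configuration partition is absent because it is replicating fine. Pairing the failing partner with a DCDiag /test:Replications run on the named DCs is the natural next step from the slide.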