Week 8 – Manage Sites and Replication: Configure Sites and Subnets, Configure the Global Catalog and Application Partitions, Configure Replication

Upload: shon-matthews

Post on 03-Jan-2016

1

Week 8 – Manage Sites and Replication

• Configure Sites and Subnets

• Configure the Global Catalog and Application Partitions

• Configure Replication

2

Understand Sites

• Loosely related to network “sites”

A highly connected portion of your enterprise

• Active Directory objects that support

Replication

• Active Directory changes must be replicated to all DCs

• Some DCs might be separated by slow, expensive links

• Balance between replication “cost” & convergence

Service localization

• DC (LDAP & Kerberos)

• DFS

• Active Directory–aware (site aware) apps

• Location property searching, for example, printer location

3

Plan Sites

• Active Directory sites may not map one-to-one with network sites

Two locations that are well connected may be one Active Directory site

A large enterprise on a highly connected campus (one “site”) may be broken into multiple Active Directory sites for service localization

• Criteria

Connection speed: a link slower than 512 kbps is considered slow

Service placement: If no DCs or Active Directory–aware services, not much point in a site

User population: If the number of users warrants a DC, consider a site

Directory query traffic by users or applications

Desire to control replication traffic between DCs

4

Create Sites

• Active Directory Sites and Services

• Default-First-Site-Name

Should be renamed

• Create a site

Assign to site link

• Create a subnet

Assign to site

A site can have more than one subnet

A subnet can be associated with only one site

5

Manage Domain Controllers in Sites

• DCs should be in the correct site

The Servers container shows only DCs, not all servers

• Add a DC to a site

First DC will be in Default-First-Site-Name

Additional DCs are added to sites based on their subnet address

DCPromo prompts you for the site

You can right-click the Servers container of a site and pre-create the server object before promoting the DC

• Move DC to a new site: right-click DC and choose Move

• Delete a DC: right-click DC and choose Delete
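The site, subnet and DC placement steps on slides 4 and 5 as one PowerShell sequence using the ActiveDirectory module. This is an added example, not part of the slide deck; the site names (Headquarters, Branch-A), subnets and the DC name BRDC01 are constructed for illustration.

```powershell
# Added example (not from the slides): build the site topology from slides 4 and 5
# with the ActiveDirectory module (Windows Server 2012 or later). All names are constructed.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# Slide 4: Default-First-Site-Name should be renamed.
if (Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'") {
    Rename-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,$configNC" -NewName "Headquarters"
}

# Slide 4: create a site and assign it to a site link.
New-ADReplicationSite -Name "Branch-A" -Description "Branch office A (constructed example)"
New-ADReplicationSiteLink -Name "HQ-BranchA" -SitesIncluded "Headquarters","Branch-A" `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Slide 4: create subnets and assign each to exactly one site
# (a site may own many subnets; a subnet belongs to one site).
$subnets = @{
    "10.10.0.0/16" = "Headquarters"
    "10.20.0.0/24" = "Branch-A"
    "10.20.1.0/24" = "Branch-A"
}
foreach ($prefix in $subnets.Keys) {
    New-ADReplicationSubnet -Name $prefix -Site $subnets[$prefix]
}

# Slide 5: a DC that was promoted before its subnet existed lands in the wrong site;
# this is the PowerShell equivalent of right-click DC, Move.
Move-ADDirectoryServer -Identity "BRDC01" -Site "Branch-A"

# Verification: every DC should sit in the site that owns its IP subnet,
# and every subnet should point at a real site.
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, Site, IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

Run it once from a domain controller or a workstation with RSAT as a member of Enterprise Admins (site and subnet objects live in the Configuration partition). The final two queries are the quick audit for the slide's "DCs should be in the correct site" rule: a DC whose IPv4Address falls in a subnet mapped to a different site will be located by clients in that other site.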

6

Domain Controller Location: SRV Records

• Domain controllers register service locator (SRV) records in DNS in the following locations

_tcp.contoso.com: all DCs in the domain

_tcp.siteName._sites.contoso.com: all DCs in site siteName

• Clients query DNS for domain controllers

7

Domain Controller Location: Client

1. New client queries for all DCs in the domain

Retrieves SRVs from _tcp.domain

2. Attempts LDAP bind to all

3. First DC to respond

Examines client IP and subnet definitions

Refers client to a site

4. Client stores site in registry

5. Client queries for all DCs in the site

Retrieves SRVs from _tcp.site._sites.domain

6. Attempts LDAP bind to all

7. First DC to respond

Authenticates client

Client forms affinity

8. Subsequently

Client binds to affinity DC

DC offline? Client queries for DCs in registry-stored site

Client moved to another site? DC refers client to another site
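The locator sequence on slides 6 and 7, as seen from a client, plus a small model of step 3 (the DC matching the client's IP against subnet definitions). This is an added example, not from the slides; contoso.com, the registry path and the subnet table are constructed, and `Get-SiteForIPv4` is a hypothetical helper that reproduces the longest-prefix lookup rather than a Windows API.

```powershell
# Added example (not from the slides): walk the DC locator steps of slides 6 and 7
# on a domain-joined client. The domain name and the subnet table are constructed.
$domain = "contoso.com"

# Step 1: domain-wide SRV records. The slide abbreviates the name to _tcp.<domain>;
# the record the locator actually asks for when it wants an LDAP server is _ldap._tcp.<domain>.
Resolve-DnsName -Name "_ldap._tcp.$domain" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# Step 4: the site the first responding DC referred this client to is cached in the registry.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$site = (Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue).DynamicSiteName
if (-not $site) { $site = (nltest /dsgetsite)[0].Trim() }   # fallback: ask Netlogon directly

# Step 5: site-specific SRV records under _sites.
Resolve-DnsName -Name "_ldap._tcp.$site._sites.$domain" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port

# Step 8: the DC this client currently has affinity with, and the site Netlogon believes it is in.
nltest /dsgetdc:$domain /force

# Step 3 modelled locally: the DC compares the client's IP with the subnet objects and
# refers it to the site of the most specific (longest prefix) matching subnet.
function ConvertTo-IPv4Int([string]$Address) {
    $n = [int64]0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) { $n = ($n * 256) + $b }
    return $n
}
function Get-SiteForIPv4 {
    param([string]$ClientIP, [object[]]$Subnets)   # $Subnets: objects with Name "a.b.c.d/len" and Site
    $ip = ConvertTo-IPv4Int $ClientIP
    $best = $null; $bestLen = -1
    foreach ($s in $Subnets) {
        $net, $len = $s.Name -split '/'
        if ($net -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # IPv4 only in this model
        $len = [int]$len
        $mask = (0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF
        if ((($ip -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)) -and ($len -gt $bestLen)) {
            $best = $s.Site; $bestLen = $len
        }
    }
    return $best   # $null: no subnet matches, so the client gets no site referral
}

# Constructed subnet table. On a DC the live data comes from:
#   Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
$subnets = @(
    [pscustomobject]@{ Name = "10.0.0.0/8";   Site = "Headquarters" }
    [pscustomobject]@{ Name = "10.20.0.0/16"; Site = "Branch-A" }
    [pscustomobject]@{ Name = "10.20.5.0/24"; Site = "Branch-A-Lab" }
)
Get-SiteForIPv4 -ClientIP "10.20.5.17"  -Subnets $subnets   # the /24 is the most specific match
Get-SiteForIPv4 -ClientIP "10.20.9.1"   -Subnets $subnets   # falls through to the /16
Get-SiteForIPv4 -ClientIP "192.168.1.5" -Subnets $subnets   # no subnet object covers it
```

Two things worth checking with this: a client whose address is in no subnet object is not referred to any site and keeps using whichever domain-wide DC answered first (often a slow WAN link away), and an over-broad subnet such as the constructed 10.0.0.0/8 silently captures every branch address that lacks a more specific entry. Both conditions show up in the Netlogon event log on the DCs as clients "not in a site", which is the signal to fix the subnet table.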

8

Review Active Directory Partitions

• Full replica (DC)

• Read-only replica (RODC)

Does not include secrets

Replicates passwords per policy

[Figure: the Active Directory database holds three partitions. Schema (forest-wide): definitions and rules for creating and manipulating objects and attributes. Configuration (forest-wide): information about the Active Directory structure. Domain: information about domain-specific objects.]

9

Understand the Global Catalog

• Global catalog hosts a partial attribute set (PAS) for other domains in the forest

• Supports queries for objects throughout the forest

[Figure: domain controllers in Domain A and Domain B, each holding its own domain partition plus Configuration and Schema; the global catalog servers additionally hold a partial replica of the other domain.]

10

Place Global Catalog Servers

• Recommendation: Every DC a GC

• In particular

If an application in a site queries the GC (port 3268)

If a site contains an Exchange server

If a connection to a GC in another site is slow/unreliable

[Figure: HEADQUARTERS and BRANCH A sites, each with DCs holding Domain A, Domain B, Configuration and Schema; caption for the branch DC: “Make a GC?”]

11

Configure a Global Catalog Server

• Right-click the NTDS Settings node underneath the DC

12

Universal Group Membership Caching

• Universal group membership replicated in the GC

Normal logon: user’s token built with UGs from GC

GC not available at logon: DC denies authentication

• If every DC is a GC, this is never a problem

• If connectivity to a GC is not reliable

DCs can cache UG membership for a user when user logs on

GC later not available: user authenticated with cached UGs

• In sites with unreliable connectivity to GC: enable UGMC

• Right-click NTDS Settings for site Properties

Enables UGMC for all DCs in the site
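The GUI actions on slides 11 and 12 done with the ActiveDirectory module, with the verification a practitioner wants afterwards. This is an added example, not from the slides; BRDC01, Branch-A, Branch-B and Headquarters are constructed names.

```powershell
# Added example (not from the slides): make a DC a global catalog (slide 11) and enable
# universal group membership caching for a site (slide 12). DC and site names are constructed.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# Slide 11: the "Global Catalog" checkbox on NTDS Settings sets bit 0 (value 1)
# of the options attribute of the DC's nTDSDSA object.
$ntds = "CN=NTDS Settings,CN=BRDC01,CN=Servers,CN=Branch-A,CN=Sites,$configNC"
$options = [int](Get-ADObject -Identity $ntds -Properties options).options
Set-ADObject -Identity $ntds -Replace @{ options = ($options -bor 1) }

# The DC advertises itself as a GC only after the partial attribute sets of the other
# domains have replicated in; isGlobalCatalogReady on rootDSE turns TRUE at that point.
(Get-ADRootDSE -Server BRDC01).isGlobalCatalogReady
# Port 3268 (slide 10) is the GC LDAP port an application would query.
Test-NetConnection -ComputerName BRDC01 -Port 3268 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Slide 12: UGMC for a site whose link to a GC is unreliable. The refresh site names
# the site whose GCs the local DCs use to populate and refresh the cache.
Set-ADReplicationSite -Identity "Branch-B" -UniversalGroupCachingEnabled $true `
    -UniversalGroupCachingRefreshSite "Headquarters"
Get-ADReplicationSite -Identity "Branch-B" |
    Select-Object Name, UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite

# Inventory for slide 10's "every DC a GC" recommendation: which DCs are GCs, by site.
Get-ADDomainController -Filter * | Sort-Object Site |
    Format-Table Name, Site, IsGlobalCatalog -AutoSize
```

The `isGlobalCatalogReady` check matters operationally: between setting the flag and the partial attribute sets finishing their first replication, the DC is not yet registered under `_gc._tcp` in DNS and logons in that site still depend on a remote GC (or on UGMC, if that was enabled first).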

13

Understand Application Directory Partitions

• Support a specific application

• Targeted to specific DCs

• Managed with the admin tool for the app: e.g. DNS Manager

• Consider app partitions before demoting a DC

[Figure: DCs holding Domain A or Domain B plus Configuration and Schema; two of them also host the DNS application partition]
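The "consider app partitions before demoting a DC" check on slide 13, done with the ActiveDirectory module. This is an added example, not from the slides; BRDC01 is a constructed DC name and the summary object shape is my own.

```powershell
# Added example (not from the slides): inventory application directory partitions
# held by a DC before demoting it (slide 13). The DC name is constructed.
Import-Module ActiveDirectory
$dcName = "BRDC01"

# Every naming context the DC holds: domain, Configuration, Schema and any application
# partitions (the DNS partitions DomainDnsZones/ForestDnsZones are the common ones).
$dc = Get-ADDomainController -Identity $dcName
$dc.Partitions

# Each partition is described by a crossRef object under CN=Partitions in the Configuration
# NC. For application partitions, msDS-NC-Replica-Locations lists the NTDS Settings objects
# of the DCs that hold a replica, so we can tell whether this DC is the last copy.
$partitionsContainer = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
$crossRefs = Get-ADObject -SearchBase $partitionsContainer -LDAPFilter "(objectClass=crossRef)" `
    -Properties nCName, 'msDS-NC-Replica-Locations'

foreach ($cr in $crossRefs) {
    $replicas = @($cr.'msDS-NC-Replica-Locations')
    if ($replicas.Count -eq 0) { continue }              # domain/config/schema: not an app partition
    if ($replicas -contains $dc.NTDSSettingsObjectDN) {
        [pscustomobject]@{
            Partition    = $cr.nCName
            ReplicaCount = $replicas.Count
            LastReplica  = ($replicas.Count -eq 1)       # demoting would delete this partition's data
        }
    }
}

# The app's own tool is the authoritative view (slide: "managed with the admin tool for
# the app"); for DNS, the command-line equivalent of DNS Manager's partition list is:
dnscmd $dcName /enumdirectorypartitions
```

A `LastReplica` of `True` is the condition the slide warns about: dcpromo/Uninstall-ADDSDomainController will refuse to demote without `-RemoveApplicationPartitions` (or the corresponding wizard checkbox), and accepting that removes the partition's data from the forest. Add another replica first (for DNS, `dnscmd <otherDC> /enlistdirectorypartition <partitionFQDN>`) and let it replicate in before demoting.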

14

Understand Active Directory Replication

• Multimaster replication’s balancing act: “loose coupling”

Accuracy (integrity)

Consistency (convergence)

Performance (keeping replication traffic to a reasonable level)

• Key characteristics of Active Directory Replication

Multimaster replication

Pull replication

Store-and-forward

Partitions

Automatic generation of an efficient & robust replication topology

Attribute level replication

Distinct control of intrasite and intersite replication

Collision detection and remediation

15

Intrasite Replication

• Connection object: inbound replication to a DC

• Knowledge consistency checker (KCC) creates topology

Efficient (maximum three hop) & robust (two-way) topology

Runs automatically, but you can “Check Replication Topology”

Few reasons to manually create connection objects

• Standby operations masters should have connections to masters

• Replication

Notification: DC tells its downstream partners that a change is available (15 seconds)

Polling: DC checks with its upstream partners for changes (1 hour)

Downstream DC directory replication agent (DRA) replicates changes

Changes to all partitions held by both DCs are replicated

[Figure: intrasite replication topology among DC1, DC2 and DC3]

16

Site Links

• Intersite topology generator (ISTG) builds replication topology between sites

• Site links

Contain sites

Within a site link, a connection object can be created between any two DCs

Not always appropriate given your network topology!

17

Replication Transport Protocols

• Directory Service Remote Procedure Call (DS-RPC)

Appears as IP in Active Directory Sites and Services

The default and preferred protocol for intersite replication

• Inter-Site Messaging—Simple Mail Transport Protocol (ISM-SMTP)

Appears as SMTP in Active Directory Sites and Services

Rarely used in the real world

Requires a certificate authority

Cannot replicate the domain naming context—only schema and configuration

Any site that uses SMTP to replicate must be in a separate domain within the forest

18

Bridgehead Servers

• Replicates changes from bridgeheads in all other sites

• Polled for changes by bridgeheads in all other sites

• Selected automatically by ISTG

• Or you can configure preferred bridgehead servers

Firewall considerations

Performance considerations

19

Site Link Transitivity and Bridges

• Site link transitivity (default)

ISTG can create connection objects between site links

Disable transitivity in the properties of the IP transport

• Site link bridges

Manually transitive site links

Useful only when transitivity is disabled

20

Control Intersite Replication

• Site link costs

Replication uses the connections with the lowest cost

• Replication

Notifications off by default. Bridgeheads do not notify partners

Polling. Downstream bridgehead polls upstream partners

• Default: 3 hours

• Minimum: 15 minutes

• Recommended: 15 minutes

Replication schedules

• 24 hours a day

• Can be scheduled

[Figure: three site links with costs 100, 100 and 300]
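The intersite controls from slides 16 to 20 (site link cost and polling interval, change notification, replication schedule, transitivity, site link bridges and preferred bridgeheads) in one PowerShell sequence. This is an added example, not from the slides; the site, link and DC names and the cost values are constructed.

```powershell
# Added example (not from the slides): configure intersite replication as described on
# slides 16 to 20 with the ActiveDirectory module. Names and values are constructed.
Import-Module ActiveDirectory
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# Slide 20: cost and polling interval. 15 minutes is both the minimum and the recommendation.
New-ADReplicationSiteLink -Name "HQ-BranchB" -SitesIncluded "Headquarters","Branch-B" `
    -Cost 300 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Slide 20: notifications are off by default between sites. Bit 0 (USE_NOTIFY = 1) of the
# site link's options attribute makes bridgeheads notify partners like intrasite DCs do.
$link = Get-ADReplicationSiteLink -Identity "HQ-BranchB" -Properties options
Set-ADReplicationSiteLink -Identity "HQ-BranchB" -Replace @{ options = ([int]$link.options -bor 1) }

# Slide 20: schedule. Default is 24 hours a day; this restricts the link to 20:00-05:45.
# The schedule attribute is stored in UTC, and SetDailySchedule needs from <= to,
# so a window that crosses midnight is two calls.
$schedule = New-Object System.DirectoryServices.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule([System.DirectoryServices.HourOfDay]::Twenty, [System.DirectoryServices.MinuteOfHour]::Zero,
                           [System.DirectoryServices.HourOfDay]::TwentyThree, [System.DirectoryServices.MinuteOfHour]::FortyFive)
$schedule.SetDailySchedule([System.DirectoryServices.HourOfDay]::Zero, [System.DirectoryServices.MinuteOfHour]::Zero,
                           [System.DirectoryServices.HourOfDay]::Five, [System.DirectoryServices.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity "HQ-BranchB" -ReplicationSchedule $schedule

# Slide 19: disable site link transitivity ("Bridge all site links") on the IP transport.
# Bit 1 (value 2) of the transport's options attribute is BRIDGES_REQUIRED.
$transport = Get-ADObject -Identity $ipTransport -Properties options
Set-ADObject -Identity $ipTransport -Replace @{ options = ([int]$transport.options -bor 2) }

# Slide 19: with transitivity off, a site link bridge makes the named links transitive again.
New-ADReplicationSiteLinkBridge -Name "HQ-Branches" -SiteLinksIncluded "HQ-BranchA","HQ-BranchB" `
    -InterSiteTransportProtocol IP

# Slide 18: preferred bridgehead. Adding the transport DN to a server object's
# bridgeheadTransportList tells the ISTG to use that server for IP replication from its site.
Set-ADObject -Identity "CN=HQDC01,CN=Servers,CN=Headquarters,CN=Sites,$configNC" `
    -Add @{ bridgeheadTransportList = $ipTransport }

# Verification: link costs, intervals and the notify bit; plus the connection objects
# the ISTG generated from this configuration (slide 16).
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, options |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, @{ n = 'Notify'; e = { ([int]$_.options -band 1) -eq 1 } }
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated
```

Two caveats from the slides carried into this script: a preferred bridgehead list is a firewall and performance convenience, but if every listed server in a site is unavailable the ISTG stops building connections for that site rather than falling back, so list more than one; and with BRIDGES_REQUIRED set, any site reachable only through an unbridged chain of links will simply stop replicating, which is why slide 19 says bridges are only useful once transitivity is disabled.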

21

Whiteboard: Replication

[Whiteboard figure: Sites A, B, C and D, each with IP subnets and a bridgehead (BH) server, joined by site links and a site link bridge; an RODC branch with its own subnets]

22

Monitor and Manage Replication

• RepAdmin

repadmin /showrepl hqdc01.contoso.com

repadmin /showconn hqdc01.contoso.com

repadmin /showobjmeta hqdc01 "cn=Linda Miller,ou=…"

repadmin /kcc

repadmin /replicate hqdc02 hqdc01 dc=contoso,dc=com

repadmin /syncall hqdc01.contoso.com /A /e

• DCDiag /test:testName

FrsEvent or DFSREvent

Intersite

KccEvent

Replications

Topology
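A PowerShell health check that complements the repadmin and dcdiag commands on slide 22, using the replication cmdlets of the ActiveDirectory module. This is an added example, not from the slides; `Get-ReplicationProblems` is a hypothetical helper of my own, and the domain, DC names and the three-hour threshold are constructed.

```powershell
# Added example (not from the slides): replication health check in PowerShell.
# The threshold and names are constructed; the cmdlets are the ActiveDirectory module's.
Import-Module ActiveDirectory

function Get-ReplicationProblems {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$MaxAgeHours = 3     # intersite default polling interval from slide 20
    )
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)

    # Inbound partner metadata for every DC in the domain across all partitions:
    # the same data repadmin /showrepl prints, one object per (server, partner, partition).
    Get-ADReplicationPartnerMetadata -Target $Domain -Scope Domain -Partition * -PartnerType Inbound |
        Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationSuccess -lt $cutoff } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      ConsecutiveReplicationFailures, LastReplicationResult
}

function Get-StaleConnections {
    # Connection objects (slide 15) that the KCC did not generate deserve a look: a manual
    # connection survives topology changes and can keep a retired DC in the replication graph.
    Get-ADReplicationConnection -Filter * |
        Where-Object { -not $_.AutoGenerated } |
        Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
}

# Summary of failures per DC (equivalent of repadmin /replsummary), then the detail.
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
Get-ReplicationProblems | Format-Table -AutoSize
Get-StaleConnections    | Format-Table -AutoSize

# Command-line equivalents from slide 22 for the same checks (run from a DC or RSAT host):
#   repadmin /replsummary
#   repadmin /showrepl hqdc01.contoso.com
#   repadmin /kcc                       (force the KCC to recompute the topology now)
#   dcdiag /test:Replications /s:hqdc01.contoso.com
```

`LastReplicationResult` is a Win32 error code, so 0 is healthy; 8453 (replication access denied) and 1722 (RPC server unavailable) are the two most common non-zero values and point at permissions or firewall problems on the path between the partners. A partner whose `LastReplicationSuccess` is older than the tombstone lifetime can no longer replicate safely at all, which is why the age check belongs in the same report as the failure count.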