Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Week 8 – Manage Sites and Replication Configure Sites and Subnets Configure the Global Catalog and Application Partitions Configure Replication.

Published byShon Matthews Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Week 8 – Manage Sites and Replication Configure Sites and Subnets Configure the Global Catalog and Application Partitions Configure Replication."— Presentation transcript:

1 1 Week 8 – Manage Sites and Replication Configure Sites and Subnets Configure the Global Catalog and Application Partitions Configure Replication

2 2 Understand Sites Loosely related to network “sites”  A highly connected portion of your enterprise Active Directory objects that support  Replication Active Directory changes must be replicated to all DCs Some DCs might be separated by slow, expensive links Balance between replication “cost” & convergence  Service localization DC (LDAP & Kerberos) DFS Active Directory–aware (site aware) apps Location property searching, for example, printer location

3 3 Plan Sites Active Directory sites may not map one-to-one with network sites  Two locations, well connected, may be one Active Directory site  A large enterprise on a highly connected campus (one “site”) may be broken into multiple Active Directory sites for service localization Criteria  Connection speed: < 512 kbps link is slow speed.  Service placement: If no DCs or Active Directory–aware services, not much point in a site  User population: If the number of users warrants a DC, consider a site  Directory query traffic by users or applications  Desire to control replication traffic between DCs

4 4 Create Sites Active Directory Sites and Services Default-First-Site-Name  Should be renamed Create a site  Assign to site link Create a subnet  Assign to site  A site can have >1 subnet A subnet can be associated with only one site

5 5 Manage Domain Controllers in Sites DCs should be in the correct site  The SERVERS container will show only DCs, not all server Add a DC to a site  First DC will be in Default-First-Site-Name  Additional DCs will be added to sites based on their subnet address  DCPromo prompts you for the site  You can right-click the Servers container of a site and pre-create the server object before promoting the DC Move DC to a new site: right-click DC and choose Move Delete a DC: right-click DC and choose Delete

6 6 Domain Controller Location: SRV Records Domain controllers register service locator records (SRV) in DNS in the following locations  _tcp.contoso.com: all DCs in the domain  _tcp.siteName._sites.contoso.com: all DCs in site siteName Clients query DNS for domain controllers

7 7 Domain Controller Location: Client 1. New client queries for all DCs in the domain  Retrieves SRVs from _tcp.domain 2. Attempts LDAP bind to all 3. First DC to respond  Examines client IP and subnet definitions  Refers client to a site 4. Client stores site in registry 5. Client queries for all DCs in the site  Retrieves SRVs from _tcp.site._sites.domain 6. Attempts LDAP bind to all 7. First DC to respond  Authenticates client  Client forms affinity 8. Subsequently  Client binds to affinity DC  DC offline? Client queries for DCs in registry-stored site  Client moved to another site? DC refers client to another site

8 8 Review Active Directory Partitions Full replica (DC) Read-only replica (RODC)  Does not include secrets  Replicates passwords per policy Domain Forest Definitions and rules for creating and manipulating objects and attributes Information about the Active Directory structure Information about domain- specific objects Active Directory Database Domain Configuration Schema

9 9 Understand the Global Catalog Global catalog hosts a partial attribute set (PAS) for other domains in the forest Supports queries for objects throughout the forest Domain B Configuration Schema Domain A Configuration Schema Global Catalog Server Domain B Configuration Schema Domain A Configuration Schema

10 10 Place Global Catalog Servers Recommendation: Every DC a GC In particular  If an application in a site queries the GC (port 3268)  If a site contains an Exchange server  If a connection to a GC in another site is slow/unreliable Domain B Domain A Configuration Schema Domain B Domain A Configuration Schema HEADQUARTERSBRANCHA Make a GC?

11 11 Configure a Global Catalog Server Right-click the NTDS Settings node underneath the DC

12 12 Universal Group Membership Caching Universal group membership replicated in the GC  Normal logon: user’s token built with UGs from GC  GC not available at logon: DC denies authentication If every DC is a GC, this is never a problem If connectivity to a GC is not reliable  DCs can cache UG membership for a user when user logs on  GC later not available: user authenticated with cached UGs In sites with unreliable connectivity to GC: enable UGMC Right-click NTDS Settings for site  Properties  Enables UGMC for all DCs in the site

13 13 Support a specific application Targeted to specific DCs Managed with the admin tool for the app: e.g. DNS Manager Consider app partitions before demoting a DC Domain B Configuration Schema Domain A Configuration Schema DNS Domain B Configuration Schema DNS Domain A Configuration Schema Understand Application Directory Partitions

14 14 Understand Active Directory Replication Multimaster replication’s balancing act: “loose coupling”  Accuracy (integrity)  Consistency (convergence)  Performance (keeping replication traffic to a reasonable level) Key characteristics of Active Directory Replication  Multimaster replication  Pull replication  Store-and-forward  Partitions  Automatic generation of an efficient & robust replication topology  Attribute level replication  Distinct control of intrasite and intersite replication  Collision detection and remediation

15 15 Intrasite Replication Connection object: inbound replication to a DC Knowledge consistency checker (KCC) creates topology  Efficient (maximum three hop) & robust (two-way) topology  Runs automatically, but you can “Check Replication Topology”  Few reasons to manually create connection objects Standby operations masters should have connections to masters Replication  Notification: DC tells its downstream partners change is available (15 seconds)  Polling: DC checks with its upstream partners (1 hour) for changes  Downstream DC directory replication agent (DRA) replicates changes  Changes to all partitions held by both DCs are replicated DC2 DC1 DC3

16 16 Site Links Intersite topology generator (ISTG) builds replication topology between sites Site links  Contain sites  Within a site link, a connection object can be created between any two DCs  Not always appropriate given your network topology!

17 17 Replication Transport Protocols Directory Service Remote Procedure Call (DS-RPC)  Appears as IP in Active Directory Sites and Services  The default and preferred protocol for intersite replication Inter-Site Messaging—Simple Mail Transport Protocol (ISM-SMTP)  Appears as SMTP in Active Directory Sites and Services  Rarely used in the real world  Requires a certificate authority  Cannot replicate the domain naming context—only schema and configuration  Any site that uses SMTP to replicate must be in a separate domain within the forest

18 18 Bridgehead Servers Replicates changes from bridgeheads in all other sites Polled for changes by bridgeheads in all other sites Selected automatically by ISTG Or you can configure preferred bridgehead servers  Firewall considerations  Performance considerations

19 19 Site Link Transitivity and Bridges Site link transitivity (default)  ISTG can create connection objects between site links  Disable transitivity in the properties of the IP transport Site link bridges  Manually transitive site links  Useful only when transitivity is disabled

20 20 Control Intersite Replication Site link costs  Replication uses the connections with the lowest cost Replication  Notifications off by default. Bridgeheads do not notify partners  Polling. Downstream bridgehead polls upstream partners Default: 3 hours Minimum: 15 minutes Recommended: 15 minutes  Replication schedules 24 hours a day Can be scheduled 100 300

21 21 Whiteboard: Replication IP Subnet Site B IP Subnet Site A IP Subnet BH Site Link Bridge BH Site C Site D IP Subnet BH IP Subnet RODC Branch

22 22 Monitor and Manage Replication RepAdmin  repadmin /showrepl hqdc01.contso.com  repadmin /showconn hqdc01.contoso.com  repadmin /showobjmeta hqdc01 "cn=Linda Miller,ou=…"  repadmin /kcc  repadmin /replicate hqdc02 hqdc01 dc=contoso,dc=com  repadmin /syncall hqdc01.contoso.com /A /e DCDiag /test:testName  FrsEvent or DFSREvent  Intersite  KccEvent  Replications  Topology

Download ppt "1 Week 8 – Manage Sites and Replication Configure Sites and Subnets Configure the Global Catalog and Application Partitions Configure Replication."

Similar presentations

Active Directory: Beyond The Basics

Active Directory: Beyond The Basics
Active Directory and Group Policy Blackhat Amsterdam Raymond Forbes.

Active Directory and Group Policy Blackhat Amsterdam Raymond Forbes.
Implementing and Administering AD DS Sites and Replication

Implementing and Administering AD DS Sites and Replication
Windows Server 2003 AD 安裝設定與管理維護 林寶森

Windows Server 2003 AD 安裝設定與管理維護 林寶森
Module 10: Troubleshooting Active Directory, DNS, and Replication Issues.

Module 10: Troubleshooting Active Directory, DNS, and Replication Issues.
Module 10: Troubleshooting AD DS, DNS, and Replication Issues.

Module 10: Troubleshooting AD DS, DNS, and Replication Issues.
Chapter 6 Introducing Active Directory

Chapter 6 Introducing Active Directory
Introduction to Active Directory

Introduction to Active Directory
Administering Active Directory

Administering Active Directory
Colorado State University’s Active Directory Environment Presented by the ACNS Windows Group Windows Administrators Advisory Group Meeting Feb 22 2011.

Colorado State University’s Active Directory Environment Presented by the ACNS Windows Group Windows Administrators Advisory Group Meeting Feb
Introduction to Dfs. Limits of Dfs 260 characters per file path 32 alternatives per volume 1 Dfs root per server Unlimited Dfs roots per domain Volumes.

Introduction to Dfs. Limits of Dfs 260 characters per file path 32 alternatives per volume 1 Dfs root per server Unlimited Dfs roots per domain Volumes.
3.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

3.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Understanding Active Directory

Understanding Active Directory
Module 1: Introduction to Active Directory

Module 1: Introduction to Active Directory
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Vikram Thakur Introduction to Active Directory Structure.

Vikram Thakur Introduction to Active Directory Structure.
1 Chapter Overview Creating Sites and Subnets Configuring Intersite Replication Troubleshooting Active Directory Replication.

1 Chapter Overview Creating Sites and Subnets Configuring Intersite Replication Troubleshooting Active Directory Replication.
MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 10: Configuring and Maintaining the Active Directory Infrastructure.

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 10: Configuring and Maintaining the Active Directory Infrastructure.
Chapter 4: Active Directory Design and Security Concepts

Chapter 4: Active Directory Design and Security Concepts

Similar presentations

Ads by Google